diff --git a/usr/local/bin/bastille b/usr/local/bin/bastille index 0542bed8..34009b37 100755 --- a/usr/local/bin/bastille +++ b/usr/local/bin/bastille @@ -32,17 +32,6 @@ PATH=${PATH}:/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin . /usr/local/share/bastille/common.sh -## root check first. -bastille_root_check() { - if [ "$(id -u)" -ne 0 ]; then - ## permission denied - error_notify "Bastille: Permission Denied" - error_exit "root / sudo / doas required" - fi -} - -bastille_root_check - ## check for config existance bastille_conf_check() { if [ ! -r "/usr/local/etc/bastille/bastille.conf" ]; then @@ -73,7 +62,7 @@ bastille_perms_check() { bastille_perms_check ## version -BASTILLE_VERSION="0.9.20220714" +BASTILLE_VERSION= usage() { cat << EOF @@ -110,6 +99,7 @@ Available Commands: stop Stop a running container. sysrc Safely edit rc files within targeted container(s). template Apply file templates to targeted container(s). + tags Add or remove tags to targeted container(s). top Display and update information about the top(1) cpu processes. umount Unmount a volume from within the targeted container(s). update Update container base -pX release. @@ -141,7 +131,7 @@ help|-h|--help) bootstrap|create|destroy|export|import|list|rdr|restart|start|update|upgrade|verify) # Nothing "extra" to do for these commands. -- cwells ;; -clone|config|cmd|console|convert|cp|edit|htop|limits|mount|pkg|rename|service|stop|sysrc|template|top|umount|zfs) +clone|config|cmd|console|convert|cp|edit|htop|limits|mount|pkg|rename|service|stop|sysrc|tags|template|top|umount|zfs) # Parse the target and ensure it exists. -- cwells if [ $# -eq 0 ]; then # No target was given, so show the command's help. -- cwells PARAMS='help' diff --git a/usr/local/man/man8/bastille.8.gz b/usr/local/man/man8/bastille.8.gz index cfe7efff..8f40bcbf 100644 Binary files a/usr/local/man/man8/bastille.8.gz and b/usr/local/man/man8/bastille.8.gz differ diff --git a/usr/local/share/bastille/bootstrap.sh b/usr/local/share/bastille/bootstrap.sh index c6acdbb8..b36d9429 100644 --- a/usr/local/share/bastille/bootstrap.sh +++ b/usr/local/share/bastille/bootstrap.sh @@ -42,6 +42,8 @@ help|-h|--help) ;; esac +bastille_root_check + #Validate if ZFS is enabled in rc.conf and bastille.conf. if [ "$(sysrc -n zfs_enable)" = "YES" ] && [ ! "${bastille_zfs_enable}" = "YES" ]; then warn "ZFS is enabled in rc.conf but not bastille.conf. Do you want to continue? (N|y)" diff --git a/usr/local/share/bastille/clone.sh b/usr/local/share/bastille/clone.sh index 5630b71d..f39b84d4 100644 --- a/usr/local/share/bastille/clone.sh +++ b/usr/local/share/bastille/clone.sh @@ -46,6 +46,8 @@ if [ $# -ne 2 ]; then usage fi +bastille_root_check + NEWNAME="${1}" IP="${2}" diff --git a/usr/local/share/bastille/cmd.sh b/usr/local/share/bastille/cmd.sh index 6bc69610..8047ded7 100644 --- a/usr/local/share/bastille/cmd.sh +++ b/usr/local/share/bastille/cmd.sh @@ -46,6 +46,8 @@ if [ $# -eq 0 ]; then usage fi +bastille_root_check + COUNT=0 RETURN=0 diff --git a/usr/local/share/bastille/common.sh b/usr/local/share/bastille/common.sh index adc1ac21..864c01f6 100644 --- a/usr/local/share/bastille/common.sh +++ b/usr/local/share/bastille/common.sh @@ -33,6 +33,14 @@ COLOR_GREEN= COLOR_YELLOW= COLOR_RESET= +bastille_root_check() { + if [ "$(id -u)" -ne 0 ]; then + ## permission denied + error_notify "Bastille: Permission Denied" + error_exit "root / sudo / doas required" + fi +} + enable_color() { . /usr/local/share/bastille/colors.pre.sh } diff --git a/usr/local/share/bastille/config.sh b/usr/local/share/bastille/config.sh index 8bfa996d..3a089276 100644 --- a/usr/local/share/bastille/config.sh +++ b/usr/local/share/bastille/config.sh @@ -55,6 +55,8 @@ if [ $# -eq 1 ] || [ $# -gt 3 ]; then usage fi +bastille_root_check + ACTION=$1 shift diff --git a/usr/local/share/bastille/console.sh b/usr/local/share/bastille/console.sh index 30c5f0f4..64c4b570 100644 --- a/usr/local/share/bastille/console.sh +++ b/usr/local/share/bastille/console.sh @@ -46,6 +46,8 @@ if [ $# -gt 1 ]; then usage fi +bastille_root_check + USER="${1}" validate_user() { diff --git a/usr/local/share/bastille/convert.sh b/usr/local/share/bastille/convert.sh index feb7ce85..dc729734 100644 --- a/usr/local/share/bastille/convert.sh +++ b/usr/local/share/bastille/convert.sh @@ -46,6 +46,8 @@ if [ $# -ne 0 ]; then usage fi +bastille_root_check + convert_symlinks() { # Work with the symlinks, revert on first cp error if [ -d "${bastille_releasesdir}/${RELEASE}" ]; then diff --git a/usr/local/share/bastille/cp.sh b/usr/local/share/bastille/cp.sh index a7dabc35..1cfa2835 100644 --- a/usr/local/share/bastille/cp.sh +++ b/usr/local/share/bastille/cp.sh @@ -54,6 +54,8 @@ if [ $# -ne 2 ]; then usage fi +bastille_root_check + case "${OPTION}" in -q|--quiet) OPTION="-a" diff --git a/usr/local/share/bastille/create.sh b/usr/local/share/bastille/create.sh index bc2cf700..0014c427 100644 --- a/usr/local/share/bastille/create.sh +++ b/usr/local/share/bastille/create.sh @@ -588,6 +588,8 @@ help|-h|--help) ;; esac +bastille_root_check + if echo "$3" | grep '@'; then BASTILLE_JAIL_IP=$(echo "$3" | awk -F@ '{print $2}') BASTILLE_JAIL_INTERFACES=$( echo "$3" | awk -F@ '{print $1}') diff --git a/usr/local/share/bastille/destroy.sh b/usr/local/share/bastille/destroy.sh index 91602dac..7126edb2 100644 --- a/usr/local/share/bastille/destroy.sh +++ b/usr/local/share/bastille/destroy.sh @@ -210,6 +210,8 @@ if [ $# -gt 1 ] || [ $# -lt 1 ]; then usage fi +bastille_root_check + ## check what should we clean case "${TARGET}" in *-CURRENT|*-CURRENT-I386|*-CURRENT-i386|*-current) diff --git a/usr/local/share/bastille/edit.sh b/usr/local/share/bastille/edit.sh index 6b591667..0e6996a4 100644 --- a/usr/local/share/bastille/edit.sh +++ b/usr/local/share/bastille/edit.sh @@ -48,6 +48,8 @@ elif [ $# -eq 1 ]; then TARGET_FILENAME="${1}" fi +bastille_root_check + if [ -z "${EDITOR}" ]; then EDITOR=vi fi diff --git a/usr/local/share/bastille/export.sh b/usr/local/share/bastille/export.sh index 3bedb9fe..d57854f8 100644 --- a/usr/local/share/bastille/export.sh +++ b/usr/local/share/bastille/export.sh @@ -71,6 +71,8 @@ if [ $# -gt 5 ] || [ $# -lt 1 ]; then usage fi +bastille_root_check + zfs_enable_check() { # Temporarily disable ZFS so we can create a standard backup archive if [ "${bastille_zfs_enable}" = "YES" ]; then diff --git a/usr/local/share/bastille/htop.sh b/usr/local/share/bastille/htop.sh index a9e50848..b3ecdf72 100644 --- a/usr/local/share/bastille/htop.sh +++ b/usr/local/share/bastille/htop.sh @@ -46,6 +46,8 @@ if [ $# -ne 0 ]; then usage fi +bastille_root_check + for _jail in ${JAILS}; do bastille_jail_path=$(/usr/sbin/jls -j "${_jail}" path) if [ ! -x "${bastille_jail_path}/usr/local/bin/htop" ]; then diff --git a/usr/local/share/bastille/import.sh b/usr/local/share/bastille/import.sh index 7044a3da..ce7a4178 100644 --- a/usr/local/share/bastille/import.sh +++ b/usr/local/share/bastille/import.sh @@ -59,6 +59,8 @@ if [ $# -gt 3 ] || [ $# -lt 1 ]; then usage fi +bastille_root_check + TARGET="${1}" OPT_FORCE= USER_IMPORT= diff --git a/usr/local/share/bastille/limits.sh b/usr/local/share/bastille/limits.sh index ce16e76b..87dde8d9 100644 --- a/usr/local/share/bastille/limits.sh +++ b/usr/local/share/bastille/limits.sh @@ -55,6 +55,8 @@ if [ $# -ne 2 ]; then usage fi +bastille_root_check + OPTION="${1}" VALUE="${2}" diff --git a/usr/local/share/bastille/list.sh b/usr/local/share/bastille/list.sh index a646b543..a71cbc2e 100644 --- a/usr/local/share/bastille/list.sh +++ b/usr/local/share/bastille/list.sh @@ -35,6 +35,12 @@ usage() { error_exit "Usage: bastille list [-j|-a] [release [-p]|template|(jail|container)|log|limit|(import|export|backup)]" } +if [ "$1" = help -o "$1" = "-h" -o "$1" = "--help" ]; then + usage +fi + +bastille_root_check + if [ $# -eq 0 ]; then /usr/sbin/jls -N fi @@ -47,9 +53,6 @@ fi if [ $# -gt 0 ]; then # Handle special-case commands first. case "$1" in - help|-h|--help) - usage - ;; all|-a|--all) if [ -d "${bastille_jailsdir}" ]; then DEFAULT_VALUE="-" diff --git a/usr/local/share/bastille/mount.sh b/usr/local/share/bastille/mount.sh index 4e946c66..96bd7689 100644 --- a/usr/local/share/bastille/mount.sh +++ b/usr/local/share/bastille/mount.sh @@ -50,6 +50,8 @@ else _fstab="$@" fi +bastille_root_check + ## assign needed variables _hostpath=$(echo "${_fstab}" | awk '{print $1}') _jailpath=$(echo "${_fstab}" | awk '{print $2}') diff --git a/usr/local/share/bastille/pkg.sh b/usr/local/share/bastille/pkg.sh index 97cabfe2..32a18ef9 100644 --- a/usr/local/share/bastille/pkg.sh +++ b/usr/local/share/bastille/pkg.sh @@ -45,6 +45,8 @@ if [ $# -lt 1 ]; then usage fi +bastille_root_check + errors=0 for _jail in ${JAILS}; do diff --git a/usr/local/share/bastille/rdr.sh b/usr/local/share/bastille/rdr.sh index a7e59c2e..86b61e5c 100644 --- a/usr/local/share/bastille/rdr.sh +++ b/usr/local/share/bastille/rdr.sh @@ -46,6 +46,8 @@ if [ $# -lt 2 ]; then usage fi +bastille_root_check + TARGET="${1}" JAIL_NAME="" JAIL_IP="" diff --git a/usr/local/share/bastille/rename.sh b/usr/local/share/bastille/rename.sh index e48aa7c2..b59ab476 100644 --- a/usr/local/share/bastille/rename.sh +++ b/usr/local/share/bastille/rename.sh @@ -56,6 +56,8 @@ if [ $# -ne 1 ]; then usage fi +bastille_root_check + NEWNAME="${1}" update_jailconf() { diff --git a/usr/local/share/bastille/service.sh b/usr/local/share/bastille/service.sh index 0217d3bf..f0b58361 100644 --- a/usr/local/share/bastille/service.sh +++ b/usr/local/share/bastille/service.sh @@ -45,6 +45,8 @@ if [ $# -lt 1 -o $# -gt 2 ]; then usage fi +bastille_root_check + for _jail in ${JAILS}; do info "[${_jail}]:" jexec -l "${_jail}" /usr/sbin/service "$@" diff --git a/usr/local/share/bastille/start.sh b/usr/local/share/bastille/start.sh index c681e164..1586b020 100644 --- a/usr/local/share/bastille/start.sh +++ b/usr/local/share/bastille/start.sh @@ -46,6 +46,8 @@ if [ $# -gt 1 ] || [ $# -lt 1 ]; then usage fi +bastille_root_check + TARGET="${1}" shift diff --git a/usr/local/share/bastille/stop.sh b/usr/local/share/bastille/stop.sh index 5343d77d..728f2ffd 100644 --- a/usr/local/share/bastille/stop.sh +++ b/usr/local/share/bastille/stop.sh @@ -46,6 +46,8 @@ if [ $# -ne 0 ]; then usage fi +bastille_root_check + for _jail in ${JAILS}; do ## test if running if [ "$(/usr/sbin/jls name | awk "/^${_jail}$/")" ]; then diff --git a/usr/local/share/bastille/sysrc.sh b/usr/local/share/bastille/sysrc.sh index 20445f83..ba004974 100644 --- a/usr/local/share/bastille/sysrc.sh +++ b/usr/local/share/bastille/sysrc.sh @@ -45,6 +45,8 @@ if [ $# -lt 1 ]; then usage fi +bastille_root_check + for _jail in ${JAILS}; do info "[${_jail}]:" jexec -l "${_jail}" /usr/sbin/sysrc "$@" diff --git a/usr/local/share/bastille/tags.sh b/usr/local/share/bastille/tags.sh new file mode 100644 index 00000000..6c8cca62 --- /dev/null +++ b/usr/local/share/bastille/tags.sh @@ -0,0 +1,104 @@ +#!/bin/sh +# +# Copyright (c) 2018-2023, Christer Edwards +# All rights reserved. +# Ressource limits added by Lars Engels github.com/bsdlme +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions are met: +# +# * Redistributions of source code must retain the above copyright notice, this +# list of conditions and the following disclaimer. +# +# * Redistributions in binary form must reproduce the above copyright notice, +# this list of conditions and the following disclaimer in the documentation +# and/or other materials provided with the distribution. +# +# * Neither the name of the copyright holder nor the names of its +# contributors may be used to endorse or promote products derived from +# this software without specific prior written permission. +# +# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" +# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE +# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE +# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR +# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER +# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, +# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE +# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +. /usr/local/share/bastille/common.sh +. /usr/local/etc/bastille/bastille.conf + +usage() { + error_notify "Usage: bastille tags TARGET add tag1[,tag2,...]" + error_notify " bastille tags TARGET delete tag1[,tag2,...]" + error_notify " bastille tags TARGET list [tag]" + echo -e "Example: bastille tags JAILNAME add database,mysql" + echo -e " bastille tags JAILNAME delete mysql" + echo -e " bastille tags ALL list" + echo -e " bastille tags ALL list mysql" + exit 1 +} + +# Handle special-case commands first. +case "$1" in +help|-h|--help) + usage + ;; +esac + +if [ $# -lt 1 -o $# -gt 2 ]; then + usage +fi + +bastille_root_check + +ACTION="${1}" +TAGS="${2}" + +for _jail in ${JAILS}; do + bastille_jail_tags="${bastille_jailsdir}/${_jail}/tags" + case ${ACTION} in + add) + for _tag in $(echo ${TAGS} | tr , ' '); do + echo ${_tag} >> "${bastille_jail_tags}" + tmpfile="$(mktemp)" + sort "${bastille_jail_tags}" | uniq > "${tmpfile}" + mv "${tmpfile}" "${bastille_jail_tags}" + done + ;; + del*) + for _tag in $(echo ${TAGS} | tr , ' '); do + [ ! -f "${bastille_jail_tags}" ] && break # skip if no tags file + tmpfile="$(mktemp)" + grep -Ev "^${_tag}\$" "${bastille_jail_tags}" > "${tmpfile}" + mv "${tmpfile}" "${bastille_jail_tags}" + # delete tags file if empty + [ ! -s "${bastille_jail_tags}" ] && rm "${bastille_jail_tags}" + done + ;; + list) + if [ -n "${TAGS}" ]; then + [ -n "$(echo ${TAGS} | grep ,)" ] && usage # Only one tag per query + [ ! -f "${bastille_jail_tags}" ] && continue # skip if there is no tags file + grep -qE "^${TAGS}\$" "${bastille_jail_tags}" + if [ $? -eq 0 ]; then + echo "${_jail}" + continue + fi + else + if [ -f "${bastille_jail_tags}" ]; then + echo -n "${_jail}: " + xargs < "${bastille_jail_tags}" + fi + fi + ;; + *) + usage + ;; + esac +done + diff --git a/usr/local/share/bastille/template.sh b/usr/local/share/bastille/template.sh index 9cb94d09..fe963ff2 100644 --- a/usr/local/share/bastille/template.sh +++ b/usr/local/share/bastille/template.sh @@ -116,6 +116,8 @@ if [ $# -lt 1 ]; then bastille_usage fi +bastille_root_check + ## global variables TEMPLATE="${1}" bastille_template=${bastille_templatesdir}/${TEMPLATE} diff --git a/usr/local/share/bastille/top.sh b/usr/local/share/bastille/top.sh index 5f8d5992..6d5535dc 100644 --- a/usr/local/share/bastille/top.sh +++ b/usr/local/share/bastille/top.sh @@ -45,6 +45,8 @@ if [ $# -ne 0 ]; then usage fi +bastille_root_check + for _jail in ${JAILS}; do info "[${_jail}]:" jexec -l "${_jail}" /usr/bin/top diff --git a/usr/local/share/bastille/umount.sh b/usr/local/share/bastille/umount.sh index b9513c42..1c210ec9 100644 --- a/usr/local/share/bastille/umount.sh +++ b/usr/local/share/bastille/umount.sh @@ -46,6 +46,8 @@ if [ $# -ne 1 ]; then usage fi +bastille_root_check + MOUNT_PATH=$1 for _jail in ${JAILS}; do diff --git a/usr/local/share/bastille/update.sh b/usr/local/share/bastille/update.sh index eeb8325b..fadf6e9b 100644 --- a/usr/local/share/bastille/update.sh +++ b/usr/local/share/bastille/update.sh @@ -46,6 +46,8 @@ if [ $# -gt 2 ] || [ $# -lt 1 ]; then usage fi +bastille_root_check + TARGET="${1}" OPTION="${2}" diff --git a/usr/local/share/bastille/upgrade.sh b/usr/local/share/bastille/upgrade.sh index eb2a1672..d6f50743 100644 --- a/usr/local/share/bastille/upgrade.sh +++ b/usr/local/share/bastille/upgrade.sh @@ -46,6 +46,8 @@ if [ $# -gt 3 ] || [ $# -lt 2 ]; then usage fi +bastille_root_check + TARGET="$1" NEWRELEASE="$2" OPTION="$3" diff --git a/usr/local/share/bastille/verify.sh b/usr/local/share/bastille/verify.sh index be513dad..c1bca9ff 100644 --- a/usr/local/share/bastille/verify.sh +++ b/usr/local/share/bastille/verify.sh @@ -154,6 +154,8 @@ if [ $# -gt 1 ] || [ $# -lt 1 ]; then bastille_usage fi +bastille_root_check + case "$1" in *-RELEASE|*-release|*-RC1|*-rc1|*-RC2|*-rc2) RELEASE=$1 diff --git a/usr/local/share/bastille/zfs.sh b/usr/local/share/bastille/zfs.sh index 85087d74..5eb79439 100644 --- a/usr/local/share/bastille/zfs.sh +++ b/usr/local/share/bastille/zfs.sh @@ -82,6 +82,8 @@ help|-h|--help) ;; esac +bastille_root_check + ## check ZFS enabled if [ ! "${bastille_zfs_enable}" = "YES" ]; then error_exit "ZFS not enabled."