# ezjail under FreeBSD 9 and port security



## kimj (Dec 21, 2011)

Hello to everyone, new user.

Today the idea of installing FreeBSD 9 on my server came on my mind, so I decided to try it in a VM.

I have noticed some problems: the ezjail script isn't working under freebsd FreeBSD 9, the structure of the mirror is changed, as you can see here:

ftp://ftp.freebsd.org/pub/FreeBSD/releases/amd64/

and even the package format is changed: packages aren't composed anymore by a list of partial files with an install script; they are zx'ed tar archives of /. 

I tried to correct the ezjail script, and as of now, I found this section interesting:


```
# Try all paths as stolen from sysinstall, break on success.
      for ezjail_path in pub/FreeBSD/releases pub/FreeBSD/snapshot pub/FreeBSD releases snapshots NO; do
        if [ "${ezjail_path}" = "NO" ]; then
          echo -e "\nCould not fetch ${pkg} from ${ezjail_ftphost}.\n  Maybe your release (${ezjail_release}) is specified incorrectly or the
 host ${ezjail_ftphost} does not provide that release build.\n  Use the -r option to specify an existing release or the -h option to specify an
 alternative ftp server." >&2
          [ "${ezjail_ftpserverqueried}" ] || ezjail_queryftpserver
          exit 1
        fi
        ftp "${ezjail_ftphost}:${ezjail_path}/${ezjail_installarch}/${ezjail_release}/${pkg}/*" && break
      done

      # These actions are really ugly: sources want $1 to contain the set
      # of sources to install, base asks the user if he is sure, hence the
      # yes and the set -- all
      [ "${pkg}" = "base" ] && echo "Ignore the next question, ezjail answers it for you."
      set -- all
      [ -f install.sh ] && yes | . install.sh
      [ $? -eq 0 ] || exerr "Error: Package install script for ${pkg} failed."

      rm -rf "${ezjail_jailtemp}"
    else
      cd "${ezjail_reldir}/${ezjail_dir}/${pkg}" || exerr "Error: Could not cd to ${ezjail_dir}."
      set -- all
      [ -f install.sh ] && yes | . install.sh
      [ $? -eq 0 ] || exerr "Error: Package install script for ${pkg} failed."
    fi
  done
```


I think it sould be corrected as follows: 


```
ftp "${ezjail_ftphost}:${ezjail_path}/${ezjail_installarch}/${ezjail_installarch}/${ezjail_release}/*" && break
```
and then there sould be some code for extracting the archive, as simple as that.

Unfortunately I'm a student (still in high school) and I have a lot to study for tomorrow, so I can't do it now, and I'm very bad at scripting/coding. Can someone do it for me and, if the changes are working, send them to the ezjail creator/maintainer?

Here's the second problem I've encountered: binary packages aren't cryptographycally signed. An attacker who can perform active attacks could simply create a mirror ftp archive of the freebsd FreeBSD one and force the client to install malicious packages. The simplest solution, either than signing every single package, would be signing the file containing the list and the hashes of the packages. But I bet it doesn't matter, since I'm a paranoid and on freebsd FreeBSD binary packages are simply shit... [ very mature. -- Mod. ]

Have a good day, and thanks for any response in advantage. 

ps: sorry for my english, if I've made any mistake.


----------



## kimj (Dec 22, 2011)

So, at least I've tried. 

Here's the code, can someone check if it works?


```
DESTDIR=${ezjail_jailfull}

  rm -rf "${ezjail_jailtemp}"
    # The first case means, that a remote host has been specified.
    if [ "${ezjail_dir}" = "${ezjail_ftphost}" ]; then
      # Create and try to access temp dir
      mkdir -p "${ezjail_jailtemp}" || exerr "Error: Could not create temporary base jail directory ${ezjail_jailtemp}."
      cd "${ezjail_jailtemp}" || exerr "Error: Could not cd to ${ezjail_jailtemp}."

      # Try all paths as stolen from sysinstall, break on success.
      for pkg in base.txz kernel.txz ports.txz doc.txz; do
        ftp "${ezjail_ftphost}:${ezjail_path}/${ezjail_installarch}/${ezjail_installarch}/${ezjail_release}/${pkg}"
        (cat $pkg | tar --unlink -xpJf - -C ${DESTDIR:-/}); done
    rm -rf "${ezjail_jailtemp}"
```


----------



## Nukama (Jan 2, 2012)

erdgeist fixed some code to support this new layout.
ezjail mailinglist post
commit diffs


----------



## kimj (Jan 4, 2012)

Nukama said:
			
		

> erdgeist fixed some code to support this new layout.
> ezjail mailinglist post
> commit diffs



I know, thanks!


----------



## kimj (Jan 4, 2012)

I still have a question:

Doesn't xdec decompress xz? And, if so, why is tar invoked with the -J switch?


```
+        xzdec ${pkg}.txz | tar --unlink -xpJf - -C ${DESTDIR}
```


----------

