# ( http://www.fsf.org/licenses/gpl.txt )
# first Release: 2004-07-30
-# latest update: 2007-01-07
+# latest update: 2007-02-24
#
# The latest version of the script is available at
# http://www.fuschlberger.net/programs/ssh-scp-chroot-jail/
#
# Feedback is welcome!
#
-# Thanks for Bugfixes / Enhancements to
+# Thanks for Bugfixes / Enhancements to
# Michael Prokop <http://www.michael-prokop.at/chroot/>,
# Randy K., Randy D. and Jonathan Hunter.
fi
echo "Am I root? "
-if [ "$(whoami &2>/dev/null)" != "root" ] && [ "$(id -un &2>/dev/null)" != "root" ] ; then
+if [ "$(whoami 2>/dev/null)" != "root" ] && [ "$(id -un 2>/dev/null)" != "root" ] ; then
echo " NO!
-Error: You must be root to run this script."
+Error: You must be root to run this script." >&2
exit 1
fi
echo " OK";
# Specify the apps you want to copy to the jail
if [ "$DISTRO" = SUSE ]; then
- APPS="/bin/bash /bin/cp /usr/bin/dircolors /bin/ls /bin/mkdir /bin/mv /bin/rm /bin/rmdir /bin/sh /bin/su /usr/bin/groups /usr/bin/id /usr/bin/netcat /usr/bin/rsync /usr/bin/ssh /usr/bin/scp /sbin/unix_chkpwd /usr/lib/ssh/sftp-server"
+ APPS="/bin/bash /bin/cp /usr/bin/dircolors /bin/ls /bin/mkdir /bin/mv /bin/rm /bin/rmdir /bin/sh /bin/su /usr/bin/groups /usr/bin/id /usr/bin/netcat /usr/bin/rsync /usr/bin/ssh /usr/bin/scp /sbin/unix_chkpwd"
elif [ "$DISTRO" = FEDORA ]; then
- APPS="/bin/bash /bin/cp /usr/bin/dircolors /bin/ls /bin/mkdir /bin/mv /bin/rm /bin/rmdir /bin/sh /bin/su /usr/bin/groups /usr/bin/id /usr/bin/nc /usr/bin/rsync /usr/bin/ssh /usr/bin/scp /sbin/unix_chkpwd /usr/libexec/openssh/sftp-server"
+ APPS="/bin/bash /bin/cp /usr/bin/dircolors /bin/ls /bin/mkdir /bin/mv /bin/rm /bin/rmdir /bin/sh /bin/su /usr/bin/groups /usr/bin/id /usr/bin/nc /usr/bin/rsync /usr/bin/ssh /usr/bin/scp /sbin/unix_chkpwd"
elif [ "$DISTRO" = REDHAT ]; then
- APPS="/bin/bash /bin/cp /usr/bin/dircolors /bin/ls /bin/mkdir /bin/mv /bin/rm /bin/rmdir /bin/sh /bin/su /usr/bin/groups /usr/bin/id /usr/bin/nc /usr/bin/rsync /usr/bin/ssh /usr/bin/scp /sbin/unix_chkpwd /usr/libexec/openssh/sftp-server"
+ APPS="/bin/bash /bin/cp /usr/bin/dircolors /bin/ls /bin/mkdir /bin/mv /bin/rm /bin/rmdir /bin/sh /bin/su /usr/bin/groups /usr/bin/id /usr/bin/nc /usr/bin/rsync /usr/bin/ssh /usr/bin/scp /sbin/unix_chkpwd"
elif [ "$DISTRO" = DEBIAN ]; then
- APPS="/bin/bash /bin/cp /usr/bin/dircolors /bin/ls /bin/mkdir /bin/mv /bin/rm /bin/rmdir /bin/sh /bin/su /usr/bin/groups /usr/bin/id /usr/bin/rsync /usr/bin/ssh /usr/bin/scp /sbin/unix_chkpwd /usr/lib/sftp-server"
+ APPS="/bin/bash /bin/cp /usr/bin/dircolors /bin/ls /bin/mkdir /bin/mv /bin/rm /bin/rmdir /bin/sh /bin/su /usr/bin/groups /usr/bin/id /usr/bin/rsync /usr/bin/ssh /usr/bin/scp /sbin/unix_chkpwd"
else
- APPS="/bin/bash /bin/cp /usr/bin/dircolors /bin/ls /bin/mkdir /bin/mv /bin/rm /bin/rmdir /bin/sh /bin/su /usr/bin/groups /usr/bin/id /usr/bin/rsync /usr/bin/ssh /usr/bin/scp /usr/sbin/unix_chkpwd /usr/lib/misc/sftp-server"
+ APPS="/bin/bash /bin/cp /usr/bin/dircolors /bin/ls /bin/mkdir /bin/mv /bin/rm /bin/rmdir /bin/sh /bin/su /usr/bin/groups /usr/bin/id /usr/bin/rsync /usr/bin/ssh /usr/bin/scp /usr/sbin/unix_chkpwd"
fi
# Check existence of necessary files
-echo "Checking for which... "
+echo "Checking for which... "
if ( test -f /usr/bin/which ) || ( test -f /bin/which ) || ( test -f /sbin/which ) || ( test -f /usr/sbin/which );
then echo " OK";
else echo " failed
Please install which-binary!
-"
+" >&2
exit 1
fi
-echo "Checking for chroot..."
+echo "Checking for chroot..."
if [ `which chroot` ];
then echo " OK";
else echo " failed
chroot not found!
Please install chroot-package/binary!
-"
+" >&2
exit 1
fi
-echo "Checking for sudo..."
+echo "Checking for sudo..."
if [ `which sudo` ]; then
echo " OK";
-else
+else
echo " failed
sudo not found!
Please install sudo-package/binary!
-"
+" >&2
exit 1
fi
-echo "Checking for dirname..."
+echo "Checking for dirname..."
if [ `which dirname` ]; then
- echo " OK
-";
-else
+ echo " OK";
+else
echo " failed
dirname not found!
Please install dirname-binary (to be found eg in the package coreutils)!
-"
+" >&2
exit 1
fi
+echo "Checking for awk..."
+if [ `which awk` ]; then
+ echo " OK
+";
+else
+ echo " failed
+
+awk not found!
+Please install (g)awk-package/binary!
+" >&2
+exit 1
+fi
+
+# get location of sftp-server binary from /etc/ssh/sshd_config
+# check for existence of /etc/ssh/sshd_config and for
+# (uncommented) line with sftp-server filename. If neither exists, just skip
+# this step and continue without sftp-server
+#
+if (test ! -f /etc/ssh/sshd_config >/dev/null 2>&1); then
+ echo "
+File /etc/ssh/sshd_config not found.
+Not checking for path to sftp-server.
+ ";
+else
+ if !(grep -v "^#" /etc/ssh/sshd_config | grep -i sftp-server >/dev/null 2&1); then
+ echo "Obviously no sftp-server is running on this system.
+";
+ else SFTP_SERVER=$(grep -v "^#" /etc/ssh/sshd_config | grep -i sftp-server | awk '{ print $3}')
+ fi
+fi
+
+#if !(grep -v "^#" /etc/ssh/sshd_config | grep -i sftp-server /etc/ssh/sshd_config | awk '{ print $3}' >/dev/null 2&1); then
+APPS="$APPS $SFTP_SERVER"
+
# Get accountname to create
CHROOT_USERNAME=$1
if ( id $CHROOT_USERNAME > /dev/null 2>&1 ) ; then {
echo "
-----------------------------
-User $CHROOT_USERNAME exists.
+User $CHROOT_USERNAME exists.
Are you sure you want to modify the users home directory and lock him into the
chroot directory?
Are you REALLY sure?
-Say only yes if you absolutely know what you are doing!"
- read -p "(yes/no) -> " MODIFYUSER
+Say only yes if you absolutely know what you are doing!
+(yes/no) -> "
+ read MODIFYUSER
if [ "$MODIFYUSER" != "yes" ]; then
echo "
-Not entered yes. Exiting...."
+Not entered yes. Exiting...." >&2
exit 1
fi
}
if [ -f ${SHELL} ] ; then
echo "
-----------------------------
-The file $SHELL exists.
+The file $SHELL exists.
Probably it was created by this script.
Are you sure you want to overwrite it?
(you want to say yes for example if you are running the script for the second
-time when adding more than one account to the jail)"
-read -p "(yes/no) -> " OVERWRITE
+time when adding more than one account to the jail)
+(yes/no) -> "
+read OVERWRITE
if [ "$OVERWRITE" != "yes" ]; then
echo "
-Not entered yes. Exiting...."
+Not entered yes. Exiting...." >&2
exit 1
fi
else
[ -r $JAILPATH/dev/urandom ] || mknod $JAILPATH/dev/urandom c 1 9
[ -r $JAILPATH/dev/null ] || mknod -m 666 $JAILPATH/dev/null c 1 3
[ -r $JAILPATH/dev/zero ] || mknod -m 666 $JAILPATH/dev/zero c 1 5
-[ -r $JAILPATH/dev/tty ] || mknod -m 666 $JAILPATH/dev/tty c 5 0
+[ -r $JAILPATH/dev/tty ] || mknod -m 666 $JAILPATH/dev/tty c 5 0
# if we only want to update the files in the jail
# skip the creation of the new account
if [ "$1" != "update" ]; then
-# Modifiy /etc/sudoers to enable chroot-ing for users
+# Modify sudo config to enable chroot-ing for users,
# must be removed by hand if account is deleted
-echo "Modifying /etc/sudoers"
-echo "$CHROOT_USERNAME ALL=NOPASSWD: `which chroot`, /bin/su - $CHROOT_USERNAME" >> /etc/sudoers
+SUDOERS="$CHROOT_USERNAME ALL=NOPASSWD: $(which chroot), /bin/su - $CHROOT_USERNAME"
+if [ -d /etc/sudoers.d ]; then
+ echo "Installing sudoers configuration file /etc/sudoers.d/jail-$CHROOT_USERNAME"
+ echo "$SUDOERS" > "/etc/sudoers.d/jail-$CHROOT_USERNAME"
+ chmod 0440 "/etc/sudoers.d/jail-$CHROOT_USERNAME"
+else
+ echo "Modifying /etc/sudoers"
+ echo "$SUDOERS" >> /etc/sudoers
+fi
# Define HomeDir for simple referencing
HOMEDIR="$JAILPATH/home/$CHROOT_USERNAME"
# $HOME to $JAILPATH/home/*
if [ "$CREATEUSER" != "yes" ] ; then echo "
Not creating new User account
-Modifying User \"$CHROOT_USERNAME\"
+Modifying User \"$CHROOT_USERNAME\"
Copying files in $CHROOT_USERNAME's \$HOME to \"$HOMEDIR\"
"
usermod -d "$HOMEDIR" -m -s "$SHELL" $CHROOT_USERNAME && chmod 700 "$HOMEDIR"
fi
-if [ "$CREATEUSER" == "yes" ] ; then {
+if [ "$CREATEUSER" = "yes" ] ; then {
echo "Adding User \"$CHROOT_USERNAME\" to system"
useradd -m -d "$HOMEDIR" -s "$SHELL" $CHROOT_USERNAME && chmod 700 "$HOMEDIR"
# Enter password for new account
if !(passwd $CHROOT_USERNAME);
- then echo "Passwords are probably not the same, try again."
+ then echo "Passwords are probably not the same, try again." >&2
exit 1;
fi
echo
fi
# grep the username which was given to us from /etc/passwd and add it
-# to ./etc/passwd replacing the $HOME with the directory as it will then
+# to ./etc/passwd replacing the $HOME with the directory as it will then
# appear in the jail
echo "Adding User $CHROOT_USERNAME to jail"
grep -e "^$CHROOT_USERNAME:" /etc/passwd | \
echo "Copying necessary library-files to jail (may take some time)"
# The original code worked fine on RedHat 7.3, but did not on FC3.
-# On FC3, when the 'ldd' is done, there is a 'linux-gate.so.1' that
+# On FC3, when the 'ldd' is done, there is a 'linux-gate.so.1' that
# points to nothing (or a 90xb.....), and it also does not pick up
# some files that start with a '/'. To fix this, I am doing the ldd
# to a file called ldlist, then going back into the file and pulling
# out the libs that start with '/'
-#
+#
# Randy K.
#
# The original code worked fine on 2.4 kernel systems. Kernel 2.6
-# introduced an internal library called 'linux-gate.so.1'. This
-# 'phantom' library caused non-critical errors to display during the
-# copy since the file does not actually exist on the file system.
-# To fix re-direct output of ldd to a file, parse the file and get
+# introduced an internal library called 'linux-gate.so.1'. This
+# 'phantom' library caused non-critical errors to display during the
+# copy since the file does not actually exist on the file system.
+# To fix re-direct output of ldd to a file, parse the file and get
# library files that start with /
#
-if [ -x ${HOME}/ldlist ]; then
+if [ -x ${HOME}/ldlist ]; then
mv ${HOME}/ldlist ${HOME}/ldlist.bak
fi
-if [ -x ${HOME}/lddlist2 ]; then
+if [ -x ${HOME}/lddlist2 ]; then
mv ${HOME}/lddlist2 ${HOME}/lddlist2.bak
fi
if [ -e ${HOME}/ldlist2 ]; then
rm ${HOME}/ldlist2
fi
-for libs in `cat /root/ldlist`; do
+for libs in `cat ${HOME}/ldlist`; do
frst_char="`echo $libs | cut -c1`"
if [ "$frst_char" = "/" ]; then
- echo "$libs" >> /root/ldlist2
+ echo "$libs" >> ${HOME}/ldlist2
fi
done
-for lib in `cat /root/ldlist2`; do
+for lib in `cat ${HOME}/ldlist2`; do
mkdir -p .`dirname $lib` > /dev/null 2>&1
# If the files in the chroot are on the same file system as the original
# needed library just copy all of them)
#
#cp /lib/*.* ${JAILPATH}/lib/
-#cp /lib/lib64/*.* ${JAILPATH}/lib/lib64/
+#cp /lib/lib64/*.* ${JAILPATH}/lib/lib64/
# if you are using PAM you need stuff from /etc/pam.d/ in the jail,
echo "Copying files from /etc/pam.d/ to jail"
if [ -f /etc/DIR_COLORS ] ; then
cp /etc/DIR_COLORS ${JAILPATH}/etc/
-fi
+fi
# Don't give more permissions than necessary
chown root.root ${JAILPATH}/bin/su
projects / grml-scripts.git / blobdiff