mkchroot (from Luis Iafigliola) For Centos 32/64
#!/bin/sh | |
#####################################################################
# Mkchroot update for 32/64-bit RHEL systems support by Luis Iafigliola.
# Dated 29th June 2010.
#####################################################################
#####################################################################
##
## mkchroot.sh - set up a chroot jail.
##
## This script was written to work on Red Hat 8/9 systems, but may work on
## other systems. Or it may not... In fact, it may not work at all. Use at
## your own risk.
##
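#######################################
# Print a fatal error to stderr and exit.
# Arguments: $1 - message to print
#            $2 - exit status (optional; defaults to 1 so a call that omits
#                 the code never exits 0 after a fatal error, as the old
#                 bare `exit $2` did)
# Outputs:   writes "<script>: fatal error" and $1 to stderr
# Returns:   does not return; exits with $2, or 1 when $2 is empty
#######################################
fail() {
  printf '%s: fatal error\n' "$(basename "$0")" >&2
  printf '%s\n' "$1" >&2
  exit "${2:-1}"
}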
#####################################################################
#
# Initialize - handle command-line args, and set up variables and such.
#
# $1 is the directory to make the root of the chroot jail (required)
# $2, if given, is the user who should own the jail (optional)
# $3, if given, is the permissions on the directory (optional)
# $4, if given, is the group that should own the jail (optional)
#
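# Argument handling. The optional values are set to the empty string
# explicitly, so a variable of the same name exported in the caller's
# environment is never mistaken for an argument by the "-n" checks below.
if [ -z "$1" ]; then
  echo "$(basename "$0"): error parsing command line" >&2
  echo " You must specify a directory to use as the chroot jail." >&2
  echo " Usage: $(basename "$0") jail_dir [owner] [perms] [group]" >&2
  exit 1
fi
jail_dir="$1"
owner="${2:-}"   # user who should own the jail
perms="${3:-}"   # mode applied to the jail directory
group="${4:-}"   # group that should own the jail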
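# Check for a 64-bit platform, which changes where the shared libraries live.
# Match on the machine type alone: `uname -a` also prints the hostname and
# kernel version string, either of which could contain "x86_64" on a 32-bit
# host and mis-select lib64. The unused `platform` variable is dropped.
case "$(uname -m)" in
  x86_64)
    lib_dir="lib64"
    ;;
  *)
    lib_dir="lib"
    ;;
esac
echo "library support = $lib_dir"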
#####################################################################
#
# build the jail
#
# now make the directory
# Create the jail root if it is not already there; exit 2 if that fails.
if [ ! -d "$jail_dir" ]; then
  echo "Creating root jail directory."
  if ! mkdir -p "$jail_dir"; then
    echo " $(basename "$0"): error creating jail directory." >&2
    echo "Check permissions on parent directory." >&2
    exit 2
  fi
fi
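# Ownership can only be changed by root; otherwise report the skip and go on.
# Two [ ] tests replace the deprecated "-a" operator, and printf replaces
# `echo -e "... \c"`, whose -e flag is not supported by every /bin/sh.
if [ -n "$owner" ] && [ "$(whoami)" = "root" ]; then
  echo "Setting owner of jail."
  if ! chown "$owner" "$jail_dir"; then
    echo " $(basename "$0"): error changing owner of jail directory." >&2
    exit 3
  fi
else
  printf 'NOT changing owner of root jail. '
  if [ "$(whoami)" != "root" ]; then
    echo "You are not root."
  else
    echo
  fi
fi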
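# Permissions are applied only when running as root; otherwise say so.
# Same fixes as the owner block: no "-a", and printf instead of `echo -e`.
if [ -n "$perms" ] && [ "$(whoami)" = "root" ]; then
  echo "Setting permissions of jail."
  if ! chmod "$perms" "$jail_dir"; then
    echo " $(basename "$0"): error changing perms of jail directory." >&2
    exit 3
  fi
else
  printf 'NOT changing perms of root jail. '
  if [ "$(whoami)" != "root" ]; then
    echo "You are not root."
  else
    echo
  fi
fi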
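# Group ownership is root-only like owner and perms above; report the skip
# the same way those blocks do instead of staying silent.
if [ -n "$group" ] && [ "$(whoami)" = "root" ]; then
  echo "Setting group of jail."
  if ! chgrp "$group" "$jail_dir"; then
    echo " $(basename "$0"): error changing group of jail directory." >&2
    exit 3
  fi
else
  printf 'NOT changing group of root jail. '
  if [ "$(whoami)" != "root" ]; then
    echo "You are not root."
  else
    echo
  fi
fi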
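# Copy the programs the jailed user may run, creating each one's parent
# directory inside the jail first. The old loop iterated over unquoted
# backtick output, which word-split a jail path containing spaces; dirname
# now runs per program on a quoted path. One list drives both the mkdir and
# the cp, so the two passes cannot drift apart.
rsync_path="/usr/bin/rsync"
scp_path="/usr/bin/scp"
sftp_server_path="/usr/libexec/openssh/sftp-server"
rssh_path="/usr/bin/rssh"
chroot_helper_path="/usr/libexec/rssh_chroot_helper"
for prog in "$rsync_path" "$scp_path" "$sftp_server_path" "$rssh_path" "$chroot_helper_path"; do
  # dirname on the jail-prefixed path lets mkdir -p create nested
  # directories such as usr/libexec/openssh in one step.
  jail_path=$(dirname "$jail_dir$prog")
  echo "setting up $jail_path"
  if [ ! -d "$jail_path" ]; then
    mkdir -p "$jail_path" || \
      fail "Error creating $jail_path. Exiting." 4
  fi
  cp -p "$prog" "$jail_dir$prog" || \
    fail "Error copying $prog. Exiting." 5
done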
#####################################################################
#
# identify and copy libraries needed in the jail
#
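# For each jailed program, copy every shared library that ldd resolves.
# Field 3 of a "name => /path (addr)" line is the path. Keeping only fields
# that start with "/" drops the loader and vDSO lines (no path in field 3)
# and also the stray words the old `egrep -v '^\('` let through, such as
# "not" from "=> not found" or "dynamic" from "not a dynamic executable".
for prog in "$rsync_path" "$scp_path" "$sftp_server_path" "$rssh_path" "$chroot_helper_path"; do
  echo "Copying libraries for $prog."
  libs=$(ldd "$prog" | tr -s ' ' | cut -d' ' -f3 | grep '^/')
  echo "libs for $prog = $libs"
  # $libs is deliberately unquoted: it is a whitespace-separated list of
  # paths produced by ldd, and the loop needs one word per library.
  for lib in $libs; do
    mkdir -p "$jail_dir$(dirname "$lib")"
    printf '\t%s\n' "$lib"
    # Best effort, as before: a failed copy is reported on stderr rather
    # than aborting the whole run.
    cp -p "$lib" "$jail_dir$lib" || \
      echo " $(basename "$0"): warning: could not copy $lib" >&2
  done
done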
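echo "copying name service resolution libraries..."
# tar preserves the directory layout under the jail; sed indents the verbose
# file listing for readability. The bare $lib_dir is a fixed word set above,
# and the glob must stay unquoted to expand.
tar -cf - /"$lib_dir"/libnss*_files* | tar -C "$jail_dir" -xvf - | sed 's/^/\t/'
#echo "copy /lib contents for dependencies..."
#tar -cf - /$lib_dir/* | tar -C "$jail_dir" -xvf - |sed 's/^/\t/'
# The dynamic loader is copied explicitly because the ldd pass above only
# takes "=>" resolved paths, and the loader line has none. libcrypt and
# libnss_compat are copied explicitly as well. $jail_dir is now quoted so a
# jail path containing spaces is not split into several operands.
cp -p /"$lib_dir"/ld-linux* "$jail_dir/$lib_dir/"
cp -p /"$lib_dir"/libcrypt* "$jail_dir/$lib_dir/"
cp -p /"$lib_dir"/libnss_compat* "$jail_dir/$lib_dir/"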
#####################################################################
#
# copy config files for the dynamic linker, nsswitch.conf, and the passwd file
#
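echo "Setting up /etc, /dev, /tmp in the chroot jail"
# Note: /tmp is announced above but nothing in this block creates it; the
# chmod of $jail_dir/tmp further down in the file is commented out.
mkdir -p "$jail_dir/dev"
mkdir -p "$jail_dir/etc"
cp -a /dev/null "$jail_dir/dev/"
cp -pr /etc/ld.* "$jail_dir/etc/"
# Copy only the jailed account's own passwd and group entries. The former
# unanchored `grep $owner /etc/passwd` matched any line containing the name
# ("bob" inside "bobby", or a name appearing in another user's GECOS field
# or home path), so other accounts leaked into the jail's passwd; and with
# an empty $owner the word vanished entirely, leaving grep to read stdin
# with "/etc/passwd" as its pattern. An exact match on the first field via
# awk -v (no regex interpretation of the name) gives the jail exactly the
# account it needs. Output is appended, as before, so re-running the script
# adds duplicate lines.
if [ -n "$owner" ]; then
  awk -F: -v name="$owner" '$1 == name' /etc/passwd >> "$jail_dir/etc/passwd"
fi
if [ -n "$group" ]; then
  awk -F: -v name="$group" '$1 == name' /etc/group >> "$jail_dir/etc/group"
fi
printf 'Chroot jail configuration completed.\n'
printf '\nNOTE: if you are not using the passwd file for authentication,\n'
printf 'you may need to copy some of the /lib/libnss_* files into the jail.\n\n'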
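#####################################################################
#
# For end user to dump files.
# Also helps to circumvent strange refresh problem.
# Occurs if user attempts to open non-readable directory above.
# Then if user refreshes jail session, they lose visibility.
# Workaround is to view tmp and then refresh does not do this.
#chmod g+w,o-r "$jail_dir/tmp"
# Base directories of the chroot jail (/dev, /etc, /lib, /usr) are made
# unreadable to group and others. Only the read bit is removed, so the
# jailed user can still traverse them to reach files but cannot list them.
# $jail_dir is quoted so a jail path with spaces is one operand.
chmod go-r "$jail_dir/dev"
chmod go-r "$jail_dir/etc"
chmod go-r "$jail_dir/$lib_dir"
chmod go-r "$jail_dir/usr"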
#####################################################################
#
# set up /dev/log
#
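# Final instructions for the administrator. printf replaces `echo -e`: the
# -e flag is not implemented by every /bin/sh and is then printed literally,
# and printf handles \n and the trailing no-newline case portably.
printf 'NOTE: you must MANUALLY edit your syslog rc script to start syslogd\n'
printf 'with appropriate options to log to %s/dev/log. In most cases,\n' "$jail_dir"
printf 'you will need to start syslog as:\n\n'
printf ' /sbin/syslogd -a %s/dev/log\n\n' "$jail_dir"
printf 'NOTE: we make no guarantee that ANY of this will work for you... '
printf "if it\ndoesn't, you're on your own. Sorry!\n\n"
#####################################################################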