Debian wants libnss_compat* in addition to libnss_files* for UID lookups
to work properly, and doesn't have a libnss1_files*.
Create the /dev/null device in the chroot, needed by sftp-server.
Create the /dev/log device in the chroot, for one less step.
Update the library-copying code so it can parse the new ldd output format.
Update file paths for Debian.
Add better error handling.
Thanks to proctor mcduff for his contributions.
--- rssh.orig/mkchroot.sh
23
#####################################################################
24
#####################################################################
26
## mkchroot.sh - set up a chroot jail.
28
-## This script is written to work for Red Hat 8/9 systems, but may work on
29
-## other systems. Or, it may not... In fact, it may not work at all. Use at
31
+## This script is written to work for Red Hat 8/9 systems and adapted to work
32
+## on Debian systems, but may work on other systems. Or, it may not... In
33
+## fact, it may not work at all. Use at your own risk. :)
40
scp_path="/usr/bin/scp"
41
-sftp_server_path="/usr/libexec/openssh/sftp-server"
42
+sftp_server_path="/usr/lib/openssh/sftp-server"
43
rssh_path="/usr/bin/rssh"
44
-chroot_helper_path="/usr/libexec/rssh_chroot_helper"
45
+chroot_helper_path="/usr/lib/rssh/rssh_chroot_helper"
47
for jail_path in `dirname "$jail_dir$scp_path"` `dirname "$jail_dir$sftp_server_path"` `dirname "$jail_dir$chroot_helper_path"`; do
51
# identify and copy libraries needed in the jail
55
+# linux-gate.so.1 => (0xffffe000)
56
+# libresolv.so.2 => /lib/i686/cmov/libresolv.so.2 (0xb7ef2000)
57
+# libcrypto.so.0.9.8 => /usr/lib/i686/cmov/libcrypto.so.0.9.8 (0xb7da8000)
58
+# libutil.so.1 => /lib/i686/cmov/libutil.so.1 (0xb7da3000)
59
+# libz.so.1 => /usr/lib/libz.so.1 (0xb7d8e000)
60
+# libnsl.so.1 => /lib/i686/cmov/libnsl.so.1 (0xb7d76000)
61
+# libcrypt.so.1 => /lib/i686/cmov/libcrypt.so.1 (0xb7d44000)
62
+# libgssapi_krb5.so.2 => /usr/lib/libgssapi_krb5.so.2 (0xb7d1b000)
63
+# libkrb5.so.3 => /usr/lib/libkrb5.so.3 (0xb7c8d000)
64
+# libk5crypto.so.3 => /usr/lib/libk5crypto.so.3 (0xb7c69000)
65
+# libcom_err.so.2 => /lib/libcom_err.so.2 (0xb7c66000)
66
+# libc.so.6 => /lib/i686/cmov/libc.so.6 (0xb7b19000)
67
+# libdl.so.2 => /lib/i686/cmov/libdl.so.2 (0xb7b15000)
68
+# libkrb5support.so.0 => /usr/lib/libkrb5support.so.0 (0xb7b0d000)
69
+# libkeyutils.so.1 => /lib/libkeyutils.so.1 (0xb7b09000)
70
+# /lib/ld-linux.so.2 (0xb7f13000)
72
+# either the first or the third column may contain a path
75
for prog in $scp_path $sftp_server_path $rssh_path $chroot_helper_path; do
76
echo "Copying libraries for $prog."
77
- libs=`ldd $prog | tr -s ' ' | cut -d' ' -f3`
78
+ libs=`ldd $prog | awk '$1 ~ /^\// {print $1} $3 ~ /^\// {print $3}'`
80
- mkdir -p "$jail_dir$(dirname $lib)"
81
+ mkdir -p "$jail_dir$(dirname $lib)" || \
82
+ fail "Error creating $(dirname $lib). Exiting" 6
84
- cp "$lib" "$jail_dir$lib"
85
+ cp "$lib" "$jail_dir$lib" || \
86
+ fail "Error copying $lib. Exiting" 6
90
echo "copying name service resolution libraries..."
91
-tar -cf - /lib/libnss_files* /lib/libnss1_files* | tar -C "$jail_dir" -xvf - |sed 's/^/\t/'
92
+tar -cf - /lib/libnss_compat* /lib/libnss_files* | tar -C "$jail_dir" -xvf - |sed 's/^/\t/'
94
#####################################################################
99
echo "Setting up /etc in the chroot jail"
100
-mkdir -p "$jail_dir/etc"
101
-cp /etc/nsswitch.conf "$jail_dir/etc/"
102
-cp /etc/passwd "$jail_dir/etc/"
103
-cp /etc/ld.* "$jail_dir/etc/"
105
-echo -e "Chroot jail configuration completed."
106
-echo -e "\nNOTE: if you are not using the passwd file for authentication,"
107
-echo -e "you may need to copy some of the /lib/libnss_* files into the jail.\n"
108
+mkdir -p "$jail_dir/etc" || fail "Error creating /etc. Exiting" 7
109
+cp /etc/nsswitch.conf "$jail_dir/etc/" || \
110
+ fail "Error copying /etc/nsswitch.conf. Exiting" 7
111
+cp /etc/passwd "$jail_dir/etc/" || \
112
+ fail "Error copying /etc/passwd. Exiting" 7
113
+cp -r /etc/ld.* "$jail_dir/etc/" || \
114
+ fail "Error copying /etc/ld.*. Exiting" 7
117
#####################################################################
123
mkdir -p "$jail_dir/dev"
124
+if [ `whoami` = "root" ]; then
125
+ cp -a /dev/log "$jail_dir/dev" || \
126
+ fail "Error creating /dev/log. Exiting" 8
127
+ cp -a /dev/null "$jail_dir/dev" || \
128
+ fail "Error creating /dev/null. Exiting" 8
130
+ echo -e "NOT creating /dev/null and /dev/log in the chroot jail. \c"
131
+ echo -e "You are not root.\n"
134
+echo -e "Chroot jail configuration completed.\n"
136
+echo -e "NOTE: if you are not using the passwd file for authentication,"
137
+echo -e "you may need to copy some of the /lib/libnss_* files into the jail.\n"
139
echo -e "NOTE: you must MANUALLY edit your syslog rc script to start syslogd"
140
echo -e "with appropriate options to log to $jail_dir/dev/log. In most cases,"
141
echo -e "you will need to start syslog as:\n"
142
-echo -e " /sbin/syslogd -a $jail_dir/dev/log\n"
143
+echo -e " /sbin/syslogd -a $jail_dir/dev/log\n\n"
145
echo -e "NOTE: we make no guarantee that ANY of this will work for you... \c"
146
echo -e "if it\ndoesn't, you're on your own. Sorry!\n"
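Review bot: The new root test on the whoami line in the /dev section compares a user name rather than the effective UID, so it checks naming instead of the privilege actually needed to create device nodes in the jail; `if [ "$(id -u)" -eq 0 ]; then` tests the effective UID directly (the `else`/`fi` of that block are not shown in this excerpt). The non-root branch only prints a warning, after which the script still reports "Chroot jail configuration completed." and exits 0, so a caller cannot tell that the jail is missing the /dev/null node the description says sftp-server needs; routing that branch through `fail` with its own exit status, or documenting in the header comment that a non-root run produces an incomplete jail, would make the outcome visible. Separately, the `cp /etc/passwd "$jail_dir/etc/"` line, now guarded with `|| fail`, still copies every system account into the jail, which lets a jailed user enumerate all local accounts; I cannot see from the hunk whether the file is trimmed elsewhere, but limiting the copy to the accounts that actually use the jail would reduce that exposure.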