#!/bin/bash
#
# Gregory Colpart <reg@evolix.fr>
# chroot script for OpenSSH
# $Id: chroot-ssh.sh,v 1.12 2010-07-02 17:40:29 gcolpart Exp $
#
# Tested on Debian Etch and, more recently, on Lenny.
# Run this script as root, with bash as in the shebang (the jail-creation
# path relies on bash brace expansion), to create a jail:
#   ./chroot-ssh.sh /backup/jails/myserver
# Note: etc/{sshd_config,passwd,shadow,group} must be present in the current
# directory; they are copied into the jail's etc/. Keep that etc/shadow
# readable by root only.
#
# Caveat: the jailed sshd is started by root and reuses the host's private
# host keys, so the jail is an administrative separation, not a security
# boundary against a root-level compromise inside it.
#
# For Etch
# Start:   chroot /backup/jails/myserver /usr/sbin/sshd > /dev/null
# Reload:  kill -HUP `chroot /backup/jails/myserver cat /var/run/sshd.pid`
# Stop:    kill -9 `chroot /backup/jails/myserver cat /var/run/sshd.pid`
#          (SIGKILL skips sshd's own cleanup; prefer a plain kill (SIGTERM)
#          first and fall back to -9 only if the daemon does not stop)
# Restart: Stop + Start
#
# For Lenny
# Start:
#   chroot /backup/jails/myserver mount -t proc proc-chroot /proc/
#   chroot /backup/jails/myserver mount -t devpts devpts-chroot /dev/pts/
#   chroot /backup/jails/myserver /usr/sbin/sshd > /dev/null
# Reload:  kill -HUP `chroot /backup/jails/myserver cat /var/run/sshd.pid`
# Stop:    kill -9 `chroot /backup/jails/myserver cat /var/run/sshd.pid`
#          (same remark as above: try SIGTERM before SIGKILL)
# Restart:
#   kill -9 `chroot /backup/jails/myserver cat /var/run/sshd.pid`
#   chroot /backup/jails/myserver /usr/sbin/sshd > /dev/null
#
# After *each* ssh upgrade or libs upgrade:
#   ./chroot-ssh.sh updateall
# and restart all sshd daemons: the binaries and libraries copied into the
# jails are otherwise left at the old, possibly vulnerable, version.
#

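bincopy() {
  # Populate (or refresh) the jail rooted at $1 with the dynamic loader, the
  # NSS modules, a fixed list of binaries and every shared library those
  # binaries link against (as reported by ldd).
  # Arguments: $1 - absolute path of the jail directory
  # Destination directories are created on demand, so library paths the jail
  # skeleton does not pre-create (e.g. multiarch /lib/x86_64-linux-gnu) work.
  local chrootdir=$1
  local dbin lib

  # TODO: better detection of amd64 arch. Try the 32-bit loader first and
  # fall back to the 64-bit one; the first cp's error is expected on amd64.
  mkdir -p -- "$chrootdir/lib" "$chrootdir/lib64"
  cp -f /lib/ld-linux.so.2 "$chrootdir/lib/" 2>/dev/null \
    || cp -f /lib64/ld-linux-x86-64.so.2 "$chrootdir/lib64/"
  # NSS modules are dlopen()ed at runtime, so ldd below never lists them.
  cp /lib/libnss* "$chrootdir/lib/"

  for dbin in /bin/bash /bin/cat /bin/chown /bin/mknod /bin/rm /bin/sed \
              /bin/sh /bin/uname /bin/mount /usr/bin/rsync /usr/sbin/sshd \
              /usr/lib/openssh/sftp-server; do
    mkdir -p -- "$chrootdir${dbin%/*}"
    cp -f -- "$dbin" "$chrootdir$dbin"
    # (as in http://www.gcolpart.com/hacks/chroot-bind.sh)
    # Keep only absolute paths from ldd's output, i.e. "name => /path (addr)"
    # and "/path (addr)"; the vDSO line ("linux-gate.so.1 => (addr)") and a
    # "statically linked" message carry nothing to copy. Word-splitting of
    # the substitution is intended: library paths contain no whitespace.
    for lib in $(ldd "$dbin" 2>/dev/null \
                 | awk '$2 == "=>" && $3 ~ /^\// { print $3; next }
                        $1 ~ /^\// { print $1 }'); do
      mkdir -p -- "$chrootdir${lib%/*}"
      cp -p -- "$lib" "$chrootdir$lib"
    done
  done
}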
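# synopsis
if [ $# -ne 1 ]; then
  echo "Vous devez indiquer un repertoire."
  echo "Exemple : chroot-ssh.sh /backup/jails/myserver"
  exit 1    # usage error must not report success (was exit 0)
fi

# are u root?  (chroot, chown and MAKEDEV below all require uid 0)
if [ "$(id -u)" -ne 0 ]; then
  echo "Vous devez executer le script en étant root."
  exit 1
fi

if [ "$1" = "updateall" ]; then

  # Refresh loader, binaries and libraries of every existing jail. A jail is
  # recognised by the libnss_compat copy that bincopy installs; an unmatched
  # glob expands to itself, hence the -e guard.
  for nss in /backup/jails/*/lib/libnss_compat.so.2; do
    [ -e "$nss" ] || continue
    chrootdir=${nss%/lib/libnss_compat.so.2}
    echo -n "MaJ $chrootdir ..."
    bincopy "$chrootdir"
    echo "...OK"
  done

else

  # where is jail
  chrootdir=$1

  if [ -e "$chrootdir" ]; then
    # Warn only: re-running on an existing jail overwrites its etc/ files
    # (passwd, shadow, sshd_config, host keys) with the ones from ./etc.
    echo "Le repertoire $chrootdir existe deja..."
  fi

  mkdir -p -- "$chrootdir" || exit 1
  chown root:root "$chrootdir"

  # create jail

  echo -n "1 - Creation de la prison..."

  mkdir -p "$chrootdir"/{bin,dev,etc/ssh,lib,lib64}
  mkdir -p "$chrootdir"/lib/tls/i686/cmov/
  mkdir -p "$chrootdir"/proc
  mkdir -p "$chrootdir"/root/.ssh
  mkdir -p "$chrootdir"/usr/lib/i686/cmov/
  mkdir -p "$chrootdir"/lib/i686/cmov/
  mkdir -p "$chrootdir"/usr/{bin,lib,sbin}
  mkdir -p "$chrootdir"/usr/lib/openssh
  mkdir -p "$chrootdir"/var/log/
  mkdir -p "$chrootdir"/var/run/sshd

  touch "$chrootdir"/var/log/{authlog,lastlog,messages,syslog}
  touch "$chrootdir"/etc/fstab

  echo "...OK"

  echo -n "2 - Copie des donnees..."
  cp /proc/devices "$chrootdir/proc"

  # The jail reuses the host's private host keys: clients see the same host
  # identity, and a compromise inside the jail exposes the host's keys.
  cp /etc/ssh/{ssh_host_rsa_key,ssh_host_dsa_key} "$chrootdir/etc/ssh/"
  # sshd_config, passwd, shadow and group are taken from ./etc (relative to
  # the directory the script is run from).
  cp etc/sshd_config "$chrootdir/etc/ssh/"
  cp etc/passwd "$chrootdir/etc/"
  cp etc/shadow "$chrootdir/etc/"
  cp etc/group "$chrootdir/etc/"
  # cp creates the copies with the source mode (masked by umask); if ./etc/shadow
  # or the host keys were prepared with lax permissions, the jail would expose
  # password hashes / private keys, so make them root-only explicitly.
  chmod 0600 "$chrootdir/etc/shadow"
  chmod 0600 "$chrootdir/etc/ssh/ssh_host_rsa_key" "$chrootdir/etc/ssh/ssh_host_dsa_key"

  echo ".......OK"

  echo -n "3 - Copie des binaires..."

  bincopy "$chrootdir"

  echo "......OK"

  echo -n "4 - Creation des devices..."
  # Abort if the jail's dev/ cannot be entered: MAKEDEV would otherwise
  # create device nodes in whatever directory the script was run from.
  cd "$chrootdir/dev/" || exit 1

  MAKEDEV {null,random,urandom,pty}
  mkdir -p pts
  #mknod ptmx c 5 2

  echo "....OK"

  echo -n "5 - Termine."

  # end

  echo ""

fi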