forked from pmenhart/make_chroot_jail
-
Notifications
You must be signed in to change notification settings - Fork 2
/
make_chroot_jail.sh
executable file
·741 lines (659 loc) · 26.1 KB
/
make_chroot_jail.sh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
#!/bin/sh
#
# (c) Copyright by Wolfgang Fuschlberger
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
# ( http://www.fsf.org/licenses/gpl.txt )
#####################################################################
# first Release: 2004-07-30
RELEASE="2020-05-07"
#
# The original script was taken from
# http://www.fuschlberger.net/programs/ssh-scp-sftp-chroot-jail/
#
# Feedback is welcome!
#
# Thanks for Bugfixes / Enhancements to
# Michael Prokop <http://www.michael-prokop.at/chroot/>,
# Randy K., Randy D., Jonathan Hunter and everybody else.
#####################################################################
#
# Features:
# - enable scp and sftp in the chroot-jail
# - use one directory (default /home/jail/) as chroot for all users
# - create new accounts
# - move existing accounts to chroot
#####################################################################
#
# Modified by pmenhart/Benbria:
# - work on Ubuntu 8.04
# - added APPS: cat more less nano
# - copy /lib/terminfo
# - made the script non-interactive
# -- create user without a password
# -- if the user exists and jailed then do nothing
# -- if the user exists then jail her
# -- do not create shell if already exists
#
# Original: http://www.devcu.com/forums/topic/560-chrootjail-users-for-sshscp-ubuntu-1204/
# Based on http://www.fuschlberger.net/programs/ssh-scp-sftp-chroot-jail/
#####################################################################
#
# Modified by Maksim Kramarenko
# http://www.k-max.name/
# - tested on Debian 9
# - added more friendly help
# - script became more talkative
# - Added lots of CLI options (see -h option)
# - if you use a single partition, you can use hard links instead of copy (use -l, --link options)
# - fixed some problems with "&>/dev/null"
# - removed APPS: cat more less nano (now, you can add it by CLI option -a )
#
#####################################################################
# path to sshd's config file: needed for automatic detection of the locaten of
# the sftp-server binary
SSHD_CONFIG="/etc/ssh/sshd_config"
#
APPS=""
action=add
SHELL=/bin/chroot-shell
JAILPATH=/home/jail
LINK=cp
PAM=copy
# Show HELP message
usage () {
echo
echo "USAGE: $0 < -u username [options]... | --update [options]... | -h >"
echo
echo " -u, --user username Set the name of new or exist user"
echo " --update Update files (not user) inside of jail"
echo " -h, --help Show this message"
echo
echo " Options:"
echo " -a --apps \"/path/app1 /p/to/app2\" Add your apps to be avaliable inside of Jail."
echo " Space-separated quoted list of paths"
echo " -c --config /path/to/sshd_config Set path to sshd_config. (\$SSHD_CONFIG)"
echo " Default:/etc/ssh/sshd_config"
echo " -j, --jail /path/to/jail Set the root of jail."
echo " Default:/home/jail"
echo " -l, --link Set hard link mode."
echo " -n, --nopam Do not copy PAM libs."
echo " -s, --shell /path/to/chroot-shell Set name of shell. "
echo " User will be chrooted by this script."
echo " Default:/bin/chroot-shell"
echo
echo "-------------------------------------------------------------"
echo
echo "Create new chrooted account or"
echo "add existing User to chroot-jail:"
echo "-> $0 -u username"
echo
echo "or specify the chroot-shell file, path where the jail should be located and [--link] option:"
echo "-> $0 -u username -s /path/to/chroot-shell -j /path/to/jail --link"
echo "-------------------------------------------------------------"
echo
echo "You can specify [--link] option, if the files in the chroot are "
echo "on the same file system as the original files."
echo "It creates hard links instead of copy files."
echo "By default, script copies files."
echo "-------------------------------------------------------------"
echo
echo "You can specify [--nopam] option, in case you don't want to use the PAM inside the jail."
echo "E.g. if you use script to build chroot for SSHD."
echo "-------------------------------------------------------------"
echo
echo "or update files in the chroot-jail:"
echo "-> $0 --update -s /path/to/chroot-shell -j /path/to/jail --link"
echo "-------------------------------------------------------------"
echo
echo "You can include your application to the chroot by modification of \$APPS variable"
echo "-------------------------------------------------------------"
echo
echo "-------------------------------------------------------------"
echo
echo "To uninstall:"
echo " # userdel \$USER"
echo " # rm -rf /home/jail"
echo " (this deletes all Users' files!)"
echo " # rm -f /bin/chroot-shell"
echo " manually delete the User's line from /etc/sudoers"
}
cp () {
if [ $LINK = "ln" ]; then
if [ "$1" = "-p" ]; then shift ; fi
# prevent create Link for recurcive copy
if [ "$1" != "-r" ]; then
# echo "Start create hard links for files $*"
for dst in $@; do :; done # get the latest CLI argument = destination
# create links of each argument
until [ "$1" = "$dst" ]; do
if [ -d $dst ]; then
# echo "current link to DIR will be ln -v --force $( readlink -nf $1 ) $dst/$( basename -z $1 )"
#ln -v --force $( readlink -nf $1 ) $dst/$( basename -z $1 )
ln --force $( readlink -nf $1 ) $dst/$( basename -z $1 )
shift
else
# echo "current link NOT to DIR will be ln -v --force $( readlink -nf $1 ) $dst"
#ln -v --force $( readlink -nf $1 ) $dst
ln --force $( readlink -nf $1 ) $dst
shift
fi
done
else
# echo "Start Copy files Recucively"
#echo " options sre $*"
/bin/cp $*
fi
else
#echo "Start Copy files"
#echo " options sre $*"
/bin/cp $*
fi
} # This replace of cp command to make hard links of just copy
##### Main
if [ $# -eq 0 ] ; then
echo
echo "USAGE: $0 < -u username [options]... | --update [options]... | -h >"
echo
exit 1
fi
while [ "$1" != "" ]; do
case $1 in
-a | --apps ) shift
APPS="$1"
;;
--update ) action=update
;;
-u | -user ) shift
CHROOT_USERNAME=$1
;;
-s | --shell ) shift
SHELL=$1
;;
-j | --jail ) shift
JAILPATH=$1
;;
-l | --link ) LINK=ln
;;
-n | --nopam ) PAM=nocopy
;;
-c | --config ) shift
SSHD_CONFIG=$1
;;
-h | -? | --help ) usage
exit
;;
* ) usage
exit 1
esac
shift
done
echo
if [ $action = "update" ]; then
echo "!!! You are going to <$action> all files (hard links) inside of Jail <$JAILPATH>."
else
echo "!!! You are going to <$action> the user <$CHROOT_USERNAME> into the Jail <$JAILPATH>."
fi
echo "Shell to make the jail is <$SHELL>. Files will be <${LINK}>'ed."
echo "Config of SSHd is <$SSHD_CONFIG>. PAM modules will be <$PAM>'ed."
echo "List of additional application into the Jail is <$APPS>."
echo "
-----------------------------
Is it correct?"
read -p "(yes/no) -> " CORRECT
if [ "$CORRECT" != "yes" ]; then
echo "
Not entered yes. Exiting...."
exit 1
fi
if [ -z "$PATH" ] ; then
PATH=/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin
fi
echo
echo $0 Release: $RELEASE
echo
if [ "$(whoami &2>/dev/null)" != "root" ] && [ "$(id -un &2>/dev/null)" != "root" ] ; then
echo "Error: You must be root to run this script."
exit 1
fi
# Check existence of necessary files
echo "Checking distribution... "
if [ -f /etc/debian_version ];
then echo -n " Supported Distribution found:"
echo " System is running Debian Linux"
DISTRO=DEBIAN;
### Check Ubuntu version (e.g. hardy, precise)
#UBUNTU_CODENAME=`lsb_release -c | cut -f 2` # DO NOT NEED IT ANYMORE
# added more universal way
elif [ -f /etc/SuSE-release ];
then echo -n " Supported Distribution found^"
echo " System is running SuSE Linux"
DISTRO=SUSE;
elif [ -f /etc/fedora-release ];
then echo -n " Supported Distribution found:"
echo " System is running Fedora Linux"
DISTRO=FEDORA;
elif [ -f /etc/redhat-release ];
then echo -n " Supported Distribution found:"
echo " System is running Red Hat Linux"
DISTRO=REDHAT;
else echo -e " failed...........\nThis script works best on Debian, Red Hat, Fedora and SuSE Linux!\nLet's try it nevertheless....\nIf some program files cannot be found adjust the respective path in line 98\n"
#exit 1
fi
# Specify the apps you want to copy to the jail
if [ "$DISTRO" = SUSE ]; then
APPS="${APPS} /bin/bash /bin/cp /usr/bin/dircolors /bin/ls /bin/mkdir /bin/mv /bin/rm /bin/rmdir /bin/sh /bin/su /usr/bin/groups /usr/bin/id /usr/bin/netcat /usr/bin/rsync /usr/bin/ssh /usr/bin/scp /sbin/unix_chkpwd"
elif [ "$DISTRO" = FEDORA ]; then
APPS="${APPS} /bin/bash /bin/cp /usr/bin/dircolors /bin/ls /bin/mkdir /bin/mv /bin/rm /bin/rmdir /bin/sh /bin/su /usr/bin/groups /usr/bin/id /usr/bin/nc /usr/bin/rsync /usr/bin/ssh /usr/bin/scp /sbin/unix_chkpwd"
elif [ "$DISTRO" = REDHAT ]; then
APPS="${APPS} /bin/bash /bin/cp /usr/bin/dircolors /bin/ls /bin/mkdir /bin/mv /bin/rm /bin/rmdir /bin/sh /bin/su /usr/bin/groups /usr/bin/id /usr/bin/nc /usr/bin/rsync /usr/bin/ssh /usr/bin/scp /sbin/unix_chkpwd"
elif [ "$DISTRO" = DEBIAN ]; then
APPS="${APPS} /bin/bash /bin/cp /usr/bin/dircolors /bin/ls /bin/mkdir /bin/mv /bin/rm /bin/rmdir /bin/sh /bin/su /usr/bin/groups /usr/bin/id /usr/bin/rsync /usr/bin/ssh /usr/bin/scp /sbin/unix_chkpwd"
else
APPS="${APPS} /bin/bash /bin/cp /usr/bin/dircolors /bin/ls /bin/mkdir /bin/mv /bin/rm /bin/rmdir /bin/sh /bin/su /usr/bin/groups /usr/bin/id /usr/bin/rsync /usr/bin/ssh /usr/bin/scp /usr/sbin/unix_chkpwd"
fi
#echo $APPS
# Check existence of necessary files
echo -n "Checking for which... "
#if [ -f $(which which) ] ;
# not good because if which does not exist I look for an
# empty filename and get OK nevertheless
if ( test -f /usr/bin/which ) || ( test -f /bin/which ) || ( test -f /sbin/which ) || ( test -f /usr/sbin/which );
then echo " OK";
else echo " failed
Please install which-binary!
You can try to find it by:
yum whatprovides */which # on RHEL
apt-file search /which | grep /which$ # on Deb-based
zypper search --provides which # on SUSE
"
exit 1
fi
echo -n "Checking for chroot..."
if [ `which chroot` ];
then echo " OK";
else echo " failed
chroot not found!
Please install chroot-package/binary! (usually named like coreutils)
You can try to find it by:
yum whatprovides */chroot # on RHEL
apt-file search /chroot | grep /chroot$ # on Deb-based
zypper search --provides chroot # on SUSE
"
exit 1
fi
echo -n "Checking for sudo..."
if [ `which sudo` ]; then
echo " OK";
else
echo " failed
sudo not found!
Please install sudo-package/binary! (named like sudo)
You can try to find it by:
yum whatprovides */sudo # on RHEL
apt-file search /sudo | /grep sudo$ # on Deb-based
zypper search --provides sudo # on SUSE
"
exit 1
fi
echo -n "Checking for dirname..."
if [ `which dirname` ]; then
echo " OK";
else
echo " failed
dirname not found!
Please install dirname-binary (to be found eg in the package coreutils)!
You can try to find it by:
yum whatprovides */dirname # on RHEL
apt-file search /dirname | grep /dirname$ # on Deb-based
zypper search --provides dirname # on SUSE
"
exit 1
fi
echo -n "Checking for readlink..."
if [ `which readlink` ]; then
echo " OK";
else
echo " failed
readlink not found!
Please install readlink-binary (to be found eg in the package coreutils)!
You can try to find it by:
yum whatprovides */readlink # on RHEL
apt-file search /readlink | grep /readlink$ # on Deb-based
zypper search --provides readlink # on SUSE
"
exit 1
fi
echo -n "Checking for awk..."
if [ `which awk` ]; then
echo " OK
";
else
echo " failed
awk not found!
Please install (g)awk-package/binary! (named like gawk)
You can try to find it by:
yum whatprovides */awk # on RHEL
apt-file search awk | grep awk$ # on Deb-based
zypper search --provides awk # on SUSE
"
exit 1
fi
# get location of sftp-server binary from /etc/ssh/sshd_config
# check for existence of /etc/ssh/sshd_config and for
# (uncommented) line with sftp-server filename. If neither exists, just skip
# this step and continue without sftp-server
#
#if (test ! -f /etc/ssh/sshd_config &> /dev/null); then
# echo "
#File /etc/ssh/sshd_config not found.
#Not checking for path to sftp-server.
# ";
#else
if [ ! -f ${SSHD_CONFIG} ]
then
echo "File ${SSHD_CONFIG} not found."
echo "Not checking for path to sftp-server."
echo "Please adjust the global \$SSHD_CONFIG variable"
else
if !(grep -v "^#" ${SSHD_CONFIG} | grep -i sftp-server &> /dev/null); then
echo "Obviously no external sftp-server is running on this system.
";
else SFTP_SERVER=$(grep -v "^#" ${SSHD_CONFIG} | grep -i sftp-server | awk '{ print $3}')
fi
fi
#if !(grep -v "^#" /etc/ssh/sshd_config | grep -i sftp-server /etc/ssh/sshd_config | awk '{ print $3}' &> /dev/null); then
APPS="$APPS $SFTP_SERVER"
# Get accountname to create / move # do not need it anymore because it passed by CLI
#CHROOT_USERNAME=$1
# if ! [ -z "$2" ] ; then
# SHELL=$2
# else
# SHELL=/bin/chroot-shell
# fi
# if ! [ -z "$3" ] ; then
# JAILPATH=$3
# else
# JAILPATH=/home/jail
# fi
# Exit if user already exists
#id $CHROOT_USERNAME > /dev/null 2>&1 && { echo "User exists."; echo "Exiting."; exit 1; }
# Check if user already exists and ask for confirmation
# we have to trust that root knows what she is doing when saying 'yes'
if ( test "$CHROOT_USERNAME" != "" && id $CHROOT_USERNAME > /dev/null 2>&1 ) ; then {
echo -n "User $CHROOT_USERNAME exists."
#TODO: add to CLI interactive mode
#echo "-----------------------------
#User $CHROOT_USERNAME exists.
#Are you sure you want to modify the users home directory and lock him into the
#chroot directory?
#Are you REALLY sure?
#Say only yes if you absolutely know what you are doing!"
# read -p "(yes/no) -> " MODIFYUSER
# if [ "$MODIFYUSER" != "yes" ]; then
# echo "
#Not entered yes. Exiting...."
if [ -d $JAILPATH/home/$CHROOT_USERNAME ] ; then
echo "Already jailed. Exiting...."
exit 1
fi
echo "Adding the user to jail."
MODIFYUSER="yes"
}
else
CREATEUSER="yes"
fi
# Create $SHELL (shell for jailed accounts)
if [ -f ${SHELL} ] ; then
echo "The file $SHELL already exists."
# echo "
#-----------------------------
#The file $SHELL exists.
#Probably it was created by this script.
#
#Are you sure you want to overwrite it?
#(you want to say yes for example if you are running the script for the second
#time when adding more than one account to the jail)"
# read -p "(yes/no) -> " OVERWRITE
# if [ "$OVERWRITE" != "yes" ]; then
# echo "
# Not entered yes. Exiting...."
# exit 1
# fi
else
echo "Creating $SHELL"
echo '#!/bin/sh' > $SHELL
echo "`which sudo` `which chroot` $JAILPATH /bin/su - \$USER" \"\$@\" >> $SHELL
chmod 755 $SHELL
fi
# make common jail for everybody if inexistent
if [ ! -d ${JAILPATH} ] ; then
mkdir -p ${JAILPATH}
echo "Creating ${JAILPATH}"
fi
cd ${JAILPATH}
# Create directories in jail that do not exist yet
JAILDIRS="dev etc etc/pam.d bin home sbin usr usr/bin usr/lib"
for directory in $JAILDIRS ; do
if [ ! -d "$JAILPATH/$directory" ] ; then
mkdir $JAILPATH/"$directory"
echo "Creating $JAILPATH/$directory"
fi
done
echo
# Comment in the following lines if your apache can't read the directories and
# uses the security contexts
# Fix security contexts so Apache can read files
#CHCON=$(`which chcon`)
#if [ -n "$CHCON" ] && [ -x $CHCON ]; then
# $CHCON -t home_root_t $JAILPATH/home
# $CHCON -t user_home_dir_t $JAILPATH/home/$CHROOT_USERNAME
#fi
# Creating necessary devices
[ -r $JAILPATH/dev/urandom ] || mknod $JAILPATH/dev/urandom c 1 9
[ -r $JAILPATH/dev/null ] || mknod -m 666 $JAILPATH/dev/null c 1 3
[ -r $JAILPATH/dev/zero ] || mknod -m 666 $JAILPATH/dev/zero c 1 5
[ -r $JAILPATH/dev/tty ] || mknod -m 666 $JAILPATH/dev/tty c 5 0
# if we only want to update the files in the jail
# skip the creation of the new account
if [ $action != "update" ]; then
# Modifiy /etc/sudoers to enable chroot-ing for users
# must be removed by hand if account is deleted
echo "Modifying /etc/sudoers"
echo "$CHROOT_USERNAME ALL=NOPASSWD: `which chroot`, /bin/su - $CHROOT_USERNAME" >> /etc/sudoers
# Define HomeDir for simple referencing
HOMEDIR="$JAILPATH/home/$CHROOT_USERNAME"
# Create new account, setting $SHELL to the above created script and
# $HOME to $JAILPATH/home/*
if [ "$CREATEUSER" != "yes" ] ; then
echo " Not creating new User account
Modifying User \"$CHROOT_USERNAME\"
Copying files in $CHROOT_USERNAME's \$HOME to \"$HOMEDIR\"
"
usermod -d "$HOMEDIR" -m -s "$SHELL" $CHROOT_USERNAME && chmod 700 "$HOMEDIR"
fi # endif usermod
if [ "$CREATEUSER" = "yes" ] ; then {
echo "Adding User \"$CHROOT_USERNAME\" to system (no password)"
useradd -m -d "$HOMEDIR" -s "$SHELL" $CHROOT_USERNAME && chmod 700 "$HOMEDIR"
# Enter password for new account - TODO for interactive mode
#if !(passwd $CHROOT_USERNAME);
# then echo "Passwords are probably not the same, try again."
# exit 1;
# fi
# echo
}
fi # endif useradd
# Create /usr/bin/groups in the jail
echo "#!/bin/bash" > usr/bin/groups
echo "id -Gn" >> usr/bin/groups
chmod 755 usr/bin/groups
# Add users to etc/passwd
#
# check if file exists (ie we are not called for the first time)
# if yes skip root's entry and do not overwrite the file
if [ ! -f etc/passwd ] ; then
grep /etc/passwd -e "^root" > ${JAILPATH}/etc/passwd
fi
if [ ! -f etc/group ] ; then
grep /etc/group -e "^root" > ${JAILPATH}/etc/group
# add the group for all users to etc/group (otherwise there is a nasty error
# message and probably because of that changing directories doesn't work with
# winSCP)
grep /etc/group -e "^users" >> ${JAILPATH}/etc/group
fi
# grep the username which was given to us from /etc/passwd and add it
# to ./etc/passwd replacing the $HOME with the directory as it will then
# appear in the jail
echo "Adding User $CHROOT_USERNAME to jail"
grep -e "^$CHROOT_USERNAME:" /etc/passwd | \
sed -e "s#$JAILPATH##" \
-e "s#$SHELL#/bin/bash#" >> ${JAILPATH}/etc/passwd
# if the system uses one account/one group we write the
# account's group to etc/group
grep -e "^$CHROOT_USERNAME:" /etc/group >> ${JAILPATH}/etc/group
# write the user's line from /etc/shadow to /home/jail/etc/shadow
grep -e "^$CHROOT_USERNAME:" /etc/shadow >> ${JAILPATH}/etc/shadow
chmod 600 ${JAILPATH}/etc/shadow
# endif for =! update
fi
# Copy the apps and the related libs
echo "Copying necessary library-files to jail (may take some time)"
# The original code worked fine on RedHat 7.3, but did not on FC3.
# On FC3, when the 'ldd' is done, there is a 'linux-gate.so.1' that
# points to nothing (or a 90xb.....), and it also does not pick up
# some files that start with a '/'. To fix this, I am doing the ldd
# to a file called ldlist, then going back into the file and pulling
# out the libs that start with '/'
#
# Randy K.
#
# The original code worked fine on 2.4 kernel systems. Kernel 2.6
# introduced an internal library called 'linux-gate.so.1'. This
# 'phantom' library caused non-critical errors to display during the
# copy since the file does not actually exist on the file system.
# To fix re-direct output of ldd to a file, parse the file and get
# library files that start with /
#
# create temporary files with mktemp, if that doesn't work for some reason use
# the old method with $HOME/ldlist[2] (so I don't have to check the existence
# of the mktemp package / binary at the beginning
#
# Maksim K
#
# Don't know why, but redirection operator "&>/dev/null" is not working on Debian 9
# (where /bin/sh -> /bin/dash), so, I've replaced it to the ">/dev/null 2>&1".
TMPFILE1=`mktemp -q` >/dev/null 2>&1 || TMPFILE1="${HOME}/ldlist"; if [ -x ${TMPFILE1} ]; then mv -v ${TMPFILE1} ${TMPFILE1}.bak;fi
TMPFILE2=`mktemp -q` >/dev/null 2>&1 || TMPFILE2="${HOME}/ldlist2"; if [ -x ${TMPFILE2} ]; then mv -v ${TMPFILE2} ${TMPFILE2}.bak;fi
for app in $APPS; do
# First of all, check that this application exists
if [ -x $app ]; then
# Check that the directory exists; create it if not.
# app_path=`echo $app | sed -e 's#\(.\+\)/[^/]\+#\1#'`
app_path=`dirname $app`
if ! [ -d .$app_path ]; then
mkdir -p .$app_path
fi
# If the files in the chroot are on the same file system as the
# original files you should be able to use hard links instead of
# copying the files, too. Symbolic links cannot be used, because the
# original files are outside the chroot.
cp -p $app .$app
# get list of necessary libraries
ldd $app >> ${TMPFILE1}
fi
done
# Clear out any old temporary file before we start
for libs in `cat ${TMPFILE1}`; do
frst_char="`echo $libs | cut -c1`"
if [ "\"$frst_char\"" = "\"/\"" ]; then
# if [ "$frst_char" = "/" ]; then
echo "$libs" >> ${TMPFILE2}
fi
done
for lib in `cat ${TMPFILE2}`; do
mkdir -p .`dirname $lib` > /dev/null 2>&1
# If the files in the chroot are on the same file system as the original
# files you should be able to use hard links instead of copying the files,
# too. Symbolic links cannot be used, because the original files are
# outside the chroot.
cp $lib .$lib
done
#
# Now, cleanup the 2 files we created for the library list
#
#/bin/rm -f ${HOME}/ldlist
#/bin/rm -f ${HOME}/ldlist2
/bin/rm -f ${TMPFILE1}
/bin/rm -f ${TMPFILE2}
# Necessary files that are not listed by ldd.
#
# There might be errors because of files that do not exist but in the end it
# may work nevertheless (I added new file names at the end without deleting old
# ones for reasons of backward compatibility).
# So please test ssh/scp before reporting a bug.
if [ "$DISTRO" = SUSE ]; then
cp /lib/libnss_compat.so.2 /lib/libnss_files.so.2 /lib/libnss_dns.so.2 /lib/libxcrypt.so.1 ${JAILPATH}/lib/
elif [ "$DISTRO" = FEDORA ]; then
cp /lib/libnss_compat.so.2 /lib/libnsl.so.1 /lib/libnss_files.so.2 /lib/ld-linux.so.2 /lib/ld-ldb.so.3 /lib/ld-lsb.so.3 /lib/libnss_dns.so.2 /lib/libxcrypt.so.1 ${JAILPATH}/lib/
cp /lib/*.* ${JAILPATH}/lib/
cp /usr/lib/libcrack.so.2 ${JAILPATH}/usr/lib/
elif [ "$DISTRO" = REDHAT ]; then
cp /lib/libnss_compat.so.2 /lib/libnsl.so.1 /lib/libnss_files.so.2 /lib/ld-linux.so.2 /lib/ld-lsb.so.1 /lib/libnss_dns.so.2 /lib/libxcrypt.so.1 ${JAILPATH}/lib/
# needed for scp on RHEL
echo "export LD_LIBRARY_PATH=/usr/kerberos/lib" >> ${JAILPATH}/etc/profile
elif [ "$DISTRO" = DEBIAN ]; then
# due to migration to Multiarch - https://wiki.ubuntu.com/MultiarchSpec
# check /lib/x86_64-linux-gnu/ directory is much more universal way
# ??? DO WE NEED IT FOR SUSE AND REDHAT
#if [ "$UBUNTU_CODENAME" = "hardy" ]; then
if [ -d /lib/x86_64-linux-gnu/ ]; then
cp /lib/x86_64-linux-gnu/libnss_compat.so.2 /lib/x86_64-linux-gnu/libnsl.so.1 /lib/x86_64-linux-gnu/libnss_files.so.2 /lib/x86_64-linux-gnu/libcap.so.2 /lib/x86_64-linux-gnu/libnss_dns.so.2 ${JAILPATH}/lib/
else
cp /lib/libnss_compat.so.2 /lib/libnsl.so.1 /lib/libnss_files.so.2 /lib/libcap.so.1 /lib/libnss_dns.so.2 ${JAILPATH}/lib/
fi
# needed for less and nano
# nano and less are optional now
#cp -ar /lib/terminfo ${JAILPATH}/lib/
else
cp /lib/libnss_compat.so.2 /lib/libnsl.so.1 /lib/libnss_files.so.2 /lib/libcap.so.1 /lib/libnss_dns.so.2 ${JAILPATH}/lib/
fi
if [ $PAM = "copy" ]; then
# if you are using a 64 bit system and have strange problems with login comment
# the following lines in, perhaps it works then (motto: if you can't find the
# needed library just copy all of them)
#
#cp /lib/*.* ${JAILPATH}/lib/
#cp /lib/lib64/*.* ${JAILPATH}/lib/lib64/
# if you are using PAM you need stuff from /etc/pam.d/ in the jail,
echo "Copying files from /etc/pam.d/ to jail"
cp /etc/pam.d/* ${JAILPATH}/etc/pam.d/
# ...and of course the PAM-modules...
echo "Copying PAM-Modules to jail"
if [ -d /lib/security ]; then
cp /lib/security/* ${JAILPATH}/lib/
fi
# this is needed for Ubuntu 8.04, but will not hurt on 12.04 neither
if [ -d /lib/x86_64-linux-gnu/security ]; then
cp -r /lib/x86_64-linux-gnu/security ${JAILPATH}/lib/
fi
# ...and something else useful for PAM
cp -r /etc/security ${JAILPATH}/etc/
cp /etc/login.defs ${JAILPATH}/etc/
if [ -f /etc/DIR_COLORS ] ; then
cp /etc/DIR_COLORS ${JAILPATH}/etc/
fi
fi # endif for checking $PAM
# Don't give more permissions than necessary
if [ $LINK != "ln" ]; then
chown root.root ${JAILPATH}/bin/su
chmod 700 ${JAILPATH}/bin/su
fi
exit