On Mon, Sep 18, 2006 at 03:23:37PM +0200, Bambero wrote:
> Hello
>
> Is there any good way to setup chrooted sftp-server without shell access ?
I wrote a shell script for this kind of setup; maybe you can use it, or parts of it, yourself. I keep my users in an OpenLDAP database and want to let some of them reach the www directory on my OpenBSD webserver through scponly, so the script builds the chroot under /var/www and relies on OpenBSD tools (useradd(8) with a login class, pwd_mkdb(8), the ldd(1) output format); adapt those parts for other systems.
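#!/bin/sh
#
# Build a chroot for scponly users under /var/www and keep the chroot's
# passwd database in sync with the host's.
#
# Usage: script (--check|--add USER|--del USER|--help)
#   --check   create the chroot hierarchy and copy the needed commands,
#             their shared libraries, ld.so and ld.so.hints into it
#   --add     useradd(8) USER with the scponly shell and mirror its entry
#             into the chroot's master.passwd / pwd.db
#   --del     userdel(8) USER and drop its entry from the chroot again
#
# Must run as root. Written for OpenBSD (useradd -L login class,
# pwd_mkdb(8), master.passwd, ldd(1) output format).
#
# Written by Aiko Barz
#
# Root of the chroot; also set as the home directory of every scponly
# user (the scponlyc shell is expected to chroot there -- verify against
# the scponly build you install).
readonly altroot="/var/www"
# Login shell given to the users created by --add.
readonly USERSHELL="/opt/sbin/scponlyc"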
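#######################################
# Create one directory of the chroot tree, owned root:daemon, unless it
# already exists.
# Globals:   altroot (read)
# Arguments: $1 - path relative to $altroot; "" means $altroot itself
#######################################
_chroot_mkdir()
{
  _path="$altroot${1:+/$1}"
  if [ ! -d "$_path" ]; then
    mkdir -p "$_path"
    chown root:daemon "$_path"
  fi
}

#######################################
# Copy one statically linked command into the chroot.
# The command is resolved with which(1) on purpose: `command -v echo`
# or `command -v pwd` would answer with the shell builtin, not a file.
# The result is kept in a private variable -- assigning to PWD or GROUPS
# (as the original per-command variables did) clobbers names the shell
# itself uses.
# Globals:   altroot (read)
# Arguments: $1 - command name
#            $2 - optional destination directory relative to $altroot;
#                 when omitted the command keeps its host path
# Returns:   0 if copied, 1 if the command was not found/executable
#######################################
_chroot_copy()
{
  _src=$(which "$1" 2>/dev/null)
  [ -x "$_src" ] || return 1
  if [ -n "$2" ]; then
    cp "$_src" "$altroot/$2"
  else
    cp "$_src" "$altroot$_src"
  fi
}

#######################################
# Copy a dynamically linked command plus the shared libraries that
# ldd(1) reports for it, each to the same path inside the chroot.
# Globals:   altroot (read)
# Arguments: $1 - absolute path of the command, or a bare name that is
#                 resolved with which(1)
# Returns:   0 if copied, 1 if the command was not found/executable
#######################################
_chroot_copy_dynamic()
{
  case "$1" in
    /*) _bin="$1" ;;
    *)  _bin=$(which "$1" 2>/dev/null) ;;
  esac
  [ -x "$_bin" ] || return 1
  cp "$_bin" "$altroot$_bin"
  # NOTE(review): the column numbers assume the ldd(1) layout the author
  # used ($3 = Type, $5 = Name). ldd output has gained columns on newer
  # OpenBSD releases, so check `ldd /usr/bin/id` on the target host and
  # adjust $5 if the library path is not picked up (the -f test below
  # silently skips anything that is not a file).
  for _lib in $(ldd "$_bin" | awk '$3 == "rlib" { print $5 }'); do
    if [ -f "$_lib" ]; then
      cp -f "$_lib" "$altroot$_lib"
    fi
  done
}

#######################################
# Build or refresh the scponly chroot under $altroot: directory tree,
# the commands scponly may run, their libraries, the runtime linker and
# an (initially empty) master.passwd for the chroot.
# Globals:   altroot (read)
# Arguments: none
# Outputs:   files under $altroot; $altroot/etc/master.passwd is forced
#            to mode 0600
# Returns:   status of the last step; individual cp/mkdir failures are
#            not fatal, as in the original script
#######################################
checkChroot()
{
  ##
  # Hierarchy
  ##
  for _dir in "" bin etc lib usr usr/bin usr/sbin usr/lib usr/libexec \
      usr/libexec/openssh; do
    _chroot_mkdir "$_dir"
  done

  ##
  # Static commands. chgrp and chown are placed in usr/sbin rather than
  # at their host path; the rest keep their host path. The set of
  # commands looks like scponly's WinSCP-compatibility command list --
  # presumably why chown/chgrp/chmod are included for sftp users; trim it
  # if that compatibility is not needed.
  ##
  _chroot_copy chgrp usr/sbin
  _chroot_copy chmod
  _chroot_copy chown usr/sbin
  for _cmd in ln ls mkdir mv rm rmdir echo pwd groups; do
    _chroot_copy "$_cmd"
  done

  ##
  # Dynamic commands and their shared libraries
  ##
  # NOTE(review): passwd(1) is setuid root on the host. cp(1) without -p
  # is not expected to carry the setuid bit into the chroot (check with
  # ls -l), in which case the copy cannot change anything and might as
  # well be dropped; if the bit does survive, a setuid-root binary inside
  # the chroot is an attack surface you probably do not want.
  for _cmd in id passwd quota scp rsync; do
    _chroot_copy_dynamic "$_cmd"
  done
  _chroot_copy_dynamic /usr/libexec/sftp-server

  ##
  # Runtime linker and its hints file
  ##
  for _file in /usr/libexec/ld.so /var/run/ld.so.hints; do
    if [ -f "$_file" ]; then
      cp -f "$_file" "$altroot$_file"
    fi
  done

  ##
  # passwd: start with an empty master.passwd, filled by addUser. Keep it
  # 0600 -- the file sits under the web root, and a plain touch(1) under
  # the usual umask would leave it world-readable.
  ##
  _pw="$altroot/etc/master.passwd"
  if [ ! -f "$_pw" ]; then
    touch "$_pw"
  fi
  chmod 600 "$_pw"
}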
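#######################################
# Create a host account with the scponly shell and mirror its passwd
# entry into the chroot so uid/gid lookups work there.
# Globals:   altroot, USERSHELL (read)
# Arguments: $1 - user name; must be non-empty, must not start with '-'
#                 and may only contain [A-Za-z0-9_.-], so it can neither
#                 inject useradd options nor break the colon-separated
#                 master.passwd format or the awk -v assignment below
# Outputs:   appends to $altroot/etc/master.passwd (mode 0600),
#            regenerates pwd.db, removes spwd.db (presumably because
#            nothing inside the chroot needs password hashes)
# Returns:   0 on success or if the user is already mirrored,
#            1 on a missing/invalid name or if pwd_mkdb fails
#######################################
addUser()
{
  case "$1" in
    ""|-*|*[!A-Za-z0-9_.-]*)
      printf 'addUser: invalid user name: "%s"\n' "$1" >&2
      return 1 ;;
  esac
  _user="$1"
  _pw="$altroot/etc/master.passwd"
  # -L ldap: login class for the new account (see useradd(8)).
  useradd -d "$altroot" -s "$USERSHELL" -L ldap "$_user"
  # Exact match on the name field: grep "^$_user:" would let a '.' in
  # the name act as a regex metacharacter.
  if awk -F: -v u="$_user" '$1 == u { f = 1 } END { exit !f }' "$_pw"; then
    return 0
  fi
  # Copy the host entry but replace the password hash with "*":
  # authentication happens outside the chroot, and this file lives under
  # the web root, so no hash should ever be stored in it.
  awk -F: -v u="$_user" \
    'BEGIN { OFS = ":" } $1 == u { $2 = "*"; print; exit }' \
    /etc/master.passwd >> "$_pw"
  chmod 600 "$_pw"
  pwd_mkdb -d "$altroot/etc" "$_pw" || return 1
  rm -f "$altroot/etc/spwd.db"
}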
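#######################################
# Delete a host account and drop its entry from the chroot's passwd
# database. (In the mail the redirection on the egrep line was wrapped
# onto the next line, which sh rejects; the rewrite is on one line.)
# Globals:   altroot (read)
# Arguments: $1 - user name, validated like addUser
# Outputs:   rewrites $altroot/etc/master.passwd through a mktemp(1)
#            file (0600, renamed into place), regenerates pwd.db,
#            removes spwd.db
# Returns:   0 on success, 1 on an invalid name or a failed rewrite
#######################################
delUser()
{
  case "$1" in
    ""|-*|*[!A-Za-z0-9_.-]*)
      printf 'delUser: invalid user name: "%s"\n' "$1" >&2
      return 1 ;;
  esac
  _user="$1"
  _pw="$altroot/etc/master.passwd"
  userdel "$_user"
  # Filter into a mktemp(1) file in the same directory: the name cannot
  # be guessed in advance and the final mv is a same-filesystem rename.
  _tmp=$(mktemp "$altroot/etc/master.XXXXXXXXXX") || return 1
  if awk -F: -v u="$_user" '$1 != u' "$_pw" > "$_tmp"; then
    mv -f "$_tmp" "$_pw"
  else
    rm -f "$_tmp"
    return 1
  fi
  pwd_mkdb -d "$altroot/etc" "$_pw" || return 1
  rm -f "$altroot/etc/spwd.db"
}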
#######################################
# Print the one-line usage synopsis.
# Arguments: $1 - program name to show (normally $0)
# Outputs:   the usage line on stdout
#######################################
helpMe()
{
  printf '%s (--check|--add|--del|--help)\n' "$1"
}
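#######################################
# Command-line entry point.
#   --check        build/refresh the chroot
#   --add USER     create USER and mirror it into the chroot
#   --del USER     delete USER and remove it from the chroot
#   --help         print usage
# An unknown option or a missing USER prints the usage to stderr and
# exits 2 rather than falling through silently with status 0, so a
# typo is noticed by whatever script or cron job calls this.
# The exit status of --add/--del is that of addUser/delUser.
#######################################
case "${1:-}" in
  --check)
    checkChroot
    ;;
  --add|--del)
    if [ -z "$2" ]; then
      helpMe "$0" >&2
      exit 2
    fi
    if [ "$1" = "--add" ]; then
      addUser "$2"
    else
      delUser "$2"
    fi
    ;;
  --help)
    helpMe "$0"
    ;;
  *)
    helpMe "$0" >&2
    exit 2
    ;;
esac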
Bye,
Aiko
--
Aiko Barz <[EMAIL PROTECTED]>
Web: http://www.haeckser.de