This patch includes Alan Porter's patch
(http://sourceforge.net/mailarchive/message.php?msg_name=46818104.3020909%40kr4jb.net)
and adds a few things:

1) fails over to different sftp_server_path and chroot_helper_path if
the default paths do not exist

2) includes the following in the jail:

/lib/libnss_compat*
/etc/localtime (not necessary, but nice for displaying correct tz)
/dev/null
/dev/zero

3) Adds a message about syslog-ng to the echoed notes


These are things I needed for my openSUSE 10.2 system, but I think they
should increase the compatibility of mkchroot.sh with other distros as well.

ross
--- rssh-2.3.2.orig/mkchroot.sh 2004-06-03 21:25:11.000000000 -0400
+++ rssh-2.3.2/mkchroot.sh      2009-02-03 11:51:50.000000000 -0500
@@ -61,6 +61,14 @@
        fi
 fi
 
+# Previous versions of this script incorrectly created a
+# directory named "/home/rssh.".  We check here instead of
+# in the RPM spec file because we know the value of $jail_dir
+# here.
+if [ -d "$jail_dir." ] ; then
+    rmdir "$jail_dir."
+fi
+
 if [ -n "$owner" -a `whoami` = "root" ]; then
        echo "Setting owner of jail."
        chown "$owner" "$jail_dir"
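Review bot: The added cleanup block runs `rmdir "$jail_dir."` without first confirming that `$jail_dir` is non-empty; if it were unset or empty the test collapses to `[ -d . ]`, which is always true, and the script then attempts `rmdir .`. Whether `$jail_dir` is validated earlier in the script is outside this hunk, so a local guard is cheap insurance: `if [ -n "$jail_dir" ] && [ -d "$jail_dir." ] ; then`. Because rmdir only removes empty directories, a populated `"$jail_dir."` is left behind with just an error message; a short comment such as `# rmdir on purpose: a non-empty "$jail_dir." should be inspected by hand, not deleted` would record that this is intentional.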
@@ -97,8 +105,14 @@
 
 scp_path="/usr/bin/scp"
 sftp_server_path="/usr/libexec/openssh/sftp-server"
+if [ ! -a "$sftp_server_path" ]; then
+    sftp_server_path="/usr/lib/ssh/sftp-server"
+fi
 rssh_path="/usr/bin/rssh"
 chroot_helper_path="/usr/libexec/rssh_chroot_helper"
+if [ ! -a "$chroot_helper_path" ]; then
+    chroot_helper_path="/usr/lib/rssh_chroot_helper"
+fi
 
 for jail_path in `dirname "$jail_dir$scp_path"` `dirname 
"$jail_dir$sftp_server_path"` `dirname "$jail_dir$chroot_helper_path"`; do
 
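Review bot: The two fallback tests use `[ ! -a "$sftp_server_path" ]`, and unary `-a` is a bash/ksh extension; under a POSIX `/bin/sh` the three-argument form `[ ! -a x ]` is parsed as the binary AND of the non-empty strings `!` and `x`, which is always true, so the fallback path would be taken even when the default exists (the shebang is outside this hunk, so this is hedged). `-e` is the portable spelling: `if [ ! -e "$sftp_server_path" ]; then` and `if [ ! -e "$chroot_helper_path" ]; then`. If neither candidate exists the variable silently keeps the second path and the later copy steps presumably fail one by one; an explicit check after each fallback, e.g. `[ -x "$sftp_server_path" ] || { echo "sftp-server not found" >&2; exit 1; }`, would fail early with a clear message.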
@@ -128,16 +142,52 @@
 
 for prog in $scp_path $sftp_server_path $rssh_path $chroot_helper_path; do
        echo "Copying libraries for $prog."
-       libs=`ldd $prog | tr -s ' ' | cut -d' ' -f3`
-       for lib in $libs; do
-               mkdir -p "$jail_dir$(dirname $lib)"
-               echo -e "\t$lib"
-               cp "$lib" "$jail_dir$lib"
+       #libs=`ldd $prog | tr -s ' ' | cut -d' ' -f3`
+
+       # SAMPLE OUTPUT OF 'LDD'
+       # [apor...@sti dist(i386)]$ ldd /usr/libexec/openssh/sftp-server
+       # linux-gate.so.1 =>  (0xb7f31000)
+       # libcrypto.so.4 => /lib/libcrypto.so.4 (0xb7e34000)
+       # libutil.so.1 => /lib/libutil.so.1 (0xb7e30000)
+       # libz.so.1 => /usr/lib/libz.so.1 (0xb7e20000)
+       # libnsl.so.1 => /lib/libnsl.so.1 (0xb7e0a000)
+       # libcrypt.so.1 => /lib/libcrypt.so.1 (0xb7ddc000)
+       # libselinux.so.1 => /lib/libselinux.so.1 (0xb7dce000)
+       # libgssapi_krb5.so.2 => /usr/lib/libgssapi_krb5.so.2 (0xb7db9000)
+       # libkrb5.so.3 => /usr/lib/libkrb5.so.3 (0xb7d54000)
+       # libk5crypto.so.3 => /usr/lib/libk5crypto.so.3 (0xb7d33000)
+       # libcom_err.so.2 => /lib/libcom_err.so.2 (0xb7d30000)
+       # libresolv.so.2 => /lib/libresolv.so.2 (0xb7d1d000)
+       # libc.so.6 => /lib/tls/libc.so.6 (0xb7bf2000)
+       # libdl.so.2 => /lib/libdl.so.2 (0xb7bed000)
+       # /lib/ld-linux.so.2 (0xb7f32000)
+       # [apor...@sti dist(i386)]$
+
+       # Sometimes (see linux-gate.so.1), there is no full path.
+       # Sometimes (see /lib/ld-linux.so.2), there is no base filename.
+       # Most of the time, there is a base filename and a full path.
+       # If we just look for words that start with "/", this catches them all.
+
+       # Look at each space-separated word of the ldd output.
+       for lib in `ldd $prog` ; do
+                # See if the word begins with '/'.
+                if [ `echo $lib | cut -c1` == "/" ] ; then
+                         # Don't repeat our previous work.
+                         if [ ! -f "$jail_dir$lib" ] ; then
+                                  # If the directory does not exist, make it.
+                                  if [ ! -d "$jail_dir$(dirname $lib)" ] ; then
+                                           mkdir -p "$jail_dir$(dirname $lib)"
+                                  fi
+                                  # Copy the library to the jail.
+                                  echo -e "\t$lib"
+                                  cp "$lib" "$jail_dir$lib"
+                         fi
+                fi
        done
 done
 
 echo "copying name service resolution libraries..."
-tar -cf - /lib/libnss_files* /lib/libnss1_files* | tar -C "$jail_dir" -xvf - 
|sed 's/^/\t/'
+tar -cf - /lib/libnss_files* /lib/libnss_compat* /lib/libnss1_files* | tar -C 
"$jail_dir" -xvf - |sed 's/^/\t/'
 
 #####################################################################
 #
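Review bot: The `if [ ! -f "$jail_dir$lib" ]` guard in the new ldd loop means a re-run of the script after a library upgrade never refreshes a library that is already present in the jail, so the jailed sftp-server keeps loading the old copy; `if ! cmp -s "$lib" "$jail_dir$lib" ; then` copies when the file is missing or differs and still honours the "don't repeat our previous work" intent. The test `[ \`echo $lib | cut -c1\` == "/" ]` spawns two processes per word of ldd output and `==` is not POSIX for `[`; `case "$lib" in /*) ... ;; esac` performs the same check inside the shell. The `tar ... | sed` lines after "copying name service resolution libraries" appear to have been wrapped by the mail client and would need rejoining before the patch applies cleanly.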
@@ -149,6 +199,7 @@
 cp /etc/nsswitch.conf "$jail_dir/etc/"
 cp /etc/passwd "$jail_dir/etc/"
 cp /etc/ld.* "$jail_dir/etc/"
+cp -p /etc/localtime "$jail_dir/etc/"
 
 echo -e "Chroot jail configuration completed."
 echo -e "\nNOTE: if you are not using the passwd file for authentication,"
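Review bot: `cp -p /etc/localtime "$jail_dir/etc/"` is unconditional, yet the patch description calls localtime optional; on a system without that file cp prints an error and, if the script runs under `set -e` (not visible in this hunk), the remaining /dev setup is skipped. Guarding it keeps it best-effort: `[ -f /etc/localtime ] && cp -p /etc/localtime "$jail_dir/etc/"`. Since /etc/localtime is commonly a symlink into the zoneinfo tree, a one-line comment noting that the non-recursive cp is expected to follow the link and copy the target file (worth confirming on the target distro) would help the next reader.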
@@ -157,15 +208,19 @@
 
 #####################################################################
 #
-# set up /dev/log
+# set up /dev (for /dev/log and other needed devices)
 #
 
 mkdir -p "$jail_dir/dev"
+cp -dpPR /dev/{null,zero} "$jail_dir/dev/"
 
 echo -e "NOTE: you must MANUALLY edit your syslog rc script to start syslogd"
 echo -e "with appropriate options to log to $jail_dir/dev/log.  In most cases,"
 echo -e "you will need to start syslog as:\n"
 echo -e "   /sbin/syslogd -a $jail_dir/dev/log\n"
+echo -e "In some systems (openSUSE) you can instead add the following to"
+echo -e "/etc/syslog-ng/syslog-ng.conf:\n"
+echo -e "   unix-dgram(\"$jail_dir/dev/log\");\n"
 
 echo -e "NOTE: we make no guarantee that ANY of this will work for you... \c"
 echo -e "if it\ndoesn't, you're on your own.  Sorry!\n"
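Review bot: `cp -dpPR /dev/{null,zero} "$jail_dir/dev/"` relies on brace expansion, which a POSIX `/bin/sh` does not perform, so the command would look for a literal `/dev/{null,zero}` (the shebang is outside this hunk); spelling the sources out avoids that: `cp -dpPR /dev/null /dev/zero "$jail_dir/dev/"`. Recreating device nodes also requires root and a jail filesystem that is not mounted `nodev`; the `whoami` test earlier in the patch guards only the chown, so a comment such as `# needs root; the copied nodes are unusable if $jail_dir is on a nodev mount` would record both constraints. Whether `cp -R` refreshes an already existing node on a re-run is not visible here and worth confirming.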