On 06/08/15 07:46, dan mclaughlin wrote:
i figure this should be useful to some.
any nits welcome.
haven't used it in a while, but are you aware of security/jailkit?
Sebastian
#!/bin/ksh
#copies a binary and libs to a chroot fs
MYNAME=${0##*/}                  #script name without its directory
USAGE="$MYNAME bin jailroot"
#a lone -h prints the usage line and stops; every other early stop below is
#an error (return at script level behaves like exit in ksh)
case "$1" in
  -h) echo "USAGE $USAGE"; return 0 ;;
esac
#isemptyv NAME: true when the variable called NAME is unset or empty.
#eval does the name indirection because it works the same in ksh and bash;
#every caller in this script passes a literal variable name, never user input.
isemptyv() { eval "[ -z \"\$$1\" ]"; }
#err MSG...: print an error line on stderr, prefixed with the script name.
err() {
  echo "${MYNAME}: ERR ${*}" >&2
}
#usage: print the usage line on stderr and abort with status 1; the argument
#checks below all end here, so a bad invocation never reaches the sudo steps.
usage() {
  echo "USAGE $USAGE" >&2
  exit 1
}
#xt / xt- toggle command tracing for interactive debugging; the script itself
#never uses them
alias xt='set -o xtrace'
alias xt-='set +o xtrace'
#fixed PATH so sudo, cp, ldd and friends resolve to system binaries rather
#than whatever the caller's environment points at
export PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/X11R6/bin
#meant to run as an unprivileged user; the root-only steps go through sudo
if [ "$(id -u)" -eq 0 ]; then
  err "cannot run as root"
  return 1
fi
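#positional arguments: bin (name or path of the executable) and jailroot (the
#chroot directory; one trailing slash is stripped)
_bin=$1
_jailroot=${2%/}
if isemptyv _bin; then
  err "bin not given"
  usage
fi
#whence resolves the name through the fixed PATH above. The result must be an
#absolute path because it is appended to the jail root below: a builtin, an
#alias or a relative path would otherwise produce a bogus '$_jailroot.' dir
if ! _binpath=$(whence "$_bin"); then
  err "no such executable '$_bin'"
  usage
fi
case "$_binpath" in
  /*) ;;
  *)
    err "not an executable file '$_bin' (resolves to '$_binpath')"
    usage
    ;;
esac
_bindir=$(dirname "$_binpath")
if isemptyv _jailroot; then
  err "jailroot not given"
  usage
fi
if [ ! -d "$_jailroot" ]; then
  err "no such dir '$_jailroot'"
  usage
fi
#the binary keeps its host directory layout inside the jail
_jailbindir=$_jailroot$_bindir
if [ -e "$_jailbindir" ]; then
  if [ ! -d "$_jailbindir" ]; then
    err "invalid dir '$_jailbindir'"
    usage
  fi
  if [ -e "$_jailroot$_binpath" ]; then
    echo "$_jailroot$_binpath already exists"
    return 0
  fi
else
  #first privileged step; stop on failure (return at script level behaves
  #like exit in ksh)
  sudo mkdir -p "$_jailbindir" || return 1
fi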
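#optimized to minimize log entries: libraries are copied with one sudo cp per
#source directory instead of one per file, so the sudo log stays short
#
#ldd output is OpenBSD's: the 7th field of every ' rlib ' line is the library
#path. NOTE(review): ldd implementations generally run the target under a
#tracing dynamic loader, so only point this at binaries you trust.
_liblist=
for _lib in $(ldd "$_binpath" | grep ' rlib ' | awk '{print $7}'); do
  #skip libraries the jail already has
  [ -f "$_jailroot/$_lib" ] || _liblist="$_liblist $_lib"
done
_liblist=${_liblist# }
#NOTE(review): cp -p run as root preserves owner and set-user-ID/set-group-ID
#bits; confirm that is intended for the binary being jailed
sudo cp -p "$_binpath" "$_jailbindir" || return 1
isemptyv _liblist && return 0
#one batch per distinct library directory. $_liblist and $_batch are split on
#whitespace on purpose (one word per library, as in the ldd loop above); the
#directory comparison is exact, so a library in a subdirectory is never put
#into its parent's batch
for _libdir in $(printf '%s\n' $_liblist | sed 's:/[^/]*$::' | sort -u); do
  _batch=
  for _lib in $_liblist; do
    [ "${_lib%/*}" = "$_libdir" ] && _batch="$_batch $_lib"
  done
  #create the target directory first: with a single library and a missing
  #directory, cp would otherwise create a regular file named after the
  #directory instead of failing
  sudo mkdir -p "$_jailroot/$_libdir" || return 1
  sudo cp -p $_batch "$_jailroot/$_libdir" || return 1
done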