devpts for chroot jail
Hi. I just wanted to set up a chroot jail on my machine; to make it
useful, I needed to put ptys in it. I modified /etc/init.d/devpts.sh
to do this.
I have some questions:
- is this a secure way to do this? Or can this cause problems?
- is this a useful thing to do, or a good way to do it? Or is my
machine going to die horribly the next time I try to reboot?
- why is the ||true there in the $()? Is this script running with -e
set? (It looked like it.)
- why in God's name does installing the ssh client package INSTALL AN
SSH SERVER AND TURN IT ON!?!?!?? I HAD ALL REMOTE LOGIN DAEMONS
TURNED OFF FOR A GOOD REASON! I SPENT EIGHT DAYS WITH SSHD RUNNING
WITHOUT KNOWING IT!! Well, this is probably the wrong place to ask
that.
--- /etc/init.d/devpts.sh.orig Tue May 30 20:55:43 2000
+++ /etc/init.d/devpts.sh Tue May 30 21:02:14 2000
@@ -5,24 +5,38 @@
[ "$(uname -s)" = "Linux" ] || exit 0
+# modified to work from arbitrary roots by Kragen Sitaker ---- 2000-05-29
make_devptmx()
{
- [ -c /dev/ptmx ] || mknod --mode=666 /dev/ptmx c 5 2
+ [ -c "$1"/dev/ptmx ] || mknod --mode=666 "$1"/dev/ptmx c 5 2
}
make_devpts()
{
- [ -d /dev/pts ] || mkdir --mode=755 /dev/pts
+ [ -d "$1"/dev/pts ] || mkdir --mode=755 "$1"/dev/pts
}
mount_devpts_fs()
{
- mount -t devpts devpts /dev/pts -ogid=${TTYGRP},mode=${TTYMODE}
+ mount -t devpts devpts "$1"/dev/pts -ogid=${TTYGRP},mode=${TTYMODE}
+}
+
+do_devpts_stuff()
+{
+ make_devptmx "$@"
+ make_devpts "$@"
+ devpts_mounted=$(mount | grep -c "^devpts on $1/dev/pts" || true)
+ if [ $devpts_mounted -lt 1 ]
+ then
+ # echo "trying to mount in $1/dev/pts; devpts_mounted $devpts_mounted"
+ mount_devpts_fs "$@"
+ else
+ # echo "not trying to mount in $1/dev/pts"
+ fi
}
devfs=$(grep -c '\<devfs' /proc/filesystems || true)
devpts=$(grep -c '\<devpts' /proc/filesystems || true)
-devpts_mounted=$(mount | grep -c '/dev/pts' || true)
release=$(uname -r)
major_release=${release%.*}
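Review bot: The `else` branch of `do_devpts_stuff` holds only a comment, which is a syntax error in sh because `else` needs at least one command, so the shell will stop at this function definition when init runs the script; drop the `else` or make it `else :`. In the same function, quote the test operand (`[ "$devpts_mounted" -lt 1 ]`) and end the grep pattern with a space (`"^devpts on $1/dev/pts "`) so it cannot match a longer mount point. On the security question: where the kernel provides a single shared devpts instance, which is likely for this era but not visible here, the mount inside the jail lists the host's pty nodes as well. Jailed processes are then kept off other sessions' terminals only by per-node ownership and `TTYMODE`, so that mode should not grant group or world access that jailed accounts can use.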
@@ -42,12 +56,8 @@
:
;;
devpts)
- make_devptmx
- make_devpts
- if [ $devpts_mounted -lt 1 ]
- then
- mount_devpts_fs
- fi
+ do_devpts_stuff
+ do_devpts_stuff /usr/jail
;;
esac
;;
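Review bot: `do_devpts_stuff /usr/jail` runs unconditionally with a hard-coded path, so on a boot where `/usr/jail/dev` does not exist the `mknod` and `mkdir` inside it fail. If the script runs under `set -e` (the `|| true` guards suggest it, but the option is not visible here), it aborts at that point. Guard the call with `if [ -d /usr/jail/dev ]; then do_devpts_stuff /usr/jail; fi`, and take the jail root from a variable set near the top of the script rather than embedding it in the case arm. The outer `case` statement starts and ends outside the hunk.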
<kragen@pobox.com> Kragen Sitaker <http://www.pobox.com/~kragen/>
The Internet stock bubble didn't burst on 1999-11-08. Hurrah!
<URL:http://www.pobox.com/~kragen/bubble.html>
The power didn't go out on 2000-01-01 either. :)