Re: chrooting rssh problem
On Thursday, 1 November 2007 07:06, Russ Allbery wrote:
> "Bjorn Meyer" <bjorn.m.meyer@gmail.com> writes:
> > I am using Debian 4.0. I'm having a problem with the setup. Once set up,
> > I am able to sftp or scp into the server. However, it doesn't actually
> > seem to set up the chroot. There doesn't seem to be anything logged in
> > syslog to show why. The rssh_chroot_helper doesn't seem to be run.
>
> Did you follow the instructions in /usr/share/doc/rssh/CHROOT.gz? A
> chroot isn't enabled by default since setting up the chroot environment is
> complex and requires the administrator to think about what they want to
> copy into it and what they want to expose.
>
>
I found the instructions in /usr/share/doc/rssh/CHROOT.gz incomplete, so
after a long search I put together this (ugly) script; by reading it you
might find the information you are missing.
(Not quite sure if the above is English; I'm not a native speaker...)
#!/bin/bash
#####################################################################
#####################################################################
##
## mkchroot.sh - set up a chroot jail.
##
## This script is modified to work for Debian 4.0 "Etch", but may work on
## other systems. Or, it may not... In fact, it may not work at all. Use at
## your own risk. :)
##
## This is a combination of the "original" mkchroot.sh-script and the
## "setup-chrootdir-rsync.sh"-script.
## These scripts can be found in the rssh-package
## (/usr/share/doc/rssh/examples/mkchroot.sh) and in the libpam-chroot-package
## (/usr/share/doc/libpam-chroot/examples/setup-chrootdir-rsync.sh).
##
#####################################################################
#
# Initialize - handle command-line args, and set up variables and such.
#
# $1 is the directory to make the root of the chroot jail (required)
# $2 is the list of users to make home-dirs for (space-separated, so quote
#    it when passing more than one user)
#
if [ -z "$1" -o -z "$2" ]; then
    echo "`basename $0`: error parsing command line" >&2
    echo "  You must specify a directory to use as the chroot jail" >&2
    echo "  and at least one user." >&2
    exit 1
fi
jail_dir="$1"
jail_users="$2"
#####################################################################
#
# build the jail
#
# The jail needs sftp-server, the dynamic linker and (further down) every
# library sftp-server links against. lib/ld-linux.so.2 is the i386 linker;
# on amd64 it is lib64/ld-linux-x86-64.so.2, so add lib64 to DIRECTORIES
# and adjust FILES there.
sftp_server_path="/usr/lib/openssh/sftp-server"
DIRECTORIES="dev home lib usr/lib/openssh"
FILES="usr/lib/openssh/sftp-server lib/ld-linux.so.2"
# now make the directory
if [ ! -d "$jail_dir" ]; then
    echo -e "\n\E[1mCreating root jail directory.\E[0m"
    mkdir -p "$jail_dir"
    if [ $? -ne 0 ]; then
        echo "  `basename $0`: error creating jail directory." >&2
        echo "  Check permissions on parent directory." >&2
        exit 2
    fi
    curr_dir=`pwd`
    cd "$jail_dir"
    # Create dirs
    echo -e "\nCreating jail directory-tree."
    echo -e "\t$DIRECTORIES"
    for d in $DIRECTORIES; do
        mkdir -p "$d"
    done
    # Add files (same path inside the jail as on the host)
    echo -e "\nCopying sftp-server & dynamic linker."
    echo -e "\t$FILES"
    for f in $FILES; do
        cp "/$f" "$f"
    done
    cd "$curr_dir"
fi
#####################################################################
#
# identify and copy libraries needed in the jail
#
# ldd prints "name => /path (addr)"; take the path column and keep only
# lines that really have one (the vdso line "linux-gate.so.1 => (addr)"
# and the bare "/lib/ld-linux.so.2 (addr)" line have none, which is why
# the linker is copied explicitly above).
echo -e "\nCopying libraries for $sftp_server_path."
libs=`ldd $sftp_server_path | tr -s ' ' | cut -d' ' -f3 | grep /`
for lib in $libs; do
    mkdir -p "$jail_dir$(dirname $lib)"
    echo -e "\t$lib"
    cp "$lib" "$jail_dir$lib"
done
#####################################################################
#
# set up /dev/null (skipped if it already exists from an earlier run)
#
echo -e "\nCreating $jail_dir/dev/null."
if [ ! -c "$jail_dir/dev/null" ]; then
    mknod "$jail_dir/dev/null" c 1 3 && chmod a+w "$jail_dir/dev/null"
fi
#####################################################################
#
# set up "user-environment"
#
echo -e "\nSetting up $jail_dir/home/*."
for i in $jail_users; do
    mkdir -p "$jail_dir/home/$i" && chown "$i:$i" "$jail_dir/home/$i"
    echo -e "\t$jail_dir/home/$i"
done
#####################################################################
#
# some good advice...
#
echo -e "\n\E[1mChroot jail configuration completed.\E[0m\n"
echo -e "NOTE: you must MANUALLY edit your syslog rc script to start syslogd"
echo -e "with appropriate options to log to $jail_dir/dev/log."
echo -e "You will need to edit /etc/default/syslogd:"
echo -e "\tSYSLOGD=\"-a $jail_dir/dev/log\"\n"
echo -e "You will also need to edit /etc/rssh.conf and /etc/passwd.\n"
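A check to run once a jail like the one above has been built, added here as an example of mine (it is not part of the rssh package, its CHROOT documentation, or the script in the post): it re-runs ldd on the host copy of every executable found in the jail, reports any shared object the jail lacks, and confirms that dev/null inside the jail is a real character device. It assumes the jail mirrors host paths, as the script's cp "/$f" "$f" layout does, that ldd and find are available, and that jail paths contain no spaces. The ldd output used in the comments is constructed, not captured from a real system.

```sh
#!/bin/sh
# verify_jail.sh - added example, not part of rssh or the mkchroot script.
# Usage: verify_jail.sh /path/to/jail

# Read ldd output on stdin and print one absolute library path per line.
# Handles "libc.so.6 => /lib/libc.so.6 (0x...)" and the bare
# "/lib/ld-linux.so.2 (0x...)" form; vdso entries without a path are skipped.
ldd_paths() {
    awk '$2 == "=>" && $3 ~ /^\// { print $3; next }
         $1 ~ /^\//               { print $1 }'
}

# Read host paths on stdin and print those absent under the jail given as $1.
# Returns 1 if anything was missing, 0 otherwise.
missing_in_jail() {
    j=$1
    rc=0
    while IFS= read -r p; do
        [ -n "$p" ] || continue
        if [ ! -e "$j$p" ]; then
            printf '%s\n' "$p"
            rc=1
        fi
    done
    return $rc
}

# The jail's /dev/null must exist and be a character device; a regular file
# at that path would quietly collect everything written to it instead.
jail_dev_ok() {
    [ -c "$1/dev/null" ]
}

# Run both checks over every executable in the jail outside home/.
# Each jail binary is a copy of the host file at the same path, so ldd is
# run on the host copy and each reported library is looked up in the jail.
check_jail() {
    jail=${1%/}
    status=0
    for bin in $(find "$jail" -path "$jail/home" -prune -o -type f -perm -u+x -print); do
        host=${bin#"$jail"}
        if [ ! -e "$host" ]; then
            echo "skip: $host is not present on the host, cannot run ldd on it" >&2
            continue
        fi
        if ! ldd "$host" 2>/dev/null | ldd_paths | missing_in_jail "$jail"; then
            echo "  ^ missing in $jail, needed by $host" >&2
            status=1
        fi
    done
    jail_dev_ok "$jail" || { echo "$jail/dev/null is not a character device" >&2; status=1; }
    return $status
}

case $# in
    1) check_jail "$1" ;;
esac
```

The exit status is non-zero whenever something is missing, so the script can be chained after mkchroot.sh in an automated build of the jail; the per-library output names the host path that needs copying.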