evolix/evobackup
22
0
Fork 1
Code Issues 28 Pull requests 5 Releases 20 Activity

Some ameliorations esp. for shared libraries and chroot path.

Browse source 
* Replaced backtick by $().
* Some "Beautification".
* Better finding of shared libraries.
* $chrootdir used when giving name to the chroot with -n.
* Jessie tested OK.
This commit is contained in:
Benoît S. 2015-07-02 16:25:04 +02:00
parent aaa0910e9b
commit 0fcc2478c4
1 changed files with 40 additions and 47 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

87
chroot-ssh.sh
View file

@ -1,23 +1,24 @@
#!/bin/bash
# Gregory Colpart <reg@evolix.fr> & Benoit Serie <bserie@evolix.fr>
# chroot script for OpenSSH
# $Id: chroot-ssh.sh,v 1.12 2010-07-02 17:40:29 gcolpart Exp $
# Chroot script for EvoBackup/OpenSSH
# new version tested only on Debian Wheezy amd64
# Start :
# Tested only on Debian Wheezy/Jessie amd64
# Start:
# chroot /backup/jails/myserver mount -t proc proc-chroot /proc/
# chroot /backup/jails/myserver mount -t devtmpfs udev /dev/
# chroot /backup/jails/myserver mount -t devpts devpts-chroot /dev/pts/
# chroot /backup/jails/myserver /usr/sbin/sshd > /dev/null
# Reload: kill -HUP `chroot /backup/jails/myserver cat /var/run/sshd.pid`
# Stop: kill -9 `chroot /backup/jails/myserver cat /var/run/sshd.pid`
# Reload:
# kill -HUP $(chroot /backup/jails/myserver cat /var/run/sshd.pid)
# Stop:
# kill -9 $(chroot /backup/jails/myserver cat /var/run/sshd.pid)
# Restart:
# kill -9 `chroot /backup/jails/myserver cat /var/run/sshd.pid`
# kill -9 $(chroot /backup/jails/myserver cat /var/run/sshd.pid)
# chroot /backup/jails/myserver /usr/sbin/sshd > /dev/null
# After *each* ssh upgrade or libs upgrade:
# sh chroot-ssh.sh updateall
# sh chroot-ssh.sh updateall
# And restart all sshd daemons
# We suppose jails are all in /backup/jails...
@ -35,10 +36,10 @@ usage() {
cat <<EOT
Add an OpenSSH chroot.
Usage: $0 -n chroot-dir -i ip -p port -k pub-key-path
Usage: $0 -n chroot-name -i ip -p port -k pub-key-path
Mandatory parameters:
-n: directory of chroot
-n: name of chroot
Optional parameters:
-i: IP address of the client machine.
@ -75,7 +76,7 @@ for dbin in /bin/bash /bin/cat /bin/chown /bin/mknod /bin/rm \
/usr/lib/openssh/sftp-server; do
cp -f $dbin $chrootdir/$dbin;
for lib in `ldd $dbin | cut -d">" -f2 | cut -d"(" -f1`; do
for lib in $(ldd $dbin | grep -Eo "/.*so.[0-9\.]+"); do
cp -p $lib $chrootdir/$lib
done
done
@ -104,6 +105,9 @@ while getopts ':n:i:p:k:' opt; do
esac
done
# Complete path to chroot dir.
chrootdir=${BACKUP_PATH}/${jail}
# Verify parameters.
if [ -z $jail ];
then
@ -111,7 +115,7 @@ then
exit 1
fi
# Test if the chroot exists.
if [ -e $jail ]; then
if [ -e $chrootdir ]; then
echo "Error, directory to chroot already exists!"
exit 1
fi
@ -120,7 +124,7 @@ if [ -n "$pub_key_path" ] && [ ! -f "$pub_key_path" ]; then
echo "Public key $pub_key_path not found."
exit 1
fi
# Try to guess the next port
# Try to guess the next SSH port.
if [ "$port" = "guess" ]; then
port=$(grep -h Port ${BACKUP_PATH}/*/etc/ssh/sshd_config 2>/dev/null \
| grep -Eo [0-9]+ | sort -n | tail -1)
@ -131,10 +135,11 @@ if [ "$port" = "guess" ]; then
fi
fi
# Used for updating jails.
if [ "$jail" = "updateall" ]; then
for i in `ls -1 ${BACKUP_PATH}/*/lib/x86_64-linux-gnu/libnss_compat.so.2`; do
chrootdir=`echo $i | cut -d"/" -f1,2,3,4`
for i in $(ls -1 ${BACKUP_PATH}/*/lib/x86_64-linux-gnu/libnss_compat.so.2); do
chrootdir=$(echo $i | cut -d"/" -f1,2,3,4)
echo -n "Updating $chrootdir ..."
bincopy $chrootdir
echo "...Done!"
@ -142,52 +147,40 @@ if [ "$jail" = "updateall" ]; then
else
# where is jail
chrootdir=$jail
# Creation of the jail.
mkdir -p $chrootdir
chown root:root $chrootdir
umask 022
# create jail
echo -n "1 - Creating the chroot..."
mkdir -p $chrootdir/{bin,dev,etc/ssh,lib,lib64,proc}
mkdir -p $chrootdir/lib/{x86_64-linux-gnu,tls/i686/cmov,i686/cmov}
mkdir -p $chrootdir/usr/{bin,lib,sbin}
mkdir -p $chrootdir/usr/lib/{x86_64-linux-gnu,openssh,i686/cmov}
mkdir -p $chrootdir/root/.ssh && chmod 700 $chrootdir/root/.ssh
mkdir -p $chrootdir/var/{log,run/sshd}
touch $chrootdir/var/log/{authlog,lastlog,messages,syslog}
touch $chrootdir/etc/fstab
mkdir -p $chrootdir/{bin,dev,etc/ssh,lib,lib64,proc}
mkdir -p $chrootdir/lib/{x86_64-linux-gnu,tls/i686/cmov,i686/cmov}
mkdir -p $chrootdir/usr/{bin,lib,sbin}
mkdir -p $chrootdir/usr/lib/{x86_64-linux-gnu,openssh,i686/cmov}
mkdir -p $chrootdir/root/.ssh && chmod 700 $chrootdir/root/.ssh
mkdir -p $chrootdir/var/{log,run/sshd}
touch $chrootdir/var/log/{authlog,lastlog,messages,syslog}
touch $chrootdir/etc/fstab
echo "...OK"
echo -n "2 - Copying essential files..."
cp /proc/devices $chrootdir/proc
cp /etc/ssh/{ssh_host_rsa_key,ssh_host_dsa_key} $chrootdir/etc/ssh/
cp etc/sshd_config $chrootdir/etc/ssh/
cp etc/passwd $chrootdir/etc/
cp etc/shadow $chrootdir/etc/
cp etc/group $chrootdir/etc/
cp /proc/devices $chrootdir/proc
cp /etc/ssh/{ssh_host_rsa_key,ssh_host_dsa_key} $chrootdir/etc/ssh/
cp etc/sshd_config $chrootdir/etc/ssh/
cp etc/passwd $chrootdir/etc/
cp etc/shadow $chrootdir/etc/
cp etc/group $chrootdir/etc/
echo "...OK"
echo -n "3 - Copying binaries..."
bincopy $chrootdir
bincopy $chrootdir
echo "...OK"
echo -n "4 - Configuring the chroot..."
[ -n "$port" ] && [ "$port" != "guess" ] && sed -i "s/^Port 2222/Port ${port}/" ${jail}/etc/ssh/sshd_config
[ -n "$ip" ] && sed -i "s/IP/$ip/g" ${jail}/etc/ssh/sshd_config
touch ${jail}/root/.ssh/authorized_keys && chmod 600 ${jail}/root/.ssh/authorized_keys && chown -R root:root ${jail}/root/.ssh/
[ -n "$pub_key_path" ] && cat $pub_key_path >> ${jail}/root/.ssh/authorized_keys
[ -n "$port" ] && [ "$port" != "guess" ] && sed -i "s/^Port 2222/Port ${port}/" ${chrootdir}/etc/ssh/sshd_config
[ -n "$ip" ] && sed -i "s/IP/$ip/g" ${chrootdir}/etc/ssh/sshd_config
touch ${chrootdir}/root/.ssh/authorized_keys && chmod 600 ${chrootdir}/root/.ssh/authorized_keys && chown -R root:root ${chrootdir}/root/.ssh/
[ -n "$pub_key_path" ] && cat $pub_key_path >> ${chrootdir}/root/.ssh/authorized_keys
echo "...OK"
echo ""