Some ameliorations esp. for shared libraries and chroot path.
* Replaced backtick by $(). * Some "Beautification". * Better finding of shared libraries. * $chrootdir used when giving name to the chroot with -n. * Jessie tested OK.
This commit is contained in:
parent
aaa0910e9b
commit
0fcc2478c4
|
@ -1,23 +1,24 @@
|
|||
#!/bin/bash
|
||||
|
||||
# Gregory Colpart <reg@evolix.fr> & Benoit Serie <bserie@evolix.fr>
|
||||
# chroot script for OpenSSH
|
||||
# $Id: chroot-ssh.sh,v 1.12 2010-07-02 17:40:29 gcolpart Exp $
|
||||
# Chroot script for EvoBackup/OpenSSH
|
||||
|
||||
# new version tested only on Debian Wheezy amd64
|
||||
# Start :
|
||||
# Tested only on Debian Wheezy/Jessie amd64
|
||||
# Start:
|
||||
# chroot /backup/jails/myserver mount -t proc proc-chroot /proc/
|
||||
# chroot /backup/jails/myserver mount -t devtmpfs udev /dev/
|
||||
# chroot /backup/jails/myserver mount -t devpts devpts-chroot /dev/pts/
|
||||
# chroot /backup/jails/myserver /usr/sbin/sshd > /dev/null
|
||||
# Reload: kill -HUP `chroot /backup/jails/myserver cat /var/run/sshd.pid`
|
||||
# Stop: kill -9 `chroot /backup/jails/myserver cat /var/run/sshd.pid`
|
||||
# Reload:
|
||||
# kill -HUP $(chroot /backup/jails/myserver cat /var/run/sshd.pid)
|
||||
# Stop:
|
||||
# kill -9 $(chroot /backup/jails/myserver cat /var/run/sshd.pid)
|
||||
# Restart:
|
||||
# kill -9 `chroot /backup/jails/myserver cat /var/run/sshd.pid`
|
||||
# kill -9 $(chroot /backup/jails/myserver cat /var/run/sshd.pid)
|
||||
# chroot /backup/jails/myserver /usr/sbin/sshd > /dev/null
|
||||
|
||||
# After *each* ssh upgrade or libs upgrade:
|
||||
# sh chroot-ssh.sh updateall
|
||||
# sh chroot-ssh.sh updateall
|
||||
# And restart all sshd daemons
|
||||
|
||||
# We suppose jails are all in /backup/jails...
|
||||
|
@ -35,10 +36,10 @@ usage() {
|
|||
cat <<EOT
|
||||
|
||||
Add an OpenSSH chroot.
|
||||
Usage: $0 -n chroot-dir -i ip -p port -k pub-key-path
|
||||
Usage: $0 -n chroot-name -i ip -p port -k pub-key-path
|
||||
|
||||
Mandatory parameters:
|
||||
-n: directory of chroot
|
||||
-n: name of chroot
|
||||
|
||||
Optional parameters:
|
||||
-i: IP address of the client machine.
|
||||
|
@ -75,7 +76,7 @@ for dbin in /bin/bash /bin/cat /bin/chown /bin/mknod /bin/rm \
|
|||
/usr/lib/openssh/sftp-server; do
|
||||
|
||||
cp -f $dbin $chrootdir/$dbin;
|
||||
for lib in `ldd $dbin | cut -d">" -f2 | cut -d"(" -f1`; do
|
||||
for lib in $(ldd $dbin | grep -Eo "/.*so.[0-9\.]+"); do
|
||||
cp -p $lib $chrootdir/$lib
|
||||
done
|
||||
done
|
||||
|
@ -104,6 +105,9 @@ while getopts ':n:i:p:k:' opt; do
|
|||
esac
|
||||
done
|
||||
|
||||
# Complete path to chroot dir.
|
||||
chrootdir=${BACKUP_PATH}/${jail}
|
||||
|
||||
# Verify parameters.
|
||||
if [ -z $jail ];
|
||||
then
|
||||
|
@ -111,7 +115,7 @@ then
|
|||
exit 1
|
||||
fi
|
||||
# Test if the chroot exists.
|
||||
if [ -e $jail ]; then
|
||||
if [ -e $chrootdir ]; then
|
||||
echo "Error, directory to chroot already exists!"
|
||||
exit 1
|
||||
fi
|
||||
|
@ -120,7 +124,7 @@ if [ -n "$pub_key_path" ] && [ ! -f "$pub_key_path" ]; then
|
|||
echo "Public key $pub_key_path not found."
|
||||
exit 1
|
||||
fi
|
||||
# Try to guess the next port
|
||||
# Try to guess the next SSH port.
|
||||
if [ "$port" = "guess" ]; then
|
||||
port=$(grep -h Port ${BACKUP_PATH}/*/etc/ssh/sshd_config 2>/dev/null \
|
||||
| grep -Eo [0-9]+ | sort -n | tail -1)
|
||||
|
@ -131,10 +135,11 @@ if [ "$port" = "guess" ]; then
|
|||
fi
|
||||
fi
|
||||
|
||||
# Used for updating jails.
|
||||
if [ "$jail" = "updateall" ]; then
|
||||
|
||||
for i in `ls -1 ${BACKUP_PATH}/*/lib/x86_64-linux-gnu/libnss_compat.so.2`; do
|
||||
chrootdir=`echo $i | cut -d"/" -f1,2,3,4`
|
||||
for i in $(ls -1 ${BACKUP_PATH}/*/lib/x86_64-linux-gnu/libnss_compat.so.2); do
|
||||
chrootdir=$(echo $i | cut -d"/" -f1,2,3,4)
|
||||
echo -n "Updating $chrootdir ..."
|
||||
bincopy $chrootdir
|
||||
echo "...Done!"
|
||||
|
@ -142,52 +147,40 @@ if [ "$jail" = "updateall" ]; then
|
|||
|
||||
else
|
||||
|
||||
# where is jail
|
||||
chrootdir=$jail
|
||||
|
||||
# Creation of the jail.
|
||||
mkdir -p $chrootdir
|
||||
chown root:root $chrootdir
|
||||
umask 022
|
||||
# create jail
|
||||
|
||||
echo -n "1 - Creating the chroot..."
|
||||
|
||||
mkdir -p $chrootdir/{bin,dev,etc/ssh,lib,lib64,proc}
|
||||
mkdir -p $chrootdir/lib/{x86_64-linux-gnu,tls/i686/cmov,i686/cmov}
|
||||
mkdir -p $chrootdir/usr/{bin,lib,sbin}
|
||||
mkdir -p $chrootdir/usr/lib/{x86_64-linux-gnu,openssh,i686/cmov}
|
||||
mkdir -p $chrootdir/root/.ssh && chmod 700 $chrootdir/root/.ssh
|
||||
mkdir -p $chrootdir/var/{log,run/sshd}
|
||||
touch $chrootdir/var/log/{authlog,lastlog,messages,syslog}
|
||||
touch $chrootdir/etc/fstab
|
||||
|
||||
mkdir -p $chrootdir/{bin,dev,etc/ssh,lib,lib64,proc}
|
||||
mkdir -p $chrootdir/lib/{x86_64-linux-gnu,tls/i686/cmov,i686/cmov}
|
||||
mkdir -p $chrootdir/usr/{bin,lib,sbin}
|
||||
mkdir -p $chrootdir/usr/lib/{x86_64-linux-gnu,openssh,i686/cmov}
|
||||
mkdir -p $chrootdir/root/.ssh && chmod 700 $chrootdir/root/.ssh
|
||||
mkdir -p $chrootdir/var/{log,run/sshd}
|
||||
touch $chrootdir/var/log/{authlog,lastlog,messages,syslog}
|
||||
touch $chrootdir/etc/fstab
|
||||
echo "...OK"
|
||||
|
||||
echo -n "2 - Copying essential files..."
|
||||
|
||||
cp /proc/devices $chrootdir/proc
|
||||
|
||||
cp /etc/ssh/{ssh_host_rsa_key,ssh_host_dsa_key} $chrootdir/etc/ssh/
|
||||
cp etc/sshd_config $chrootdir/etc/ssh/
|
||||
cp etc/passwd $chrootdir/etc/
|
||||
cp etc/shadow $chrootdir/etc/
|
||||
cp etc/group $chrootdir/etc/
|
||||
|
||||
cp /proc/devices $chrootdir/proc
|
||||
cp /etc/ssh/{ssh_host_rsa_key,ssh_host_dsa_key} $chrootdir/etc/ssh/
|
||||
cp etc/sshd_config $chrootdir/etc/ssh/
|
||||
cp etc/passwd $chrootdir/etc/
|
||||
cp etc/shadow $chrootdir/etc/
|
||||
cp etc/group $chrootdir/etc/
|
||||
echo "...OK"
|
||||
|
||||
echo -n "3 - Copying binaries..."
|
||||
|
||||
bincopy $chrootdir
|
||||
|
||||
bincopy $chrootdir
|
||||
echo "...OK"
|
||||
|
||||
echo -n "4 - Configuring the chroot..."
|
||||
|
||||
[ -n "$port" ] && [ "$port" != "guess" ] && sed -i "s/^Port 2222/Port ${port}/" ${jail}/etc/ssh/sshd_config
|
||||
[ -n "$ip" ] && sed -i "s/IP/$ip/g" ${jail}/etc/ssh/sshd_config
|
||||
touch ${jail}/root/.ssh/authorized_keys && chmod 600 ${jail}/root/.ssh/authorized_keys && chown -R root:root ${jail}/root/.ssh/
|
||||
[ -n "$pub_key_path" ] && cat $pub_key_path >> ${jail}/root/.ssh/authorized_keys
|
||||
|
||||
[ -n "$port" ] && [ "$port" != "guess" ] && sed -i "s/^Port 2222/Port ${port}/" ${chrootdir}/etc/ssh/sshd_config
|
||||
[ -n "$ip" ] && sed -i "s/IP/$ip/g" ${chrootdir}/etc/ssh/sshd_config
|
||||
touch ${chrootdir}/root/.ssh/authorized_keys && chmod 600 ${chrootdir}/root/.ssh/authorized_keys && chown -R root:root ${chrootdir}/root/.ssh/
|
||||
[ -n "$pub_key_path" ] && cat $pub_key_path >> ${chrootdir}/root/.ssh/authorized_keys
|
||||
echo "...OK"
|
||||
|
||||
echo ""
|
||||
|
|
Loading…
Reference in a new issue