Merge improvements from Benoit (part 1)

2014-05-28 16:04:42 +02:00 · 2014-05-28 16:04:42 +02:00 · 80fc96a17f
parent d494400364
commit 80fc96a17f
3 changed files with 146 additions and 77 deletions
--- a/chroot-ssh.sh
+++ b/chroot-ssh.sh
@ -1,21 +1,10 @@
 #!/bin/bash

-# Gregory Colpart <reg@evolix.fr>
+# Gregory Colpart <reg@evolix.fr> & Benoit Serie <bserie@evolix.fr>
 # chroot script for OpenSSH
 # $Id: chroot-ssh.sh,v 1.12 2010-07-02 17:40:29 gcolpart Exp $

-# tested on Debian Etch and recently on Lenny
-# Exec this script for jail creation:
-# ./chroot-ssh.sh /backup/jails/myserver 
-# Note: etc/{sshd_config,group,passwd} files should be present
-
-# For Etch
-# Start: chroot /backup/jails/myserver /usr/sbin/sshd > /dev/null
-# Reload: kill -HUP `chroot /backup/jails/myserver cat /var/run/sshd.pid`
-# Stop: kill -9 `chroot /backup/jails/myserver cat /var/run/sshd.pid`
-# Restart: Stop + Start
-
-# For Lenny
+# new version tested only on Debian Wheezy amd64
 # Start :
 #  chroot /backup/jails/myserver mount -t proc proc-chroot /proc/
 #  chroot /backup/jails/myserver mount -t devpts devpts-chroot /dev/pts/
@ -30,17 +19,61 @@
 # sh chroot-ssh.sh updateall
 # And restart all sshd daemons

+# We suppose jails are all in /backup/jails...
+BACKUP_PATH='/backup/jails'
+
+# Are we root?
+id=$(id -u)
+if [ $id != 0 ]; then
+    echo "Error, you need to be root to install EvoBackup!"
+    exit 1
+fi
+
+usage() {
+
+    cat <<EOT
+
+Add an OpenSSH chroot.
+Usage: $0 -n chroot-dir -i ip -p port -k pub-key-path
+
+Mandatory parameters:
+-n: directory of chroot
+
+Optional parameters:
+-i: IP address of the client machine.
+-k: Path to the SSH public key of the client machine.
+-p: SSH port which chroot/jail will listen on.
+    If you set "guess", port will be guessed if there is already one chroot.
+
+EOT
+
+}
+
 bincopy() {

 chrootdir=$1

-# TODO : better detection of amd64 arch
-cp -f /lib/ld-linux.so.2 $chrootdir/lib/ || cp -f /lib64/ld-linux-x86-64.so.2 $chrootdir/lib64/
-cp /lib/libnss* $chrootdir/lib/
+# TODO : better detection of amd64 arch (or support only amd64...)
+cp -f /lib/ld-linux.so.2 $chrootdir/lib/ 2>/dev/null \
+    || cp -f /lib64/ld-linux-x86-64.so.2 $chrootdir/lib64/
+
+release=$(lsb_release -s -c)
+if [ "$release" = "squeeze" ]; then
+    cp /lib/libnss* $chrootdir/lib/
+else
+    if [ "$release" = "wheezy" ]; then
+        cp /lib/x86_64-linux-gnu/libnss* $chrootdir/lib/x86_64-linux-gnu/
+    else
+        # Others? Not tested...
+        cp /lib/x86_64-linux-gnu/libnss* $chrootdir/lib/x86_64-linux-gnu/
+    fi
+fi
+
+for dbin in /bin/bash /bin/cat /bin/chown /bin/mknod /bin/rm \
+    /bin/sed /bin/sh /bin/uname /bin/mount /usr/bin/rsync /usr/sbin/sshd \
+    /usr/lib/openssh/sftp-server; do

-for dbin in /bin/bash /bin/cat /bin/chown /bin/mknod /bin/rm /bin/sed /bin/sh /bin/uname /bin/mount /usr/bin/rsync /usr/sbin/sshd /usr/lib/openssh/sftp-server; do
    cp -f $dbin $chrootdir/$dbin;
-    # (comme dans http://www.gcolpart.com/hacks/chroot-bind.sh)
    for lib in `ldd $dbin | cut -d">" -f2 | cut -d"(" -f1`; do
        cp -p $lib $chrootdir/$lib
    done
@ -48,80 +81,116 @@ done

 }

-# synopsis
-if [ $# -ne 1 ]; then
-	echo "Vous devez indiquer un repertoire."
-	echo "Exemple : chroot-ssh.sh /backup/jails/myserver"
-	exit 0
+
+while getopts ':n:i:p:k:' opt; do
+    case $opt in
+    n)
+        jail=$OPTARG
+    ;;
+    i)
+        ip=$OPTARG
+    ;;
+    p)
+        port=$OPTARG
+    ;;
+    k)
+        pub_key_path=$OPTARG
+    ;;
+    ?)
+        usage
+    exit 1
+    ;;
+    esac
+done
+
+# Verify parameters.
+if [ -z $jail ];
+then
+    usage
+    exit 1
+fi
+# Test if the chroot exists.
+if [ -e $jail ]; then
+    echo "Error, directory to chroot already exists!"
+    exit 1
+fi
+# Verify the presence of the public key.
+if [ -n "$pub_key_path" ] && [ ! -f "$pub_key_path" ]; then
+    echo "Public key $pub_key_path not found."
+    exit 1
+fi
+# Try to guess the next port
+if [ "$port" = "guess" ]; then
+    port=$(grep -h Port ${BACKUP_PATH}/*/etc/ssh/sshd_config 2>/dev/null \
+            | grep -Eo [0-9]+ | sort -n | tail -1)
+    port=$((port+1)) 
+    if [ ! $port -gt 1 ]; then
+        echo "Sorry, port cannot be guessed."
+        exit 1
+    fi
 fi

-# are u root?
-if [ `whoami` != "root" ]; then
-	echo "Vous devez executer le script en étant root."
-	exit 0
-fi
+if [ "$jail" = "updateall" ]; then

-
-if [ -e $1 ]; then
-	echo "Le repertoire $1 existe deja..."
-fi
-
-if [ "$1" = "updateall" ]; then
-
-    for i in `ls -1 /backup/jails/*/lib/libnss_compat.so.2`; do
+    for i in `ls -1 ${BACKUP_PATH}/*/lib/x86_64-linux-gnu/libnss_compat.so.2`; do
        chrootdir=`echo $i | cut -d"/" -f1,2,3,4`
-        echo -n "MaJ $chrootdir ..."
+        echo -n "Updating $chrootdir ..."
        bincopy $chrootdir
-        echo "...OK"
+        echo "...Done!"
    done

 else

 # where is jail
-chrootdir=$1
+chrootdir=$jail

 mkdir -p $chrootdir
 chown root:root $chrootdir
-
 umask 022
-
 # create jail

-echo -n "1 - Creation de la prison..."
+echo -n "1 - Creating the chroot..."

-	mkdir -p $chrootdir/{bin,dev,etc/ssh,lib,lib64,proc}
-	mkdir -p $chrootdir/lib/{x86_64-linux-gnu,tls/i686/cmov,i686/cmov}
-	mkdir -p $chrootdir/usr/{bin,lib,sbin}
-	mkdir -p $chrootdir/usr/lib/{x86_64-linux-gnu,openssh,i686/cmov}
-	mkdir -p $chrootdir/root/.ssh
-	mkdir -p $chrootdir/var/{log,run/sshd}
-
-	touch $chrootdir/var/log/{authlog,lastlog,messages,syslog}
-	touch $chrootdir/etc/fstab
+    mkdir -p $chrootdir/{bin,dev,etc/ssh,lib,lib64,proc}
+    mkdir -p $chrootdir/lib/{x86_64-linux-gnu,tls/i686/cmov,i686/cmov}
+    mkdir -p $chrootdir/usr/{bin,lib,sbin}
+    mkdir -p $chrootdir/usr/lib/{x86_64-linux-gnu,openssh,i686/cmov}
+    mkdir -p $chrootdir/root/.ssh
+    mkdir -p $chrootdir/var/{log,run/sshd}
+    touch $chrootdir/var/log/{authlog,lastlog,messages,syslog}
+    touch $chrootdir/etc/fstab

 echo "...OK"

-echo -n "2 - Copie des donnees..."
-	cp /proc/devices $chrootdir/proc
+echo -n "2 - Copying essential files..."

-	cp /etc/ssh/{ssh_host_rsa_key,ssh_host_dsa_key} $chrootdir/etc/ssh/
-	cp etc/sshd_config $chrootdir/etc/ssh/
-	cp etc/passwd $chrootdir/etc/
-	cp etc/shadow $chrootdir/etc/
-	cp etc/group  $chrootdir/etc/
+    cp /proc/devices $chrootdir/proc

-echo ".......OK"
+    cp /etc/ssh/{ssh_host_rsa_key,ssh_host_dsa_key} $chrootdir/etc/ssh/
+    cp etc/sshd_config $chrootdir/etc/ssh/
+    cp etc/passwd $chrootdir/etc/
+    cp etc/shadow $chrootdir/etc/
+    cp etc/group  $chrootdir/etc/

-echo -n "3 - Copie des binaires..."
+echo "...OK"

-bincopy $chrootdir
+echo -n "3 - Copying binaries..."

-echo "......OK"
+    bincopy $chrootdir

-echo -n "4 - Termine."
+echo "...OK"

-# end
+echo -n "4 - Configuring the chroot..."

+    [ -n "$port" ] && [ "$port" != "guess" ] && sed -i "s/^Port 2222/Port ${port}/" ${jail}/etc/ssh/sshd_config
+    [ -n "$ip" ] && sed -i "s/IP/$ip/g" ${jail}/etc/ssh/sshd_config
+    [ -n "$pub_key_path" ] && cat $pub_key_path > ${jail}/root/.ssh/authorized_keys \
+     &&  chmod -R 600 ${jail}/root/.ssh/ && chown -R root:root ${jail}/root/.ssh/
+
+echo "...OK"
+
+echo ""
+echo "Done. OpenSSH chroot added! Restart evobackup service."
 echo ""

 fi
--- a/evobackup-inc.sh
+++ b/evobackup-inc.sh
@ -4,8 +4,8 @@
 # Evolix (c) 2007

 CONFDIR=/etc/evobackup/
-DATE=$(date +"%d-%m-%Y")
-LOGFILE=/var/log/evobackup-sync.log
+DATE=$(date +"%Y-%m-%d-%H")
+LOGFILE=/var/log/evobackup-incs.log
 TMPDIR=/tmp/evobackup/
 JAILDIR=/backup/jails/
 INCDIR=/backup/incs/
@ -16,12 +16,12 @@ mkdir -p $TMPDIR
 for i in $( ls $CONFDIR ); do

        # hard copy everyday
-	echo -n "hard copy $i begins at : " >> $LOGFILE
-	/bin/date +"%d-%m-%Y ; %H:%M" >> $LOGFILE
+    echo -n "hard copy $i begins at : " >> $LOGFILE
+    /bin/date +"%d-%m-%Y ; %H:%M" >> $LOGFILE
        mkdir -p "$INCDIR"$i
        cp -alx $JAILDIR$i $INCDIR$i/$DATE
-	echo -n "hard copy $i ends at : " >> $LOGFILE
-	/bin/date +"%d-%m-%Y ; %H:%M" >> $LOGFILE
+    echo -n "hard copy $i ends at : " >> $LOGFILE
+    /bin/date +"%d-%m-%Y ; %H:%M" >> $LOGFILE

 done | tee -a $LOGFILE | mail -s "[info] EvoBackup - create incs" $MYMAIL

--- a/evobackup-rm.sh
+++ b/evobackup-rm.sh
@ -4,7 +4,7 @@
 # Evolix (c) 2007

 CONFDIR=/etc/evobackup/
-DATE=$(date +"%d-%m-%Y")
+DATE=$(date +"%Y-%m-%d")
 LOGFILE=/var/log/evobackup-sync.log
 TMPDIR=/tmp/evobackup/
 JAILDIR=/backup/jails/
@ -24,17 +24,17 @@ for i in $( ls $CONFDIR ); do
        for j in $( cat $CONFDIR$i ); do
                MYDATE=$( echo $j | cut -d. -f1 )
                BEFORE=$( echo $j | cut -d. -f2 )
-                date -d "$(date $MYDATE) $BEFORE" "+%d-%m-%Y"
+                date -d "$(date $MYDATE) $BEFORE" "+%Y-%m-%d"
        done  > "$TMPDIR"$i.keep

        # delete obsolete inc backups
        for j in $( grep -v -f "$TMPDIR"$i.keep "$TMPDIR"$i.files ); do
-		echo -n "Delete $i/$j begins at : " >> $LOGFILE
-		/bin/date +"%d-%m-%Y ; %H:%M" >> $LOGFILE
+        echo -n "Delete $i/$j begins at : " >> $LOGFILE
+        /bin/date +"%d-%m-%Y ; %H:%M" >> $LOGFILE
                cd $INCDIR$i
-                rm -rf $j
-		echo -n "Delete $i/$j ends at : " >> $LOGFILE
-		/bin/date +"%d-%m-%Y ; %H:%M" >> $LOGFILE
+                [ -n "$j" ] && rm -rf $j*
+        echo -n "Delete $i/$j ends at : " >> $LOGFILE
+        /bin/date +"%d-%m-%Y ; %H:%M" >> $LOGFILE
        done

 done | tee -a $LOGFILE | mail -s "[info] EvoBackup - purge incs" $MYMAIL