Hello List -
I googled around on this subject for quite some time, tried several example setups and got it to work. The only problem is that the sftp user can still move around the file system.
I used the following script:
#!/bin/sh
#####################################################################
#####################################################################
##
## mkchroot.sh - set up a chroot jail.
##
##
##
#
# modified 090407 from orig. [no sender] to work for solaris 9 environment.
#
fail() {
echo "`basename $0`: fatal error" >&2
echo "$1" >&2
exit $2
}
#####################################################################
#
# Initialize - handle command-line args, and set up variables and such.
#
# $1 is the directory to make the root of the chroot jail (required)
# $2, if given, is the user who should own the jail (optional)
# $3, if given, is the permissions on the directory (optional)
#
# added for solaris to find whoami
PATH=$PATH:/usr/ucb
export PATH
if [ -z "$1" ]; then
echo "`basename $0`: error parsing command line" >&2
echo " You must specify a directory to use as the chroot jail." >&2
exit 1
fi
jail_dir="$1"
if [ -n "$2" ]; then
owner="$2"
fi
if [ -n "$3" ]; then
perms="$3"
fi
#####################################################################
#
# build the jail
#
# now make the directory
if [ ! -d "$jail_dir" ]; then
echo "Creating root jail directory."
mkdir -p "$jail_dir"
if [ $? -ne 0 ]; then
echo " `basename $0`: error creating jail directory." >&2
echo "Check permissions on parent directory." >&2
exit 2
fi
fi
if [ -n "$owner" -a `whoami` = "root" ]; then
echo "Setting owner of jail."
chown "$owner" "$jail_dir"
if [ $? -ne 0 ]; then
echo " `basename $0`: error changing owner of jail directory." >&2
exit 3
fi
else
echo "NOT changing owner of root jail. \c"
if [ `whoami` != "root" ]; then
echo "You are not root."
else
echo
fi
fi
if [ -n "$perms" -a `whoami` = "root" ]; then
echo "Setting permissions of jail."
chmod "$perms" "$jail_dir"
if [ $? -ne 0 ]; then
echo " `basename $0`: error changing perms of jail directory." >&2
exit 3
fi
else
echo "NOT changing perms of root jail. \c"
if [ `whoami` != "root" ]; then
echo "You are not root."
else
echo
fi
fi
# copy SSH files
scp_path="/usr/local/bin/scp"
sftp_server_path="/usr/local/libexec/sftp-server"
rssh_path="/usr/local/bin/rssh"
chroot_helper_path="/usr/local/libexec/rssh_chroot_helper"
# added for solaris in order for wordexp() to work
system_shell_path="/bin/ksh"
for jail_path in `dirname "$jail_dir$scp_path"` \
`dirname "$jail_dir$sftp_server_path"` \
`dirname "$jail_dir$chroot_helper_path"` \
`dirname "$jail_dir$rssh_path"` \
`dirname "$jail_dir$system_shell_path"`; do
echo "setting up $jail_path"
if [ ! -d "$jail_path" ]; then
mkdir -p "$jail_path" || \
fail "Error creating $jail_path. Exiting." 4
fi
done
cp "$scp_path" "$jail_dir$scp_path" || \
fail "Error copying $scp_path. Exiting." 5
cp "$sftp_server_path" "$jail_dir$sftp_server_path" || \
fail "Error copying $sftp_server_path. Exiting." 5
cp "$rssh_path" "$jail_dir$rssh_path" || \
fail "Error copying $rssh_path. Exiting." 5
cp "$chroot_helper_path" "$jail_dir$chroot_helper_path" || \
fail "Error copying $chroot_helper_path. Exiting." 5
cp "$system_shell_path" "$jail_dir$system_shell_path" || \
fail "Error copying $system_shell_path. Exiting." 5
#####################################################################
#
# identify and copy libraries needed in the jail
#
for prog in $scp_path $sftp_server_path $rssh_path $chroot_helper_path \
$system_shell_path; do
echo "Copying libraries for $prog."
libs=`ldd $prog | tr -s ' ' | cut -d' ' -f3`
for lib in $libs; do
mkdir -p "$jail_dir`dirname $lib`"
echo " $lib"
cp "$lib" "$jail_dir$lib"
done
done
echo "copying name service resolution libraries..."
#tar -cf - /lib/libnss_files* /lib/libnss1_files* | ( cd $jail_dir ; tar -xvf - | sed 's/^/\t/' )
(cd / ; tar -cf - ./usr/lib/nss_files*) | ( cd "$jail_dir" ; tar -xpvf - | sed 's/^/ /' )
#####################################################################
#
# copy config files for the dynamic linker, nsswitch.conf, and the passwd file
#
echo "Setting up /etc in the chroot jail"
mkdir -p "$jail_dir/etc"
cp /etc/nsswitch.conf "$jail_dir/etc/"
cp /etc/passwd "$jail_dir/etc/"
#cp /etc/ld.* "$jail_dir/etc/"
# added for solaris dynamic linker
cp -p /usr/lib/ld.so.1 $jail_dir/usr/lib
echo "Chroot jail configuration completed."
#echo "\nNOTE: if you are not using the passwd file for authentication,"
#echo "you may need to copy some of the /lib/libnss_* files into the jail.\n"
#####################################################################
#
# set up /dev/log
#
#
#mkdir -p "$jail_dir/dev"
#
#echo "NOTE: you must MANUALLY edit your syslog rc script to start syslogd"
#echo "with appropriate options to log to $jail_dir/dev/log. In most cases,"
#echo "you will need to start syslog as:\n"
#echo " /sbin/syslogd -a $jail_dir/dev/log\n"
#
#echo "NOTE: we make no guarantee that ANY of this will work for you... \c"
#echo "if it\ndoesn't, you're on your own. Sorry!\n"
>>>>> snip <<<<
There were several small problems to begin with, but I fixed them so you can run it on Solaris 9.
This script will only set up the jail, but not a user.
Can somebody give me an example of how to set up the chroot jail on Solaris 9 the right way, including how to add users? It has to be safe: the sftp users can only see their chroot home directory.
Thank YOU.
Ralf Wiegand
_______________________________________________
rssh-discuss mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/rssh-discuss
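Two things the script above leaves to the reader are worth checking before any user is put into the jail: every directory from / down to the jail root must be owned by root and not writable by group or others (a writable component lets a local user replace the jail with one of their own), and the jail only needs passwd entries for the users who live in it, not a copy of the whole /etc/passwd. The POSIX sh helpers below are an added example (mine, not from Ralf's post or the rssh project's mkchroot.sh); the function names, the sample passwd lines and the /chroot paths are constructed, and the code assumes `ls -ld` prints mode, link count and owner as its first three fields, as it does on Solaris 9 and Linux. On Solaris 9 run it under ksh or /usr/xpg4/bin/sh, since the old /bin/sh does not understand `$(...)`.

```shell
#!/bin/sh
# Added example (not from the original post or the rssh project): audit
# helpers for an rssh/sftp chroot jail. Needs only ls, dirname, awk, printf.

# dir_line_ok LINE
# LINE is one line of 'ls -ld DIR' output (mode, links, owner, ...).
# Returns 0 when the entry is a directory owned by root that neither group
# nor others can write. Every component of a chroot path should pass this.
dir_line_ok() {
    set -f                 # no globbing while the line is split into fields
    set -- $1
    set +f
    _mode=$1
    _owner=$3
    [ "$_owner" = root ] || return 1
    case "$_mode" in
        d????w*)    return 1 ;;   # char 6: group write bit set
        d???????w*) return 1 ;;   # char 9: world write bit set (e.g. /tmp's drwxrwxrwt)
        d*)         return 0 ;;
        *)          return 1 ;;   # not a directory at all
    esac
}

# check_jail_path DIR
# Walks from DIR up to / and applies dir_line_ok to each component.
# Prints every failing component on stderr; returns 0 only if all pass.
check_jail_path() {
    _dir=$1
    _rc=0
    while :; do
        if ! dir_line_ok "$(ls -ld "$_dir")"; then
            echo "unsafe jail component: $_dir" >&2
            _rc=1
        fi
        [ "$_dir" = / ] && break
        _dir=$(dirname "$_dir")
    done
    return $_rc
}

# jail_passwd USERS < /etc/passwd
# Prints only the passwd lines the jail needs: root plus the space-separated
# USERS. Copying the whole /etc/passwd into the jail, as mkchroot.sh does,
# hands every account name on the host to anyone who gets into the jail.
jail_passwd() {
    awk -F: -v users="root $1" '
        BEGIN { n = split(users, u, " "); for (i = 1; i <= n; i++) keep[u[i]] = 1 }
        ($1 in keep) { print }
    '
}

# Constructed usage: sh jailcheck.sh /chroot alice bob
# Audits the jail path, then prints the passwd lines to install as
# /chroot/etc/passwd. Nothing runs when no arguments are given.
if [ $# -ge 1 ]; then
    _jail=$1
    shift
    if check_jail_path "$_jail"; then
        echo "jail path $_jail: ok"
    fi
    jail_passwd "$*" < /etc/passwd
fi
```

The audit is deliberately read-only: it reports, and the administrator fixes ownership with chown/chmod by hand, so a typo in the jail path cannot change permissions on the wrong tree.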