Thread: (resend) Update/modernize mkchroot.sh
Brought to you by:
xystrus
From: Ben W. <bw...@ar...> - 2011-07-13 13:26:39
Hi All,

[Sorry for the resend. I mucked up my git send-email stuff somehow...]

I installed rssh on a RHEL5 host yesterday and set up a chroot jail for a special purpose account. Although I got it running, the mkchroot.sh script needed a bit of help to get it all done. After figuring out what the script was not doing for me, I modified it with the patches that will follow this mail so that it runs without error and sets up a working environment on RHEL5. The changes I made _should_ be compatible with older machines too.

I hope these patches are useful. They're based on the 2.3.3 tarball download as anonymous cvs at sourceforge has been disabled.

Thanks
-Ben
From: Ben W. <bw...@ar...> - 2011-07-13 13:26:40
The linux-gate library is a virtual library injected by the kernel. It doesn't actually exist. The tr | cut filter was grabbing the memory address and then creating $jail_dir. (including the .) when trying to copy this library in. Signed-off-by: Ben Walton <bw...@ar...> --- mkchroot.sh | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/mkchroot.sh b/mkchroot.sh index 9e17d5d..ee98ed8 100755 --- a/mkchroot.sh +++ b/mkchroot.sh @@ -128,7 +128,7 @@ cp "$chroot_helper_path" "$jail_dir$chroot_helper_path" || \ for prog in $scp_path $sftp_server_path $rssh_path $chroot_helper_path; do echo "Copying libraries for $prog." - libs=`ldd $prog | tr -s ' ' | cut -d' ' -f3` + libs=`ldd $prog | grep -v linux-gate | tr -s ' ' | cut -d' ' -f3` for lib in $libs; do mkdir -p "$jail_dir$(dirname $lib)" echo -e "\t$lib" -- 1.7.4.1 |
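Review bot: `grep -v linux-gate` drops only the 32-bit vDSO name; on an x86_64 host ldd reports the kernel-provided object as `linux-vdso.so.1`, which this filter keeps, so `cut -d' ' -f3` again yields the load address and the loop goes on to `mkdir -p "$jail_dir$(dirname $lib)"` with a bogus path. The loader line (`/lib/ld-linux.so.2 (0x...)`) has no `=>` either, so field 3 is an address or empty for it as well. Filtering on the shape of the line rather than on a name is more robust, e.g. `libs=\`ldd $prog | awk '$2 == "=>" && $3 ~ /^\// { print $3 }'\``, which keeps only entries that resolve to an on-disk path and also drops `=> not found` entries instead of feeding them into the loop.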
From: Ben W. <bw...@ar...> - 2011-07-13 13:26:40
The linker/loader shared objects must exist inside the jail for things to function properly. These files aren't picked up by the ldd import loop as the output format of ldd differs for this special library. Copy it in explicitly. Signed-off-by: Ben Walton <bw...@ar...> --- mkchroot.sh | 4 ++++ 1 files changed, 4 insertions(+), 0 deletions(-) diff --git a/mkchroot.sh b/mkchroot.sh index e765e2f..ba141b9 100755 --- a/mkchroot.sh +++ b/mkchroot.sh @@ -136,6 +136,10 @@ for prog in $scp_path $sftp_server_path $rssh_path $chroot_helper_path; do done done +# the loop above doesn't grab ld-linux which is needed by every binary +echo "Copying the linker loader (ld-linux...)" +cp -p /lib/ld-* "$jail_dir/lib" + echo "copying name service resolution libraries..." tar -cf - /lib/libnss*_files* | tar -C "$jail_dir" -xvf - |sed 's/^/\t/' -- 1.7.4.1 |
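Review bot: `cp -p /lib/ld-* "$jail_dir/lib"` hardcodes `/lib`, so on an x86_64 host whose loader is `/lib64/ld-linux-x86-64.so.2` it copies whatever 32-bit loader happens to be in `/lib`, or fails on an unexpanded glob if there is none, and it assumes `$jail_dir/lib` already exists, which the loop above only guarantees if some library it found lived under `/lib`. The failure is also unchecked, unlike the `cp "$chroot_helper_path" "$jail_dir$chroot_helper_path" || \` line earlier in the script. Consider taking the loader path from the ldd output itself (the line whose first field is an absolute path, e.g. `ldd $prog | awk '$1 ~ /^\// { print $1 }'`), creating its directory with `mkdir -p "$jail_dir$(dirname $ld)"`, and copying it with the same `||` error handling as the chroot helper copy.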
From: Ben W. <bw...@ar...> - 2011-07-13 13:26:40
The scp program requires /dev/null. Ensure we create it inside the jail using the major/minor device numbers of the real device. Signed-off-by: Ben Walton <bw...@ar...> --- mkchroot.sh | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) diff --git a/mkchroot.sh b/mkchroot.sh index d2abae5..5b91b51 100755 --- a/mkchroot.sh +++ b/mkchroot.sh @@ -161,6 +161,8 @@ echo -e "you may need to copy some of the /lib/libnss_* files into the jail.\n" # mkdir -p "$jail_dir/dev" +echo "Creating /dev/null inside the jail." +mknod -m 0666 "${jail_dir}/dev/null" c $(stat --format "%t %T" /dev/null) echo -e "NOTE: you must MANUALLY edit your syslog rc script to start syslogd" echo -e "with appropriate options to log to $jail_dir/dev/log. In most cases," -- 1.7.4.1 |
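Review bot: `stat --format "%t %T"` prints the major and minor numbers in hexadecimal without a `0x` prefix. For `/dev/null` (1, 3 on Linux) that is identical to decimal, so the call works here, but the idiom silently breaks if it is reused for any device with a number of 10 or above. Either hardcode the Linux-stable `mknod -m 0666 "${jail_dir}/dev/null" c 1 3` or convert explicitly, e.g. `c $((0x$(stat -c %t /dev/null))) $((0x$(stat -c %T /dev/null)))`. Also guard the call with `[ -e "${jail_dir}/dev/null" ] ||` so that rerunning the script does not abort on the existing node, and keep in mind that the node is unusable if `$jail_dir` sits on a filesystem mounted `nodev`.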
From: Ben W. <bw...@ar...> - 2011-07-13 13:26:40
libnss1_files* seems to be a legacy thing. The files don't exist on modern Linux (RHEL5) boxes. Make the import of these files generic so that on older boxes libnss1 will still be imported but no errors will be spit out on newer ones. Signed-off-by: Ben Walton <bw...@ar...> --- mkchroot.sh | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/mkchroot.sh b/mkchroot.sh index ee98ed8..d2abae5 100755 --- a/mkchroot.sh +++ b/mkchroot.sh @@ -137,7 +137,7 @@ for prog in $scp_path $sftp_server_path $rssh_path $chroot_helper_path; do done echo "copying name service resolution libraries..." -tar -cf - /lib/libnss_files* /lib/libnss1_files* | tar -C "$jail_dir" -xvf - |sed 's/^/\t/' +tar -cf - /lib/libnss*_files* | tar -C "$jail_dir" -xvf - |sed 's/^/\t/' ##################################################################### # -- 1.7.4.1 |
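Review bot: the widened glob `/lib/libnss*_files*` still hardcodes `/lib`; on an x86_64 host the NSS modules matching the copied 64-bit binaries live in `/lib64`, so the jail gets 32-bit modules or, when nothing matches, tar receives the literal glob and fails. Deriving the directory from the libc path the ldd loop already found (the directory of `libc.so.6`) avoids both problems. Minor: `tar -cf - /lib/...` with absolute paths makes GNU tar print "Removing leading `/' from member names" on stderr, which reads like an error; `(cd / && tar -cf - lib/libnss*_files*) | tar -C "$jail_dir" -xvf -` expands the glob relative to `/` and keeps the output clean.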
From: Ben W. <bw...@ar...> - 2011-07-13 13:26:43
Use -pR when copying /etc/ld.* into the jail. Modern linux boxes may have /etc/ld.so.conf.d/ with files in that directory. We likely don't need them, but having them won't hurt. This makes the command run without error when the directory exists. Signed-off-by: Ben Walton <bw...@ar...> --- mkchroot.sh | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/mkchroot.sh b/mkchroot.sh index 5b91b51..e765e2f 100755 --- a/mkchroot.sh +++ b/mkchroot.sh @@ -148,7 +148,7 @@ echo "Setting up /etc in the chroot jail" mkdir -p "$jail_dir/etc" cp /etc/nsswitch.conf "$jail_dir/etc/" cp /etc/passwd "$jail_dir/etc/" -cp /etc/ld.* "$jail_dir/etc/" +cp -pR /etc/ld.* "$jail_dir/etc/" echo -e "Chroot jail configuration completed." echo -e "\nNOTE: if you are not using the passwd file for authentication," -- 1.7.4.1 |
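Review bot: `ld.so.conf` and `ld.so.conf.d/` are only read by ldconfig, which is never run inside the jail, so the recursive copy adds nothing the dynamic loader uses at runtime; what ld.so consults is `/etc/ld.so.cache`, which the `/etc/ld.*` glob already matched before this change. If the goal is only to stop the command from failing on the directory, `cp -p /etc/ld.so.cache /etc/ld.so.conf "$jail_dir/etc/"` is narrower and equally quiet. Either way, give the copy the same `||` failure handling the chroot helper copy has, since a stale or missing `ld.so.cache` in the jail would otherwise only show up when a binary fails to start.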
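The two ldd-related patches above (the linux-gate filter and the explicit ld-linux copy) both stem from the same problem: ldd prints the kernel-provided vDSO, the loader and ordinary libraries in three different shapes, and a field-position cut does not tell them apart. The following is an added example, not code from rssh's mkchroot.sh or from these patches: a POSIX sh/awk parser that keeps only on-disk paths from ldd output, including the loader and excluding the vDSO, with constructed sample output for a 32-bit and an x86_64 host. The function names (`ldd_paths`, `jail_libs_for`, `copy_libs_into_jail`) and the sample lines are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not part of rssh's mkchroot.sh): parse ldd output into the
# list of files that must be copied into a chroot jail.
# Assumes POSIX sh + awk and glibc-style ldd output as in the samples below.

# Print, one per line, every absolute path ldd reports for a binary:
#   "libc.so.6 => /lib64/libc.so.6 (0x...)"  -> /lib64/libc.so.6
#   "/lib64/ld-linux-x86-64.so.2 (0x...)"    -> /lib64/ld-linux-x86-64.so.2 (loader)
#   "linux-vdso.so.1 =>  (0x...)"            -> dropped (kernel-provided, not on disk)
#   "linux-gate.so.1 =>  (0x...)"            -> dropped (32-bit name of the same thing)
#   "libfoo.so => not found"                 -> dropped, reported on stderr
ldd_paths() {
    awk '
        # loader line: the first field is itself an absolute path, no "=>"
        $1 ~ /^\// { print $1; next }
        # "name => /path (addr)": keep only targets that are absolute paths
        $2 == "=>" && $3 ~ /^\// { print $3; next }
        $2 == "=>" && $3 == "not" { print "missing: " $1 > "/dev/stderr"; next }
        # vDSO lines ("=>  (0x...)") and "statically linked" fall through here
    '
}

# Run the real ldd for a binary on this host and parse it (needs a real ldd).
jail_libs_for() {
    ldd "$1" 2>/dev/null | ldd_paths
}

# Copy every library for a binary into the jail, preserving the host layout
# ("$jail_dir$lib"), the same convention mkchroot.sh uses. Any failed copy
# aborts with a non-zero status instead of leaving a half-populated jail.
copy_libs_into_jail() {
    jail_dir=$1 prog=$2
    jail_libs_for "$prog" | while read -r lib; do
        mkdir -p "$jail_dir$(dirname "$lib")" || exit 1
        cp -p "$lib" "$jail_dir$lib" || exit 1
    done
}

# Constructed sample ldd output (hypothetical, for illustration only):
# 32-bit RHEL5-style with the linux-gate vDSO ...
SAMPLE_LDD_32='	linux-gate.so.1 =>  (0x00110000)
	libcrypto.so.6 => /lib/libcrypto.so.6 (0x00111000)
	libc.so.6 => /lib/libc.so.6 (0x00253000)
	/lib/ld-linux.so.2 (0x00db6000)'

# ... and x86_64 with linux-vdso, a missing library and a /lib64 loader.
SAMPLE_LDD_64='	linux-vdso.so.1 =>  (0x00007fff3b5fe000)
	libc.so.6 => /lib64/libc.so.6 (0x00000034a0200000)
	libmissing.so.1 => not found
	/lib64/ld-linux-x86-64.so.2 (0x00000034a0000000)'

if [ "${1:-}" = "--demo" ]; then
    echo "32-bit sample:";  printf '%s\n' "$SAMPLE_LDD_32" | ldd_paths
    echo "x86_64 sample:";  printf '%s\n' "$SAMPLE_LDD_64" | ldd_paths
fi
```

Run with `--demo` to see the parsed lists for both samples; `copy_libs_into_jail /path/to/jail /usr/bin/scp` does the real copy on a host. Because the parser keys on where the absolute path appears in the line rather than on a library name, it needs no per-architecture exception list, and the loader is picked up by the same pass as the libraries, so no separate `cp /lib/ld-*` step is needed.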