
Re: chrooting rssh problem

From: Julian Heinbokel <heinbokel(at)unisport.etc.tu-bs.de>
Date: Fri Nov 02 2007 - 16:35:16 EDT


On Thursday, 1 November 2007 07:06, Russ Allbery wrote:
> "Bjorn Meyer" <bjorn.m.meyer@gmail.com> writes:
> > I am using debian 4.0. I'm having a problem with the setup. Once setup,
> > I am able to sftp or scp in to the server. However it doesn't actually
> > seem to set up the chroot. There doesn't seem to be anything logged in
> > syslog to show why. The rssh_chroot_helper doesn't seem to be run.
>
> Did you follow the instructions in /usr/share/doc/rssh/CHROOT.gz? A
> chroot isn't enabled by default since setting up the chroot environment is
> complex and requires the administrator to think about what they want to
> copy into it and what they want to expose.
>

I found the instructions in /usr/share/doc/rssh/CHROOT.gz incomplete, so after a long search I copied together this (ugly) script, but by reading it you might find the information you are missing.

(Not quite sure if the above is English, I'm not a native speaker...)

#!/bin/bash

#####################################################################
#####################################################################
##
## mkchroot.sh - set up a chroot jail.
##
## This script is modified to work for Debian 4.0 "Etch", but may work on
## other systems. Or, it may not... In fact, it may not work at all. Use at
## your own risk.  :)
##
## This is a combination of the "original" mkchroot.sh-script and the
## "setup-chrootdir-rsync.sh"-script.
## These scripts can be found in the rssh-package
## (/usr/share/doc/rssh/examples/mkchroot.sh) and in the
## libpam-chroot-package
## (/usr/share/doc/libpam-chroot/examples/setup-chrootdir-rsync.sh).
##
#####################################################################
#
# Initialize - handle command-line args, and set up variables and such.
#
# $1 is the directory to make the root of the chroot jail (required)
# $2 is the list of users to make home-dirs for
#

if [ -z "$1" -o -z "$2" ]; then

        echo "`basename $0`: error parsing command line" >&2
        echo "  You must specify a directory to use as the chroot jail and at least one user." >&2
        exit 1

fi

jail_dir="$1"
jail_users="$2"

#####################################################################
#
# build the jail
#

sftp_server_path="/usr/lib/openssh/sftp-server"

DIRECTORIES="dev home lib usr/lib/openssh"
FILES="usr/lib/openssh/sftp-server lib/ld-linux.so.2"

# now make the directory

if [ ! -d "$jail_dir" ]; then

        echo -e "\n\E[1mCreating root jail directory.\E[0m"
        mkdir -p "$jail_dir"

        if [ $? -ne 0 ]; then
                echo "  `basename $0`: error creating jail directory." >&2
                echo "Check permissions on parent directory." >&2
                exit 2
        fi

        curr_dir=`pwd`
        # stop here if the jail cannot be entered, so nothing is created
        # or copied relative to the current directory instead
        cd "$jail_dir" || exit 2

        # Create dirs
        echo -e "\nCreating jail directory-tree."
        echo -e "\t$DIRECTORIES"
        for d in $DIRECTORIES; do
                mkdir -p "$d"
        done

        # Add files
        echo -e "\nCopying rssh, sftp-server & linker."
        echo -e "\t$FILES"
        for f in $FILES; do
                cp "/$f" "$f"
        done

        cd "$curr_dir"

fi
#####################################################################
#
# identify and copy libraries needed in the jail
#

echo -e "\nCopying libraries for $sftp_server_path."
libs=`ldd "$sftp_server_path" | tr -s ' ' | cut -d' ' -f3 | grep /`
for lib in $libs; do

        mkdir -p "$jail_dir$(dirname "$lib")"
        echo -e "\t$lib"
        cp "$lib" "$jail_dir$lib"

done
#####################################################################
#
# set up /dev/null
#

echo -e "\nCreating $jail_dir/dev/null."
mknod "$jail_dir/dev/null" c 1 3 && chmod a+w "$jail_dir/dev/null"

#####################################################################
#
# set up "user-environment"
#

echo -e "\nSetting up $jail_dir/home/*."
for i in $jail_users; do
  mkdir "$jail_dir/home/$i" && chown "$i:$i" "$jail_dir/home/$i"
  echo -e "\t$jail_dir/home/$i"
done

#####################################################################
#
# some good advice...
#

echo -e "\n\E[1mChroot jail configuration completed.\E[0m\n"
echo -e "NOTE: you must MANUALLY edit your syslog rc script to start syslogd"
echo -e "with appropriate options to log to $jail_dir/dev/log."
echo -e "You will need to edit /etc/default/syslogd:"
echo -e "\tSYSLOGD=\"-a $jail_dir/dev/log\"\n"
echo -e "You will also need to edit /etc/rssh.conf and /etc/passwd.\n"
Received on Fri Nov 2 16:51:27 2007
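
Added example, not part of the original message or of the rssh package: a POSIX shell audit for a jail built by the script above. It lists files that ldd reports for the binary but that are absent from the jail (including the loader line without "=>", which the script's cut -f3 pipeline does not pick up and which the script instead copies via FILES), and paths outside home/ that group or others can write. The function names are made up for this example.

```bash
#!/bin/sh
# Added example (not from the original message): audit a jail built by the
# mkchroot.sh script above. Function names are made up for this example.

# Print every absolute path found in `ldd` output on stdin, including the
# loader line ("/lib/ld-linux.so.2 (0x...)") that has no "=>".
ldd_paths() {
    awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) { print $i; break } }'
}

# Print the paths read from stdin that do not exist below jail directory $1.
missing_in_jail() {
    while IFS= read -r p; do
        [ -e "${1%/}$p" ] || printf '%s\n' "$p"
    done
}

# Print files and directories outside home/ that group or others may write.
# Device nodes (dev/null is chmod a+w on purpose) are not reported.
writable_outside_home() {
    set -- "${1%/}"
    find "$1" -path "$1/home/*" -prune -o \
        \( -type f -o -type d \) \( -perm -020 -o -perm -002 \) -print
}

# Audit jail $1 for binary $2; exit status is non-zero if anything is found.
audit_jail() (
    missing=$( { printf '%s\n' "$2"; ldd "$2" | ldd_paths; } | missing_in_jail "$1")
    writable=$(writable_outside_home "$1")
    [ -z "$missing" ] || printf '%s\n' "$missing" | sed 's/^/missing in jail: /'
    [ -z "$writable" ] || printf '%s\n' "$writable" | sed 's/^/group\/other writable: /'
    [ -z "$missing$writable" ]
)

# Stand-alone use: sh audit-jail.sh JAIL_DIR [BINARY]
[ "$#" -eq 0 ] || audit_jail "$1" "${2:-/usr/lib/openssh/sftp-server}"
```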

This archive was generated by hypermail 2.1.8 : Wed Mar 19 2008 - 06:54:15 EDT

