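#!/bin/sh
#
# handy functions:
#
# fail MESSAGE...
# print MESSAGE on stderr and abort the script with exit status 1.
# backslash escapes in MESSAGE (e.g. "\n") are expanded, as `echo -e` did,
# but through printf so the result does not depend on which shell /bin/sh is.
fail ( ) {
  # "$*" keeps the caller's spacing and stops the text from being split
  # and glob-expanded, which the unquoted $@ allowed
  printf '%b\n' "$*" >&2
  exit 1
}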
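# getwd QUERY DEFAULT
# "get with default": show QUERY and the DEFAULT reply on stderr, read one
# line from stdin and write the reply to stdout; an empty reply yields DEFAULT.
# the prompt goes to stderr so callers can capture the answer with
# command substitution.
getwd ( ) {
  query="$1"
  default="$2"
  printf '%b' "$query [$default]" >&2
  # -r keeps backslashes in the reply literal (the reply may be a path)
  read -r response
  if [ -z "$response" ]; then
    response=$default
  fi
  # quoted: the reply ends up as a user name or directory used by root, so it
  # must come back exactly as typed rather than split or glob-expanded
  printf '%s\n' "$response"
}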
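# getyn QUERY...
# "get yes no": prompt with QUERY on stderr until the reply is exactly "y" or
# "n", then write that reply to stdout.
# returns non-zero without output when stdin ends before a valid reply, so a
# closed or redirected stdin cannot leave the script prompting forever.
getyn ( ) {
  query="$*"
  while :; do
    printf '%b' "$query" >&2
    # a final line without a newline is still examined; plain EOF stops
    read -r response || [ -n "$response" ] || return 1
    case "$response" in
      y|n) break ;;
    esac
    printf '%b' "\n'y' or 'n' only please...\n\n" >&2
  done
  printf '%s\n' "$response"
}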
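#
# configuration
#
# set defaults
defaultusername="scponly"
defaulthomedirprefix="/home"
defaultwriteabledir="incoming"

osname=$(uname -s | tr ' ' '_')
# pathname to platform/OS specific setup scripts
# NOTE: both paths are relative to the current directory and the scripts are
# sourced by this root-run installer further down, so start it only from a
# directory that no untrusted account can write to.
prescript="build_extras/arch/$osname.pre.sh"
postscript="build_extras/arch/$osname.post.sh"

# the following is a list of binaries that will be staged in the target dir:
# the quoted value of every "#define PROG_" line in ./config.h, except "cd"
BINARIES=$(grep '#define PROG_' config.h | cut -f2 -d\" | grep -v '^cd$')
if [ -z "$BINARIES" ]; then
  # without this check a missing config.h silently produces an empty jail
  fail "could not read the list of programs from config.h in the current directory"
fi

# we set the install path in a variable so the presetup script can overwrite it on systems
# which require it
INSTALL_PATHNAME="install -c"

# attempt a best guess at required libs, we can append things in the presetup script if we need to
LDSOFOUND=0

# default to useradd, not pw
USE_PW=0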
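# NOTE(review): both operands are fixed strings, so as written this test can
# never be true; it looks like an ldd path filled in at build time - confirm.
if [ x/usr/bin/ldd = x ]; then
  echo "this script requires the program ldd to determine which"
  fail "shared libraries to copy into your chrooted dir..."
fi

# work out which shared libraries the staged binaries need
if [ "x$(uname -s)" = "xOpenBSD" ]; then
  # start from empty so a GREP_LIST inherited from the environment cannot
  # inject extra grep options into a command run as root
  GREP_LIST=""
  for bin in $BINARIES; do
    GREP_LIST="$GREP_LIST -e $bin"
  done
  # the listing showed "/usrgrep" here, which is not a usable path; plain
  # grep matches what the non-OpenBSD branch below already uses.
  # $GREP_LIST stays unquoted on purpose: it must split into "-e NAME" pairs.
  LIB_LIST=$(ldd $BINARIES 2> /dev/null | /usr/bin/tr -s " " | cut -f5 -d" " | grep -v "^Name" | grep -v $GREP_LIST | /usr/bin/sort -u)
else
  LIB_LIST=$(ldd $BINARIES 2> /dev/null | cut -f2 -d\> | cut -f1 -d\( | grep "^ " | sort -u)
fi

#
# we also need to add some form of ld.so, here are some good guesses.
#
LDSO_LIST="/lib/ld.so /libexec/ld-elf.so /libexec/ld-elf.so.1 /usr/libexec/ld.so /lib64/ld-linux-x86-64.so.2 /lib/ld-linux-x86-64.so.2 /lib/ld-linux.so.2 /usr/libexec/ld-elf.so.1"
for lib in $LDSO_LIST; do
  if [ -f "$lib" ]; then
    LDSOFOUND=1
    LIB_LIST="$LIB_LIST $lib"
  fi
done

#
# TODO - i've since forgotten which OS this is for, it should be relocated to a presetup script
#
# the patterns are stored unexpanded; they expand when $LIB_LIST is later
# iterated unquoted
if ls /lib/libnss_compat* > /dev/null 2>&1; then
  LIB_LIST="$LIB_LIST /lib/libnss_compat*"
fi

if ls /lib/libnss_files* > /dev/null 2>&1; then
  LIB_LIST="$LIB_LIST /lib/libnss_files*"
fi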
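# check that the configure options are correct for chrooted operation:

# NOTE(review): both tests below compare fixed strings (the outer one is never
# true, the inner one always is), so as written USE_PW stays 0 unless a
# presetup script changes it; they look like build-time substitutions - confirm.
if [ x/usr/sbin/useradd = x ]; then
  if [ x = x ]; then
    echo "this script requires the program useradd or pw to add your"
    fail "chrooted scponly user."
  else
    USE_PW=1
  fi
fi

# we need to be root
# the substitution is quoted so that an empty result from id is treated as
# "not root"; unquoted, the test would error out and the check be skipped
if [ "$(id -u)" != "0" ]; then
  fail "you must be root to run this script\n"
fi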
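# explain the layout, then collect the user name, home directory and writeable
# subdirectory from the arguments ($2, $1, $3) or by prompting for them
cat <<'EOF'

Next we need to set the home directory for this scponly user.
please note that the user's home directory MUST NOT be writeable
by the scponly user. this is important so that the scponly user
cannot subvert the .ssh configuration parameters.

for this reason, a writeable subdirectory will be created that
the scponly user can write into.

EOF

if [ "$2" != "" ] ; then
  targetuser=$2
else
  targetuser=$(getwd "Username to install" "$defaultusername")
fi
# the name is handed to id, useradd, chown and passwd below and looked up in
# the passwd file, so refuse values that would read as an option or span fields
case "$targetuser" in
  ""|-*|*:*|*/*|*" "*)
    fail "invalid username: $targetuser" ;;
esac
username_collision=$(id "$targetuser" > /dev/null 2>&1; echo $?)
if [ "$username_collision" -eq 0 ] ; then
  fail "the user $targetuser already exists. please remove this user and their home directory and try again."
fi

if [ "$1" != "" ] ; then
  targetdir=$1
else
  targetdir=$(getwd "home directory you wish to set for this user" "$defaulthomedirprefix/$targetuser")
fi
# every later path is built from $targetdir, so insist on an absolute path
# before anything is created
case "$targetdir" in
  /*) ;;
  *) fail "the home directory must be an absolute path: $targetdir" ;;
esac

if [ "$3" != "" ] ; then
  writeabledir=$3
else
  writeabledir=$(getwd "name of the writeable subdirectory" "$defaultwriteabledir")
fi
# the writeable directory is chowned to the new user further down; ".", ".."
# or an absolute path would hand over the home directory itself (or something
# outside it), which is exactly what the notice above warns against
case "/$writeabledir/" in
  */./*|*/../*|*//*)
    fail "the writeable subdirectory must be a plain name below the home directory: $writeabledir" ;;
esac
case "$writeabledir" in
  -*) fail "the writeable subdirectory must not start with '-': $writeabledir" ;;
esac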
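# if you would like to overwrite/extend any of the variables above, do so in the system specific
# presetup script.
#
if [ -f "$prescript" ]; then
  #
  # this system has a pre-chroot setup script, lets run it
  #
  # (sourced, so it runs inside this root shell and can change any variable)
  . "$prescript"
fi

# if neither the presetup script or the best guess could find ld.so, we have to bail here
# an empty LDSOFOUND counts as "not found"; with the bare $LDSOFOUND an empty
# value made the test error out and the script carried on without ld.so
if [ "${LDSOFOUND:-0}" -eq 0 ]; then
  fail i cant find your equivalent of ld.so
fi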
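#
# ACTUAL MODIFICATIONS BEGIN HERE
#
# everything below runs as root on paths built from $targetdir, $targetuser and
# $writeabledir, so those expansions are quoted throughout.  $INSTALL_PATHNAME,
# $BINARIES and $LIB_LIST are left unquoted on purpose: each holds a
# space-separated command line or list.

# this part shouldnt strictly be requried, but i'll leave it in until i'm sure of it
# NOTE: a directory that already exists keeps its current mode; check that it
# is not group- or world-writeable.
if [ ! -d "$targetdir" ]; then
  $INSTALL_PATHNAME -d "$targetdir"
  chmod 755 "$targetdir"
fi

if [ ! -d "$targetdir/etc" ]; then
  $INSTALL_PATHNAME -d "$targetdir/etc"
  chown 0:0 "$targetdir/etc"
  chmod 755 "$targetdir/etc"
fi

# add all our binaries
for bin in $BINARIES; do
  $INSTALL_PATHNAME -d "$targetdir/$(/usr/bin/dirname "$bin")"
  $INSTALL_PATHNAME "$bin" "$targetdir$bin"
done

# and the libs they require
if [ "x$LIB_LIST" != "x" ]; then
  # unquoted so that glob patterns stored in the list expand here
  for lib in $LIB_LIST; do
    $INSTALL_PATHNAME -d "$targetdir/$(/usr/bin/dirname "$lib")"
    $INSTALL_PATHNAME "$lib" "$targetdir/$lib"
  done
fi

# /dev/null is needed inside the chroot
# NOTE(review): major 1 / minor 3 is the Linux numbering for /dev/null; other
# platforms presumably need their own values - confirm.
mkdir -p "$targetdir/dev"
if [ ! -c "$targetdir/dev/null" ]; then
  mknod -m 666 "$targetdir/dev/null" c 1 3
fi

if [ "x$USE_PW" = x0 ] ; then
  /usr/sbin/useradd -d "$targetdir" -s "/usr/sbin/scponlyc" "$targetuser"
  if [ $? -ne 0 ]; then
    fail "if this user exists, remove it and try again"
  fi
else
  # NOTE(review): "-n NAME" reads like pw(8) syntax while the command word shown
  # is useradd; confirm the intended command before relying on this branch.
  useradd -n "$targetuser" -s "/usr/sbin/scponlyc" -d "$targetdir"
  if [ $? -ne 0 ]; then
    fail "if this user exists, remove it and try again"
  fi
fi

#
# we must ensure certain directories are root owned.
#
chown 0:0 "$targetdir"
if [ -d "$targetdir/.ssh" ]; then
  chown 0:0 "$targetdir/.ssh"
fi

if [ ! -d "$targetdir/$writeabledir" ]; then
  printf '\ncreating %s directory for uploading files\n' "$targetdir/$writeabledir"
  $INSTALL_PATHNAME -o "$targetuser" -d "$targetdir/$writeabledir"
fi

#
# set the perms on the writeable dir so that the new user owns it
#
newuid=$(id -u "$targetuser")
newgid=$(id -g "$targetuser")
chown "$newuid:$newgid" "$targetdir/$writeabledir"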
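if [ -f "$postscript" ]; then
  #
  # this system has a post-chroot setup script, lets run it
  #
  . "$postscript"
else
  #
  # otherwise, revert to the old "best guess" system, which sucks
  #
  echo
  echo "Your platform ($osname) does not have a platform specific setup script."
  echo "This install script will attempt a best guess."
  echo "If you perform customizations, please consider sending me your changes."
  echo "Look to the templates in build_extras/arch."
  echo " - joe at sublimation dot org"
  echo
  # NOTE(review): "x = x" is always true, so as written only the first branch
  # can run; it looks like an empty pwd_mkdb path filled in at build time.
  if [ x = x ]; then
    #
    # ok we dont have pwd_mkdb, lets improvise:
    #
    # compare the login field exactly: a plain grep for the name also copied
    # every other account whose passwd line merely contains it
    awk -F: -v u="$targetuser" '$1 == u' /etc/passwd > "$targetdir/etc/passwd"
    # Debian: copy /etc/group into the jail, for /usr/bin/groups to work
    # (this makes every group name and member list readable inside the jail)
    cp /etc/group "$targetdir/etc/group"
  else
    #
    # this is for systems which do have pwd_mkdb
    #
    awk -F: -v u="$targetuser" '$1 == u' /etc/master.passwd > "$targetdir/etc/master.passwd"
    # NOTE(review): the listing had no command word before -d; pwd_mkdb is
    # assumed from the comments in this block - confirm.
    pwd_mkdb -d "$targetdir/etc" "$targetdir/etc/master.passwd"
    rm -rf "$targetdir/etc/master.passwd" "$targetdir/etc/spwd.db"
  fi
fi

#
# the final step is setting the password
#
echo "please set the password for $targetuser:"
passwd "$targetuser"

echo "if you experience a warning with winscp regarding groups, please install"
echo "the provided hacked out fake groups program into your chroot, like so:"
echo "cp groups $targetdir/bin/groups"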