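#!/bin/sh
#
# This file has a few minor fixes necessary for Solaris 9, and possibly
# other platforms, made by Ralph Durkee (www.rd1.net) in Jan 2004.
# It is based on the 3.9 version by Joe Boyle from http://sublimation.org/scponly/
# If there is a newer version available from the sublimation.org website
# you are most likely better off using it.
#
# Purpose: build a chroot jail for a single scponly user.  It stages the
# binaries named by the PROG_* defines in ./config.h plus the shared
# libraries ldd reports for them, creates the user, and sets up a
# root-owned home directory containing one user-writeable subdirectory.
#
# Must be run as root from the scponly build directory (reads ./config.h).
# Several literal tests below ("[ x/usr/bin/ldd = x ]", "[ xscponlyc = x ]",
# "[ x = x ]") and the "@PROG_RM@" token look like configure substitutions
# that were expanded (or left unexpanded) when this copy was generated;
# they are kept exactly as found.  The script targets the legacy Bourne
# /bin/sh, so it uses backticks and "[ ]" rather than $(...) and "[[ ]]".
#
# handy functions:
#

# fail: print a message (echo -e, so backslash escapes are interpreted)
# and exit the script with status 1.
# Arguments: the message words
fail ( ) {
  /usr/local/bin/echo -e "$@"
  exit 1
}

# getwd: "get with default".  Prompt on stderr (so the result can be
# captured with backticks) and print the reply on stdout, substituting
# the default when the reply is empty.
# Arguments: $1 - prompt text, $2 - default value
getwd ( ) {
  query="$1"
  default="$2"
  /usr/local/bin/echo -en "$query [$default] " | cat >&2
  read -r response
  if [ "x$response" = "x" ]; then
    response="$default"
  fi
  echo "$response"
}

# getyn: "get yes no".  Prompt on stderr until the reply is exactly "y"
# or "n", then print it on stdout.  Not called by this script's main
# flow; kept for completeness.
# Arguments: the prompt words
getyn ( ) {
  query="$* "
  /usr/local/bin/echo -en "$query" | cat >&2
  read -r response
  while [ "x$response" != "xy" ] && [ "x$response" != "xn" ]; do
    /usr/local/bin/echo -e "\n'y' or 'n' only please...\n" | cat >&2
    /usr/local/bin/echo -en "$query" | cat >&2
    read -r response
  done
  echo "$response"
}

#
# configuration
#

# set defaults
defaultusername="scponly"
defaulthomedirprefix="/home"
defaultwriteabledir="incoming"

osname=`uname -s | tr ' ' '_'`

# pathname to platform/OS specific setup scripts
prescript="build_extras/arch/$osname.pre.sh"
postscript="build_extras/arch/$osname.post.sh"

# the following is a list of binaries that will be staged in the target dir
# ("cd" is a shell builtin, so it is filtered out)
BINARIES=`/usr/local/bin/grep '#define PROG_' config.h | /usr/local/bin/cut -f2 -d\" | /usr/local/bin/grep -v '^cd$'`

# we set the install path in a variable so the presetup script can overwrite it on systems
# which require it.  Deliberately left unquoted where used: it carries the "-c" flag.
INSTALL_PATHNAME="/usr/local/bin/install -c"

# attempt a best guess at required libs, we can append things in the presetup script if we need to
LDSOFOUND=0

# default to useradd, not pw
USE_PW=0

# the ldd path was substituted by configure; an empty value would mean we
# cannot discover which shared libraries to copy
if [ x/usr/bin/ldd = x ]; then
  echo "this script requires the program ldd to determine which"
  fail "shared libraries to copy into your chrooted dir..."
fi

# one library path per line, taken from the "=> /path (addr)" column of ldd
LIB_LIST=`/usr/bin/ldd $BINARIES 2> /dev/null | /usr/local/bin/cut -f2 -d\> | /usr/local/bin/cut -f1 -d\( | /usr/local/bin/grep "^[ ]" | /usr/local/bin/sort -u`

#
# we also need to add some form of ld.so, here are some good guesses.
#
LDSO_LIST="/lib/ld.so /libexec/ld-elf.so /libexec/ld-elf.so.1 /usr/libexec/ld.so /lib/ld-linux.so.2 /usr/libexec/ld-elf.so.1 /usr/lib/ld.so.1"
for lib in $LDSO_LIST; do
  if [ -f "$lib" ]; then
    LDSOFOUND=1
    LIB_LIST="$LIB_LIST $lib"
  fi
done

#
# TODO - i've since forgotten which OS this is for, it should be relocated to a presetup script
#
# the glob is appended unexpanded; it is expanded later by the unquoted
# "for lib in $LIB_LIST" loop
/bin/ls /lib/libnss_compat* > /dev/null 2>&1
if [ $? -eq 0 ]; then
  LIB_LIST="$LIB_LIST /lib/libnss_compat*"
fi

# check that the configure options are correct for chrooted operation:
if [ xscponlyc = x ] || [ ! -f ./config.h ]; then
  echo
  echo 'your scponly build is not configured for chrooted operation.'
  echo 'please reconfigure as follows, then rebuild and reinstall:'
  echo
  echo './configure --enable-chrooted-binary (... other options)'
  echo
  exit 1
fi

# the useradd path was substituted by configure; the inner test is the
# (empty) pw path, so USE_PW stays 0 on this platform
if [ x/usr/sbin/useradd = x ]; then
  if [ x = x ]; then
    echo "this script requires the program useradd or pw to add your"
    fail "chrooted scponly user."
  else
    USE_PW=1
  fi
fi

# we need to be root
if [ "`/usr/local/bin/id -u`" != "0" ]; then
  fail "you must be root to run this script\n"
fi

echo
echo "Next we need to set the home directory for this scponly user."
echo "please note that the user's home directory MUST NOT be writeable"
echo "by the scponly user. this is important so that the scponly user"
echo "cannot subvert the .ssh configuration parameters."
echo
echo "for this reason, a writeable subdirectory will be created that"
echo "the scponly user can write into."
echo

targetuser=`getwd "Username to install" "$defaultusername"`
targetdir=`getwd "home directory you wish to set for this user" "$defaulthomedirprefix/$targetuser"`
writeabledir=`getwd "name of the writeable subdirectory" "$defaultwriteabledir"`

# the replies above are interpolated into useradd arguments, filesystem
# paths and a grep pattern, so reject anything that is not a plain
# account name, an absolute home directory, or a single path component
case "$targetuser" in
  ""|-*|*[!A-Za-z0-9._-]*)
    fail "invalid username '$targetuser': use only letters, digits, '.', '_' and '-'"
    ;;
esac
case "$targetdir" in
  /*) ;;
  *) fail "home directory must be an absolute path: '$targetdir'" ;;
esac
# ".ssh" is excluded because that directory must stay root owned
case "$writeabledir" in
  ""|.|..|.ssh|*/*)
    fail "writeable subdirectory must be a single path component and not '.ssh': '$writeabledir'"
    ;;
esac

#
# if you would like to overwrite/extend any of the variables above, do so in the system specific
# presetup script.
#
if [ -f "$prescript" ]; then
  #
  # this system has a pre-chroot setup script, lets run it
  #
  . "$prescript"
fi

# if neither the presetup script or the best guess could find ld.so, we have to bail here
if [ $LDSOFOUND -eq 0 ]; then
  fail "i cant find your equivalent of ld.so"
fi

#
# ACTUAL MODIFICATIONS BEGIN HERE
#

# this part shouldnt strictly be requried, but i'll leave it in until i'm sure of it
if [ ! -d "$targetdir" ]; then
  $INSTALL_PATHNAME -d "$targetdir" || fail "could not create $targetdir"
fi

if [ ! -d "$targetdir/etc" ]; then
  $INSTALL_PATHNAME -d "$targetdir/etc" || fail "could not create $targetdir/etc"
  /usr/local/bin/chown 0:0 "$targetdir/etc"
  /usr/local/bin/chmod 755 "$targetdir/etc"
fi

# add all our binaries
for bin in $BINARIES; do
  bindir=`/usr/local/bin/dirname "$bin"`
  $INSTALL_PATHNAME -d "$targetdir/$bindir" || fail "could not create $targetdir/$bindir"
  $INSTALL_PATHNAME "$bin" "$targetdir$bin" || fail "could not install $bin into $targetdir"
done

# and the libs they require
if [ "x$LIB_LIST" != "x" ]; then
  # $LIB_LIST is deliberately unquoted: it is space separated and may hold
  # the libnss_compat* glob, which is expanded here
  for lib in $LIB_LIST; do
    if [ ! -f "$lib" ]; then
      echo "warning: library $lib not found, skipping" >&2
      continue
    fi
    libdir=`/usr/local/bin/dirname "$lib"`
    $INSTALL_PATHNAME -d "$targetdir/$libdir" || fail "could not create $targetdir/$libdir"
    $INSTALL_PATHNAME "$lib" "$targetdir/$lib" || fail "could not install $lib into $targetdir"
  done
fi

if [ "x$USE_PW" = x0 ] ; then
  /usr/sbin/useradd -d "$targetdir" -s "/usr/local/sbin/scponlyc" "$targetuser" \
    || fail "if this user exists, remove it and try again"
else
  # this looks like "pw useradd" with the pw path substituted empty; it is
  # not reached on this platform because USE_PW is never set to 1 above
  useradd -n "$targetuser" -s "/usr/local/sbin/scponlyc" -d "$targetdir" \
    || fail "if this user exists, remove it and try again"
fi

#
# we must ensure certain directories are root owned.
#
/usr/local/bin/chown 0:0 "$targetdir"
if [ -d "$targetdir/.ssh" ]; then
  /usr/local/bin/chown 0:0 "$targetdir/.ssh"
fi

if [ ! -d "$targetdir/$writeabledir" ]; then
  # /usr/local/bin/echo, not the builtin: the Bourne builtin does not
  # understand -e and would print it literally
  /usr/local/bin/echo -e "\ncreating $targetdir/$writeabledir directory for uploading files"
  $INSTALL_PATHNAME -o "$targetuser" -d "$targetdir/$writeabledir" \
    || fail "could not create $targetdir/$writeabledir"
fi

#
# set the perms on the writeable dir so that the new user owns it
#
newuid=`/usr/local/bin/id -u "$targetuser"`
newgid=`/usr/local/bin/id -g "$targetuser"`
/usr/local/bin/chown "$newuid:$newgid" "$targetdir/$writeabledir"

if [ -f "$postscript" ]; then
  #
  # this system has a post-chroot setup script, lets run it
  #
  . "$postscript"
else
  #
  # otherwise, revert to the old "best guess" system, which sucks
  #
  echo
  echo "Your platform ($osname) does not have a platform specific setup script."
  echo "This install script will attempt a best guess."
  echo "If you perform customizations, please consider sending me your changes."
  echo "Look to the templates in build_extras/arch."
  echo " - joe at sublimation dot org"
  echo

  # the pwd_mkdb path was substituted empty here, so this test is always
  # true and the else branch below is never reached on this platform
  if [ x = x ]; then
    #
    # ok we dont have pwd_mkdb, lets improvise:
    #
    # copy only this user's own entry: anchoring on "^name:" keeps other
    # accounts whose names merely contain $targetuser out of the jail
    /usr/local/bin/grep "^$targetuser:" /etc/passwd > "$targetdir/etc/passwd"
  else
    #
    # this is for systems which do have pwd_mkdb
    #
    # NOTE: the pwd_mkdb command name was substituted empty on the second
    # line and @PROG_RM@ was never substituted; both are kept as found
    # since this branch is unreachable here
    /usr/local/bin/grep "^$targetuser:" /etc/master.passwd > "$targetdir/etc/master.passwd"
    -d "$targetdir/etc" "$targetdir/etc/master.passwd"
    @PROG_RM@ -rf "$targetdir/etc/master.passwd" "$targetdir/etc/spwd.db"
  fi
fi

#
# the final step is setting the password
#
echo "please set the password for $targetuser:"
passwd "$targetuser"

echo "if you experience a warning with winscp regarding groups, please install"
echo "the provided hacked out fake groups program into your chroot, like so:"
echo "cp groups $targetdir/bin/groups"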