[scponly] Using scponly with Solaris 8 (sparc)
Roland Lammel
roland.lammel at kapsch.net
Fri Jul 4 11:06:33 EDT 2003
Hi there,
I needed to get a chrooted secure environment for file transfers with scp and/or sftp, so
scponly was the thing I was looking for, and despite some modifications which had to be done
for Solaris it works great! (Thanks for creating such an invaluable tool.)
As there might be some need for others running Solaris, this might help them to get it running.
On the external server we had no development tools installed (gcc/make), so I compiled it
on an internal node (with --enable-chrooted-binary and a second time with
--enable-chrooted-binary --disable-winscp-compat because of problems with the winscp-compat).
As there is no install script (besides the make install, which needs make of course) I did
the install manually by copying scponlyc to /usr/local/sbin/ and chmod'd it 4555.
I then had to do some nasty modifications to setup_chroot.sh.in, and a version which would cope
with those problems for Solaris is attached. You might consider including it in your distribution.
There are still some improvements possible, as the list of binaries requires the config.h and also
the install-sh script is needed on the target host (just if there are no devel tools available).
If you want to include those hints for Solaris, I can write a README.SOLARIS if you like.
Best regards
+rl
--
Ing. Roland Lammel | Technical Assistance Services
Kapsch CarrierCom AG | Am Europaplatz 5 | 1120 Vienna | Austria
Phone +43 (0)50811 3456 | Mobile +43 664 628 3456 | Fax +43 (0)50811 3405
mailto:roland.lammel at kapsch.net | http://www.kapsch.net
-------------- next part --------------
#!/bin/sh
#
# check that the configure options are correct for chrooted operation:
if [ x@CHROOTED_NAME@ = x ] || [ ! -f ./config.h ]; then
    echo
    echo 'your scponly build is not configured for chrooted operation.'
    echo 'please reconfigure as follows, then rebuild and reinstall:'
    echo
    echo './configure --enable-chrooted-binary (... other options)'
    echo
    exit 1
fi
# the following is a list of binaries that will be staged in the target dir
# +rl: Had to quote the regex for grep for sol8
BINARIES=`@PROG_GREP@ '#define PROG_' config.h | @PROG_CUT@ -f2 -d\" | @PROG_GREP@ -v '^cd$'`
# a function to display a failure message and then exit
fail () {
    echo -e "$@"
    exit 1
}
# "get with default" function
# this function prompts the user with a query and default reply
# it returns the user reply
getwd () {
    query="$1"
    default="$2"
    echo -en "$query [$default]" | cat >&2
    read response
    if [ "x$response" = "x" ]; then
        response=$default
    fi
    echo "$response"
}
# "get yes no" function
# this function prompts the user with a query and will continue to do so
# until they reply with either "y" or "n"
getyn () {
    query="$@"
    echo -en "$query" | cat >&2
    read response
    while [ "x$response" != "xy" -a "x$response" != "xn" ]; do
        echo -e "\n'y' or 'n' only please...\n" | cat >&2
        echo -en "$query" | cat >&2
        read response
    done
    echo "$response"
}
if [ x@PROG_LDD@ = x ]; then
    echo "this script requires the program ldd to determine which"
    fail "shared libraries to copy into your chrooted dir..."
fi
USE_PW=0;
if [ x@PROG_USERADD@ = x ]; then
    USE_PW=1;
else
    if [ x@PROG_PW@ = x ]; then
        echo "this script requires the program useradd or pw to add your"
        fail "chrooted scponly user."
    fi
fi
# we need to be root
### +rl: check for correct id binary (for solaris 8)
if [ x@SOLARIS_COMPAT@ = x ]; then
    PROG_ID="id -u"
else
    ### +rl: only the xpg4 version of id supports -u
    PROG_ID="/usr/xpg4/bin/id -u"
fi
if [ `$PROG_ID` != "0" ]; then
    fail "you must be root to run this script\n"
fi
echo
echo Next we need to set the home directory for this scponly user.
echo please note that the user\'s home directory MUST NOT be writable
echo by the scponly user. this is important so that the scponly user
echo cannot subvert the .ssh configuration parameters.
echo
echo for this reason, an \"incoming\" subdirectory will be created that
echo the scponly user can write into. if you want the scponly user to
echo automatically change to this incoming subdirectory upon login, you
echo can specify this when you specify the user\'s home directory as
echo follows:
echo
echo set the home dir to /chroot_path//incoming
echo
echo when scponly chroots, it will only chroot to "chroot_path" and
echo afterwards, it will chdir to incoming.
echo -n "enter the home directory you wish to set for this user: "
read targetdir
if [ "x$targetdir" = "x" ]; then
    fail "need to specify a target directory"
fi
echo -n "Install for what username? "
read targetuser
if [ "x$targetuser" = "x" ]; then
    fail "need to specify a username"
fi
@INSTALL@ -d $targetdir
@INSTALL@ -d $targetdir/usr
@INSTALL@ -d $targetdir/usr/bin
@INSTALL@ -d $targetdir/usr/sbin
@INSTALL@ -d $targetdir/usr/local
@INSTALL@ -d $targetdir/usr/local/lib
@INSTALL@ -d $targetdir/usr/local/bin
@INSTALL@ -d $targetdir/lib
@INSTALL@ -d $targetdir/usr/lib
@INSTALL@ -d $targetdir/usr/libexec
@INSTALL@ -d $targetdir/usr/libexec/openssh
@INSTALL@ -d $targetdir/bin
@INSTALL@ -d $targetdir/etc
### +rl: Remove -C from INSTALL as it isn't defined in install-sh
for bin in $BINARIES; do
    @INSTALL@ "$bin" "$targetdir$bin"
done
### +rl: Output on solaris from ldd is different, need other way to determine
if [ x@SOLARIS_COMPAT@ = x ]; then
    LIB_LIST=`@PROG_LDD@ $BINARIES 2> /dev/null | @PROG_CUT@ -f2 -d\> | @PROG_CUT@ -f1 -d\( | @PROG_GREP@ "^ " | @PROG_SORT@ -u`
else
    # drop the "file:" header ldd prints per binary and any "(file not found)"
    # entry, which would otherwise be passed to install as a path
    LIB_LIST=`@PROG_LDD@ $BINARIES 2> /dev/null | @PROG_GREP@ -v ':' | @PROG_GREP@ -v 'not found' | @PROG_CUT@ -f2 -d\> | @PROG_SORT@ -u`
fi
LDSOFOUND=0
### +rl: Added /usr/lib/ld.so AND /usr/lib/ld.so.1 for sol8
if [ -f /usr/lib/ld.so ]; then
    LIB_LIST="$LIB_LIST /usr/lib/ld.so"
    LDSOFOUND=1
fi
if [ -f /usr/lib/ld.so.1 ]; then
    LIB_LIST="$LIB_LIST /usr/lib/ld.so.1"
    LDSOFOUND=1
fi
if [ -f /usr/libexec/ld.so ]; then
    LIB_LIST="$LIB_LIST /usr/libexec/ld.so"
    LDSOFOUND=1
fi
if [ -f /lib/ld-linux.so.2 ]; then
    LIB_LIST="$LIB_LIST /lib/ld-linux.so.2"
    LDSOFOUND=1
fi
if [ -f /usr/libexec/ld-elf.so.1 ]; then
    LIB_LIST="$LIB_LIST /usr/libexec/ld-elf.so.1"
    LDSOFOUND=1
fi
if [ $LDSOFOUND -eq 0 ]; then
    fail "i can't find your equivalent of ld.so"
fi
### +rl: nss_libs are located somewhere else and nss_files is needed too
### Maybe the safest bet is to copy /usr/lib/nss_* AND /lib/libnss_* without
### checking for OS
if [ x@SOLARIS_COMPAT@ = x ]; then
    /bin/ls /lib/libnss_compat* > /dev/null 2>&1
    if [ $? -eq 0 ]; then
        LIB_LIST="$LIB_LIST /lib/libnss_compat* /lib/ld.so"
    fi
else
    # the Solaris loader (/usr/lib/ld.so.1) was already added above;
    # /lib/ld.so does not exist on Solaris 8, so it is not listed here
    /bin/ls /usr/lib/nss_compat* > /dev/null 2>&1
    if [ $? -eq 0 ]; then
        LIB_LIST="$LIB_LIST /usr/lib/nss_compat*"
    fi
    /bin/ls /usr/lib/nss_files* > /dev/null 2>&1
    if [ $? -eq 0 ]; then
        LIB_LIST="$LIB_LIST /usr/lib/nss_files*"
    fi
fi
if [ "x$LIB_LIST" != "x" ]; then
    for lib in $LIB_LIST; do
        # create the library's directory inside the chroot first: ldd on
        # Solaris also lists /usr/platform/.../lib/*.so.1, and that
        # directory is not among the ones created above
        @INSTALL@ -d "$targetdir`dirname $lib`"
        @INSTALL@ "$lib" "$targetdir/$lib"
    done
fi
if [ $USE_PW -eq 0 ] ; then
    @PROG_USERADD@ -d "$targetdir" -s "@prefix@/sbin/@CHROOTED_NAME@" $targetuser
    if [ $? -ne 0 ]; then
        fail "if this user exists, remove it and try again"
    fi
else
    if [ x@SOLARIS_COMPAT@ = x ]; then
        @PROG_PW@ useradd -n $targetuser -s "@prefix@/sbin/@CHROOTED_NAME@" -d "$targetdir"
    else
        @PROG_PW@ useradd -s "@prefix@/sbin/@CHROOTED_NAME@" -d "$targetdir" $targetuser
    fi
    if [ $? -ne 0 ]; then
        fail "if this user exists, remove it and try again"
    fi
fi
# the chroot root and .ssh must belong to root so the scponly user cannot
# alter the .ssh configuration (see the note printed above)
chown 0:0 "$targetdir"
if [ -d "$targetdir/.ssh" ]; then
    chown 0:0 "$targetdir/.ssh"
fi
if [ ! -d "$targetdir/incoming" ]; then
    echo -e "\ncreating $targetdir/incoming directory for uploading files"
    @INSTALL@ -o $targetuser -d "$targetdir/incoming"
fi
# the following is VERY BSD centric
# i check for pwd_mkdb before trying to use it
# anchor the match on the login name so that e.g. "bob" does not also copy "bobby"
if [ x@PROG_PWD_MKDB@ = x ]; then
    @PROG_GREP@ "^$targetuser:" /etc/passwd > "$targetdir/etc/passwd"
else
    @PROG_GREP@ "^$targetuser:" /etc/master.passwd > "$targetdir/etc/master.passwd"
    @PROG_PWD_MKDB@ -d "$targetdir/etc" "$targetdir/etc/master.passwd"
    /bin/rm -rf "$targetdir/etc/master.passwd" "$targetdir/etc/spwd.db"
fi
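The script above still needs one ldd pipeline per platform and relies on every library directory having been created beforehand. The following is an added example (not scponly's code and not from the post): a single function that turns ldd output of either format into a plain list of absolute paths, plus a helper that copies each file into the chroot with its parent directory. The function names and the sample ldd output are constructed for the demonstration.

```shell
#!/bin/sh
# Portable replacement for the two ldd pipelines in setup_chroot.sh.in.
# ldd_libs reads ldd output on stdin and prints one absolute library path
# per line regardless of platform format; stage_file copies one path into
# the chroot, creating the parent directory first.  The sample ldd output
# below is constructed, not captured from a real host.

# Normalise ldd output.  Handles
#   Linux/BSD : "libc.so.6 => /lib/libc.so.6 (0x...)"
#   Solaris   : "libc.so.1 =>     /usr/lib/libc.so.1"
#   lines with no "=>" such as "/lib/ld-linux.so.2 (0x...)" or
#   Solaris "/usr/platform/.../lib/libc_psr.so.1"
# and skips the "file:" header ldd prints per argument, linux-vdso
# pseudo-entries and "not found" / "(file not found)" entries.
ldd_libs() {
    LC_ALL=C awk '
        /:$/        { next }
        /not found/ { next }
        {
            for (i = 1; i <= NF; i++)
                if (substr($i, 1, 1) == "/") { print $i; break }
        }' | LC_ALL=C sort -u
}

# Copy one absolute path into the chroot $1, preserving its directory layout.
stage_file() {
    root="$1"; f="$2"
    mkdir -p "$root`dirname "$f"`" && cp -p "$f" "$root$f"
}

# Constructed sample output in both formats.
SAMPLE_LINUX='/usr/bin/scp:
	linux-vdso.so.1 =>  (0x00007fff0)
	libc.so.6 => /lib/libc.so.6 (0x00007f10)
	/lib/ld-linux.so.2 (0x00007f20)
	libmissing.so.1 => not found'

SAMPLE_SOLARIS='/usr/local/bin/scp:
	libsocket.so.1 =>	 /usr/lib/libsocket.so.1
	libc.so.1 =>	 /usr/lib/libc.so.1
	/usr/platform/SUNW,Ultra-5_10/lib/libc_psr.so.1
	libfoo.so.1 =>	 (file not found)'

# In setup_chroot.sh this replaces both LIB_LIST assignments:
#   LIB_LIST=`@PROG_LDD@ $BINARIES 2>/dev/null | ldd_libs`
#   for lib in $LIB_LIST; do stage_file "$targetdir" "$lib"; done
printf '%s\n' "$SAMPLE_SOLARIS" | ldd_libs
```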