ISPConfig chrootssh create_chroot_env.sh

[platan]

My configuration:

• Fedora Core 8 http://www.howtoforge.com/fedora-8-s...-ftp-ispconfig,
• ISPConfig 2.2.26,
• chrootssh http://www.howtoforge.com/chroot_ssh_sftp_fedora7.

Some modifications in /root/ispconfig/scripts/shell/create_chroot_env.sh for my WinSCP compatibility.

• "scp" (also "screen" and "nano") added to "APPS=..." declaration,
• Possible bug in "HOMEDIR" discovering.
  
  Quote:

  HOMEDIR=`grep /etc/passwd -e "^$CHROOT_USERNAME" | cut -d':' -f 6`

  Assume, I got in my "/etc/passwd" something like this:
  web4_adam:...,
  web4_ada:...,
  web4_adamek:...
  The grep command returns three lines when looking for web4_ada and two lines when looking for web4_adam!
  Adding ":" after "$CHROOT_USERNAME" prevents username mistakes.
• Added "chmod 755 usr/bin/groups" after creating this file for WinSCP compatibility.
• Adding chrooted user group to etc/group for WinSCP compatibility.

Code:

#!/bin/bash

#
# Usage: ./create_chroot_env username
#

#
# Source code from ISPConfig 2.2.26. Modified by ((2))
#

# Here specify the apps you want into the enviroment
# scp, screen, nano added ((2)) - 2008-10-04
APPS="/bin/sh /bin/bash /bin/cp /bin/ls /bin/mkdir /bin/mv /bin/pwd /bin/rm /bin/rmdir /usr/bin/id /usr/bin/ssh /bin/ping /usr/bin/dircolors /usr/bin/vi /usr/bin/sftp /usr/lib/openssh/sftp-server /usr/bin/unzip /usr/bin/mysqldump /usr/bin/mysql /usr/bin/zip /bin/tar /usr/bin/scp /usr/bin/screen /bin/nano"

# Sanity check

if [ "$1" = "" ] ; then
        echo "    Usage: ./create_chroot_env username"
        exit
fi

# Obtain username and HomeDir
CHROOT_USERNAME=$1
# ":" added ((2)) - 2008-10-04 - prevent many users grep
#     admini, administrator, admin when promted admin 
HOMEDIR=`grep /etc/passwd -e "^$CHROOT_USERNAME:"  | cut -d':' -f 6`
cd $HOMEDIR

# Create Directories no one will do it for you
mkdir -p usr/lib/openssh
mkdir etc
mkdir etc/pam.d/
mkdir bin
mkdir lib
mkdir usr/bin
mkdir dev
mknod dev/null c 1 3
mknod dev/zero c 1 5
chmod 666 dev/null
chmod 666 dev/zero

# Create short version to /usr/bin/groups
# On some system it requires /bin/sh, which is generally unnessesary in a chroot cage

echo "#!/bin/bash" > usr/bin/groups
echo "id -Gn" >> usr/bin/groups

# added ((2)) - 2008-10-04 - scp failed
chmod 755 usr/bin/groups

# Add some users to ./etc/paswd

grep /etc/passwd -e "^root" -e "^$CHROOT_USERNAME" > etc/passwd
grep /etc/group -e "^root" -e "^$CHROOT_USERNAME" > etc/group

if [ -x ${HOMEDIR}/ldlist ]; then 
  mv ${HOMEDIR}/ldlist ${HOMEDIR}/ldlist.bak
fi

if [ -x ${HOMEDIR}/lddlist2 ]; then 
cannot find name for group ID  mv ${HOMEDIR}/lddlist2 ${HOMEDIR}/lddlist2.bak
fi

for app in $APPS;  do
  # First of all, check that this application exists
  if [ -x $app ]; then
    # Check that the directory exists; create it if not.
    app_path=`echo $app | sed -e 's#\(.\+\)/[^/]\+#\1#'`
    if ! [ -d .$app_path ]; then
      mkdir -p .$app_path
    fi

    # If the files in the chroot are on the same file system as the
    # original files you should be able to use hard links instead of
    # copying the files, too. Symbolic links cannot be used, because the
    # original files are outside the chroot.
    cp -p $app .$app
    # get list of necessary libraries
    ldd $app >> ${HOMEDIR}/ldlist
  fi
done

# Clear out any old temporary file before we start
if [ -e ${HOMEDIR}/ldlist2 ]; then
  rm ${HOMEDIR}/ldlist2
fi
for libs in `cat ${HOMEDIR}/ldlist`; do
  frst_char="`echo $libs | cut -c1`"
  if [ "$frst_char" = "/" ]; then
    echo "$libs" >> ${HOMEDIR}/ldlist2
  fi
done

for lib in `cat ${HOMEDIR}/ldlist2`; do
  mkdir -p .`dirname $lib` > /dev/null 2>&1
  # If the files in the chroot are on the same file system as the original
  # files you should be able to use hard links instead of copying the files,
  # too. Symbolic links cannot be used, because the original files are
  # outside the chroot.
  cp $lib .$lib
done

#
# Now, cleanup the 2 files we created for the library list

#
/bin/rm -f ${HOMEDIR}/ldlist
/bin/rm -f ${HOMEDIR}/ldlist2

# From some strange reason these 3 libraries are not in the ldd output, but without them
# some stuff will not work, like usr/bin/groups
cp /lib/libnss_compat.so.2 /lib/libnsl.so.1 /lib/libnss_files.so.2 /lib/ld-linux.so.2 /lib/libcap.so.1 /lib/libnss_dns.so.2 ./lib/
cp /etc/hosts etc/
cp /etc/resolv.conf etc/
cp /etc/pam.d/* etc/pam.d/
cp -r /lib/security lib/
cp -r /etc/security etc/
cp /etc/login.defs etc/
cp /usr/lib/libgssapi_krb5.so.2 usr/lib/
cp /usr/lib/libkrb5.so.3 usr/lib/
cp /usr/lib/libk5crypto.so.3 usr/lib/
cp /lib/libcom_err.so.2 lib/
cp /usr/lib/libkrb5support.so.0 usr/lib/

# mysql needs the socket in the chrooted environment
mkdir ${HOMEDIR}/var
mkdir ${HOMEDIR}/var/run
mkdir ${HOMEDIR}/var/run/mysqld
ln -s /var/run/mysqld/mysqld.sock ${HOMEDIR}/var/run/mysqld/mysqld.sock

# added ((2)) - 2008-10-04 - scp failed
GROUP=`id -ng "$CHROOT_USERNAME"`
grep /etc/group -e "^$GROUP:" >> etc/group