Gentoo Archives: gentoo-server

From: gentoo@××××××.com
To: gentoo-server@l.g.o
Subject: [gentoo-server] chrooted ssh related scripts WAS: users of virtual domains
Date: Wed, 16 Jun 2004 09:24:12
Message-Id: 7281.194.228.18.118.1087377845.squirrel@194.228.18.118
In Reply to: Re: [gentoo-server] users of virtual domains by John Barton
Hi,
my scripts may not be useful for everyone, but I hope they are at least a good inspiration.
I have my chrooted env in /home/alcatraz/.
There is one more useful tip: set the owner of /home/alcatraz/home/ to root:apache with permissions 751; this allows apache to read user folders, but users can't even list the other users' folders.

Here are the simple scripts I use:
refresh_chroot:
#!/bin/bash
# Copy the libraries and programs the jailed users need into the chroot.
# Re-run after every update of the originals, otherwise the jail keeps
# stale (possibly vulnerable) copies.

# libraries needed by bash, sftp-server and the commands below
cp /lib/libresolv.so.2 /home/alcatraz/lib/
cp /lib/libutil.so.1 /home/alcatraz/lib/
cp /lib/libnsl.so.1 /home/alcatraz/lib/
cp /lib/libcrypt.so.1 /home/alcatraz/lib/
cp /lib/libc.so.6 /home/alcatraz/lib/
cp /lib/libdl.so.2 /home/alcatraz/lib/
cp /lib/ld-linux.so.2 /home/alcatraz/lib/
cp /usr/lib/libcrypto.so.0.9.7 /home/alcatraz/usr/lib/
cp /usr/lib/libz.so.1 /home/alcatraz/usr/lib/

# the SFTP subsystem, started inside the jail by chrootssh
cp /usr/lib/misc/sftp-server /home/alcatraz/usr/lib/misc/

# the shell and the few commands the users get inside the jail
cp /bin/bash /home/alcatraz/bin/
cp /bin/cp /home/alcatraz/bin/
cp /bin/ls /home/alcatraz/bin/
cp /bin/rm /home/alcatraz/bin/
cp /bin/rmdir /home/alcatraz/bin/
cp /bin/mkdir /home/alcatraz/bin/
cp /bin/mv /home/alcatraz/bin/

cp /lib/librt.so.1 /home/alcatraz/lib/
cp /lib/libpthread.so.0 /home/alcatraz/lib/

create_new_user:
#!/bin/bash
# Interactive account creation: a system user whose home lives inside the
# chroot, plus optionally an Apache vhost with DNS record, a vpopmail mail
# domain and a MySQL database.

echo "username: "
read user
echo "pass: "
read password
echo "subdomain: "
read subdomain
echo "main domain: "
read domena

# chrootssh convention: the "/./" in the home path marks where the chroot
# starts; the part after it is the home directory as seen inside the jail
CHROOT="/home/alcatraz/./home"

#add user
groupadd "$user"
useradd -d "$CHROOT/$user/" -s /bin/bash -g "$user" "$user"
echo "$user:$password" > /root/tmp-soubor
/usr/sbin/chpasswd < /root/tmp-soubor
rm -f /root/tmp-soubor
# keeps a plaintext record of every password in /root/notes/pamet
echo "$user:$password" >> /root/notes/pamet
mkdir "$CHROOT/$user/"
chown "$user" "$CHROOT/$user/"
chmod 754 "$CHROOT/$user/"

echo "Will he have apache?"
read apache

# ********************* add apache virtual server
if [ "$apache" = "y" ]; then

chown "$user:apache" "$CHROOT/$user/"
mkdir "$CHROOT/$user/webroot/"
echo "Hello <b>$user</b>" > "$CHROOT/$user/webroot/index.html"
chown -R "$user:apache" "$CHROOT/$user/webroot"

#add DNS record
echo "$subdomain CNAME $domena." >> "/etc/bind/pri/$domena.dns"
reload-dns # here I should also read the serial number of the named zone file and bump it, but I don't know how :-(

#add apache log files
LOGS="$CHROOT/$user/logs"
mkdir "$LOGS"
chmod 755 "$LOGS"    # was "chown 755", which would have set the owner to UID 755
echo "start" > "$LOGS/access_log"
chmod 644 "$LOGS/access_log"
echo "start" > "$LOGS/error_log"
chmod 644 "$LOGS/error_log"

#add apache record

SOUBOR="/etc/apache2/conf/vhosts/$subdomain.$domena.vhost"
echo "<VirtualHost $domena:80>" >> "$SOUBOR"
echo " ServerName $subdomain.$domena" >> "$SOUBOR"
echo " DocumentRoot $CHROOT/$user/webroot" >> "$SOUBOR"
echo " CustomLog $LOGS/access_log combined" >> "$SOUBOR"
echo " ErrorLog $LOGS/error_log" >> "$SOUBOR"
echo "</VirtualHost>" >> "$SOUBOR"

/root/bin/apache-reload
fi

echo "Will he have mail domain?"
read email

# ********************** add maildomain
if [ "$email" = "y" ]; then
/home/vpopmail/bin/vadddomain -q -d /home/vpopmail "$subdomain.$domena" \
    postmaster "$password"
fi

echo "MySQL?"
read mysql

# ********************** add mysql
if [ "$mysql" = "y" ]; then
echo "create database $user;" > /root/tmp-soubor
echo "GRANT ALL PRIVILEGES ON $user.* TO $user@localhost IDENTIFIED BY '$password' WITH GRANT OPTION;" >> /root/tmp-soubor
echo "FLUSH PRIVILEGES;" >> /root/tmp-soubor
# the MySQL root password is passed on the command line, so it shows up in `ps`
mysql -pR1o5o9T < /root/tmp-soubor
rm -f /root/tmp-soubor
fi

# copy of the host passwd into the jail, readable by root only
cp -f /etc/passwd /home/alcatraz/etc/passwd
chmod 600 /home/alcatraz/etc/passwd

> I would be interested in the scripts for chroot setup, etc.
> Regards,
> -John
>
> gentoo@××××××.com wrote:
>
>> Hi,
>> I think that a better solution is chrootssh (it also has a switch in the
>> openssh ebuild). I've used it for a year or so and it works well. I can
>> send you some scripts I use along with it (for copying libs to the chroot
>> and creating users).
>> Petr
>>
>>>Ben Munat wrote:
>>>
>>>>So, my question is, is there a way to restrict her user's movements in
>>>>the file system? It would be nice if she were only able to work within
>>>>her home directory.
>>>
>>>Best is to set up a chroot environment in which the user will work.
>>>I think a good starting point is jailkit @
>>>http://olivier.sessink.nl/jailkit/
>>>I already have an ebuild for it in my overlay @
>>>http://gentoo.mirror.at.stealer.net/portage_overlay/app-admin/jailkit/
>>>
>>>The package contains a shell which will jail the user into a specific
>>>directory. It also contains tools to copy programs and their dependent
>>>libraries into the chroot environment.
>>>
>>>Sven
>
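
The refresh_chroot script above hard-codes the library list, which goes stale every time a binary is rebuilt against something new. The script below, an added example and not Petr's code, does the same job by asking ldd what each binary actually links against and copying those files to the same absolute path inside the jail. The function names and the jail layout are assumptions of mine; it is written against glibc-style ldd output.

```bash
#!/bin/bash
# refresh_chroot, generalised: install binaries into a jail together with the
# shared libraries they link against, found with ldd, instead of keeping a
# hand-maintained list.  Added example, not the scripts from the original
# post; function names and jail layout are assumptions.

# Copy one file into the jail under the same absolute path, keeping its mode.
# Symlinks (libc.so.6 -> libc-2.x.so) are dereferenced so the jail holds a
# real file under the name the dynamic loader looks for.
jail_cp() {
    local jail=$1 src=$2
    local dst="$jail$src"
    mkdir -p "$(dirname "$dst")"
    cp -p "$src" "$dst"
}

# Print the absolute paths of the shared objects a binary needs, one per line.
# ldd output looks like
#   libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x...)
#   /lib64/ld-linux-x86-64.so.2 (0x...)      <- the loader itself
#   linux-vdso.so.1 (0x...)                  <- kernel-provided, skipped
# Caveats: ldd runs the binary's loader, so use it only on trusted binaries,
# and it cannot see libraries opened at run time with dlopen(), e.g. the NSS
# modules libc pulls in for getpwnam(); that is why the poster's list carries
# libnsl and libresolv by hand.
list_deps() {
    ldd "$1" 2>/dev/null | awk '
        $2 == "=>" && $3 ~ /^\//  { print $3 }
        $1 ~ /^\// && $2 != "=>"  { print $1 }
    ' | sort -u
    return 0    # ldd fails on a static binary; that just means "no deps"
}

# Install a binary and everything it needs.  Prints the number of files copied.
jail_install() {
    local jail=$1 bin=$2 n=0 dep
    # never put setuid/setgid programs in a jail: they are the classic way out
    if [ -u "$bin" ] || [ -g "$bin" ]; then
        echo "refusing setuid/setgid binary $bin" >&2
        return 1
    fi
    jail_cp "$jail" "$bin"
    n=$((n + 1))
    for dep in $(list_deps "$bin"); do
        jail_cp "$jail" "$dep"
        n=$((n + 1))
    done
    echo "$n"
}

main() {
    local jail=$1 bin total=0 n
    shift
    for bin in "$@"; do
        n=$(jail_install "$jail" "$bin") || exit 1
        total=$((total + n))
    done
    echo "installed $total files into $jail" >&2
}

# usage: refresh_chroot.sh /home/alcatraz /bin/bash /bin/ls /usr/lib/misc/sftp-server
if [ $# -gt 0 ]; then
    main "$@"
fi
```

Two things to check after running it: the loader inside the jail has no /etc/ld.so.cache, so it only finds libraries in its built-in search directories, and a library that ldd reported from an ld.so.conf-only location (say /usr/local/lib) will be copied but not found; and the NSS and resolver modules still have to be added by hand, as the original list does, or getpwnam() inside the jail silently fails.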
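
create_new_user reads username, subdomain and password with plain `read` and splices them unchecked into useradd, a BIND zone file, the vhost file name /etc/apache2/conf/vhosts/$subdomain.$domena.vhost and a GRANT statement. A subdomain of "../something" or a password containing a quote therefore ends up somewhere the script did not intend. The helpers below, an added example and not part of the original post, are the checks that belong between `read` and those uses; the function names and the accepted character sets are assumptions of mine, chosen so one rule satisfies useradd, DNS and MySQL at once.

```bash
#!/bin/bash
# Input checks for the create_new_user flow.  Added example, not the poster's
# script; function names and accepted character sets are assumptions.

# Account / database name: [a-z][a-z0-9_-]*, at most 32 characters.  This is
# what keeps $user safe as a shell word, a file name and a SQL identifier.
valid_name() {
    case "$1" in
        '' | [!a-z]* | *[!a-z0-9_-]*) return 1 ;;
    esac
    [ "${#1}" -le 32 ]
}

# One DNS label (the "subdomain"): letters, digits and '-', no leading or
# trailing '-', at most 63 characters.  '.' and '/' are rejected on purpose,
# so the value cannot span zones or escape the vhosts directory.
valid_label() {
    case "$1" in
        '' | -* | *- | *[!A-Za-z0-9-]*) return 1 ;;
    esac
    [ "${#1}" -le 63 ]
}

# Escape a value for a single-quoted MySQL string literal: backslash and the
# quote itself.  Without this a password of  x' OR '1'='1  rewrites the GRANT.
# Quoting only helps for the literal; identifiers are covered by valid_name.
sql_quote() {
    printf '%s' "$1" | sed "s/\\\\/\\\\\\\\/g; s/'/\\\\'/g"
}

# The GRANT the poster's script builds, with the user validated, the password
# quoted and WITH GRANT OPTION dropped (a web account has no business granting).
# On MySQL 8 IDENTIFIED BY is no longer accepted in GRANT: run CREATE USER
# first and leave the clause out here.
build_grant() {
    local user=$1 pass=$2
    valid_name "$user" || return 1
    printf "GRANT ALL PRIVILEGES ON \`%s\`.* TO '%s'@'localhost' IDENTIFIED BY '%s';\n" \
        "$user" "$user" "$(sql_quote "$pass")"
}

# Generate the password instead of typing one in: 20 characters from
# [A-Za-z0-9], which also leaves sql_quote nothing to escape.
gen_password() {
    tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 20
}

# usage: check_user.sh <username> <subdomain>
# prints the statement that would be fed to mysql, or fails on bad input
if [ $# -ge 2 ]; then
    valid_name "$1"  || { echo "bad username: $1" >&2; exit 1; }
    valid_label "$2" || { echo "bad subdomain: $2" >&2; exit 1; }
    build_grant "$1" "$(gen_password)"
fi
```

The same rule should gate the `echo ... >> /etc/bind/pri/$domena.dns` and the vhost `echo`s, since both are appends and nothing in the original stops the same subdomain from being added twice; checking `[ -e "$SOUBOR" ]` before writing is the cheap fix for that.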