Hi,
my scripts may not be useful for everyone, but I hope they will be a good
inspiration at least.
I have my chrooted env in /home/alcatraz/
There is one more useful tip: set the owner of /home/alcatraz/home/ to
root:apache with permissions 751; that allows apache to read the user folders, but
users can't even list the other users' folders.

Here are the simple scripts I use:
refresh_chroot:
#!/bin/bash
# Copy (or re-copy) the shared libraries and binaries the jail needs.
CHROOT=/home/alcatraz

# shared libraries needed by sftp-server, bash and the coreutils below
for lib in libresolv.so.2 libutil.so.1 libnsl.so.1 libcrypt.so.1 libc.so.6 \
           libdl.so.2 ld-linux.so.2 librt.so.1 libpthread.so.0; do
    cp /lib/$lib "$CHROOT/lib/"
done
cp /usr/lib/libcrypto.so.0.9.7 "$CHROOT/usr/lib/"
cp /usr/lib/libz.so.1 "$CHROOT/usr/lib/"

# the SFTP subsystem binary
cp /usr/lib/misc/sftp-server "$CHROOT/usr/lib/misc/"

# a minimal set of user binaries
for bin in bash cp ls rm rmdir mkdir mv; do
    cp /bin/$bin "$CHROOT/bin/"
done

create_new_user:
#!/bin/bash
# Interactive helper: creates a jailed shell/sftp account and optionally an
# Apache vhost, a vpopmail mail domain and a MySQL database for it.

echo "username: "
read -r user
echo "pass: "
read -rs password        # -s: the password is not echoed on the terminal
echo
echo "subdomain: "
read -r subdomain
echo "main domain: "
read -r domena

# the /./ marks where chrootssh cuts the path: everything before it becomes
# the jail root, everything after it is the home directory inside the jail
CHROOT="/home/alcatraz/./home"

#add user
groupadd "$user"
useradd -d "$CHROOT/$user/" -s /bin/bash -g "$user" "$user"
echo "$user:$password" | /usr/sbin/chpasswd
echo "$user:$password" >> /root/notes/pamet   # plaintext password record in root's notes; keep that file mode 600
mkdir "$CHROOT/$user/"
chown "$user" "$CHROOT/$user/"
chmod 754 "$CHROOT/$user/"

echo "Will he have apache?"
read -r apache

# ********************* add apache virtual server
if [ "$apache" = "y" ]; then

    # the user owns the home dir and webroot, group apache may read them
    chown "$user:apache" "$CHROOT/$user/"
    mkdir "$CHROOT/$user/webroot/"
    echo "Hello <b>$user</b>" > "$CHROOT/$user/webroot/index.html"
    chown -R "$user:apache" "$CHROOT/$user/webroot"

    #add DNS record
    echo "$subdomain CNAME $domena." >> "/etc/bind/pri/$domena.dns"
    # here I should also read the serial number of the zone file for NAMED
    # and change it, but I don't know how :-(
    reload-dns

    #add apache log files
    LOGS="$CHROOT/$user/logs"
    mkdir "$LOGS"
    chmod 755 "$LOGS"
    echo "start" > "$LOGS/access_log"
    chmod 644 "$LOGS/access_log"
    echo "start" > "$LOGS/error_log"
    chmod 644 "$LOGS/error_log"

    #add apache record
    SOUBOR="/etc/apache2/conf/vhosts/$subdomain.$domena.vhost"
    {
        echo "<VirtualHost $domena:80>"
        echo "  ServerName $subdomain.$domena"
        echo "  DocumentRoot $CHROOT/$user/webroot"
        echo "  CustomLog $LOGS/access_log combined"
        echo "  ErrorLog $LOGS/error_log"
        echo "</VirtualHost>"
    } >> "$SOUBOR"

    /root/bin/apache-reload
fi

echo "Will he have mail domain?"
read -r email

# ********************** add maildomain
if [ "$email" = "y" ]; then
    # the postmaster of the new mail domain gets the same password as the shell account
    /home/vpopmail/bin/vadddomain -q -d /home/vpopmail "$subdomain.$domena" postmaster "$password"
fi

echo "MySQL?"
read -r mysql

# ********************** add mysql
if [ "$mysql" = "y" ]; then
    # statements are fed on stdin; mysql asks for the root password on the tty
    # (a -p<password> on the command line is visible in ps and in shell history)
    mysql -u root -p <<EOF
CREATE DATABASE $user;
GRANT ALL PRIVILEGES ON $user.* TO '$user'@'localhost' IDENTIFIED BY '$password' WITH GRANT OPTION;
FLUSH PRIVILEGES;
EOF
fi

# the jail needs its own passwd for name lookups; the host copy lists every
# account on the box, so it stays unreadable for the jailed users
cp -f /etc/passwd /home/alcatraz/etc/passwd
chmod 600 /home/alcatraz/etc/passwd

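The refresh_chroot script above carries a hardcoded library list, which silently goes stale when a copied binary picks up a new dependency. The following is an added example, not one of the scripts from this post: it derives the list from ldd(1) and copies each binary together with its libraries into the jail (the same thing the jailkit tools mentioned further down in the thread do). The jail path, the function names and the sample ldd output are this example's own assumptions; the sample is constructed so the parser can be exercised without touching the real system.

```shell
#!/bin/bash
# Added example: copy a binary plus the libraries ldd(1) reports for it into
# a chroot. The jail root (e.g. /home/alcatraz) is the first argument; files
# keep their host paths below it. Function names are this example's own.

# Print the absolute library paths from ldd output read on stdin.
# ldd prints three kinds of lines; only the first two name a file to copy:
#   libc.so.6 => /lib/libc.so.6 (0x...)
#   /lib/ld-linux.so.2 (0x...)
#   linux-gate.so.1 =>  (0x...)     <- the vDSO, mapped by the kernel, skip it
ldd_paths() {
    awk '$2 == "=>" && $3 ~ /^\// { print $3; next }
         $1 ~ /^\//                { print $1 }'
}

# Copy one file under the jail root, creating its directory first.
# Mode bits follow the source file and the umask, as with any cp.
jail_copy_file() {
    local jail=$1 src=$2
    mkdir -p "$jail$(dirname "$src")"
    cp "$src" "$jail$src"
}

# Copy a binary and everything ldd resolves for it.
jail_install() {
    local jail=$1 bin=$2 lib
    jail_copy_file "$jail" "$bin"
    ldd "$bin" | ldd_paths | while IFS= read -r lib; do
        jail_copy_file "$jail" "$lib"
    done
}

# Constructed ldd output (the shape ldd /bin/bash printed on an x86 box of
# that era), used to show the parser without running ldd on this machine.
SAMPLE_LDD='    linux-gate.so.1 =>  (0xffffe000)
    libncurses.so.5 => /lib/libncurses.so.5 (0xb7f80000)
    libdl.so.2 => /lib/libdl.so.2 (0xb7f7c000)
    libc.so.6 => /lib/libc.so.6 (0xb7e5d000)
    /lib/ld-linux.so.2 (0xb7fc8000)'

# Usage: jail-install.sh /home/alcatraz /usr/lib/misc/sftp-server /bin/bash ...
if [ "$#" -ge 2 ]; then
    jail=$1; shift
    for bin in "$@"; do
        jail_install "$jail" "$bin"
    done
fi
```

Two caveats: ldd only lists what the ELF headers declare, so libraries loaded at run time through dlopen, such as the libnss_* modules that name lookups inside the jail need, still have to be copied by hand; and ldd may execute the binary's dynamic loader, so only feed it binaries you trust.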
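create_new_user appends the CNAME and runs reload-dns, but as the comment in it says, the SOA serial is never bumped; without a higher serial, secondary name servers keep serving the old zone. The following is an added example, not part of the post, that does the bump before the reload. It assumes the YYYYMMDDnn serial convention and a "; serial" comment on the serial line, as in the usual BIND zone examples; the function names are the example's own and the sample zone is constructed.

```shell
#!/bin/bash
# Added example: bump the SOA serial of a BIND zone file before reloading.
# Assumptions (not facts from the post): serials use the YYYYMMDDnn
# convention and the serial line carries a "; serial" comment, as in the
# usual BIND zone examples. Function names are this example's own.

# next_serial OLD TODAY -> prints the next serial.
# Takes today's date + "01" when that is larger than OLD, otherwise OLD + 1,
# so the value always increases: on repeated edits the same day, and when
# the old serial was a plain counter rather than a date.
next_serial() {
    local old=$((10#$1)) today=$((10#$2)) new
    new=$((today * 100 + 1))
    if [ "$new" -le "$old" ]; then
        new=$((old + 1))
    fi
    echo "$new"
}

# bump_serial ZONEFILE [TODAY] -> rewrites the serial line in place and prints
# the new serial. Only the first line commented "; serial" is touched.
bump_serial() {
    local zone=$1 today=${2:-$(date +%Y%m%d)} old new tmp
    old=$(awk 'tolower($0) ~ /;[ \t]*serial/ {
                   match($0, /[0-9]+/); print substr($0, RSTART, RLENGTH); exit }' "$zone")
    if [ -z "$old" ]; then
        echo "no serial line found in $zone" >&2
        return 1
    fi
    new=$(next_serial "$old" "$today")
    tmp=$(mktemp)
    awk -v new="$new" '
        !seen && tolower($0) ~ /;[ \t]*serial/ { sub(/[0-9]+/, new); seen = 1 }
        { print }' "$zone" > "$tmp"
    cat "$tmp" > "$zone"      # write through, so owner and mode of the zone file stay
    rm -f "$tmp"
    echo "$new"
}

# Constructed zone file, in the layout the functions expect.
SAMPLE_ZONE='$TTL 3600
@       IN SOA ns1.example.com. hostmaster.example.com. (
            2005031401 ; serial
            3600       ; refresh
            900        ; retry
            604800     ; expire
            86400 )    ; minimum
@       IN NS    ns1.example.com.
www     IN CNAME example.com.'

# Usage, e.g. from create_new_user right before reload-dns:
#   bump_serial "/etc/bind/pri/$domena.dns"
if [ "$#" -ge 1 ]; then
    bump_serial "$@"
fi
```

The max(old + 1, today01) rule is what keeps the serial monotonic; a plain "today01" would go backwards on the second edit of a day, and a plain "old + 1" loses the date encoding. Either way, named only needs the number to grow.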
> I would be interested in the scripts for chroot setup, etc.
> Regards,
> -John
>
> gentoo@××××××.com wrote:
>
>> Hi,
>> I think that a better solution is chrootssh (there is also a switch for it
>> in the openssh ebuild). I've used it for a year or so and it works well.
>> I can send you some scripts I use along with it (for copying libs to the
>> chroot and creating users).
>> Petr
>>
>>>Ben Munat wrote:
>>>
>>>>So, my question is, is there a way to restrict her user's movements in
>>>>the file system? It would be nice if she were only able to work within
>>>>her home directory.
>>>
>>>Best is to set up a chroot environment in which the user will work.
>>>I think a good starting point is jailkit @
>>>http://olivier.sessink.nl/jailkit/
>>>I already have an ebuild for it in my overlay @
>>>http://gentoo.mirror.at.stealer.net/portage_overlay/app-admin/jailkit/
>>>
>>>The package contains a shell which will jail the user into a specific
>>>directory. It also contains tools to copy programs and the libraries they
>>>depend on into the chroot environment.
>>>
>>>Sven
>>>
>>
>