My configuration: Fedora Core 8 http://www.howtoforge.com/fedora-8-server-lamp-email-dns-ftp-ispconfig, ISPConfig 2.2.26, chrootssh http://www.howtoforge.com/chroot_ssh_sftp_fedora7.

Some modifications in /root/ispconfig/scripts/shell/create_chroot_env.sh for my WinSCP compatibility.

"scp" (also "screen" and "nano") added to the "APPS=..." declaration.

Possible bug in "HOMEDIR" discovery. Assume I have in my "/etc/passwd" something like this: web4_adam:..., web4_ada:..., web4_adamek:... The grep command returns three lines when looking for web4_ada and two lines when looking for web4_adam! Adding ":" after "$CHROOT_USERNAME" prevents username mistakes.

Added "chmod 755 usr/bin/groups" after creating this file for WinSCP compatibility.

Adding the chrooted user's group to etc/group for WinSCP compatibility.

Code:

#!/bin/bash
#
# Usage: ./create_chroot_env username
#
#
# Source code from ISPConfig 2.2.26. Modified by ((2))
#
# Here specify the apps you want into the environment
# scp, screen, nano added ((2)) - 2008-10-04
APPS="/bin/sh /bin/bash /bin/cp /bin/ls /bin/mkdir /bin/mv /bin/pwd /bin/rm /bin/rmdir /usr/bin/id /usr/bin/ssh /bin/ping /usr/bin/dircolors /usr/bin/vi /usr/bin/sftp /usr/lib/openssh/sftp-server /usr/bin/unzip /usr/bin/mysqldump /usr/bin/mysql /usr/bin/zip /bin/tar /usr/bin/scp /usr/bin/screen /bin/nano"

# Sanity check
if [ "$1" = "" ] ; then
  echo " Usage: ./create_chroot_env username"
  exit 1
fi

# Obtain username and HomeDir
CHROOT_USERNAME=$1
# ":" added ((2)) - 2008-10-04 - prevent many users grep
# admini, administrator, admin when prompted admin
HOMEDIR=`grep /etc/passwd -e "^$CHROOT_USERNAME:" | cut -d':' -f 6`

# Stop here if the user was not found: an unquoted, empty $HOMEDIR would make
# "cd" fall back to $HOME and the chroot tree would be built there instead
if [ "$HOMEDIR" = "" ] ; then
  echo "User $CHROOT_USERNAME not found in /etc/passwd"
  exit 1
fi
cd "$HOMEDIR" || exit 1

# Create Directories no one will do it for you
mkdir -p usr/lib/openssh
mkdir etc
mkdir etc/pam.d/
mkdir bin
mkdir lib
mkdir usr/bin
mkdir dev
mknod dev/null c 1 3
mknod dev/zero c 1 5
chmod 666 dev/null
chmod 666 dev/zero

# Create short version to /usr/bin/groups
# On some system it requires /bin/sh, which is generally unnecessary in a chroot cage
echo "#!/bin/bash" > usr/bin/groups
echo "id -Gn" >> usr/bin/groups
# added ((2)) - 2008-10-04 - scp failed
chmod 755 usr/bin/groups

# Add some users to ./etc/passwd
# (same ":" anchor as for HOMEDIR, so sibling users such as web4_adam do not
# end up in the chroot's passwd/group when creating web4_ada)
grep /etc/passwd -e "^root:" -e "^$CHROOT_USERNAME:" > etc/passwd
grep /etc/group -e "^root:" -e "^$CHROOT_USERNAME:" > etc/group

if [ -e ${HOMEDIR}/ldlist ]; then
  mv ${HOMEDIR}/ldlist ${HOMEDIR}/ldlist.bak
fi
if [ -e ${HOMEDIR}/ldlist2 ]; then
  mv ${HOMEDIR}/ldlist2 ${HOMEDIR}/ldlist2.bak
fi

for app in $APPS; do
  # First of all, check that this application exists
  if [ -x $app ]; then
    # Check that the directory exists; create it if not.
    app_path=`echo $app | sed -e 's#\(.\+\)/[^/]\+#\1#'`
    if ! [ -d .$app_path ]; then
      mkdir -p .$app_path
    fi
    # If the files in the chroot are on the same file system as the
    # original files you should be able to use hard links instead of
    # copying the files, too. Symbolic links cannot be used, because the
    # original files are outside the chroot.
    cp -p $app .$app
    # get list of necessary libraries
    ldd $app >> ${HOMEDIR}/ldlist
  fi
done

# Clear out any old temporary file before we start
if [ -e ${HOMEDIR}/ldlist2 ]; then
  rm ${HOMEDIR}/ldlist2
fi

for libs in `cat ${HOMEDIR}/ldlist`; do
  frst_char="`echo $libs | cut -c1`"
  if [ "$frst_char" = "/" ]; then
    echo "$libs" >> ${HOMEDIR}/ldlist2
  fi
done

for lib in `cat ${HOMEDIR}/ldlist2`; do
  mkdir -p .`dirname $lib` > /dev/null 2>&1
  # If the files in the chroot are on the same file system as the original
  # files you should be able to use hard links instead of copying the files,
  # too. Symbolic links cannot be used, because the original files are
  # outside the chroot.
  cp $lib .$lib
done

#
# Now, cleanup the 2 files we created for the library list
#
/bin/rm -f ${HOMEDIR}/ldlist
/bin/rm -f ${HOMEDIR}/ldlist2

# For some strange reason these libraries are not in the ldd output, but without them
# some stuff will not work, like usr/bin/groups
cp /lib/libnss_compat.so.2 /lib/libnsl.so.1 /lib/libnss_files.so.2 /lib/ld-linux.so.2 /lib/libcap.so.1 /lib/libnss_dns.so.2 ./lib/
cp /etc/hosts etc/
cp /etc/resolv.conf etc/
cp /etc/pam.d/* etc/pam.d/
cp -r /lib/security lib/
cp -r /etc/security etc/
cp /etc/login.defs etc/
cp /usr/lib/libgssapi_krb5.so.2 usr/lib/
cp /usr/lib/libkrb5.so.3 usr/lib/
cp /usr/lib/libk5crypto.so.3 usr/lib/
cp /lib/libcom_err.so.2 lib/
cp /usr/lib/libkrb5support.so.0 usr/lib/

# mysql needs the socket in the chrooted environment
mkdir ${HOMEDIR}/var
mkdir ${HOMEDIR}/var/run
mkdir ${HOMEDIR}/var/run/mysqld
ln -s /var/run/mysqld/mysqld.sock ${HOMEDIR}/var/run/mysqld/mysqld.sock

# added ((2)) - 2008-10-04 - scp failed
# (without the user's primary group in etc/group, id/groups inside the
# chroot report: cannot find name for group ID)
GROUP=`id -ng "$CHROOT_USERNAME"`
grep /etc/group -e "^$GROUP:" >> etc/group
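The HOMEDIR prefix-match problem described in the post, as an added example (not the poster's or ISPConfig's code): a constructed passwd sample with the web4_adam / web4_ada / web4_adamek accounts, the original anchor-only grep showing the over-match, the ":"-terminated grep that returns exactly one home directory, and the empty-result guard that the script itself lacks. The usernames, UIDs and home paths are made up for the demonstration; `SAMPLE_PASSWD` stands in for /etc/passwd so the example runs offline.

```shell
#!/bin/sh
# Added example: why "^$CHROOT_USERNAME" over-matches and how "^$CHROOT_USERNAME:"
# fixes it. The passwd lines below are constructed, not real accounts.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
web4_adam:x:10001:10001::/var/www/web4/user/web4_adam:/bin/bash
web4_ada:x:10002:10001::/var/www/web4/user/web4_ada:/bin/bash
web4_adamek:x:10003:10001::/var/www/web4/user/web4_adamek:/bin/bash'

# Original lookup: anchored only at line start, so "web4_ada" also matches
# "web4_adam" and "web4_adamek". Prints the number of matching lines.
count_prefix_matches() {
    printf '%s\n' "$SAMPLE_PASSWD" | grep -c -e "^$1"
}

# Fixed lookup: the trailing ":" closes the username field, so exactly one
# line can match. Prints field 6 (home directory); fails if there is none.
home_exact() {
    dir=$(printf '%s\n' "$SAMPLE_PASSWD" | grep -e "^$1:" | cut -d':' -f 6)
    [ -n "$dir" ] || return 1
    printf '%s\n' "$dir"
}

# Guard missing from create_chroot_env.sh: never hand an empty or relative
# path to "cd", because "cd $HOMEDIR" with an empty value lands in $HOME and
# every following mkdir/mknod would run there instead of in the chroot.
safe_homedir() {
    h=$(home_exact "$1") || { echo "no such user: $1" >&2; return 1; }
    case "$h" in
        /*) printf '%s\n' "$h" ;;
        *)  echo "refusing non-absolute home: $h" >&2; return 1 ;;
    esac
}
```

On a real system the same result is obtained more robustly with `getent passwd "$user" | cut -d: -f6`, which resolves the exact account through NSS rather than pattern-matching the file, but the ":" anchor is the minimal fix for the grep the script already uses.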