Thursday, September 9, 2010

Building a chroot environment for sftp and sshd (OpenSSH)

This is useful when you don't trust your users, and still must provide sftp service.

The following script creates a chroot environment at the specified path.
It has been adapted to run on OS X. Use it with:
  > ./create_chroot_env_osx /tmp/testdirectory
  > sudo chroot /tmp/testdirectory

#!/bin/bash
# Usage: ./create_chroot_env_osx destinationPath

# Specify HERE the apps you want in the environment
# /usr/lib/dyld is mandatory (the dynamic linker, needed by every binary)
APPS="/usr/lib/dyld /bin/bash /bin/ls /bin/mkdir /bin/mv /bin/pwd /bin/rm"

# Sanity check
if [ "$1" = "" ] ; then
   echo "     Usage: $0 destinationPath"
   exit 1
fi

# Go to the destination directory
if [ ! -d "$1" ]; then mkdir "$1"; fi
cd "$1" || exit 1

# Create directories; no one will do it for you
mkdir etc
mkdir bin
mkdir usr
mkdir usr/bin
mkdir usr/lib
mkdir usr/lib/system

# Add some users to ./etc/passwd (only root is copied in)
grep -e "^root" /etc/passwd > etc/passwd
grep -e "^root" /etc/group > etc/group

# Copy the apps and the related libs
for prog in $APPS; do
   cp "$prog" "./$prog"

   # obtain a list of related libraries
   # otool -L is the OS X equivalent of ldd; each dependency line holds the
   # library's full path followed by "(compatibility version ..., current version ...)"
   otool -L "$prog" > /dev/null 2>&1
   if [ "$?" = 0 ] ; then
      LIBS=`otool -L "$prog" | grep version | awk '{ print $1 }'`
      for l in $LIBS; do
         cp "$l" "./$l"
         # second level of dependent libraries
         LLIBS=`otool -L "$l" | grep version | awk '{ print $1 }'`
         for ll in $LLIBS; do
            cp "$ll" "./$ll"
         done
      done
   fi
done