Tag Archives: chroot

Lousy jailed-lighttpd scripts

Now, jailed has its own automated scripts to generate its own proper fully-contained jails (as far as “jails” on GNU/Linux go, that is; they’re chroots, actually).

The following scripts are leftovers from me trying to do the same, before finding out that the utilities are already there. They have been lying around for quite some time. I’m just copying them here so I can delete them from the home dir.

=====

jailed-lighttpd-install
-----

#!/bin/sh
# Create a jail for lighttpd
set -e

jail=/jail/lighttpd
# l2chroot lives next to this script; remember where that is before cd'ing away
scriptdir=$(cd "$(dirname "$0")" && pwd)

mkdir -p "$jail"
cd "$jail"

# world-writable scratch space with the sticky bit, as on the host
mkdir -p tmp
chmod 1777 tmp

# log, pid and document directories owned by the service user
mkdir -p        var/log/lighttpd var/run/lighttpd home/http
chown http:http var/log/lighttpd var/run/lighttpd home/http
chmod a+rx      var/log/lighttpd var/run/lighttpd home/http

# configuration and name-service files the binaries expect to find under /etc
mkdir -p etc
cp -avr /etc/php etc/
cp -v /etc/hosts /etc/nsswitch.conf /etc/resolv.conf /etc/services /etc/localtime etc/
cp -v /etc/group /etc/host.conf /etc/passwd /etc/protocols etc/

mkdir -p usr/bin
cp /usr/bin/php /usr/bin/php-cgi usr/bin/

# read l2chroot before use: it copies each binary's shared libraries into the jail
"$scriptdir/l2chroot" /usr/bin/php
"$scriptdir/l2chroot" /usr/bin/php-cgi

# just in case some permissions were forgotten...
chmod a+rx "$jail"

=====

jailed-lighttpd.rc
-----

#!/bin/bash

# general config
. /etc/rc.conf
. /etc/rc.d/functions

jailroot=/jail/lighttpd
# run a command as the service user (used to signal the jailed daemon)
function jailcmd () {
    su http -c "$*"
}

PID=$(pidof -o %PPID /usr/sbin/lighttpd)

case "$1" in
    start)
        stat_busy "Starting jailed lighttpd Daemon"
        # only launch when no instance is running; an already-running daemon is not a failure
        if [ -z "$PID" ]; then
            jk_chrootlaunch -j "$jailroot" -x /usr/sbin/lighttpd -- -f /etc/lighttpd/lighttpd.conf 2>&1
        fi
        if [ $? -gt 0 ]; then
            stat_fail
        else
            add_daemon lighttpd
            stat_done
        fi
        ;;
    stop)
        stat_busy "Stopping jailed lighttpd Daemon"
        # nothing to signal when no instance is running; that is not a failure either
        if [ -n "$PID" ]; then
            jailcmd kill "$PID" &>/dev/null
        fi
        if [ $? -gt 0 ]; then
            stat_fail
        else
            rm_daemon lighttpd
            rm -f "$jailroot/var/run/lighttpd/lighttpd.pid"
            stat_done
        fi
        ;;
    restart)
        $0 stop
        sleep 1
        $0 start
        ;;
    *)
        echo "usage: $0 {start|stop|restart}"
esac

=====

l2chroot
-----

#!/bin/bash
# Use this script to copy shared (libs) files to Apache/Lighttpd chrooted
# jail server.
# ----------------------------------------------------------------------------
# Written by nixCraft <http://www.cyberciti.biz/tips/>
# (c) 2006 nixCraft under GNU GPL v2.0+
# + Added ld-linux support
# + Added error checking support
# ------------------------------------------------------------------------------
# See url for usage:
# http://www.cyberciti.biz/tips/howto-setup-lighttpd-php-mysql-chrooted-jail.html
# -------------------------------------------------------------------------------
# Set CHROOT directory name
BASE="/jail/lighttpd"

if [ $# -eq 0 ]; then
    echo "Syntax : $0 /path/to/executable"
    echo "Example: $0 /usr/bin/php5-cgi"
    exit 1
fi

# create the jail root if it does not exist yet
[ ! -d "$BASE" ] && mkdir -p "$BASE" || :

# a statically linked binary has no shared libraries to copy
if ! ldd "$1" >/dev/null 2>&1; then
    echo "$1 is not a dynamic executable, nothing to copy"
    exit 0
fi

# ignore the ld-linux* file here as it is not a shared library (handled below)
FILES="$(ldd "$1" | awk '{ print $3 }' | grep -Ev '^\(')"

echo "Copying shared files/libs to $BASE..."
for i in $FILES
do
    # skip entries that are not files (e.g. the vdso line carries no path)
    [ -f "$i" ] || continue
    d="$(dirname "$i")"
    [ ! -d "$BASE$d" ] && mkdir -p "$BASE$d" || :
    /bin/cp "$i" "$BASE$d"
done

# copy /lib/ld-linux* or /lib64/ld-linux* to $BASE/$sldlsubdir
# get ld-linux full file location
sldl="$(ldd "$1" | grep 'ld-linux' | awk '{ print $1}')"
# now get sub-dir
sldlsubdir="$(dirname "$sldl")"

if [ -n "$sldl" ] && [ ! -f "$BASE$sldl" ]; then
    echo "Copying $sldl $BASE$sldlsubdir..."
    mkdir -p "$BASE$sldlsubdir"
    /bin/cp "$sldl" "$BASE$sldlsubdir"
fi

=====

There. Sorry for the tabbing, it went AWOL.
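As an added example (not one of the scripts above, and not from jailkit or nixCraft), here are two defender-side helpers for a jail built the way jailed-lighttpd-install and l2chroot build it. The first writes a trimmed passwd and group into the jail's etc instead of copying the host's files wholesale, so a process inside the chroot learns nothing about other accounts. The second audits the permission points the install script sets by hand: tmp must be 1777, nothing else may be world-writable without the sticky bit, and no setuid/setgid file should have been copied in. The jail path, the user names and the sample passwd/group lines are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original post. All paths and account lines below
# are constructed for the demo.
umask 022

# jail_passwd SRC_PASSWD SRC_GROUP DEST_ETC USER...
# Writes DEST_ETC/passwd and DEST_ETC/group holding only root and the named users.
jail_passwd() {
    src_passwd=$1; src_group=$2; dest=$3; shift 3
    mkdir -p "$dest"
    names="root"
    for u in "$@"; do names="$names $u"; done
    # keep a line only when its first field (the account name) is on the list
    awk -F: -v names="$names" '
        BEGIN { n = split(names, a, " "); for (i = 1; i <= n; i++) keep[a[i]] = 1 }
        ($1 in keep) { print }
    ' "$src_passwd" > "$dest/passwd"
    awk -F: -v names="$names" '
        BEGIN { n = split(names, a, " "); for (i = 1; i <= n; i++) keep[a[i]] = 1 }
        ($1 in keep) { print }
    ' "$src_group" > "$dest/group"
    chmod 644 "$dest/passwd" "$dest/group"
}

# jail_audit JAIL
# Prints one line per finding; returns 0 when clean, 1 otherwise.
jail_audit() {
    jail=$1; rc=0
    if [ ! -d "$jail/tmp" ]; then
        echo "missing: $jail/tmp"; rc=1
    else
        # expect drwxrwxrwt: world-writable with the sticky bit set
        mode=$(ls -ld "$jail/tmp" | cut -c1-10)
        [ "$mode" = "drwxrwxrwt" ] || { echo "tmp mode is $mode, expected drwxrwxrwt"; rc=1; }
    fi
    # any other world-writable directory without the sticky bit lets one jailed
    # process tamper with another's files
    bad=$(find "$jail" -type d -perm -002 ! -perm -1000)
    if [ -n "$bad" ]; then
        printf '%s\n' "$bad" | sed 's/^/world-writable dir without sticky bit: /'; rc=1
    fi
    # setuid/setgid binaries have no business inside a service jail
    bad=$(find "$jail" -type f \( -perm -4000 -o -perm -2000 \))
    if [ -n "$bad" ]; then
        printf '%s\n' "$bad" | sed 's/^/setuid\/setgid file inside jail: /'; rc=1
    fi
    return $rc
}

# --- demo on a throwaway directory ---
demo=$(mktemp -d)
# constructed sample account files (not a real system's)
printf 'root:x:0:0:root:/root:/bin/sh\nhttp:x:33:33:http:/srv/http:/bin/false\nalice:x:1000:1000::/home/alice:/bin/sh\n' > "$demo/passwd"
printf 'root:x:0:\nhttp:x:33:\nalice:x:1000:\n' > "$demo/group"
jail_passwd "$demo/passwd" "$demo/group" "$demo/jail/etc" http
mkdir -p "$demo/jail/tmp" "$demo/jail/home/http"
chmod 1777 "$demo/jail/tmp"
chmod 777 "$demo/jail/home/http"   # deliberate mistake for the audit to catch
jail_audit "$demo/jail" || echo "audit found problems in $demo/jail"
```

Run it against a real jail by calling jail_audit with the jail root; jail_passwd takes the host's /etc/passwd and /etc/group plus the service user names, and the result is what you would drop into the jail's etc in place of the plain cp.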


Lighttpd in jailkit chroot environment

[lighttpd]
comment = LigHTTPd HTTP server
paths = /usr/sbin/lighttpd, /usr/sbin/lighttpd-angel, /usr/lib/lighttpd, /etc/lighttpd
emptydirs = /tmp, /srv/http, /var/log/lighttpd, /var/run/lighttpd
devices = /dev/urandom, /dev/null
users = http
groups = http
includesections = uidbasics, netbasics, logbasics

[php]
comment = PHP 5
paths = /usr/bin/php, /usr/bin/php-cgi, /usr/bin/cgi-fcgi, /usr/bin/spawn-fcgi, /etc/php
includesections = netbasics, logbasics

Permissions need to be changed in your jaildir.

jailed-lighttpd:

(include file lost, sorry)

Stock FTP with chroot (FreeBSD 7.0)

I was having really weird problems trying to set up a user that would be properly chrooted. Here are some traps/pitfalls.

1) The stock ftpd is not native! It’s merged in from NetBSD (I think). If you look for /usr/share/examples/ftpd/ftpd.conf, you won’t find it.

2) Make sure /home can be executed by anyone. I had everything (“rwx”) disabled for “others”, so that users can’t see who else exists on the system. Well, I had to put the “x” permission back on (in my case, “r” suffices).

3) There might be confusion about what the /etc/ftpXXX files actually do. man ftpchroot says:

The ftpusers file provides user access control for ftpd(8) by defining which users may login.

But if you read further, the file actually defines which users may not login.

Funny thing is, it also says ftpchroot has the same format, but putting

retard yes

in it meant that user retard was not chrooted after entering the password. Putting a simple

retard

did the trick.
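As an added example (not from the original post), two checks for the pitfalls above, written so they can be run before handing a chrooted FTP account to anyone. check_traversal walks from the user's home up to a given base and reports every component that lacks the "x" bit for others, the thing that broke in pitfall 2. ftp_user_status reads ftpusers as the deny list it actually is and accepts an ftpchroot entry only in the bare-username form that worked, flagging entries with a trailing field like the "retard yes" line. The directory layout, user names and file contents are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original post. Directory names, user names and
# the sample ftpusers/ftpchroot contents are constructed for the demo.
umask 022

# check_traversal DIR [BASE]
# Every component from BASE (default /) down to DIR must be searchable by
# "others" for a non-root user to reach DIR; prints each component that is not.
# Returns 0 when the whole path is reachable, 1 otherwise.
check_traversal() {
    p=$1; base=${2:-/}; rc=0
    while [ -n "$p" ] && [ "$p" != "/" ] && [ "$p" != "$base" ]; do
        # tenth character of the ls mode string is the "other" execute bit
        ox=$(ls -ld "$p" | cut -c10)
        case $ox in
            x|t) ;;
            *) echo "no o+x on $p ($(ls -ld "$p" | cut -c1-10))"; rc=1 ;;
        esac
        p=$(dirname "$p")
    done
    return $rc
}

# ftp_user_status USER FTPUSERS FTPCHROOT
# ftpusers lists who may NOT log in (despite the man page's first sentence);
# ftpchroot lists, one bare name per line, who is chrooted after login.
ftp_user_status() {
    u=$1; users=$2; chroot=$3
    if grep -qx "$u" "$users" 2>/dev/null; then
        echo denied; return 0
    fi
    if awk -v u="$u" '$1 == u && NF == 1 { found = 1 } END { exit !found }' "$chroot" 2>/dev/null; then
        echo chrooted
    elif awk -v u="$u" '$1 == u && NF > 1 { found = 1 } END { exit !found }' "$chroot" 2>/dev/null; then
        # the "name yes" form is the one the post found did not chroot the user
        echo "chroot entry has extra fields (use the bare user name)"
    else
        echo unrestricted
    fi
}

# --- demo on a throwaway directory ---
demo=$(mktemp -d)
mkdir -p "$demo/home/alice"
chmod 711 "$demo/home"          # o+x only: others cannot list /home but can pass through
chmod 700 "$demo/home/alice"    # deliberate: not traversable by others
check_traversal "$demo/home/alice" "$demo" || echo "path not reachable by others"
chmod 711 "$demo/home/alice"
check_traversal "$demo/home/alice" "$demo" && echo "path reachable"
printf '# users who may NOT log in\nbob\n' > "$demo/ftpusers"
printf 'alice\ncarol yes\n' > "$demo/ftpchroot"
for u in alice bob carol dave; do
    echo "$u: $(ftp_user_status "$u" "$demo/ftpusers" "$demo/ftpchroot")"
done
```

On a real box, point ftp_user_status at /etc/ftpusers and /etc/ftpchroot and run check_traversal on the user's home with no base argument so it checks all the way up to /.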