Hi Everyone, my name is Luis. I happen to be one of the countless individuals who have found RSSH useful and have proceeded to implement it. I have successfully re-configured the CHROOT script to work off the Source RPM (rssh-2.3.2-1.rf.src.rpm) on <http://dag.wieers.com/rpm/packages/rssh/>. I have proceeded to do this since to date I have been using the Source Tarball (rssh-2.3.2.tar.gz) provided on <http://www.pizzashack.org/rssh/downloads.shtml> across all RHEL systems. Though when I finally came to install it on a RHEL5 64-bit system, I received Segmentation Faults. At this point I found the Packages website above and installed the RHEL5 64-bit RPM (rssh-2.3.2-1.2.el5.rf.x86_64.rpm) without any issues whatsoever. So it seems the RSSH binaries were distinct between the Source Tarball and the RHEL5 64-bit RPM. I wanted the flexibility to compile my own RSSH build based on any future RHEL systems and hence came to where I am now. The updated CHROOT script has been tested with the Source Tarball and RPM across RHEL3 32-bit, RHEL4 32-bit, RHEL5 32-bit and RHEL5 64-bit systems. I hope you find this works for you as it did for me and that it helps to streamline the CHROOT setup in conjunction with RSSH. Please read the README_MKCHROOT.txt file which contains further notes on how to run this script. As always I am happy to hear of comments and/or suggestions with improving the configuration process. This is my way of saying thank you to Derek for creating RSSH and hope others can benefit from the configuration change.
Mkchroot update for 32/64-bit RHEL Systems support by Luis Iafigliola.
Dated 29th June 2010.

As such the CHROOT script will configure the Jail with the following runtime parameters:

./mkchroot.sh <Jail Directory> <CHROOT User> <CHROOT Jail Directory Permissions> <CHROOT Group>

For example:

./mkchroot.sh /var/www/html/websites webuser 2775 webgroup

The sequential changes (as presented in the CHROOT script) include:

1) Specifying the GROUP parameter. I added this in order to have a common group in which all RSSH users will reside. The idea behind this is that the control of filesystem access is achieved at the group level. From the permissions parameter above, you can see that the group has WRITE access. This allows the CHROOT group to have common access to the relevant set of files (more on this in Step 3 below).

2) Detection of whether it is being run on an x86 64-bit system. This will then pinpoint the location of the libraries directory on the filesystem.

3) Setting the GROUP parameter when the script is being run only as the root user. I set an SGID, as any files created within the Jail by the CHROOT User should be owned by this common group for shared access.

4) I believe in RHEL5 32-bit at least, that the shared libraries output may contain an "0x" value. This breaks the copy of dependent libraries required by the specified binaries in the Jail. There is a flag which has been set to capture the "0x" value and bypass it. I believe I ran into this bit of code somewhere on the net, so kudos to the original author.

5) Particular libraries which are required for proper dependency resolution. Once again I ran into these somewhere on the net, so my thanks go out to the original author.

6) Slight change to copy the CHROOT User into the Jail passwd file, rather than the whole file itself. The same goes for the CHROOT group.

7) Set the relevant CHROOT directories within the Jail to be executable to all and not readable. I preferred the approach where the CHROOT User did not need to concern themselves with the contents of these directories.

NOTE. A catch with Item 7 is that the CHROOT User should first create the relevant directory structure required in the Jail. If the CHROOT User happens to view a CHROOT directory within an SFTP session, they will not be allowed. If they then try to refresh the directory listing, the session does not recover. So it is more of a gotcha rather than a bug when setting the CHROOT directories in the Jail as executable only (as per my reasoning in Step 7). The workaround requires that the CHROOT User proceeds to create their intended directory structure. Thereafter if attempting to access the CHROOT directories, they should as their last action attempt to access their created directory structure. Any refresh will then be allowed and not break the SFTP session. Otherwise as an alternative, the CHROOT script can be changed to NOT set these CHROOT directories to read-only for group and others. This is explained as further comment within the code.

Finally the CHROOT script has been configured to allow SCP, SFTP and RSYNC for the relevant Jail. Ideally you should only really need RSYNC for automated copies with mirroring or SFTP if a manual approach is required.
Attachment: mkchroot.sh (Bourne shell script)
rssh-discuss mailing list: https://lists.sourceforge.net/lists/listinfo/rssh-discuss
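The post describes the mechanics of its script without showing them. The following is an added example, written for this page and not the mkchroot.sh attached to the message above: the README's steps 2 (64-bit library directory), 4 (skipping the "0x" load address in ldd output), 6 (copying only the jailed user's passwd and group entries) and 7 (traversable, non-listable system directories) as separate shell functions, plus a build_jail driver that applies them in the order the README lists. The binary paths for scp, sftp-server and rsync are assumed RHEL locations, the sample ldd and passwd lines in the comments and tests are constructed, and build_jail needs root and only runs when four arguments are given.

```shell
#!/bin/sh
# Added example (not the post's mkchroot.sh): chroot-jail helpers for rssh.
# Binary paths below are assumed RHEL locations; adjust for the local install.

# Step 2: choose the shared-library directory from the machine type
# (uname -m reports x86_64 on a 64-bit RHEL5 kernel, i686 on 32-bit).
lib_dir_for_arch() {
    case "$1" in
        x86_64) echo /lib64 ;;
        *)      echo /lib ;;
    esac
}

# Step 4: reduce ldd output to file paths that can be copied.
# ldd prints lines of three shapes (constructed samples):
#   libc.so.6 => /lib64/libc.so.6 (0x00007f0c2a4e3000)  -> /lib64/libc.so.6
#   /lib64/ld-linux-x86-64.so.2 (0x00007f0c2a8a7000)    -> /lib64/ld-linux-x86-64.so.2
#   linux-vdso.so.1 =>  (0x00007fff5b1fe000)            -> nothing (virtual)
# Only fields beginning with "/" are kept, so the "(0x...)" load address
# is never treated as a library to copy.
ldd_paths() {
    awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) print $i }'
}

# Step 6: select one entry from a passwd- or group-style file on stdin
# (colon separated, name in field 1) instead of copying the whole file,
# so the jail does not reveal every account or group on the host.
entry_for() {
    awk -F: -v name="$1" '$1 == name'
}

# Copy one binary and each shared library it links against into the jail,
# preserving the host path layout underneath $jail.
copy_with_libs() {
    jail=$1; bin=$2
    mkdir -p "$jail$(dirname "$bin")"
    cp -p "$bin" "$jail$bin"
    for lib in $(ldd "$bin" | ldd_paths); do
        mkdir -p "$jail$(dirname "$lib")"
        cp -p "$lib" "$jail$lib"
    done
}

# Driver, same arguments as the README's usage line:
#   build_jail <jail dir> <user> <jail dir perms> <group>
build_jail() {
    jail=$1; user=$2; perms=$3; group=$4
    [ "$(id -u)" -eq 0 ] || { echo "must run as root" >&2; return 1; }
    libdir=$(lib_dir_for_arch "$(uname -m)")

    mkdir -p "$jail/etc" "$jail$libdir"

    # Steps 1 and 3: the jail is group-owned with SGID (e.g. 2775) so
    # files the jailed user creates inherit the shared group.
    chown "root:$group" "$jail"
    chmod "$perms" "$jail"

    # Step 6: only this user and this group exist inside the jail.
    entry_for "$user"  < /etc/passwd > "$jail/etc/passwd"
    entry_for "$group" < /etc/group  > "$jail/etc/group"

    # Binaries rssh may dispatch to (scp, sftp, rsync); paths assumed for RHEL.
    for bin in /usr/bin/scp /usr/libexec/openssh/sftp-server /usr/bin/rsync; do
        copy_with_libs "$jail" "$bin"
    done

    # Step 7: system directories are traversable but not listable by the
    # group and others (see the README's note on SFTP clients refreshing).
    for d in "$jail/etc" "$jail$libdir" "$jail/usr"; do
        [ -d "$d" ] && chmod 711 "$d"
    done
}

if [ $# -eq 4 ]; then
    build_jail "$@"
fi
```

The helpers take their input on stdin or as arguments rather than reading the host directly, which is what makes them checkable without root: feed entry_for a few constructed passwd lines and it must return exactly the jailed user's line, and feed ldd_paths a line with only a "(0x...)" address and it must return nothing.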
