You said at beginning of your comments now i don't use
firefox (or any 'modern browser)
may I ask which browser you like to use? And for what reasons?
thanks in advance
On Thu, Mar 19, 2015 at 7:56 PM, dan mclaughlin thev...@openmailbox.org
wrote:
here are the scripts i wrote to make this easier. these really were made
for my own use, but i hope others may find them useful. i would be
interested to know if anyone else actually does find them useful. would
also be glad to know of any errors/problems/things that can go wrong i
didn't think of.
the first one (jail_new) creates a new jail (and possibly the user).
the second one (jail_pkgadd) adds a package and its dependencies to an
existing jail. they are expected to be in the same directory (jail_new
cannot add packages (-p) otherwise).
to relate to my earlier examples:
$ jail_new -tu _inmate:_chaingang /home/jail
will create the jail in /home/jail and also the user _inmate and group
_chaingang. this case it will be just be a regular shell account (just
chrooted).
$ jail_new -t _inmate:_chaingang /home/jail
will create the jail, but will not create the user:group.
a real case:
$ jail_new -tux -k /home/null/.ssh/id_rsa.pub -p w3m,feh:/usr/release/pkg
browse /home/browse w3m -B
this command sets up the terminal (-t) and X (-x) in a directory (here
/home/browse), creates a user (-u) (in this case 'browse'), uses the given
key file (-k) for the authorized keys, installs the packages (-p) w3m and
feh (and all of their dependencies) from directory /usr/release/pkg, and
sets 'w3m -B' to run automatically via ForceCommand in sshd_config.
this is the equivalent of:
$ jail_new -tux -k /home/null/.ssh/id_rsa.pub browse /home/browse w3m -B
$ jail_pkgadd -p /usr/release/pkg w3m /home/browse
$ jail_pkgadd -p /usr/release/pkg feh /home/browse
if you want bzip2 in there as well, you can always add it later:
$ jail_pkgadd -p /usr/release/pkg bzip2 /home/browse
or, if PKG_PATH is set (and not remote) you can omit -p
$ jail_pkgadd bzip2 /home/browse
if PKG_PATH is set, and is remote, you need:
$ jail_pkgadd -r bzip2 /home/browse
(note: will only allow a single directory for PKG_PATH)
this can be used by running:
$ Xephyr :1 env DISPLAY=:1 ssh -X browse@localhost
(side note: w3m runs 'display' to display an image, so i create a symlink
to feh to view images)
another case:
$ jail_new -tuxr -k /home/null/.ssh/id_rsa.pub -p
xpdf:scp://null@node02/usr/release/pkg
pdf /home/pdf
you need to specify -r (remote) directly to use remote pkg src.
which is the equivalent of:
$ jail_new -tux -k /home/null/.ssh/id_rsa.pub pdf /home/pdf
$ jail_pkgadd -r -p scp://null@node02/usr/release/pkg xpdf /home/pdf
which can be used:
$ cp test.pdf /home/pdf/tmp
$ Xephyr :1 env DISPLAY=:1 ssh -X browse@localhost xpdf -fullscreen
/tmp/test.pdf
(in this case it may be best not to use ForceCommand, since you may want to
open multiple documents.)
WARNING use at your own peril. if you can't read the scripts, you probably
shouldn't use them, and then i am certain there are other glaring security
flaws you need to know about. i include these because it is a dull pain in
the ass to do this manually, and hopefully someone may get some use out of
them.
other than that, do with it what you wish.
they are as fool-proof as i could make them, so that i don't shoot myself
in
the foot accidently (and i have been around long enough to have done that a
few times, even while being careful). but you never know.
jail_new:
--
#!/bin/ksh
USAGE=${0##*/} [-jrtux] [-k authkeys] [-p pkg[,pkg2...][:pkgpath]]
user[:group] path [cmd [args ...]]
[[ $1 = -h ]] { echo USAGE $USAGE; return 0; }
#-t sets PermitTTY and copies files for term
#-x sets X11Forwarding and copies files for X (fonts,xauth)
#-u creates user; fails if user exists
#-j joins group; needed to join existing group
#-p pkg[,pkg2...][:pkgpath]
#-r allows remote pkg access
#uses existing PKG_PATH
#pkgpath arg overrides PKG_PATH
#only accepts a lone pkgpath
PATH=/sbin:/bin:/usr/sbin:/usr/bin
echov() { eval echo \\$$1\; }
isemptyv() { eval [ \${#$1} -eq 0 ]; }
notemptyv() { eval [ \${#$1} -gt 0 ]; }
alias xt='set -o xtrace'
alias xt-='set +o xtrace'
if [ $(id -u) -eq 0 ];then
echo ERR cannot run as root
return 1
fi
_sshd_config=/etc/ssh/sshd_config
_sshd_config_tmp=/tmp/sshd_config
trap rm -f $_sshd_config_tmp 0 2
#for convenience
_fontdir=/usr/X11R6/lib/X11/fonts
_terminfo=/usr/share/misc/terminfo.db
_termcap=/usr/share/misc/termcap
_do_x=no
_do_tty=no
_do_useradd=
_do_joingrp=
_do_remote=
_authkeys=
_pkg=
_pkgpath=
_userhome=/home/cell
while getopts :jrtuxk:p: _opt;do
case $_opt in
j) _do_joingrp=yes ;;
r) _do_remote=-r ;;
t) _do_tty=yes ;;
u) _do_useradd=yes ;;
x) _do_x=yes ;;
k) _authkeys=$OPTARG
if [ ! -f