From 9a1282201244f18446cacd78874d6f8affae55a7 Mon Sep 17 00:00:00 2001 From: edwin Date: Wed, 3 Oct 2007 13:07:09 +0000 Subject: scponlyc sftp support doesn't work without minimal devfs in chroot dir I'm finding that recently-created scponlyc chroots do not provide a sufficient environment for /usr/libexec/sftp-server to run. The sftp client symptom is just: $ sftp user@www Connecting to www... Password: Connection closed $ The cause appears to be that recent versions of /usr/libexec/sftp-server will complain about of lack of access to /dev/null and exit, resulting in the closed connection witnessed by the remote client. The solution appears to be to create a devfs in the scponlyc chroot. To automatically create at boot time a devfs in the home directory of each user of scponlyc, I have chosen to put a script in /usr/local/etc/rc.d. PR: ports/108009 Submitted by: Jim Long Approved by: maintainer timeout --- shells/scponly/Makefile | 19 +++++++------- shells/scponly/files/scponlyc.in | 56 ++++++++++++++++++++++++++++++++++++++++ 2 files changed, 66 insertions(+), 9 deletions(-) create mode 100644 shells/scponly/files/scponlyc.in (limited to 'shells') diff --git a/shells/scponly/Makefile b/shells/scponly/Makefile index 88f32af3173a..7720ba1b6536 100644 --- a/shells/scponly/Makefile +++ b/shells/scponly/Makefile 
@@ -88,15 +88,15 @@ GNU_CONFIGURE= yes PATCH_STRIP= -p1 OPTIONS= SCPONLY_WILDCARDS "wildcards processing" on \ - SCPONLY_GFTP "gftp compatibility" on \ - SCPONLY_CHROOT "chroot functionality" off \ - SCPONLY_RSYNC "rsync compatibility" off \ - SCPONLY_SCP "vanilla scp compatibility" off \ - SCPONLY_SFTP_LOGGING "sftp logging compatibility" off \ - SCPONLY_SVN "subversion compatibility" off \ - SCPONLY_SVNSERVE "subversion compatibility svn+ssh://" off \ - SCPONLY_UNISON "unison compatibility" off \ - SCPONLY_WINSCP "WinSCP compatibility" off + SCPONLY_GFTP "gftp compatibility" on \ + SCPONLY_CHROOT "chroot functionality" off \ + SCPONLY_RSYNC "rsync compatibility" off \ + SCPONLY_SCP "vanilla scp compatibility" off \ + SCPONLY_SFTP_LOGGING "sftp logging compatibility" off \ + SCPONLY_SVN "subversion compatibility" off \ + SCPONLY_SVNSERVE "subversion compatibility svn+ssh://" off \ + SCPONLY_UNISON "unison compatibility" off \ + SCPONLY_WINSCP "WinSCP compatibility" off .include @@ -115,6 +115,7 @@ CONFIGURE_ARGS+=--disable-gftp-compat .if defined(WITH_SCPONLY_CHROOT) PLIST_SUB+= SCPONLY_CHROOT="" CONFIGURE_ARGS+=--enable-chrooted-binary +USE_RC_SUBR= scponlyc .else PLIST_SUB+= SCPONLY_CHROOT="@comment " .endif diff --git a/shells/scponly/files/scponlyc.in b/shells/scponly/files/scponlyc.in new file mode 100644 index 000000000000..69b65dd08f6f --- /dev/null +++ b/shells/scponly/files/scponlyc.in 
@@ -0,0 +1,56 @@
+#!/bin/sh
+
+ETCSHELLS="${ETCSHELLS:-/etc/shells}"
+ETCPASSWD="${ETCPASSWD:-/etc/passwd}"
+
+# script to create devfs filesystems at boot time for scponlyc
+# chroot'ed users. We will read ${ETCSHELLS} to determine
+# where scponlyc is installed. Then we'll iterate through
+# each user in ${ETCPASSWD} to find users whose shell is set to
+# scponlyc. For each such user found, we will create a
+# minimal devfs under ~/dev.
+
+make_devfs() {
+ # $1 is the user name whose home directory needs a minimal
+ # devfs created. If ~/dev exists, it will be deleted.
+
+ eval DEV="~$1/dev"
+ while /sbin/umount "${DEV}" 2>/dev/null; do :; done
+ rm -rf "${DEV}"
+ mkdir -p "${DEV}"
+ if /sbin/mount_devfs devfs "${DEV}"; then
+ /sbin/devfs -m "${DEV}" rule -s 1 applyset && \
+ /sbin/devfs -m "${DEV}" rule -s 2 applyset || \
+ /sbin/umount "${DEV}" 2>/dev/null
+ fi
+}
+
+
+scponlyc_startup() {
+ # $1 is the path to the /etc/passwd file
+
+ grep "^[^#]*:.*:.*:.*:.*:.*:${SCPONLYC}$" < "$1" |
+ /usr/bin/awk -F: {'print $1'} |
+ while read USER; do
+ make_devfs "${USER}"
+ done
+}
+
+SCPONLYC=`/usr/bin/grep "/scponlyc$" ${ETCSHELLS} 2>/dev/null | /usr/bin/tail -1`
+
+if [ "x${SCPONLYC}" = "x" ]; then
+ echo scponlyc is not defined in ${ETCSHELLS} >&2
+ exit 1
+fi
+
+case "$1" in
+start)
+ scponlyc_startup "${ETCPASSWD}"
+ echo -n ' scponlyc'
+ ;;
+*)
+ echo "Usage: `basename $0` start" >&2
+ ;;
+esac
+
+exit 0
-- cgit
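Review bot: make_devfs builds its target with `eval DEV="~$1/dev"` and then unmounts, `rm -rf`s and mounts over that path without checking what it resolved to, in a script that presumably runs as root from rc.d. The name goes from `${ETCPASSWD}` straight into `eval`, so any shell metacharacters in that field are interpreted, and a tilde expansion that fails or yields `/` leaves `rm -rf` and the umount loop working on a path nobody intended. The target also sits inside a home directory that the account owner can normally write to, so `${DEV}` should be refused when it is a symlink before anything is removed or mounted; this narrows the window but does not close the race between the check and the mount. I would pass the home directory from the passwd field instead of using `eval` and validate it, as sketched below. Separately, the `2>/dev/null` on the fallback umount hides the case where a ruleset failed and an unrestricted devfs stays mounted in the chroot; that failure should be reported.

```shell
make_devfs() {
	# $1 is the user name, $2 its home directory field from ${ETCPASSWD}
	case "$2" in
	""|/|[!/]*)
		echo "scponlyc: refusing home '$2' for user '$1'" >&2
		return 1
		;;
	esac
	DEV="$2/dev"
	if [ -L "${DEV}" ]; then
		echo "scponlyc: ${DEV} is a symlink, skipping" >&2
		return 1
	fi
	# … unchanged: umount loop, rm -rf, mkdir -p, mount_devfs and ruleset application …

scponlyc_startup() {
	# … unchanged: grep filter on ${SCPONLYC} …
	/usr/bin/awk -F: '{print $1 ":" $6}' |
	while IFS=: read -r NAME HOME_DIR; do
		make_devfs "${NAME}" "${HOME_DIR}"
	done
```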