Solaris 10 in jail


Well I took a stab @ this one last week… although it seems to be lacking in one respect… It is a good start.  If you didn’t already notice, I have decided to start mocking up scripts from the steps I am taking to perform these little ditties to complete the automation/repetitive goal of administration.

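#!/bin/sh
# Solaris FTP chroot jail
#
# Builds a minimal chroot tree under /ftpjail for the Solaris 10 in.ftpd,
# creates the matching host account "ftpuser", and starts the daemon inside
# the jail.  Must be run as root on the host.
#
# Written for the legacy Bourne /bin/sh: backticks instead of $(...),
# no [[ ]], no arithmetic expansion.  Every command that fails aborts the
# script so a half-built jail is never started.
set -e

JAIL=/ftpjail
# uid/gid shared by "ftp" and "ftpuser" inside the jail (see etc/passwd below)
FTPUID=30000

case "`id`" in
  uid=0\(*) ;;
  *) echo "$0: must be run as root" >&2; exit 1 ;;
esac

# mkdir without -p fails if the jail already exists, which set -e turns
# into an abort rather than appending to an existing tree.
mkdir "$JAIL"
cd "$JAIL"
mkdir -p dev etc etc/ftpd etc/default usr/bin usr/sbin usr/lib/security \
  usr/lib/locale usr/lib/security/sparcv9 usr/lib usr/share/lib/zoneinfo \
  upload ftpuser
chmod 100 usr/sbin   # traversable but not listable
# Directories need the search (x) bit to be traversed; the original 444 on
# dev and the zoneinfo path would lock the unprivileged ftp uid out of them.
chmod 555 dev etc etc/ftpd etc/default usr usr/bin usr/lib usr/lib/locale \
  usr/lib/security usr/share usr/share/lib usr/share/lib/zoneinfo
# World-writable drop box; "defumask 777" in ftpaccess makes uploads mode 000
# and "noretrieve" stops them being downloaded again.
chmod 777 upload
ln -s usr/bin bin

# Device nodes the daemon needs.  Major/minor numbers are the ones from the
# original post (SPARC Solaris 10) -- confirm against ls -lL /dev/* on the
# build host before trusting them.
cd "$JAIL/dev"
mknod conslog   c 21 0
mknod null      c 13 2
mknod zero      c 13 12
mknod tcp       c 42 0
mknod ticlts    c 105 2
mknod ticotsord c 105 1
mknod udp       c 41 0
chmod 666 conslog null tcp ticlts ticotsord udp zero
cd "$JAIL"

# Name-service and PAM files for the jail.  Quoted here-doc delimiters keep
# every line literal (the original echo lines carried typographic quotes
# that would have been written into the files).
cat > etc/group <<'EOF'
other::1:root
ftp::30000:
EOF

cat > etc/pam.conf <<'EOF'
ftp auth required /usr/lib/security/pam_unix.so.1
ftp account required /usr/lib/security/pam_unix.so.1
ftp session required /usr/lib/security/pam_unix.so.1
EOF

cat > etc/passwd <<'EOF'
root:x:0:1:::
ftp:x:30000:30000::/upload:/bin/false
ftpuser:x:30000:30000::/ftpuser:/bin/sh
EOF

# The ftpuser hash below is the one published with this script and
# corresponds to the password "ftpuser".  Replace it with a locally
# generated hash before the service is reachable from anywhere.
cat > etc/shadow <<'EOF'
root:*LK*:6445::::::
ftp:*LK*:13651::::::
ftpuser:cdHH60rUQrF3Q:13651::::::
EOF

cat > etc/shells <<'EOF'
/bin/sh
EOF

cat > etc/ftpd/ftpaccess <<'EOF'
hostname ftpserver
defaultserver private
class   all   real,guest,anonymous  *
# all the following default to "yes" for everybody
delete          no      real,guest,anonymous
overwrite       no      real,guest,anonymous
rename          no      real,guest,anonymous
chmod           no      real,guest,anonymous
umask           no      real,guest,anonymous
# specify the upload directory information
upload  /       *       no
upload  /       /upload yes
greeting terse
noretrieve
#allow-retrieve /upload/
defumask 777
EOF

# Host-side account.  Pin the uid to the one used inside the jail so file
# ownership agrees on both sides of the chroot.
useradd -u "$FTPUID" ftpuser
# Solaris sed has no -i: rewrite through a root-only temp file and copy it
# back over /etc/shadow so the original mode and owner are kept.  The
# pattern consumes the name, password and lastchg fields whatever useradd
# put in the password field (normally *LK*), and the original regex
# ("ftpuser:*LK*") never matched because * is a BRE repeat operator.
# Same published hash as above; change it with passwd(1) afterwards.
tmp=/etc/shadow.ftpjail.$$
( umask 077; sed 's/^ftpuser:[^:]*:[^:]*:/ftpuser:cdHH60rUQrF3Q:14722:/' /etc/shadow > "$tmp" )
cp "$tmp" /etc/shadow
rm -f "$tmp"

# Wrapper that the chroot'd shell runs to start the daemon; see ftpd(1M)
# for the option meanings (standalone on ports 2020/2021).
cat > usr/bin/runme <<'EOF'
/usr/sbin/in.ftpd -P 2020 -p 2021 -S -u 022 -W -a -Q
EOF

cd "$JAIL/etc"
# shadow stays world-readable inside the jail because in.ftpd runs as the
# ftp uid here (not root) and pam_unix has to read it; the only secret in
# it is the ftpuser hash.
chmod 444 group pam.conf passwd shadow shells ftpd/ftpaccess
chmod 100 "$JAIL/usr/bin/runme"
cp -p /etc/default/init default/init

cp /usr/bin/sh "$JAIL/usr/bin/sh"
chmod 111 "$JAIL/usr/bin/sh"
# in.ftpd runs set-uid/set-gid as the ftp uid rather than root inside the
# jail; both ports are unprivileged so that is enough.  chown can clear the
# set-id bits, so it runs before chmod (the original did them the other
# way round).
cp /usr/sbin/in.ftpd "$JAIL/usr/sbin/in.ftpd"
chown "$FTPUID:$FTPUID" "$JAIL/usr/sbin/in.ftpd"
chmod 6100 "$JAIL/usr/sbin/in.ftpd"

cp -rp /usr/lib/locale/* "$JAIL/usr/lib/locale"
# The original copied zoneinfo relative to etc/, into a path that does not
# exist under the jail; use the absolute jail path.
cp -rp /usr/share/lib/zoneinfo/* "$JAIL/usr/share/lib/zoneinfo"

# Shared libraries the daemon, sh and ls need.
cd "$JAIL/usr/lib"
for lib in libbsm.so.1 libc.so.1 libcmd.so.1 libdl.so.1 libgen.so.1 \
    libmd5.so.1 libmp.so.2 libnsl.so.1 libpam.so.1 libresolv.so.2 \
    libsecdb.so.1 libsocket.so.1 ld.so.1 nss_user.so.1 nss_files.so.1; do
  cp -p "/usr/lib/$lib" .
done
chmod 555 *
cd "$JAIL/usr/lib/security"
cp -p /usr/lib/security/crypt_bsdbf.so.1 .
cp -p /usr/lib/security/crypt_bsdmd5.so.1 .
cp -p /usr/lib/security/crypt_sunmd5.so.1 .
cp -p /usr/lib/security/pam* .
cd "$JAIL/usr/lib/security/sparcv9"
cp -p /usr/lib/security/sparcv9/* .

# Give out the 'ls' command
cp /usr/bin/ls "$JAIL/usr/bin/ls"
chmod 111 "$JAIL/usr/bin/ls"

# Smoke test: a shell must start inside the jail before the daemon is
# launched (abort here means a missing library or device node).
chroot "$JAIL" /usr/bin/sh -c 'exit 0'
chroot "$JAIL" /usr/bin/sh -c runme
# Check to see if the server has started; pgrep does not match itself the
# way "ps -ef | grep ftpd" does.
pgrep -l ftpd || echo "$0: warning: no ftpd process found" >&2
#
# Manual check from a client (original host/port from the post):
# ftp 192.168.11.34 2021
# login ftpuser/ftpuser
# EOF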

So that’s basically it…
