current/SOURCES/dhcpd-chroot.sh

#!/bin/bash
#
# dhcpd-chroot.sh is a modified bind-chroot.sh script that enables the 
# dhcpd server to run in a chroot jail under an unprivileged user 
# account (dhcpd).  It requires that the ISC DHCP software is patched
# with the paranoia patch (listed below) by Ari Edelkind.
#
# http://www.episec.com/people/edelkind/patches/dhcp/dhcp-3.0+paranoia.patch
#
# The current ISC DHCP software should have this patch applied,
# otherwise you shouldn't be able to lurk in here reading this.
#
# Copyright Fri Dec 24 2004:
#
#            bind-chroot.sh:  Florin Grad <florin@mandrakesoft.com>
#            dhcpd-chroot.sh: Oden Eriksson <oeriksson@mandrakesoft.com>
# 
# GPL License

# Source function library.
. /etc/rc.d/init.d/functions

[ -f /etc/sysconfig/dhcpd ] && . /etc/sysconfig/dhcpd

# chroot
if [ "$1" == "-s" -o "$1" == "--status" ]; then

        if [ -n "${ROOTDIR}" ]; then
                echo ""
                echo "ROOTDIR is defined in your /etc/sysconfig/dhcpd file." 
                echo "You already appear to have a chroot ISC DHCPD setup."
                echo "ROOTDIR=${ROOTDIR}" 
                exit
        else
                echo "Your ISC DHCPD server is not chrooted."
        fi
                
elif [ "$1" == "-c" -o "$1" == "--chroot" -o "$1" == "-i" -o "$1" == "--interactive" ]; then

        if [ -n "${ROOTDIR}" ]; then
                echo ""
                echo "In your /etc/sysconfig/dhcpd file: ROOTDIR=${ROOTDIR} exists" 
                echo "You already appear to have a chroot ISC DHCPD setup."
                exit

        #interactive
        elif [ "$1" == "-i" -o "$1" == "--interactive" ]; then
                echo ""
                echo "Please enter the  ROOTDIR path (ex: /var/lib/dhcpd-chroot):"
                # can't use ctrl-c, we trap all signal.
                read answer;
                export ROOTDIR="$answer"
        #non interactive
        elif [ "$1" == "-c" -a -n "$2" -o "$1" == "--chroot" -a -n "$2" ]; then
                export ROOTDIR="$2"
        else 
                echo ""
                echo "Missing path for chroot."
        fi

        echo "I have to stop the ISC DHCP server before continuing..."
        PIDFILE="/var/run/dhcpd/dhcpd.pid"
        [ -f ${PIDFILE} ] && kill -9 `cat ${PIDFILE}` >/dev/null 2>&1
        [ -f ${ROOTDIR}/${PIDFILE} ] && kill -9 `cat ${ROOTDIR}/${PIDFILE}` >/dev/null 2>&1
        usleep 3600; rm -f ${PIDFILE} ${ROOTDIR}/${PIDFILE} >/dev/null 2>&1

        # add the dhcpd user
        /usr/sbin/useradd -r -M -s /dev/false -c "system user for dhcpd" -d ${ROOTDIR} dhcpd 2> /dev/null || :

        # create directories and set permissions
        mkdir -p ${ROOTDIR}
        chmod 700 ${ROOTDIR}
        cd ${ROOTDIR}
        mkdir -p dev etc var/run/dhcpd var/lib/dhcp
        [ -e dev/null ] || mknod dev/null c 1 3
        [ -e dev/random ] || mknod dev/random c 1 8
        cp /etc/localtime etc/
#       [ -f /etc/dhcpd.conf ] && cp -f /etc/dhcpd.conf etc/
        [ -f /var/lib/dhcp/dhcpd.leases ] && cp -f /var/lib/dhcp/dhcpd.leases var/lib/dhcp/
        [ -f /var/lib/dhcp/dhcpd.leases~ ] && cp -f /var/lib/dhcp/dhcpd.leases~ var/lib/dhcp/
        chown -R dhcpd:dhcpd ${ROOTDIR}

        #update the OPTIONS in /etc/sysconfig/dhcpd
        if grep -q ^OPTIONS= /etc/sysconfig/dhcpd; then
                if sed 's!^\(OPTIONS=".*\)"$!\1 -user dhcpd -group dhcpd"!' < /etc/sysconfig/dhcpd > /etc/sysconfig/dhcpd.new; then
                        mv -f /etc/sysconfig/dhcpd.new /etc/sysconfig/dhcpd
                fi
        else
                echo "Updating OPTIONS in /etc/sysconfig/dhcpd"
                echo "OPTIONS=\"-user dhcpd -group dhcpd\"" >> /etc/sysconfig/dhcpd
        fi

        #update the ROOTDIR in /etc/sysconfig/dhcpd
        echo "Updating ROOTDIR in /etc/sysconfig/dhcpd"
        echo "ROOTDIR=\"${ROOTDIR}\"" >> /etc/sysconfig/dhcpd

        echo ""
        echo "Chroot configuration for ISC DHCPD is complete."
        echo "You should review your ${ROOTDIR}/etc/dhcpd.conf"
        echo "and make any necessary changes."
        echo ""
        echo "Run \"/sbin/service dhcpd restart\" when you are done."
        echo ""

# unchroot
elif [ "$1" == "-u" -o "$1" == "--unchroot" ]; then

        if ! grep -q "^ROOTDIR=" /etc/sysconfig/dhcpd; then
                echo ""
                echo "Your dhcpd is not currently chrooted"
                echo ""
                exit
        fi

        echo "I have to stop the ISC DHCP server before continuing..."
        PIDFILE="/var/run/dhcpd/dhcpd.pid"
        [ -f ${PIDFILE} ] && kill -9 `cat ${PIDFILE}` >/dev/null 2>&1
        [ -f ${ROOTDIR}/${PIDFILE} ] && kill -9 `cat ${ROOTDIR}/${PIDFILE}` >/dev/null 2>&1
        usleep 3600; rm -f ${PIDFILE} ${ROOTDIR}/${PIDFILE} >/dev/null 2>&1

        echo ""
        echo "Removing ROOTDIR from /etc/sysconfig/dhcpd"
        sed -e '/^\(ROOTDIR=".*\)"$/d' < /etc/sysconfig/dhcpd > /etc/sysconfig/dhcpd.new
        mv -f /etc/sysconfig/dhcpd.new /etc/sysconfig/dhcpd
        echo "Cleaning the OPTIONS in /etc/sysconfig/dhcpd"
        sed -e 's|-user dhcpd -group dhcpd[ ]*||' < /etc/sysconfig/dhcpd > /etc/sysconfig/dhcpd.new
        mv -f /etc/sysconfig/dhcpd.new /etc/sysconfig/dhcpd
        sed -e 's|[ ][ ]*"|"|' < /etc/sysconfig/dhcpd > /etc/sysconfig/dhcpd.new
        mv -f /etc/sysconfig/dhcpd.new /etc/sysconfig/dhcpd
        echo ""
        echo "Moving the following files to their original location :"
#       echo "/etc/dhcpd.conf"
        echo "/var/lib/dhcp/dhcpd.leases"
        echo "/var/lib/dhcp/dhcpd.leases~"
#       [ -f /etc/dhcpd.conf ] || mv -f ${ROOTDIR}/etc/dhcpd.conf /etc/
        [ -f /var/lib/dhcp/dhcpd.leases~ ] || mv -f ${ROOTDIR}/var/lib/dhcp/dhcpd.leases~ /var/lib/dhcp/
        [ -f /var/lib/dhcp/dhcpd.leases ] || mv -f ${ROOTDIR}/var/lib/dhcp/dhcpd.leases /var/lib/dhcp/
        #chown -R dhcpd:dhcpd /var/run/dhcpd

        echo ""
        echo "Removing the ${ROOTDIR}"
        rm -rf ${ROOTDIR}
        echo "Your dhcpd server is not chrooted anymore."
        echo ""
        echo "Run \"/sbin/service dhcpd restart\" when you are done."
        echo ""

#usage 
else 
        echo ""
        echo "Usage: $0 [arguments]"
        echo ""
        echo -e "\t-s, --status (current dhcpd configuration type)"
        echo ""
        echo "arguments:"
        echo -e "\t-i, --interactive (so you can choose your path)"
        echo ""
        echo -e "\t-c, --chroot (choose a chroot location. ex: /var/lib/dhcpd-chroot)"
        echo ""
        echo -e "\t-u, --unchroot (back to the original configuration)"
        echo ""
fi
1	#!/bin/bash
2	#
3	# dhcpd-chroot.sh is a modified bind-chroot.sh script that enables the
4	# dhcpd server to run in a chroot jail under an unprivileged user
5	# account (dhcpd). It requires that the ISC DHCP software is patched
6	# with the paranoia patch (listed below) by Ari Edelkind.
7	#
8	# http://www.episec.com/people/edelkind/patches/dhcp/dhcp-3.0+paranoia.patch
9	#
10	# The current ISC DHCP software should have this patch applied,
11	# otherwise you shouldn't be able to lurk in here reading this.
12	#
13	# Copyright Fri Dec 24 2004:
14	#
15	# bind-chroot.sh: Florin Grad <florin@mandrakesoft.com>
16	# dhcpd-chroot.sh: Oden Eriksson <oeriksson@mandrakesoft.com>
17	#
18	# GPL License
19
20	# Source function library.
21	. /etc/rc.d/init.d/functions
22
23	[ -f /etc/sysconfig/dhcpd ] && . /etc/sysconfig/dhcpd
24
25	# chroot
26	if [ "$1" == "-s" -o "$1" == "--status" ]; then
27
28	if [ -n "${ROOTDIR}" ]; then
29	echo ""
30	echo "ROOTDIR is defined in your /etc/sysconfig/dhcpd file."
31	echo "You already appear to have a chroot ISC DHCPD setup."
32	echo "ROOTDIR=${ROOTDIR}"
33	exit
34	else
35	echo "Your ISC DHCPD server is not chrooted."
36	fi
37
38	elif [ "$1" == "-c" -o "$1" == "--chroot" -o "$1" == "-i" -o "$1" == "--interactive" ]; then
39
40	if [ -n "${ROOTDIR}" ]; then
41	echo ""
42	echo "In your /etc/sysconfig/dhcpd file: ROOTDIR=${ROOTDIR} exists"
43	echo "You already appear to have a chroot ISC DHCPD setup."
44	exit
45
46	#interactive
47	elif [ "$1" == "-i" -o "$1" == "--interactive" ]; then
48	echo ""
49	echo "Please enter the ROOTDIR path (ex: /var/lib/dhcpd-chroot):"
50	# can't use ctrl-c, we trap all signal.
51	read answer;
52	export ROOTDIR="$answer"
53	#non interactive
54	elif [ "$1" == "-c" -a -n "$2" -o "$1" == "--chroot" -a -n "$2" ]; then
55	export ROOTDIR="$2"
56	else
57	echo ""
58	echo "Missing path for chroot."
59	fi
60
61	echo "I have to stop the ISC DHCP server before continuing..."
62	PIDFILE="/var/run/dhcpd/dhcpd.pid"
63	[ -f ${PIDFILE} ] && kill -9 `cat ${PIDFILE}` >/dev/null 2>&1
64	[ -f ${ROOTDIR}/${PIDFILE} ] && kill -9 `cat ${ROOTDIR}/${PIDFILE}` >/dev/null 2>&1
65	usleep 3600; rm -f ${PIDFILE} ${ROOTDIR}/${PIDFILE} >/dev/null 2>&1
66
67	# add the dhcpd user
68	/usr/sbin/useradd -r -M -s /dev/false -c "system user for dhcpd" -d ${ROOTDIR} dhcpd 2> /dev/null \|\| :
69
70	# create directories and set permissions
71	mkdir -p ${ROOTDIR}
72	chmod 700 ${ROOTDIR}
73	cd ${ROOTDIR}
74	mkdir -p dev etc var/run/dhcpd var/lib/dhcp
75	[ -e dev/null ] \|\| mknod dev/null c 1 3
76	[ -e dev/random ] \|\| mknod dev/random c 1 8
77	cp /etc/localtime etc/
78	# [ -f /etc/dhcpd.conf ] && cp -f /etc/dhcpd.conf etc/
79	[ -f /var/lib/dhcp/dhcpd.leases ] && cp -f /var/lib/dhcp/dhcpd.leases var/lib/dhcp/
80	[ -f /var/lib/dhcp/dhcpd.leases~ ] && cp -f /var/lib/dhcp/dhcpd.leases~ var/lib/dhcp/
81	chown -R dhcpd:dhcpd ${ROOTDIR}
82
83	#update the OPTIONS in /etc/sysconfig/dhcpd
84	if grep -q ^OPTIONS= /etc/sysconfig/dhcpd; then
85	if sed 's!^\(OPTIONS=".*\)"$!\1 -user dhcpd -group dhcpd"!' < /etc/sysconfig/dhcpd > /etc/sysconfig/dhcpd.new; then
86	mv -f /etc/sysconfig/dhcpd.new /etc/sysconfig/dhcpd
87	fi
88	else
89	echo "Updating OPTIONS in /etc/sysconfig/dhcpd"
90	echo "OPTIONS=\"-user dhcpd -group dhcpd\"" >> /etc/sysconfig/dhcpd
91	fi
92
93	#update the ROOTDIR in /etc/sysconfig/dhcpd
94	echo "Updating ROOTDIR in /etc/sysconfig/dhcpd"
95	echo "ROOTDIR=\"${ROOTDIR}\"" >> /etc/sysconfig/dhcpd
96
97	echo ""
98	echo "Chroot configuration for ISC DHCPD is complete."
99	echo "You should review your ${ROOTDIR}/etc/dhcpd.conf"
100	echo "and make any necessary changes."
101	echo ""
102	echo "Run \"/sbin/service dhcpd restart\" when you are done."
103	echo ""
104
105	# unchroot
106	elif [ "$1" == "-u" -o "$1" == "--unchroot" ]; then
107
108	if ! grep -q "^ROOTDIR=" /etc/sysconfig/dhcpd; then
109	echo ""
110	echo "Your dhcpd is not currently chrooted"
111	echo ""
112	exit
113	fi
114
115	echo "I have to stop the ISC DHCP server before continuing..."
116	PIDFILE="/var/run/dhcpd/dhcpd.pid"
117	[ -f ${PIDFILE} ] && kill -9 `cat ${PIDFILE}` >/dev/null 2>&1
118	[ -f ${ROOTDIR}/${PIDFILE} ] && kill -9 `cat ${ROOTDIR}/${PIDFILE}` >/dev/null 2>&1
119	usleep 3600; rm -f ${PIDFILE} ${ROOTDIR}/${PIDFILE} >/dev/null 2>&1
120
121	echo ""
122	echo "Removing ROOTDIR from /etc/sysconfig/dhcpd"
123	sed -e '/^\(ROOTDIR=".*\)"$/d' < /etc/sysconfig/dhcpd > /etc/sysconfig/dhcpd.new
124	mv -f /etc/sysconfig/dhcpd.new /etc/sysconfig/dhcpd
125	echo "Cleaning the OPTIONS in /etc/sysconfig/dhcpd"
126	sed -e 's\|-user dhcpd -group dhcpd[ ]*\|\|' < /etc/sysconfig/dhcpd > /etc/sysconfig/dhcpd.new
127	mv -f /etc/sysconfig/dhcpd.new /etc/sysconfig/dhcpd
128	sed -e 's\|[ ][ ]*"\|"\|' < /etc/sysconfig/dhcpd > /etc/sysconfig/dhcpd.new
129	mv -f /etc/sysconfig/dhcpd.new /etc/sysconfig/dhcpd
130	echo ""
131	echo "Moving the following files to their original location :"
132	# echo "/etc/dhcpd.conf"
133	echo "/var/lib/dhcp/dhcpd.leases"
134	echo "/var/lib/dhcp/dhcpd.leases~"
135	# [ -f /etc/dhcpd.conf ] \|\| mv -f ${ROOTDIR}/etc/dhcpd.conf /etc/
136	[ -f /var/lib/dhcp/dhcpd.leases~ ] \|\| mv -f ${ROOTDIR}/var/lib/dhcp/dhcpd.leases~ /var/lib/dhcp/
137	[ -f /var/lib/dhcp/dhcpd.leases ] \|\| mv -f ${ROOTDIR}/var/lib/dhcp/dhcpd.leases /var/lib/dhcp/
138	#chown -R dhcpd:dhcpd /var/run/dhcpd
139
140	echo ""
141	echo "Removing the ${ROOTDIR}"
142	rm -rf ${ROOTDIR}
143	echo "Your dhcpd server is not chrooted anymore."
144	echo ""
145	echo "Run \"/sbin/service dhcpd restart\" when you are done."
146	echo ""
147
148	#usage
149	else
150	echo ""
151	echo "Usage: $0 [arguments]"
152	echo ""
153	echo -e "\t-s, --status (current dhcpd configuration type)"
154	echo ""
155	echo "arguments:"
156	echo -e "\t-i, --interactive (so you can choose your path)"
157	echo ""
158	echo -e "\t-c, --chroot (choose a chroot location. ex: /var/lib/dhcpd-chroot)"
159	echo ""
160	echo -e "\t-u, --unchroot (back to the original configuration)"
161	echo ""
162	fi