1 |
#!/bin/bash |
2 |
# |
3 |
# dhcpd-chroot.sh is a modified bind-chroot.sh script that enables the |
4 |
# dhcpd server to run in a chroot jail under an unprivileged user |
5 |
# account (dhcpd). It requires that the ISC DHCP software is patched |
6 |
# with the paranoia patch (listed below) by Ari Edelkind. |
7 |
# |
8 |
# http://www.episec.com/people/edelkind/patches/dhcp/dhcp-3.0+paranoia.patch |
9 |
# |
10 |
# The current ISC DHCP software should have this patch applied, |
11 |
# otherwise you shouldn't be able to lurk in here reading this. |
12 |
# |
13 |
# Copyright Fri Dec 24 2004: |
14 |
# |
15 |
# bind-chroot.sh: Florin Grad <florin@mandrakesoft.com> |
16 |
# dhcpd-chroot.sh: Oden Eriksson <oeriksson@mandrakesoft.com> |
17 |
# |
18 |
# GPL License |
19 |
|
20 |
# Source function library. |
21 |
. /etc/rc.d/init.d/functions |
22 |
|
23 |
[ -f /etc/sysconfig/dhcpd ] && . /etc/sysconfig/dhcpd |
24 |
|
25 |
# chroot |
26 |
if [ "$1" == "-s" -o "$1" == "--status" ]; then |
27 |
|
28 |
if [ -n "${ROOTDIR}" ]; then |
29 |
echo "" |
30 |
echo "ROOTDIR is defined in your /etc/sysconfig/dhcpd file." |
31 |
echo "You already appear to have a chroot ISC DHCPD setup." |
32 |
echo "ROOTDIR=${ROOTDIR}" |
33 |
exit |
34 |
else |
35 |
echo "Your ISC DHCPD server is not chrooted." |
36 |
fi |
37 |
|
38 |
elif [ "$1" == "-c" -o "$1" == "--chroot" -o "$1" == "-i" -o "$1" == "--interactive" ]; then |
39 |
|
40 |
if [ -n "${ROOTDIR}" ]; then |
41 |
echo "" |
42 |
echo "In your /etc/sysconfig/dhcpd file: ROOTDIR=${ROOTDIR} exists" |
43 |
echo "You already appear to have a chroot ISC DHCPD setup." |
44 |
exit |
45 |
|
46 |
#interactive |
47 |
elif [ "$1" == "-i" -o "$1" == "--interactive" ]; then |
48 |
echo "" |
49 |
echo "Please enter the ROOTDIR path (ex: /var/lib/dhcpd-chroot):" |
50 |
# can't use ctrl-c, we trap all signal. |
51 |
read answer; |
52 |
export ROOTDIR="$answer" |
53 |
#non interactive |
54 |
elif [ "$1" == "-c" -a -n "$2" -o "$1" == "--chroot" -a -n "$2" ]; then |
55 |
export ROOTDIR="$2" |
56 |
else |
57 |
echo "" |
58 |
echo "Missing path for chroot." |
59 |
fi |
60 |
|
61 |
echo "I have to stop the ISC DHCP server before continuing..." |
62 |
PIDFILE="/var/run/dhcpd/dhcpd.pid" |
63 |
[ -f ${PIDFILE} ] && kill -9 `cat ${PIDFILE}` >/dev/null 2>&1 |
64 |
[ -f ${ROOTDIR}/${PIDFILE} ] && kill -9 `cat ${ROOTDIR}/${PIDFILE}` >/dev/null 2>&1 |
65 |
usleep 3600; rm -f ${PIDFILE} ${ROOTDIR}/${PIDFILE} >/dev/null 2>&1 |
66 |
|
67 |
# add the dhcpd user |
68 |
/usr/sbin/useradd -r -M -s /dev/false -c "system user for dhcpd" -d ${ROOTDIR} dhcpd 2> /dev/null || : |
69 |
|
70 |
# create directories and set permissions |
71 |
mkdir -p ${ROOTDIR} |
72 |
chmod 700 ${ROOTDIR} |
73 |
cd ${ROOTDIR} |
74 |
mkdir -p dev etc var/run/dhcpd var/lib/dhcp |
75 |
[ -e dev/null ] || mknod dev/null c 1 3 |
76 |
[ -e dev/random ] || mknod dev/random c 1 8 |
77 |
cp /etc/localtime etc/ |
78 |
# [ -f /etc/dhcpd.conf ] && cp -f /etc/dhcpd.conf etc/ |
79 |
[ -f /var/lib/dhcp/dhcpd.leases ] && cp -f /var/lib/dhcp/dhcpd.leases var/lib/dhcp/ |
80 |
[ -f /var/lib/dhcp/dhcpd.leases~ ] && cp -f /var/lib/dhcp/dhcpd.leases~ var/lib/dhcp/ |
81 |
chown -R dhcpd:dhcpd ${ROOTDIR} |
82 |
|
83 |
#update the OPTIONS in /etc/sysconfig/dhcpd |
84 |
if grep -q ^OPTIONS= /etc/sysconfig/dhcpd; then |
85 |
if sed 's!^\(OPTIONS=".*\)"$!\1 -user dhcpd -group dhcpd"!' < /etc/sysconfig/dhcpd > /etc/sysconfig/dhcpd.new; then |
86 |
mv -f /etc/sysconfig/dhcpd.new /etc/sysconfig/dhcpd |
87 |
fi |
88 |
else |
89 |
echo "Updating OPTIONS in /etc/sysconfig/dhcpd" |
90 |
echo "OPTIONS=\"-user dhcpd -group dhcpd\"" >> /etc/sysconfig/dhcpd |
91 |
fi |
92 |
|
93 |
#update the ROOTDIR in /etc/sysconfig/dhcpd |
94 |
echo "Updating ROOTDIR in /etc/sysconfig/dhcpd" |
95 |
echo "ROOTDIR=\"${ROOTDIR}\"" >> /etc/sysconfig/dhcpd |
96 |
|
97 |
echo "" |
98 |
echo "Chroot configuration for ISC DHCPD is complete." |
99 |
echo "You should review your ${ROOTDIR}/etc/dhcpd.conf" |
100 |
echo "and make any necessary changes." |
101 |
echo "" |
102 |
echo "Run \"/sbin/service dhcpd restart\" when you are done." |
103 |
echo "" |
104 |
|
105 |
# unchroot |
106 |
elif [ "$1" == "-u" -o "$1" == "--unchroot" ]; then |
107 |
|
108 |
if ! grep -q "^ROOTDIR=" /etc/sysconfig/dhcpd; then |
109 |
echo "" |
110 |
echo "Your dhcpd is not currently chrooted" |
111 |
echo "" |
112 |
exit |
113 |
fi |
114 |
|
115 |
echo "I have to stop the ISC DHCP server before continuing..." |
116 |
PIDFILE="/var/run/dhcpd/dhcpd.pid" |
117 |
[ -f ${PIDFILE} ] && kill -9 `cat ${PIDFILE}` >/dev/null 2>&1 |
118 |
[ -f ${ROOTDIR}/${PIDFILE} ] && kill -9 `cat ${ROOTDIR}/${PIDFILE}` >/dev/null 2>&1 |
119 |
usleep 3600; rm -f ${PIDFILE} ${ROOTDIR}/${PIDFILE} >/dev/null 2>&1 |
120 |
|
121 |
echo "" |
122 |
echo "Removing ROOTDIR from /etc/sysconfig/dhcpd" |
123 |
sed -e '/^\(ROOTDIR=".*\)"$/d' < /etc/sysconfig/dhcpd > /etc/sysconfig/dhcpd.new |
124 |
mv -f /etc/sysconfig/dhcpd.new /etc/sysconfig/dhcpd |
125 |
echo "Cleaning the OPTIONS in /etc/sysconfig/dhcpd" |
126 |
sed -e 's|-user dhcpd -group dhcpd[ ]*||' < /etc/sysconfig/dhcpd > /etc/sysconfig/dhcpd.new |
127 |
mv -f /etc/sysconfig/dhcpd.new /etc/sysconfig/dhcpd |
128 |
sed -e 's|[ ][ ]*"|"|' < /etc/sysconfig/dhcpd > /etc/sysconfig/dhcpd.new |
129 |
mv -f /etc/sysconfig/dhcpd.new /etc/sysconfig/dhcpd |
130 |
echo "" |
131 |
echo "Moving the following files to their original location :" |
132 |
# echo "/etc/dhcpd.conf" |
133 |
echo "/var/lib/dhcp/dhcpd.leases" |
134 |
echo "/var/lib/dhcp/dhcpd.leases~" |
135 |
# [ -f /etc/dhcpd.conf ] || mv -f ${ROOTDIR}/etc/dhcpd.conf /etc/ |
136 |
[ -f /var/lib/dhcp/dhcpd.leases~ ] || mv -f ${ROOTDIR}/var/lib/dhcp/dhcpd.leases~ /var/lib/dhcp/ |
137 |
[ -f /var/lib/dhcp/dhcpd.leases ] || mv -f ${ROOTDIR}/var/lib/dhcp/dhcpd.leases /var/lib/dhcp/ |
138 |
#chown -R dhcpd:dhcpd /var/run/dhcpd |
139 |
|
140 |
echo "" |
141 |
echo "Removing the ${ROOTDIR}" |
142 |
rm -rf ${ROOTDIR} |
143 |
echo "Your dhcpd server is not chrooted anymore." |
144 |
echo "" |
145 |
echo "Run \"/sbin/service dhcpd restart\" when you are done." |
146 |
echo "" |
147 |
|
148 |
#usage |
149 |
else |
150 |
echo "" |
151 |
echo "Usage: $0 [arguments]" |
152 |
echo "" |
153 |
echo -e "\t-s, --status (current dhcpd configuration type)" |
154 |
echo "" |
155 |
echo "arguments:" |
156 |
echo -e "\t-i, --interactive (so you can choose your path)" |
157 |
echo "" |
158 |
echo -e "\t-c, --chroot (choose a chroot location. ex: /var/lib/dhcpd-chroot)" |
159 |
echo "" |
160 |
echo -e "\t-u, --unchroot (back to the original configuration)" |
161 |
echo "" |
162 |
fi |