scponlyc sftp support doesn't work without minimal devfs in chroot dir

I'm finding that recently-created scponlyc chroots do not provide a sufficient environment for /usr/libexec/sftp-server to run. The sftp client symptom is just: $ sftp user@www Connecting to www... Password: Connection closed $ The cause appears to be that recent versions of /usr/libexec/sftp-server will complain about of lack of access to /dev/null and exit, resulting in the closed connection witnessed by the remote client. The solution appears to be to create a devfs in the scponlyc chroot. To automatically create at boot time a devfs in the home directory of each user of scponlyc, I have chosen to put a script in /usr/local/etc/rc.d. PR: ports/108009 Submitted by: Jim Long <list@museum.rain.com> Approved by: maintainer timeout
svn path=/head/; revision=200733
2024-12-21 04:06:46 +00:00 · 2007-10-03 13:07:09 +00:00 · 2007-10-03 13:07:09 +00:00 · 6c06b5f993 · 2021-03-31 03:12:20 +00:00
commit 6c06b5f993
parent af1f6eecce
2 changed files with 66 additions and 9 deletions
--- a/shells/scponly/Makefile
+++ b/shells/scponly/Makefile
@ -88,15 +88,15 @@ GNU_CONFIGURE=	yes
 PATCH_STRIP=	-p1

 OPTIONS=	SCPONLY_WILDCARDS "wildcards processing" on \
-	SCPONLY_GFTP "gftp compatibility" on \
-	SCPONLY_CHROOT "chroot functionality" off \
-	SCPONLY_RSYNC "rsync compatibility" off \
-	SCPONLY_SCP "vanilla scp compatibility" off \
-	SCPONLY_SFTP_LOGGING "sftp logging compatibility" off \
-	SCPONLY_SVN "subversion compatibility" off \
-	SCPONLY_SVNSERVE "subversion compatibility svn+ssh://" off \
-	SCPONLY_UNISON "unison compatibility" off \
-	SCPONLY_WINSCP "WinSCP compatibility" off
+		SCPONLY_GFTP "gftp compatibility" on \
+		SCPONLY_CHROOT "chroot functionality" off \
+		SCPONLY_RSYNC "rsync compatibility" off \
+		SCPONLY_SCP "vanilla scp compatibility" off \
+		SCPONLY_SFTP_LOGGING "sftp logging compatibility" off \
+		SCPONLY_SVN "subversion compatibility" off \
+		SCPONLY_SVNSERVE "subversion compatibility svn+ssh://" off \
+		SCPONLY_UNISON "unison compatibility" off \
+		SCPONLY_WINSCP "WinSCP compatibility" off

 .include <bsd.port.pre.mk>

@ -115,6 +115,7 @@ CONFIGURE_ARGS+=--disable-gftp-compat
 .if defined(WITH_SCPONLY_CHROOT)
 PLIST_SUB+=	SCPONLY_CHROOT=""
 CONFIGURE_ARGS+=--enable-chrooted-binary
+USE_RC_SUBR=	scponlyc
 .else
 PLIST_SUB+=	SCPONLY_CHROOT="@comment "
 .endif
--- a/shells/scponly/files/scponlyc.in
+++ b/shells/scponly/files/scponlyc.in
@ -0,0 +1,56 @@
+#!/bin/sh
+
+ETCSHELLS="${ETCSHELLS:-/etc/shells}"
+ETCPASSWD="${ETCPASSWD:-/etc/passwd}"
+
+# script to create devfs filesystems at boot time for scponlyc
+# chroot'ed users. We will read ${ETCSHELLS} to determine
+# where scponlyc is installed. Then we'll iterate through
+# each user in ${ETCPASSWD} to find users whose shell is set to
+# scponlyc. For each such user found, we will create a
+# minimal devfs under ~/dev.
+
+make_devfs() {
+	# $1 is the user name whose home directory needs a minimal
+	# devfs created. If ~/dev exists, it will be deleted.
+
+	eval DEV="~$1/dev"
+	while /sbin/umount "${DEV}" 2>/dev/null; do :; done
+	rm -rf "${DEV}"
+	mkdir -p "${DEV}"
+	if /sbin/mount_devfs devfs "${DEV}"; then
+		/sbin/devfs -m "${DEV}" rule -s 1 applyset && \
+		/sbin/devfs -m "${DEV}" rule -s 2 applyset || \
+		/sbin/umount "${DEV}" 2>/dev/null
+	fi
+}
+
+
+scponlyc_startup() {
+	# $1 is the path to the /etc/passwd file
+
+	grep "^[^#]*:.*:.*:.*:.*:.*:${SCPONLYC}$" < "$1" |
+		/usr/bin/awk -F: {'print $1'} |
+		while read USER; do
+			make_devfs "${USER}"
+		done
+}
+
+SCPONLYC=`/usr/bin/grep "/scponlyc$" ${ETCSHELLS} 2>/dev/null | /usr/bin/tail -1`
+
+if [ "x${SCPONLYC}" = "x" ]; then
+	echo scponlyc is not defined in ${ETCSHELLS} >&2
+	exit 1
+fi
+
+case "$1" in
+start)
+	scponlyc_startup "${ETCPASSWD}"
+	echo -n ' scponlyc'
+	;;
+*)
+	echo "Usage: `basename $0` start" >&2
+	;;
+esac
+
+exit 0