Script to strip chroot passwd file

Oliver Fromme olli at lurza.secnetix.de
Fri Apr 21 10:08:57 UTC 2006


Skye Poier <skye at f4.ca> wrote:
 > I'm running Apache in a chroot jail with suPHP.  It needs an /etc/
 > passwd in the chroot so that suPHP can setuid to the owner of the PHP
 > script, but there's nothing that requires the passwords to be valid.
 >
 > Does anyone have a script strips passwords out of master.passwd, sets
 > all shells to nologin, etc and writes it to the chroot etc dir?

That's pretty easy to do.

ETCDIR=/your/chroot/etc
SRCPWD=/etc/master.passwd
DSTPWD=$ETCDIR/master.passwd
AWKCMD='{ $2="*"; $10="/usr/sbin/nologin"; print; }'
awk -F: -v OFS=: "$AWKCMD" $SRCPWD > $DSTPWD
pwd_mkdb -p -d $ETCDIR $DSTPWD

 > I've
 > looked around but not found anything.  If it strips out certain UID
 > ranges,

Just add a filter to the awk command, e.g. to get only UIDs
from 100 to 65000:

AWKCMD='$3 >= 100 && $3 <= 65000 {$2="*"; $10="/usr/sbin/nologin"; print}'

 > and watches the master file's modification time so it can be
 > run out of cron as well, even better!

I think it's not a good idea to do such things out of cron.
I'd rather do it manually (immediately) whenever the master
file is changed.

But if you really want, it's not difficult either.  Just
wrap the awk and pwd_mkdb lines in an "if" statement:

ETCDIR=/your/chroot/etc
SRCPWD=/etc/master.passwd
DSTPWD=$ETCDIR/master.passwd
# also regenerate on the first run, when $DSTPWD does not exist yet
if [ ! -e "$DSTPWD" ] || [ -n "$(find "$SRCPWD" -newer "$DSTPWD")" ]; then
        AWKCMD=...
        awk -F: -v OFS=: "$AWKCMD" $SRCPWD > $DSTPWD
        pwd_mkdb -p -d $ETCDIR $DSTPWD
fi

 > If no such thing exists, I'll write one and share it with the group
 > if there's interest.

I guess the problem is that everybody wants or needs his
own special features, so everyone ends up writing his own
script anyway.  :-)

Best regards
   Oliver

-- 
Oliver Fromme,  secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing
Dienstleistungen mit Schwerpunkt FreeBSD: http://www.secnetix.de/bsd
Any opinions expressed in this message may be personal to the author
and may not necessarily reflect the opinions of secnetix in any way.

"If you think C++ is not overly complicated, just what is a protected
abstract virtual base pure virtual private destructor, and when was the
last time you needed one?"
        -- Tom Cargil, C++ Journal
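The procedure from this thread in one script (UID filter, blanked password field, nologin shell, regeneration only when the source is newer), written here as an added example and not code from the mail; the function names are assumptions of mine, and it additionally skips comment lines, which the awk one-liner would otherwise rewrite with ":" separators, and handles a missing target file, which find -newer alone cannot.

```sh
#!/bin/sh
# Added example: build a password-stripped master.passwd for a chroot.
# Helper names are assumptions; pwd_mkdb(8) is only run when present.

# strip_passwd SRC DST MINUID MAXUID
# Keep entries with MINUID <= uid <= MAXUID, replace the hash (field 2)
# with "*" and the shell (field 10) with nologin. Comment and blank lines
# are skipped so awk does not rejoin them with ":" as the separator.
strip_passwd() {
    awk -F: -v OFS=: -v min="$3" -v max="$4" \
        -v shell=/usr/sbin/nologin '
        /^#/ || NF == 0 { next }          # skip comments and blank lines
        $3 >= min && $3 <= max {
            $2 = "*"                      # no valid password hash
            $10 = shell                   # no interactive login
            print
        }' "$1" > "$2"
}

# sync_chroot_passwd ETCDIR [SRC] [MINUID] [MAXUID]
# Regenerate ETCDIR/master.passwd when the source is newer or the target
# is missing (find -newer errors out on a nonexistent file), then rebuild
# the db with pwd_mkdb if the tool exists. Returns 1 when nothing was done.
sync_chroot_passwd() {
    etcdir=$1
    src=${2:-/etc/master.passwd}
    dst=$etcdir/master.passwd
    if [ ! -e "$dst" ] || [ -n "$(find "$src" -newer "$dst")" ]; then
        strip_passwd "$src" "$dst" "${3:-100}" "${4:-65000}"
        command -v pwd_mkdb >/dev/null 2>&1 && pwd_mkdb -p -d "$etcdir" "$dst"
        return 0
    fi
    return 1
}

# "demo" argument: run against a constructed sample file (not a real passwd).
demo() {
    d=$(mktemp -d)
    printf '%s\n' '# constructed sample' \
        'www:*:80:80::0:0:Web:/nonexistent:/usr/sbin/nologin' \
        'alice:$6$abc:1001:1001::0:0:Alice:/home/alice:/bin/sh' \
        > "$d/master.passwd"
    mkdir "$d/etc"
    sync_chroot_passwd "$d/etc" "$d/master.passwd" && cat "$d/etc/master.passwd"
}
if [ "${1:-}" = demo ]; then demo; fi
```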
