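#!/bin/sh
#env; exit 0
#
# pam_exec session hook: build a per-user chroot jail under $jail_dir by
# bind-mounting the shared read-only skeleton ($jail_system) and the user's
# real home on top of it.  Inputs come from the PAM_* environment set by
# pam_exec; output goes to stdout (pam_exec's log).  Must run as root.

jail_dir="/var/chroot-jails"
jail_system="/var/chroot-sys"

# PAM_USER has passed the rest of the stack, but it is still spliced into
# filesystem paths below, so refuse anything that could step outside
# "$jail_dir": empty, ".", "..", or a name containing a slash.
user="$PAM_USER"
case "$user" in
  ""|.|..|*/*)
    echo "refusing suspicious user name: '$user'"
    exit 1
    ;;
esac

home="$(getent passwd "$user" | cut -f6 -d:)"
home_system="$jail_system/$home"
home_chroot="$jail_dir/$user/$home";

echo "$PAM_USER, $PAM_SERVICE, $PAM_TTY, $PAM_RHOST, $PAM_TYPE"

[ "$user" = "root" ] && {
  echo "no chroots for roots"
  exit 0;
}

# Only jail homes that live under /home/.  $home is appended to both
# $jail_system and $jail_dir, so a home such as "/" or "/etc", or one with a
# ".." component, would otherwise be created inside and bind-mounted into
# the jail.  Fail closed: a session whose jail cannot be built is denied
# (non-zero exit) rather than started without one.
case "$home" in
  /home/?*) ;;
  *)
    echo "home '$home' for $user is not under /home/, refusing"
    exit 1
    ;;
esac
case "/$home/" in
  */../*|*/./*)
    echo "home '$home' for $user contains a relative component, refusing"
    exit 1
    ;;
esac

mkdir -p "$home_system"
mkdir -p "$jail_dir/$user"
chown "$user:$user" "$home_system"
# NOTE(review): this recursive chown also covers "$home_system", so the
# user:user ownership set on the line above ends up as root:root.  The real
# home is bind-mounted over that directory later, so it may not matter in
# practice, but the two lines cannot both be intended as written.
chown -R root:root "$jail_system"
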
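# is_mounted PATH: succeed if PATH (repeated slashes collapsed, trailing
# slash dropped) is currently a mount point listed in /proc/mounts.
# The path is caller data, not a regular expression, so it is matched as a
# fixed whole line: with the former "^$dir$" pattern, "/.*" would have been
# reported as mounted.  A lone "/" is kept as "/" instead of collapsing to
# the empty string.  Limitation: /proc/mounts encodes spaces and tabs in
# paths as \040/\011; such paths are not decoded here.
# (No "function" keyword: this file runs under #!/bin/sh.)
is_mounted() {
  dir=$(printf '%s\n' "$1" | sed -e 's/\/\/*/\//g; s/\/$//g;')
  [ -n "$dir" ] || dir="/"
  cut -d ' ' -f 2 /proc/mounts | grep -qFx -- "$dir"
}
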
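# bind FROM TO [OPT]: bind-mount FROM onto TO unless TO is already a mount
# point, then, when OPT is given, remount TO with those options (e.g. "ro").
# Returns 0 only if TO is mounted AND the requested remount succeeded.
# The remount is a separate mount(8) call whose status must be checked on
# its own: TO being mounted says nothing about whether "ro" took effect, and
# a jail root that was meant to be read-only but is not is worse than no
# jail at all.  Relies on the sibling is_mounted().
# (No "function" keyword: this file runs under #!/bin/sh.)
bind() {
  from="$1"
  to="$2"
  opt="${3#,}"   # tolerate a leading comma from callers (",ro" -> "ro")

  is_mounted "$to" || {
    echo "Mounting: $from to $to";
    mount -o bind "$from" "$to"
  }
  is_mounted "$to" || {
    echo "Not mounted: $to"
    return 1
  }
  if [ -n "$opt" ]; then
    mount -o remount,bind,"$opt" "$to" || {
      echo "Remount with '$opt' failed: $to"
      return 1
    }
  fi
  return 0
}
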
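case "$PAM_TYPE" in
  close_session)
    #TODO: unmount if not busy
    #umount "$jail_dir/$user" && umount "$home_chroot"
    exit 0
    ;;
  *)
    # Skeleton first, read-only, then the real home on top of the empty
    # "$home_system" directory inside it.  Exit codes are non-zero on
    # failure so that a "required" pam_exec entry refuses the session
    # instead of admitting the user into a half-built jail.
    bind "$jail_system" "$jail_dir/$user" 'ro' || exit 1
    # NOTE(review): the home bind carries no nosuid/nodev.  Whether a plain
    # bind inherits the source mount's flags depends on the mount(8)/kernel
    # version, so pass 'nosuid,nodev' as the third argument if that is wanted.
    # NOTE(review): "*" also performs the mounts for non-session PAM_TYPEs
    # (auth/account) should this script ever be listed there; open_session)
    # would be the tighter match.
    bind "$home" "$home_chroot" || exit 2
    ;;
esac

exit 0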