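#!/bin/bash
##=====================================================================##
## Copyright (c) 2001-2004 Stephen Zarkos. All rights reserved.
## Obsid@Sentry.net
##
## Please see file: COPYRIGHT for further copyright information and
## disclaimer. Or online at http://www.SentryFirewall.com/files/COPYRIGHT
##=====================================================================##
## File: mkrootdsk.sh
## Script to Build a rootdisk.
## Read the script first, see what it does, and use with caution.
## Please see file: http://www.SentryFirewall.com/files/COPYRIGHT for
## important copyright and disclaimer information.
##
## NOTE: the shebang is bash, not sh. This script relies on brace
## expansion ({a,b}), "read -n" and arithmetic that plain POSIX sh does
## not provide, so running it under dash/ash would silently misbehave.
##=====================================================================##
## INTRO
## Please alter the variables below to match your environment. In short,
## the script does the following things:
## It first zeros out a file($base_dir/$rootdsk), formats that file, and
## then mounts it on $new_root(declared below), via a loopback device. It
## then precedes to copy the necessary files to the newly created rootdisk.
## By default, the script pulls the files from the Sentry Firewall CD-ROM,
## assumed to be mounted on /cdrom. The script assumes several things; /cdrom
## is mounted, and your kernel has loopback device support.
##
## IMPORTANT NOTES
## When the script finishes building the rootdisk it will prompt you to
## umount and gzip the disk image. If you would like to view or modify the
## rootdisk before copying it to the proper directory (/isolinux) then you
## can answer 'n' at that point. You will then need to umount and gzip the
## rootdisk($base_dir/$rootdsk) manually.
## In any case, as long as the environment is normal and all the directories
## are in the right place, this script should be able to pull all the files it
## needs to rebuild the rootdisk from the Sentry CD-ROM.
##=====================================================================##
## Variables
## Every setting the rest of the script reads lives here; nothing below
## this block reassigns them.

## The initial rootdisk size(in bytes).
## Warning: If you change this value will also need to change the
## "ramdisk_size" variable in isolinux.cfg.
rootdisk_size="7500800"

## Directory to put the rootdisk image that will be created.
base_dir="/root/rootdisk"

## Place to put files from the CDROM. This directory will be
## tar/gzipped and placed on the rootdisk.
## Must stay "root": linuxrc expects that name (checked at startup).
root_files="root"

## This variable should not be changed.
new_root="${base_dir}/${root_files}"

## Place to mount rootdisk image once created/formatted.
mnt_dir="${base_dir}/mnt"

## File name of the rootdisk image.
rootdsk="initrd.img"

## Temp dir to use. Scratch work is done in a mktemp'd subdirectory of
## this, never directly in it.
temp="/tmp"

## Where we mounted the Sentry Firewall CD-ROM.
cdrom="/cdrom"

## Directory to get /bin binaries from(to put on rootdisk).
bin_dir="${cdrom}/bin"

## Directory to get /sbin binaries from(to put on rootdisk).
sbin_dir="${cdrom}/sbin"

## Directory to get /etc stuff from(to put on rootdisk).
etc_dir="${cdrom}/etc"

## Directory to get /lib stuff from(to put on rootdisk).
lib_dir="${cdrom}/lib"

## Directory to get /var stuff from(to put on rootdisk).
var_dir="${cdrom}/var"

## Directory to get /dev stuff from(to put on rootdisk).
dev_stuff="${cdrom}/etc/dev_stuff"

## Directory to get certain modified /etc files from(to put on rootdisk).
## Usually leave this alone as well.
sys_files="${cdrom}/etc/sys_files"

## UID/GID variables, used for chowning files/dir with users
## that may not exist on the development system, but do on a
## default Sentry Firewall system.
snort_uid="104"
snort_gid="104"
squid_uid="108"
squid_gid="108"
lp_uid="4"
lp_gid="7"
nobody_uid="99"
nobody_gid="98"
mail_uid="8"
mail_gid="12"
smmsp_uid="25"
smmsp_gid="25"
named_uid="106"
named_gid="106"
sentry_uid="1000"
sentry_gid="1000"
wheel_gid="10"
mysql_uid="27"
mysql_gid="27"
slocate_gid="21"

## Kernel versions. Used to bundle ethernet drivers on the rootdisk
## for network configuration support.
#kern_22="2.2.25-ow1"
kern_24="2.4.28GENERIC"

## Done with variables.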
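##=====================================================================##
##=====================================================================##
## Init stuff.
PATH=/sbin:/bin:/usr/sbin:/usr/bin
umask 022

echo
echo "Sentry Firewall CD-ROM: mkrootdsk.sh"
echo "Copyright (C) Stephen A. Zarkos, Obsid@Sentry.net"
echo "Ok, let's get to it..."
echo

#######################################
## Make sure a work directory is usable, creating it when missing.
## Arguments: $1 - directory path
## Outputs:   progress/error messages on stdout
## Returns:   0 when the directory exists and can be entered; exits 1
##            if it exists as something else or cannot be created.
#######################################
ensure_dir() {
  local dir=$1
  if [ -d "$dir" ] && [ -x "$dir" ]; then
    return 0
  fi
  if [ -e "$dir" ]; then
    ## A file or an unreadable directory in the way: refuse rather than
    ## let later cp/mkdir calls fail one by one.
    echo "[-] $dir exists, but is not a usable directory. Exiting."
    echo
    exit 1
  fi
  echo -n "[+] Creating ${dir}... "
  if mkdir -- "$dir" && [ -x "$dir" ]; then
    echo "Done."
  else
    echo
    echo "[-] Creation of $dir failed, please check your variables. Exiting."
    echo
    exit 1
  fi
}

## $base_dir directory checks.
ensure_dir "$base_dir"

## $root_files directory checks.
if [ "$root_files" != "root" ]; then
  echo "[-] ERROR: The root_files variable was changed from the"
  echo "    default value of \"root\". This will cause problems"
  echo "    since the linuxrc script expects this directory to be"
  echo "    called \"root\". Exiting."
  exit 1
fi

## $new_root directory checks.
ensure_dir "$new_root"

## Check to see if $new_root is full of crap. The mkdir/cp steps below
## cannot cope with leftovers, so this is fatal (it used to only warn).
if [ -n "$(ls -A -- "$new_root")" ]; then
  echo "[-] $new_root is not empty. Please consider cleaning this directory"
  echo "    before running this script. Exiting."
  exit 1
fi

## $mnt_dir directory checks.
ensure_dir "$mnt_dir"

##===============================================================##
## Lets start copying stuff to ${new_root}.
echo "[+] Ok, starting to copy stuff to the rootdisk... "
dir_array="root dev proc etc sbin bin lib mnt mnt1 mnt2 mnt3 mnt4 \
           opt cdrom floppy tmp tmp/drivers var initrd"
echo -n "[+] Making directories:"
## ${dir_array} is deliberately unquoted: it is a space separated list.
for dir in ${dir_array}; do
  echo -n " $dir"
  mkdir -- "${new_root}/${dir}"
done
echo "... Done."

## Copy all the dev stuff we need. -d keeps the device nodes/symlinks as
## they are instead of following them.
echo -n "[+] Copying /dev files... "
cp -Rdp -- "${dev_stuff}"/* "${new_root}/dev"
echo "Done."

## Basic symlinks: /boot and /usr are served from the CD at run time.
ln -s /cdrom/boot "${new_root}/boot"
ln -s /cdrom/usr "${new_root}/usr"

##===============================================================##
## Create /var
echo -n "[+] Working in /var... "

## Make directories (parents are listed before their children).
var_dirs="cache lock log man named pid run spool state tmp yp net-snmp ftp empty \
          cache/proxy lock/subsys state/dhcp \
          log/mount log/ftpd log/routed log/apache log/setup log/cups \
          log/setup/tmp log/setup/apache \
          spool/atjobs spool/atspool \
          spool/cron spool/cron/crontabs \
          spool/locate spool/lpd spool/mail spool/mqueue spool/pop \
          spool/pcnfs spool/rwho spool/samba spool/clientmqueue spool/cups spool/cups/tmp \
          www www/cgi-bin www/htdocs www/htdocs/firewall www/htdocs/snort \
          run/stunnel run/samba run/proftpd run/named webmin \
          lib lib/mysql lib/nfs lib/pcmcia lib/slocate lib/logrotate lib/firewall-jay \
          lib/shorewall chroot chroot/named chroot/snort"
for dir in ${var_dirs}; do
  mkdir -- "${new_root}/var/${dir}"
done
unset var_dirs dir

## Make some empty files(logs, etc).
empty_files="run/utmp \
             state/dhcp/dhcpd.leases \
             log/cron log/debug log/messages log/secure log/maillog log/firewall log/syslog log/wtmp \
             log/log.smb log/log.nmb log/proftpd.log log/xferlog \
             log/access.log log/cache.log log/store.log log/SENTRY_LOG \
             webmin/miniserv.error webmin/miniserv.log webmin/webmin.log"
for file in ${empty_files}; do
  touch -- "${new_root}/var/${file}"
done

## Fix perms
## Misc.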
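## Ownership uses the documented "user:group" form; the old "user.group"
## spelling is only kept by GNU chown for compatibility. Numeric ids come
## from the variables block because the accounts may not exist here.
chown 0:2 "${new_root}/var/run"
chmod 775 "${new_root}/var/run"
chmod 700 "${new_root}/var/empty"

## var/tmp
chmod 1777 "${new_root}/var/tmp"

## var/log
chmod 600 "${new_root}/var/log/SENTRY_LOG"
chmod 644 "${new_root}/var/log/cron"
chmod 644 "${new_root}/var/log/"{log.smb,log.nmb,wtmp}
chmod 640 "${new_root}/var/log/"{debug,messages,syslog}
chmod 640 "${new_root}/var/log/"{cache.log,access.log,store.log}
chown "${squid_uid}:${squid_gid}" "${new_root}/var/log/"{access.log,cache.log,store.log}

## var/spool
chown 2:2 "${new_root}/var/spool/"{atjobs,atspool}
chmod 700 "${new_root}/var/spool/"{atjobs,atspool}
chown "0:${wheel_gid}" "${new_root}/var/spool/cron"
chmod 751 "${new_root}/var/spool/cron"
chown "0:${wheel_gid}" "${new_root}/var/spool/cron/crontabs"
chmod 750 "${new_root}/var/spool/cron/crontabs"
chown "${nobody_uid}:1" "${new_root}/var/spool/locate"
chown "0:${lp_gid}" "${new_root}/var/spool/lpd"
chmod 775 "${new_root}/var/spool/lpd"
chown "0:${mail_gid}" "${new_root}/var/spool/mail"
chmod 1777 "${new_root}/var/spool/mail"
chmod 700 "${new_root}/var/spool/mqueue"
chown "0:${mail_gid}" "${new_root}/var/spool/mqueue"
chmod 770 "${new_root}/var/spool/clientmqueue"
chown "${smmsp_uid}:${smmsp_gid}" "${new_root}/var/spool/clientmqueue"
chmod 710 "${new_root}/var/spool/cups"
chmod 1770 "${new_root}/var/spool/cups/tmp"
chmod 700 "${new_root}/var/spool/pop"

## var/cache
chown "${squid_uid}:${squid_gid}" "${new_root}/var/cache"

## var/run
## nobody/nogroup are resolved by name on the build host; no numeric
## variable exists for nogroup in this file.
chown nobody:nogroup "${new_root}/var/run/stunnel"
chown "${named_uid}:${named_gid}" "${new_root}/var/run/named"

## var/lib
chown "${mysql_uid}:${mysql_gid}" "${new_root}/var/lib/mysql"
chown ":${slocate_gid}" "${new_root}/var/lib/slocate"

## var/chroot
chmod 755 "${new_root}/var/chroot"
chmod 700 "${new_root}/var/chroot/"{named,snort}
chown "${named_uid}:${named_gid}" "${new_root}/var/chroot/named"
chown "${snort_uid}:${snort_gid}" "${new_root}/var/chroot/snort"

## var/webmin
chown root:bin "${new_root}/var/webmin"
chmod 700 "${new_root}/var/webmin"
chown root:bin "${new_root}/var/webmin/"*
chmod 600 "${new_root}/var/webmin/"*

## Misc. symlinks
ln -s log "${new_root}/var/adm"
ln -s spool/mail "${new_root}/var/mail"
ln -s /var/spool/rwho "${new_root}/var/rwho"
ln -s /usr/libexec "${new_root}/var/www/libexec"
ln -s /var/log/apache "${new_root}/var/www/logs"
ln -s /etc/apache "${new_root}/var/www/conf"
ln -s SENTRY_LOG "${new_root}/var/log/config_log"   ## cd-config log files
ln -s /var/chroot/snort/var/log/SNORT "${new_root}/var/log/SNORT"
ln -s SNORT "${new_root}/var/log/snort"

## /var/www/htdocs/firewall
mkdir "${new_root}/var/www/htdocs/firewall/fwanalog.out"
for item in FIREWALL_SCRIPTS PHP_SCRIPTS README; do
  ln -s "/cdrom/SENTRY/scripts/firewall/${item}" "${new_root}/var/www/htdocs/firewall/${item}"
done

## /var/lib/firewall-jay
cp -p "${var_dir}/lib/firewall-jay/"* "${new_root}/var/lib/firewall-jay"

## Other
cp -p "${var_dir}/spool/cron/crontabs/"* "${new_root}/var/spool/cron/crontabs/"
cp -p "${var_dir}/log/lastlog" "${new_root}/var/log/lastlog"

##-----------------------------------------------------------------------------------##
## Squid.
mkdir "${new_root}/var/lib/squid"
chown "${squid_uid}:${squid_gid}" "${new_root}/var/lib/squid"
ln -s ../../cache "${new_root}/var/lib/squid/cache"
ln -s ../../log "${new_root}/var/lib/squid/logs"
##-----------------------------------------------------------------------------------##

##-----------------------------------------------------------------------------------##
## Chrooted named.
chroot_dir="${new_root}/var/chroot/named"
dirs="dev etc etc/namedb etc/namedb/slave usr usr/sbin var var/run \
      var/log"
for i in ${dirs}; do
  mkdir "${chroot_dir}/${i}"
done

## named.conf
cp -p "${sys_files}/named.conf" "${chroot_dir}/etc/named.conf"

## /var/{named,namedb} both point at etc/namedb inside the chroot.
ln -s ../etc/namedb "${chroot_dir}/var/named"
ln -s ../etc/namedb "${chroot_dir}/var/namedb"

## Default zone/hints files.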
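## ${chroot_dir}/var/named is the symlink to etc/namedb made just above.
for zone in named.hints named.localhost 0.0.127.in-addr.arpa; do
  cp -p "${var_dir}/chroot/named/var/named/${zone}" "${chroot_dir}/var/named/${zone}"
done

## /var/log
touch "${chroot_dir}/var/log/named.security"
chown "${named_uid}:${named_gid}" "${chroot_dir}/var/log/named.security"

## /var/{run,named/slave}
chown "${named_uid}:${named_gid}" "${chroot_dir}/var/run"
chmod 755 "${chroot_dir}/var/run"
chmod 755 "${chroot_dir}/var/named/slave"

## /etc/namedb, /var/named is also often used.
chown "${named_uid}:${named_gid}" "${chroot_dir}/etc/namedb/slave"
chmod 755 "${chroot_dir}/etc/namedb/slave"

## named8 binaries.
ln -s /cdrom/var/chroot/named/usr/sbin/named8 "${chroot_dir}/usr/sbin/named8"
cp -p "${var_dir}/chroot/named/usr/sbin/named-xfer8" "${chroot_dir}/usr/sbin/named-xfer"

## Other files needed for chroot.
cp -p "${etc_dir}/localtime" "${chroot_dir}/etc/localtime"
## NOTE(review): these are substring matches, so any passwd/group line
## containing "named" is copied, not just the named account - confirm
## that is the intent before tightening to '^named:'.
grep 'named' "${sys_files}/passwd" > "${chroot_dir}/etc/passwd"
grep 'named' "${sys_files}/group" > "${chroot_dir}/etc/group"
## Minimal device nodes for the chroot: null (1,3) and random (1,8).
mknod "${chroot_dir}/dev/null" c 1 3
mknod "${chroot_dir}/dev/random" c 1 8
chmod 666 "${chroot_dir}/dev/"{null,random}

## Done with named chroot.
##-----------------------------------------------------------------------------------##

##-----------------------------------------------------------------------------------##
## Chrooted snort.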
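chroot_dir="${new_root}/var/chroot/snort"
dirs="dev etc etc/snort var var/run var/log var/log/SNORT"
for i in ${dirs}; do
  mkdir "${chroot_dir}/${i}"
done

## snort.conf
cp -p "${sys_files}/snort.conf" "${chroot_dir}/etc/snort.conf"

## /etc/snort
chown ":${snort_gid}" "${chroot_dir}/etc/snort"
chmod 710 "${chroot_dir}/etc/snort"
cp -p "${etc_dir}/snort/"* "${chroot_dir}/etc/snort/"
ln -s /var/chroot/snort/etc/snort "${new_root}/etc/snort"   ## /etc/snort -> $chroot_dir/etc/snort

## /var/log/SNORT
chown "${snort_uid}:${snort_gid}" "${chroot_dir}/var/log/SNORT"
chmod 750 "${chroot_dir}/var/log/SNORT"

## /var/run
chown ":${snort_gid}" "${chroot_dir}/var/run"

## Other files needed for chroot.
cp -p "${etc_dir}/localtime" "${chroot_dir}/etc/localtime"
## Substring match, as for the named chroot above.
grep 'snort' "${sys_files}/passwd" > "${chroot_dir}/etc/passwd"
grep 'snort' "${sys_files}/group" > "${chroot_dir}/etc/group"
mknod "${chroot_dir}/dev/null" c 1 3
chmod 666 "${chroot_dir}/dev/null"

## Done with snort chroot.
##--------------------------------------------------------------------------------------------##
echo "Done."
## Done with var

##================================================================##
##================================================================##
## /home stuff
echo -n "[+] Working in /home... "

## /home/sentry
mkdir "${new_root}/"{home,home/sentry}
chown "${sentry_uid}:${sentry_gid}" "${new_root}/home/sentry"
chmod 755 "${new_root}/home"
chmod 711 "${new_root}/home/sentry"
touch "${new_root}/home/sentry/.bash_history"
chown "${sentry_uid}:${sentry_gid}" "${new_root}/home/sentry/.bash_history"
chmod 600 "${new_root}/home/sentry/.bash_history"
ln -s /cdrom/SENTRY "${new_root}/home/sentry/SENTRY"
ln -s /cdrom/SENTRY/docs "${new_root}/home/sentry/docs"

## /root
chmod 700 "${new_root}/root"
touch "${new_root}/root/.bash_history"
chown 0:0 "${new_root}/root/.bash_history"
chmod 600 "${new_root}/root/.bash_history"
ln -s /cdrom/SENTRY "${new_root}/root/SENTRY"
ln -s /cdrom/SENTRY/docs "${new_root}/root/docs"

## Skeleton dotfiles for both accounts.
files=".less .lessrc .screenrc"
for home in home/sentry root; do
  for file in ${files}; do
    cp -p "${etc_dir}/skel/${file}" "${new_root}/${home}/"
  done
done

## /home/ftp
mkdir "${new_root}/home/ftp"
echo "Done."
## Done with /home stuff

##================================================================##
##================================================================##
## /bin /sbin stuff
echo -n "[+] Working in /bin... "

## Binaries are stripped in a private mktemp directory rather than straight
## in ${temp}: a fixed, world-writable path would let anything else on the
## build host swap the file between the strip and the copy onto the disk.
scratch=$(mktemp -d "${temp}/mkrootdsk.XXXXXX") || {
  echo
  echo "[-] Could not create a scratch directory under ${temp}. Exiting."
  exit 1
}

bin_binaries="busybox login stty cut mount cp grep gzip ls mv \
              rm umount bash tar"
for binary in ${bin_binaries}; do
  cp -p "${bin_dir}/${binary}" "${scratch}/"
  strip "${scratch}/${binary}"
  cp -p "${scratch}/${binary}" "${new_root}/bin"
  rm -f "${scratch}/${binary}"
done

## Stuff we want in /bin but are normally in /usr/bin
bin_binaries="tail sed perl"
usr_bin_dir="${bin_dir%/bin}/usr/bin"
for binary in ${bin_binaries}; do
  cp -p "${usr_bin_dir}/${binary}" "${scratch}/"
  strip "${scratch}/${binary}"
  cp -p "${scratch}/${binary}" "${new_root}/bin/${binary}"
  rm -f "${scratch}/${binary}"
done
rmdir "${scratch}"

## Modified ssh binary to use with scp/sftp network config support, removed
## after configuration.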
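files="ssh scp sftp wget"
for file in ${files}; do
  cp "${etc_dir}/tmp_bins/${file}.tmp.bz2" "${new_root}/bin/${file}.bz2"
  bzip2 -d "${new_root}/bin/${file}.bz2"
  chmod 700 "${new_root}/bin/${file}"
done

## busybox symlinks
bbox_bin_array="cat chgrp chmod chown date dd df dmesg du echo false \
                free hostname kill killall ln mkdir mknod more pwd rmdir sleep \
                sync touch true uname"
for link in ${bbox_bin_array}; do
  ln -s busybox "${new_root}/bin/${link}"
done

bbox_sbin_array="mkswap nameif swapon swapoff"
for link in ${bbox_sbin_array}; do
  ln -s /bin/busybox "${new_root}/sbin/${link}"
done

## Copying Symlinks: bring over the symlinks that live in $bin_dir unless
## something (a copied binary or busybox link) already has that name.
## Iterating over the absolute glob avoids cd'ing around and restoring pwd.
for i in "${bin_dir}"/*; do
  name=${i##*/}
  if [ -h "$i" ] && [ ! -e "${new_root}/bin/${name}" ]; then
    cp -dp "$i" "${new_root}/bin/${name}"
  fi
done

## Process stuff in $bin_dir.
## Only want executable stuff. No symlinks, directories, etc.
bin_list=""
for i in "${bin_dir}"/*; do
  name=${i##*/}
  ## Same filter as the old nested ifs: no directories, symlinks, block or
  ## character devices, or named pipes, and the entry must be executable.
  if [ ! -d "$i" ] && [ ! -h "$i" ] && [ ! -b "$i" ] && [ ! -c "$i" ] \
     && [ ! -p "$i" ] && [ -x "$i" ]; then
    bin_list="${bin_list} ${name}"
  fi
done

## Let's Recap:
## $bin_binaries   == List of binaries actually copied to $new_root/bin
##                    (by now it holds only the /usr/bin trio: tail sed perl)
## $bbox_bin_array == List of symlinks in $new_root/bin made to busybox
## $bin_list       == actual list of binaries in /bin, that we want symlinks made to
##                    from $new_root/bin to /cdrom/bin.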
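## Symlink every remaining /bin binary on the CD into ${new_root}/bin.
## Entries that were copied ($bin_binaries) or are busybox links
## ($bbox_bin_array) are skipped. The old perl filter compared against
## $bbox_array, a variable that is never set in this file; the busybox
## list is $bbox_bin_array. The -e/-h test is what actually keeps copied
## files and links from being clobbered.
for binary in ${bin_list}; do
  skip=0
  for have in ${bbox_bin_array} ${bin_binaries}; do
    if [ "$binary" = "$have" ]; then
      skip=1
      break
    fi
  done
  if [ "$skip" = 1 ]; then
    continue
  fi
  if [ ! -e "${new_root}/bin/${binary}" ] && [ ! -h "${new_root}/bin/${binary}" ]; then
    ln -s "/cdrom/bin/${binary}" "${new_root}/bin/${binary}"
  fi
done
sync
echo "Done."
## Done with /bin
##----------------------------------------------------------------##

##----------------------------------------------------------------##
## /sbin Stuff
echo -n "[+] Working in /sbin... "

## Private scratch directory for stripping, as in the /bin section.
scratch=$(mktemp -d "${temp}/mkrootdsk.XXXXXX") || {
  echo
  echo "[-] Could not create a scratch directory under ${temp}. Exiting."
  exit 1
}

sbin_binaries="agetty blockdev dhcpcd hwclock depmod ifconfig \
               init insmod route ip"
for binary in ${sbin_binaries}; do
  cp -p "${sbin_dir}/${binary}" "${scratch}/"
  strip "${scratch}/${binary}"
  cp -p "${scratch}/${binary}" "${new_root}/sbin"
  rm -f "${scratch}/${binary}"
done
rmdir "${scratch}"

## Other non-binary stuff(iproute2 scripts, etc)
files="routef routel rtpr ifcfg"
for binary in ${files}; do
  cp -p "${sbin_dir}/${binary}" "${new_root}/sbin"
done

## Copying Symlinks
for i in "${sbin_dir}"/*; do
  name=${i##*/}
  if [ -h "$i" ] && [ ! -e "${new_root}/sbin/${name}" ]; then
    cp -dp "$i" "${new_root}/sbin/${name}"
  fi
done

## Process stuff in $sbin_dir.
## Only want executable stuff. No symlinks, directories, etc.
## bin_list is reset here: it still held the /bin names from the previous
## section, which produced dangling /cdrom/sbin/<name> links for every
## /bin binary.
bin_list=""
for i in "${sbin_dir}"/*; do
  name=${i##*/}
  if [ ! -d "$i" ] && [ ! -h "$i" ] && [ ! -b "$i" ] && [ ! -c "$i" ] \
     && [ ! -p "$i" ] && [ -x "$i" ]; then
    bin_list="${bin_list} ${name}"
  fi
done

## Symlink what is left to the CD, skipping the copied binaries.
for binary in ${bin_list}; do
  skip=0
  for have in ${sbin_binaries}; do
    if [ "$binary" = "$have" ]; then
      skip=1
      break
    fi
  done
  if [ "$skip" = 1 ]; then
    continue
  fi
  if [ ! -e "${new_root}/sbin/${binary}" ] && [ ! -h "${new_root}/sbin/${binary}" ]; then
    ln -s "/cdrom/sbin/${binary}" "${new_root}/sbin/${binary}"
  fi
done

## Copy mkconfig to $new_root/sbin
cp "${cdrom}/SENTRY/scripts/MK-CONFIG/mkconfig" "${new_root}/sbin/"
chmod 755 "${new_root}/sbin/mkconfig"
sync
echo "Done."
## Done with /sbin stuff
##================================================================##

##================================================================##
## /lib stuff
echo -n "[+] Working in /lib... "

GLIBC_VERSION="2.3.2"   ## Important!

## Copy files and symlinks from /lib to $new_root/lib
## NOTE: It's extremely important that the ld.so.cache we copy(see below)
## matches these libs, otherwise the basic things like /bin/ash won't run.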
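libs="libc-${GLIBC_VERSION}.so \
      ld-${GLIBC_VERSION}.so \
      libcrypt-${GLIBC_VERSION}.so \
      libm-${GLIBC_VERSION}.so \
      libnsl-${GLIBC_VERSION}.so \
      libdl-${GLIBC_VERSION}.so \
      libutil-${GLIBC_VERSION}.so \
      libtermcap.so.2.0.8 \
      libresolv-${GLIBC_VERSION}.so \
      librt-${GLIBC_VERSION}.so \
      libnss_files-${GLIBC_VERSION}.so \
      libnss_dns-${GLIBC_VERSION}.so \
      libpthread-0.10.so"

## Strip debug info in a private scratch directory (see the /bin section
## for why a fixed path under ${temp} is not used).
scratch=$(mktemp -d "${temp}/mkrootdsk.XXXXXX") || {
  echo
  echo "[-] Could not create a scratch directory under ${temp}. Exiting."
  exit 1
}
for file in ${libs}; do
  objcopy --strip-debug "${lib_dir}/${file}" "${scratch}/${file}"
  chmod 755 "${scratch}/${file}"
  cp -p "${scratch}/${file}" "${new_root}/lib"
  rm -f "${scratch}/${file}"
done
rmdir "${scratch}"

for i in "${lib_dir}"/*; do
  name=${i##*/}
  if [ -L "$i" ]; then
    ## Look in $lib_dir and copy the symbolic links to the rootdisk.
    cp -dp "$i" "${new_root}/lib/${name}"
  elif [ "$name" != "modules" ] && [ ! -e "${new_root}/lib/${name}" ]; then
    ## Otherwise, they must be real files, so just make symlinks to the
    ## cdrom. "modules" gets its own (empty) directory below.
    ln -s "/cdrom/lib/${name}" "${new_root}/lib/${name}"
  fi
done
mkdir "${new_root}/lib/modules"
sync
echo "Done."
## Done with /lib stuff.
##================================================================##

##================================================================##
## /etc stuff
echo -n "[+] Working in /etc... "

## Make a directory called "default" in $new_root/etc
## This is where the default /etc files will go
mkdir "${new_root}/etc/default"

## Make a few other needed directories
dir_array="dhcpc mail msgs ppp skel slip ssh ssl rc.d apache \
           mysql profile.d samba ucd-snmp syslog-ng squid zebra pcmcia iproute2 \
           ntp wlan cron.daily cron.hourly cron.monthly cron.weekly stunnel \
           logrotate.d hotplug ipsec.d joe webmin shorewall portsentry firewall-jay \
           sysconfig openvpn eciadsl ss5 l2tp analog proxy-suite bluetooth cups"
for dir in ${dir_array}; do
  mkdir "${new_root}/etc/${dir}"
  mkdir "${new_root}/etc/default/${dir}"
  ## Copy the CD's copy of the directory into etc/default. Using the
  ## absolute glob (instead of cd + "*") means a missing source directory
  ## simply copies nothing and the working directory is never changed.
  for i in "${etc_dir}/${dir}"/*; do
    if [ -e "$i" ]; then
      cp -Rdp "$i" "${new_root}/etc/default/${dir}/"
    fi
  done
done

## Copy default files to $new_root/etc/default
files="at.deny \
       dnsmasq.conf \
       bootptab \
       csh.cshrc \
       csh.login \
       dhclient-script dhclient.conf dhcpd.conf \
       exports \
       ethertypes \
       fdprm \
       ftpaccess ftpconversions \
       gateways \
       host.conf \
       hosts.allow hosts.deny hosts.equiv \
       hosts.lpd \
       login.access login.defs \
       identd.conf \
       ifhp.conf \
       knockdaemon.conf \
       knockclient.conf \
       ld.so.conf \
       logrotate.conf \
       lpd.conf \
       lpd.perms \
       minicom.users minirc.dfl \
       modules.conf \
       mail.rc \
       netgroup networks \
       nntpserver \
       nrpe.cfg \
       nsswitch.conf nsswitch.conf-nis \
       newsyslog.conf \
       ntp.conf \
       pear.conf powerd.conf \
       printcap \
       protocols services \
       pptpd.conf \
       radvd.conf \
       random-seed \
       rpc \
       securetty \
       serial.conf \
       syslog.conf \
       ulogd.conf \
       vsftpd.conf \
       wgetrc \
       gated.conf \
       ipsec.conf ipsec.secrets"
for file in ${files}; do
  cp -p "${etc_dir}/${file}" "${new_root}/etc/default/${file}"
done

## Important system and config files.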
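## These come from $sys_files, the Sentry-specific versions, not from the
## plain CD /etc.
files="fstab group passwd shadow profile inetd.conf inetd.conf.none \
       proftpd.conf shells hosts resolv.conf named.conf ftpusers"
for file in ${files}; do
  cp -p "${sys_files}/${file}" "${new_root}/etc/default/${file}"
done

## Copy other files to /etc and /etc/default
## Most of these would not need to be modified
files="DIR_COLORS \
       NETWORKING \
       inittab \
       ioctl.save \
       ld.so.cache \
       magic \
       slackware-version \
       termcap \
       termcap-BSD \
       termcap-Linux CDversion"
for file in ${files}; do
  cp -p "${etc_dir}/${file}" "${new_root}/etc/${file}"
done

## Create /etc/default/HOSTNAME
echo "fw-v1.sentry.net" > "${new_root}/etc/default/HOSTNAME"

## Create some empty files
# touch ${new_root}/etc/default/{issue,issue.net,motd}
touch "${new_root}/etc/mtab"
touch "${new_root}/etc/default/mtab"
touch "${new_root}/etc/mactab"
touch "${new_root}/etc/default/mactab"
ln -s /sbin/rmt "${new_root}/etc/rmt"

## Temporary files required to use ftp:// with wget for configuration.
## passwd/shadow/group files with just a single root account(disabled).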
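files="passwd shadow group"
for file in ${files}; do
  cp -p "${etc_dir}/${file}.tmp" "${new_root}/etc/${file}"
done

##----------------------------------------------------------------------##
## /etc/ipsec.d
mkdir "${new_root}/etc/ipsec.d/"{cacerts,certs,crls,ocspcerts,policies,private}
##----------------------------------------------------------------------##

##----------------------------------------------------------------------##
## /etc/ppp
mkdir "${new_root}/etc/ppp/"{peer,plugins}
##----------------------------------------------------------------------##

##----------------------------------------------------------------------##
## /etc/bluetooth
mkdir "${new_root}/etc/bluetooth/firmware"
##----------------------------------------------------------------------##

##----------------------------------------------------------------------##
## /etc/cups
mkdir "${new_root}/etc/cups/"{ppd,interfaces,certs}
##----------------------------------------------------------------------##

##----------------------------------------------------------------------##
## /etc/pcmcia
mkdir "${new_root}/etc/pcmcia/cis"
##----------------------------------------------------------------------##

##----------------------------------------------------------------------##
## /etc/samba
mkdir "${new_root}/etc/samba/private"
##----------------------------------------------------------------------##

##----------------------------------------------------------------------##
## /etc/ssl
mkdir "${new_root}/etc/ssl/"{certs,lib,misc,private}
##----------------------------------------------------------------------##

##----------------------------------------------------------------------##
## /etc/apache
mkdir "${new_root}/etc/apache/"{ssl.crl,ssl.csr,ssl.prm,ssl.crt,ssl.key}
## NOTE(review): the directory created above is etc/apache/ssl.key, but the
## chmod targets etc/default/apache/ssl.key (populated from the CD's
## etc/apache). Kept as written; confirm which one should be locked down.
chmod 700 "${new_root}/etc/default/apache/ssl.key"
##----------------------------------------------------------------------##

##----------------------------------------------------------------------##
## /etc/codepages(samba)
mkdir "${new_root}/etc/codepages"
mkdir "${new_root}/etc/default/codepages"
## Link each codepage back to the CD. The -e guard skips the literal "*"
## that an empty source directory would otherwise produce.
for i in "${etc_dir}/codepages"/*; do
  [ -e "$i" ] || continue
  name=${i##*/}
  ln -s "/cdrom/etc/codepages/${name}" "${new_root}/etc/default/codepages/${name}"
done
##----------------------------------------------------------------------##

##----------------------------------------------------------------------##
## /etc/squid
ln -s /cdrom/usr/share/errors "${new_root}/etc/default/squid/errors"
ln -s /cdrom/usr/share/icons "${new_root}/etc/default/squid/icons"
##----------------------------------------------------------------------##

##----------------------------------------------------------------------##
## /etc/snort
ln -s /var/chroot/snort/etc/snort.conf "${new_root}/etc/default/snort.conf"
##----------------------------------------------------------------------##

##----------------------------------------------------------------------##
## /etc/zebra
chmod 750 "${new_root}/etc/"{default/zebra/,zebra/}
##----------------------------------------------------------------------##

##----------------------------------------------------------------------##
## /etc/rc.d
## Copy the perl config scripts to /etc/rc.d/SENTRY
mkdir "${new_root}/etc/rc.d/SENTRY"
cp -p "${cdrom}/SENTRY/scripts/cd-config/"* "${new_root}/etc/rc.d/SENTRY/"

## Symlink /etc/default/sentry.conf to /etc/rc.d/SENTRY/sentry.conf
ln -s /etc/rc.d/SENTRY/sentry.conf "${new_root}/etc/default/sentry.conf"

## rc.S must be present in /etc/rc.d on the rootdisk.
cp -p "${etc_dir}/rc.d/rc.S" "${new_root}/etc/rc.d/"
##----------------------------------------------------------------------##

##----------------------------------------------------------------------##
## /etc/skel
files=".less .lessrc .screenrc"
for file in ${files}; do
  cp -p "${etc_dir}/skel/${file}" "${new_root}/etc/skel/"
done
##----------------------------------------------------------------------##
sync
echo "Done."
##================================================================##

## Working in /opt.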
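mkdir "${new_root}/opt/nagios"
mkdir "${new_root}/opt/nagios/"{plugins,libexec}
## Link every nagios plugin back to the CD. (The old code saved the working
## directory in $PWD, which bash rewrites on every cd, so the final
## "cd $PWD" never restored anything.)
for i in "${cdrom}/opt/nagios/libexec"/*; do
  name=${i##*/}
  ln -s "${cdrom}/opt/nagios/libexec/${name}" "${new_root}/opt/nagios/libexec/${name}"
done
##================================================================##

## Create or copy drivers.tar.gz, used to support network devices
## during configuration.
if [ ! -x "${new_root}/tmp/drivers" ]; then
  mkdir "${new_root}/tmp/drivers"
fi

## 2.2 ##
## The 2.2 kernel bundle (drivers-2.2.tar.gz, built from
## ${lib_dir}/modules/${kern_22}/net) is disabled along with kern_22
## in the variables block.

## 2.4 ##
if [ -f "${lib_dir}/drivers-2.4.tar.gz" ]; then
  cp -p "${lib_dir}/drivers-2.4.tar.gz" "${new_root}/tmp/drivers/"
else
  ## Create drivers-2.4.tar.gz, file that contains kernel modules
  ## used if configuring over a network.
  modules="3c501 3c507 3c505 3c503 3c509 3c515 lance wd smc9194 \
           smc-ultra smc-ultra32 ni5010 ni65 ni52 at1700 depca \
           hp100 e2100 ewrk3 eexpress eepro hp hp-plus eth16i ne \
           starfire ac3200 cs89x0 dgrs dmfe lne390 ne3210 es3210 \
           sis900 tlan epic100 winbond-840 acenic hamachi yellowfin \
           sundance 3c59x pcnet32 de4x5 tulip eepro100 ne2k-pci via-rhine \
           8139too typhoon amd8111e e100 natsemi 8139cp fealnx"

  ## Modules are collected in a fresh mktemp directory; the old fixed
  ## ${temp}/modules would silently reuse whatever was already there.
  moddir=$(mktemp -d "${temp}/mkrootdsk-modules.XXXXXX") || {
    echo "[-] Could not create a scratch directory under ${temp}. Exiting."
    exit 1
  }
  err="0"
  netdir="${lib_dir}/modules/${kern_24}/kernel/drivers/net"

  echo "[+] Building drivers-2.4.tar.gz(network config support)."
  echo "    [+] Using ${lib_dir}/modules/${kern_24}."

  for i in ${modules}; do
    if [ -f "${netdir}/${i}.o" ]; then
      cp -p "${netdir}/${i}.o" "${moddir}/"
    elif [ "$i" = "tulip" ] || [ "$i" = "e100" ]; then
      ## These two live in their own subdirectory in the 2.4 tree.
      if [ -f "${netdir}/${i}/${i}.o" ]; then
        cp -p "${netdir}/${i}/${i}.o" "${moddir}/"
      else
        err="1"
      fi
    else
      err="1"
    fi
  done

  ## Helper modules the NIC drivers depend on.
  deps="drivers/net/mii.o drivers/net/8390.o lib/crc32.o"
  for i in ${deps}; do
    if [ -f "${lib_dir}/modules/${kern_24}/kernel/${i}" ]; then
      cp -p "${lib_dir}/modules/${kern_24}/kernel/${i}" "${moddir}/"
    else
      err="1"
    fi
  done

  ## Pack in a subshell so the working directory is left untouched.
  ( cd "$moddir" && tar -cf drivers-2.4.tar -- * && gzip -9 drivers-2.4.tar ) \
    || err="1"
  cp -p "${moddir}/drivers-2.4.tar.gz" "${new_root}/tmp/drivers/"
  rm -rf -- "${moddir:?}"

  if [ "$err" = "1" ]; then
    echo "    [-] One or more errors occured while building drivers-2.4.tar.gz."
  fi
fi
sync

##===============================================================##
## Now tar/gzip ${new_root}
echo -n "[+] Tar/Gzipping ${new_root}... "
cd "$base_dir" || {
  echo
  echo "[-] Cannot change to ${base_dir}. Exiting."
  exit 1
}
## Only remove the staging tree once the archive was written; a failed tar
## used to leave nothing behind at all.
if ! tar -cf "${root_files}.tar" "${root_files}"; then
  echo
  echo "[-] tar of ${new_root} failed. Exiting."
  exit 1
fi
sync
gzip -9 "${root_files}.tar"
if [ -e "${new_root}" ]; then
  rm -rf -- "${new_root:?}"
fi
echo "Done."

##===============================================================##
## Zero out a file to use as the new rootdisk.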
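BS=512
## Block count for dd; rootdisk_size is in bytes (see the variables section).
## $(( )) replaces the bash-only 'let'.
COUNT=$((rootdisk_size / BS))
printf '%s' "[+] Zeroing out file: ${base_dir}/${rootdsk}... "
if ! dd if=/dev/zero of="${base_dir}/${rootdsk}" bs="${BS}" count="${COUNT}" >/dev/null 2>&1 \
   || [ ! -f "${base_dir}/${rootdsk}" ]; then
  echo
  echo "[-] Oops, tried to create file ${base_dir}/${rootdsk},"
  echo "    but dd failed or the file does not exist. Exiting."
  exit 1
fi
echo "Done."

##===============================================================##
## Make an ext2 file system on file.
## -F: operate on a plain file; -m0: no reserved blocks; -c: bad-block scan,
## which on a file image mostly just costs time.
printf '%s' "[+] Creating ext2 file system on ${base_dir}/${rootdsk}... "
if ! mke2fs -Fq -c -m0 "${base_dir}/${rootdsk}" >/dev/null 2>&1; then
  echo
  echo "[-] mke2fs failed on ${base_dir}/${rootdsk}. Exiting."
  exit 1
fi
echo "Done."

##===============================================================##
## Mount this new rootdisk on the loopback device.
printf '%s' "[+] Mounting ${rootdsk} on ${mnt_dir}... "
## Fixed-string match with surrounding spaces so a longer path that merely
## starts with ${mnt_dir} is not mistaken for it.
if /bin/mount | grep -F " on ${mnt_dir} " >/dev/null 2>&1; then
  echo
  echo "[-] Oops, ${mnt_dir} already mounted. Exiting."
  exit 1
fi
[ -d "${mnt_dir}" ] || mkdir -p "${mnt_dir}"
if ! mount -o loop -t ext2 "${base_dir}/${rootdsk}" "${mnt_dir}"; then
  echo
  echo "[-] Uh oh, something went wrong trying to mount"
  echo "    ${base_dir}/${rootdsk} on ${mnt_dir}. Exiting."
  exit 1
fi
echo "Done."

##================================================================##
## Copy file to $mnt_dir
printf '%s' "[+] Copying files to rootdisk..."
rm -rf -- "${mnt_dir:?}/lost+found"
mv "${new_root}.tar.gz" "${mnt_dir}/"
mkdir "${mnt_dir}/dev" "${mnt_dir}/bin" "${mnt_dir}/root"
mknod -m666 "${mnt_dir}/dev/null" c 5 1
mknod -m600 "${mnt_dir}/dev/console" c 1 3
mknod -m640 "${mnt_dir}/dev/ram0" b 1 0
## chroot, sh and sync on the rootdisk are all provided by busybox.
ln -s busybox "${mnt_dir}/bin/chroot"
ln -s busybox "${mnt_dir}/bin/sh"
ln -s busybox "${mnt_dir}/bin/sync"
## Decompress busybox straight into the rootdisk rather than through a
## fixed file name under ${temp}: a predictable path in a world-writable
## directory could be swapped out between the copy and the mv, and the
## result is the rootdisk's shell.
if ! bzip2 -dc "${etc_dir}/tmp_bins/busybox.tmp.bz2" > "${mnt_dir}/bin/busybox"; then
  echo
  echo "[-] Failed to extract busybox into ${mnt_dir}/bin. Exiting."
  exit 1
fi
chmod 755 "${mnt_dir}/bin/busybox"
cp -p "${sys_files}/linuxrc" "${mnt_dir}/"
chmod 755 "${mnt_dir}/linuxrc"
echo " Done."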
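##================================================================##
## Prompt to unmount ${base_dir}/${rootdsk}
echo
echo "[+] ${base_dir}/${rootdsk} is still mounted, do you want me"
printf '%s' "    to unmount it? (y/n) "
## Plain 'read -r' instead of the bash-only 'read -n 1': the answer is
## taken after Enter, which also works under a POSIX /bin/sh.
read -r answer
case "${answer}" in
  y|Y)
    echo
    printf '%s' "    [+] Unmounting ${mnt_dir}... "
    if ! umount "${mnt_dir}" >/dev/null 2>&1; then
      echo
      echo "    [-] Uh oh, something went wrong while unmounting ${mnt_dir}. Exiting."
      echo
      exit 1
    fi
    sleep 1
    echo "Done."
    printf '%s' "    [+] Gzipping ${base_dir}/${rootdsk}... "
    ## The compressed image is renamed back to ${rootdsk} so the final
    ## file keeps the original name.
    gzip -9 "${base_dir}/${rootdsk}" || {
      echo
      echo "    [-] gzip of ${base_dir}/${rootdsk} failed. Exiting."
      exit 1
    }
    mv "${base_dir}/${rootdsk}.gz" "${base_dir}/${rootdsk}"
    echo "Done."
    echo
    echo "Location of new rootdisk --> ${base_dir}/${rootdsk}"
    ;;
  *)
    ## Leaving the image mounted is a legitimate choice (see the notes at
    ## the top of the file), so this is not treated as a failure.
    echo
    echo "[-] Ok, ${base_dir}/${rootdsk} still mounted on ${mnt_dir}. Exiting."
    echo
    exit 0
    ;;
esac
sync
echo

## _EOF_ ##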
