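#!/bin/bash --
## Build chrooted ntpd environment.
## Written by Stray Penguin (http://www.asahi-net.or.jp/~aa4t-nngk/)
## Ver.1.0.1
##
## Must be run as root.  Creates the jail under ${chroot_base}, copies
## localtime and ntp.conf into it, generates fresh NTP keys inside the jail
## with ntp-keygen, and replaces the host-side ntp.conf / key files with
## symlinks into the jail.  Real host files that get replaced are kept as
## *.bak copies.

set -u

## Setting variables.

# Directory to chroot to.
chroot_base=/var/chroot/ntpd
# Name of the MD5 key file. Older versions called it `ntp.keys'.
keyfile="keys"
# User and group to run ntpd as.
ntp_user=ntp
ntp_group=ntp
# Key generate utility path.
NTPKEYGEN=/usr/sbin/ntp-keygen
#-- Only for newer NTP which has /etc/ntp/crypto directory --
# Key passwords.  "secret" is only a placeholder; set a real value, or leave
# gen_passwd empty to skip the crypto (Autokey) setup altogether.
# Both values are passed to ntp-keygen on its command line, so they are
# visible in the process list for as long as ntp-keygen runs.
gen_passwd=secret
read_passwd=${gen_passwd}

## Procedure.

# Print a message to stderr and exit with status 1.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# is_link FILE
# Returns 0 when FILE is a symlink whose target contains ${chroot_base},
# i.e. the host file has already been redirected into the jail; 1 otherwise.
is_link() {
  local target
  [[ -L "$1" ]] || return 1
  target=$(readlink -- "$1") || return 1
  [[ "$target" == *"${chroot_base}"* ]]
}

[[ "$(id -u)" == "0" ]] || die "You must become root before run me. exitting.."

# Internal variables (You need not change these).
MYHOST=$(/bin/hostname) || die "cannot determine hostname"
HAVE_CRYPTO=0
ENCRYPTO=0
KEYSTORE="etc/ntp"
NTP_OWNER=${ntp_user}':'${ntp_group}
# Extra ntp-keygen arguments; an array so the passwords are never re-split
# or glob-expanded by the shell.
KEYGENOPT=()

[[ -n "$ntp_user" ]] || die "ntp_user not set. I don't like it. exitting.."
[[ -x "$NTPKEYGEN" ]] || die "$NTPKEYGEN not found or not executable. exitting.."

if [[ -n "$gen_passwd" ]]; then
  [[ -n "$read_passwd" ]] || die "read_passwd not set. I don't like it. exitting.."
  ENCRYPTO=1
  KEYGENOPT=(-p "${gen_passwd}" -q "${read_passwd}")
fi

if [[ -d /etc/ntp/crypto && $ENCRYPTO -eq 1 ]]; then
  KEYSTORE="${KEYSTORE}/crypto"
  HAVE_CRYPTO=1
fi

# Construct the jail directory structure.
mkdir -p -- "$chroot_base" || die "cannot create $chroot_base"
cd -- "$chroot_base" || die "cannot cd to $chroot_base"
mkdir -p etc/ntp var/lib/ntp var/run dev || die "cannot create jail directories"
if [[ ${HAVE_CRYPTO} -eq 1 ]]; then
  # The crypto store is ${KEYSTORE} (etc/ntp/crypto) inside the jail: the
  # key generation below cd's there and the "crypto/..." symlink made in
  # etc/ntp is relative to it.
  mkdir -p -- "$KEYSTORE" || die "cannot create ${chroot_base}/${KEYSTORE}"
  chown "root:${ntp_group}" "$KEYSTORE"
  chmod 750 "$KEYSTORE"
fi
chown "${NTP_OWNER}" var/lib/ntp

# Copy files.
cp -pf /etc/localtime "${chroot_base}/etc" \
  || printf 'warning: could not copy /etc/localtime into the jail\n' >&2
if ! is_link /etc/ntp.conf; then
  [[ -f /etc/ntp.conf ]] || die "/etc/ntp.conf not found. exitting.."
  cp -p -- /etc/ntp.conf /etc/ntp.conf.bak
  cp -pf /etc/ntp.conf "${chroot_base}/etc" || die "cannot copy /etc/ntp.conf into the jail"
fi

# Generate key files and make symlinks.
cd -- "${chroot_base}/${KEYSTORE}" || die "cannot cd to ${chroot_base}/${KEYSTORE}"
rm -f ntpkey_* "$keyfile"
if [[ ${HAVE_CRYPTO} -eq 1 ]]; then
  # Create the password file under a restrictive umask so it is never
  # readable by others, not even between creation and the chmod.
  ( umask 077 && printf 'crypto pw %s\n' "${read_passwd}" > pw ) \
    || die "cannot write ${chroot_base}/${KEYSTORE}/pw"
  chmod 600 pw
  "$NTPKEYGEN" -M "${KEYGENOPT[@]}" || die "ntp-keygen failed"
  chmod 600 ntpkey_MD5key_"${MYHOST}".* ntpkey_RSAkey_"${MYHOST}".*
  cd -- "${chroot_base}/etc/ntp" || die "cannot cd to ${chroot_base}/etc/ntp"
  ln -sf "crypto/ntpkey_MD5_${MYHOST}" "$keyfile"
else
  "$NTPKEYGEN" -M || die "ntp-keygen failed"
  chmod 600 ntpkey_MD5key_"${MYHOST}".*
  cd -- "${chroot_base}/etc/ntp" || die "cannot cd to ${chroot_base}/etc/ntp"
  ln -sf "ntpkey_MD5_${MYHOST}" "$keyfile"
fi

# Point the host-side key files at the jail, backing up real files first.
cd /etc/ntp || die "cannot cd to /etc/ntp"
if [[ -f "$keyfile" ]]; then
  is_link "$keyfile" || cp -p -- "$keyfile" "${keyfile}.bak"
fi
ln -sf "${chroot_base}/etc/ntp/${keyfile}"
cd -- "/${KEYSTORE}" || die "cannot cd to /${KEYSTORE}"
ln -sf "${chroot_base}/${KEYSTORE}/ntpkey_MD5_${MYHOST}"
# NOTE(review): the host/cert links are made even when HAVE_CRYPTO is 0;
# whether ntp-keygen -M creates those files in that case is not checked
# here, so the links may dangle on a non-crypto setup.
ln -sf "${chroot_base}/${KEYSTORE}/ntpkey_host_${MYHOST}"
ln -sf "${chroot_base}/${KEYSTORE}/ntpkey_cert_${MYHOST}"
if [[ -f pw ]]; then
  is_link pw || cp -p -- pw pw.bak
fi
if [[ ${HAVE_CRYPTO} -eq 1 ]]; then
  ln -sf "${chroot_base}/${KEYSTORE}/pw"
fi
cd /etc || die "cannot cd to /etc"
ln -sf "${chroot_base}/etc/ntp.conf"
exit 0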