proj/gentoo: Initial commit

This commit represents a new era for Gentoo:
Storing the gentoo-x86 tree in Git, as converted from CVS.

This commit is the start of the NEW history.
Any historical data is intended to be grafted onto this point.

Creation process:
1. Take final CVS checkout snapshot
2. Remove ALL ChangeLog* files
3. Transform all Manifests to thin
4. Remove empty Manifests
5. Convert all stale $Header$/$Id$ CVS keywords to non-expanded Git $Id$
5.1. Do not touch files with -kb/-ko keyword flags.

Signed-off-by: Robin H. Johnson <robbat2@gentoo.org>
X-Thanks: Alec Warner <antarus@gentoo.org> - did the GSoC 2006 migration tests
X-Thanks: Robin H. Johnson <robbat2@gentoo.org> - infra guy, herding this project
X-Thanks: Nguyen Thai Ngoc Duy <pclouds@gentoo.org> - Former Gentoo developer, wrote Git features for the migration
X-Thanks: Brian Harring <ferringb@gentoo.org> - wrote much python to improve cvs2svn
X-Thanks: Rich Freeman <rich0@gentoo.org> - validation scripts
X-Thanks: Patrick Lauer <patrick@gentoo.org> - Gentoo dev, running new 2014 work in migration
X-Thanks: Michał Górny <mgorny@gentoo.org> - scripts, QA, nagging
X-Thanks: All of other Gentoo developers - many ideas and lots of paint on the bikeshed

5 files changed, 507 insertions, 0 deletions

diff --git a/net-misc/scponly/Manifest b/net-misc/scponly/Manifest
new file mode 100644
index 000000000000..38d1c303bef7
--- /dev/null
+++ b/net-misc/scponly/Manifest
@@ -0,0 +1 @@
+DIST scponly-4.8.tgz 101687 SHA256 1693dd678355749c5d9e48ecdd4628dbfe71d82955afde950ee8d88b5adc01cf SHA512 134c008a7377cef7b8e0be483df8413e162a515967147f561d23b72bdef3dfbe70a8313811dfff6372b88f15c1ac8a4385831fcf329261276993c64d5040f29b WHIRLPOOL 31ed4fda62484dbaa6eb678635a916db3e191ab98bb7ed0e7f6e794ef7d0dac0251e51bf7e627d48c00b17d550ce6dc0ed196fdfa3c2379ca7feec5544b200ba
diff --git a/net-misc/scponly/files/scponly-4.8-gcc4.4.0.patch b/net-misc/scponly/files/scponly-4.8-gcc4.4.0.patch
new file mode 100644
index 000000000000..d08ce28b93b5
--- /dev/null
+++ b/net-misc/scponly/files/scponly-4.8-gcc4.4.0.patch
@@ -0,0 +1,15 @@
+--- helper.c.orig	2009-05-11 00:33:08.000000000 -0600
++++ helper.c	2009-05-11 00:39:59.000000000 -0600
+@@ -259,11 +259,11 @@
+ 							PROG_RSYNC, logstamp());
+ 						return 1;
+ 				}
+ #endif /* RSYNC_COMPAT */
+ 
+-#elif /* HAVE_GETOPT */
++#else /* HAVE_GETOPT */
+ 				/*
+ 				 * make sure that processing doesn't continue if we can't validate a rsync check
+ 				 * and if the getopt flag is set.
+ 				 */
+ 				syslog(LOG_ERR, "a getopt() argument check could not be performed for %s, recompile scponly without support for %s or rebuild scponly with getopt", av[0], av[0]);
diff --git a/net-misc/scponly/files/scponly-4.8-rsync.patch b/net-misc/scponly/files/scponly-4.8-rsync.patch
new file mode 100644
index 000000000000..40ca5e44f215
--- /dev/null
+++ b/net-misc/scponly/files/scponly-4.8-rsync.patch
@@ -0,0 +1,212 @@
+diff -Naur scponly-4.8.orig/CHANGELOG scponly-4.8/CHANGELOG
+--- scponly-4.8.orig/CHANGELOG	2008-01-15 15:26:13.000000000 +0900
++++ scponly-4.8/CHANGELOG	2009-03-18 21:29:48.000000000 +0900
+@@ -1,3 +1,9 @@
++CVS
++	Update the SECURITY document to include a reference to /etc/popt and ~/.popt as
++		they relate to rsync.
++	Fix for rsync-3.0 which now uses a short -e option, with an optional argument as
++		a server side option indicating protocol compatibility.
++
+ scponly v4.8 - jan 14 2008
+ 	fix support for quota and passwd when running within the chroot (exec pre-chroot)
+ 	disallow rsync and svnserve from being run as daemons that listen on a port
+diff -Naur scponly-4.8.orig/SECURITY scponly-4.8/SECURITY
+--- scponly-4.8.orig/SECURITY	2008-01-15 15:26:13.000000000 +0900
++++ scponly-4.8/SECURITY	2009-03-18 21:29:48.000000000 +0900
+@@ -28,6 +28,10 @@
+ 
+ 	  svn, svnserve, rsync, and unison
+ 
++	  Note specifically that rsync uses popt for parsing command line arguments
++	  and popt explicitly checks /etc/popt and $HOME/.popt for aliases. Thus,
++	  users can likely bypass argument checking for rsync.
++
+ 4) Make sure that all files required for the chroot have the IMMUTABLE and
+    UNDELETABLE bits set.  Other bits might also be prudent. See: man 1 chattr.
+ 
+@@ -39,13 +43,16 @@
+    ~/.ssh, ~/.unison, ~/.subversion
+ 
+    NOTE: depending on file permissions in the above, ssh, unison, and
+-   subversion may not work correctly.
++   subversion may not work correctly.  Also note that the location of the
++   above directories is sometimes system dependent, so please check the
++   documentation specific to your system.
+ 
+ 7) Make sure that every directory the users have write permissions to are
+    on a filesystem that is mounted NODEV, NOEXEC.  Eg. Make sure that they
+    cannot execute files that they have permissions to upload.  They should
+    also not need permissions to create any devices.  If the user can't execute
+-   any files that he has access to upload, then you need not worry about the
++   any files that he has access to upload and the executable files on the
++   system are not considered harmful, then you need not worry about the
+    security problems referencing svn/svnserve above!
+ 
+ 8) Monitor your logs!  If you start to see something funny, odd, or strange in
+diff -Naur scponly-4.8.orig/helper.c scponly-4.8/helper.c
+--- scponly-4.8.orig/helper.c	2008-01-15 15:26:13.000000000 +0900
++++ scponly-4.8/helper.c	2009-03-18 21:29:48.000000000 +0900
+@@ -6,17 +6,15 @@
+ #include <sys/types.h>	/* for stat, getpwuid */
+ #include <sys/stat.h>	/* for stat */
+ #include <unistd.h>	/* for exit, access, getpwuid, execve, getopt */
+-#ifdef HAVE_GETOPT_H
+-#include <getopt.h> /* for getopt */
+-#endif
+ #include <errno.h>	/* for debugging */
+ #include <pwd.h>	/* to get username for config parsing */
+ #include <time.h>	/* time */
+ #include <libgen.h>	/* basename */
+ #include <stdlib.h>	/* realloc */
+ #include <syslog.h>
+-#include "scponly.h"
++
+ #include "config.h"
++#include "scponly.h" /* includes getopt */
+ 
+ #ifdef HAVE_GLOB
+ #include <glob.h>	/* for glob() */
+@@ -26,6 +24,11 @@
+ #endif
+ #endif
+ 
++#ifdef RSYNC_COMPAT
++#define RSYNC_ARG_SERVER 0x01
++#define RSYNC_ARG_EXECUTE 0x02
++#endif
++
+ #define MAX(x,y)	( ( x > y ) ? x : y )
+ #define MIN(x,y)	( ( x < y ) ? x : y )
+ 
+@@ -164,6 +167,13 @@
+ 	int			ch;
+ 	int			ac=0;
+ 	int			longopt_index = 0;
++#ifdef RSYNC_COMPAT
++	/* 
++	 * bitwise flag: 0x01 = server, 0x02 = -e.
++	 * Thus 0x03 is allowed and 0x01 is allowed, but 0x02 is not allowed
++	 */
++	int			rsync_flags = 0; 
++#endif /* RSYNC_COMPAT */
+ 
+ 	while (cmdarg != NULL)
+ 	{
+@@ -207,7 +217,7 @@
+ 				 *	otherwise, try a glibc-style reset of the global getopt vars
+ 				 */
+ 				optind=0;
+-#endif
++#endif /* HAVE_OPTRESET */
+ 				/*
+ 				 *	tell getopt to only be strict if the 'opts' is well defined
+ 				 */
+@@ -216,28 +226,49 @@
+ 					
+ 					debug(LOG_DEBUG, "getopt processing returned '%c' (%s)", ch, logstamp());
+ 					
++#ifdef RSYNC_COMPAT
++					if (exact_match(cmdarg->name, PROG_RSYNC) && (ch == 's' || ch == 'e')) {
++						if (ch == 's')
++							rsync_flags |= RSYNC_ARG_SERVER;
++						else
++							/* -e */
++							rsync_flags |= RSYNC_ARG_EXECUTE;
++						debug(LOG_DEBUG, "rsync_flags are now set to: %0x", rsync_flags);
++					}
++					else
++#endif /* RSYNC_COMPAT */
++
+ 					/* if the character is found in badarg, then it's not a permitted option */
+ 					if (cmdarg->badarg != NULL && (strchr(cmdarg->badarg, ch) != NULL))
+ 					{
+ 						syslog(LOG_ERR, "option '%c' or a related long option is not permitted for use with %s (arg was %s) (%s))", 
+-							ch, cmdarg->name, optarg, logstamp());
++							ch, cmdarg->name, (optarg!=NULL ? optarg : "<NULL>"), logstamp());
+ 						return 1;
+ 					}
+ 					else if (cmdarg->strict && ch == '?')
+ 					{
+ 						syslog(LOG_ERR, "an unrecognized option was encountered while processing cmd %s (arg was %s) (%s))", 
+-							cmdarg->name, optarg, logstamp());
++							cmdarg->name, (optarg!=NULL ? optarg : "<NULL>"), logstamp());
+ 						return 1;
+ 					}
+ 				}
+-#elif
++#ifdef RSYNC_COMPAT
++				/* it's not safe if the execute flag was set and server was not set */
++				if ((rsync_flags & RSYNC_ARG_EXECUTE) != 0 && (rsync_flags & RSYNC_ARG_SERVER) == 0) {
++						syslog(LOG_ERR, "option 'e' is not allowed unless '--server' is also set with cmd %s (%s)", 
++							PROG_RSYNC, logstamp());
++						return 1;
++				}
++#endif /* RSYNC_COMPAT */
++
++#elif /* HAVE_GETOPT */
+ 				/*
+ 				 * make sure that processing doesn't continue if we can't validate a rsync check
+ 				 * and if the getopt flag is set.
+ 				 */
+ 				syslog(LOG_ERR, "a getopt() argument check could not be performed for %s, recompile scponly without support for %s or rebuild scponly with getopt", av[0], av[0]);
+ 				return 1;
+-#endif
++#endif /* HAVE_GETOPT */
+ 			}
+ 			else
+ 			/*
+diff -Naur scponly-4.8.orig/scponly.c scponly-4.8/scponly.c
+--- scponly-4.8.orig/scponly.c	2008-01-15 15:28:24.000000000 +0900
++++ scponly-4.8/scponly.c	2009-03-18 21:29:48.000000000 +0900
+@@ -91,16 +91,18 @@
+ 
+ #ifdef RSYNC_COMPAT
+ struct option rsync_longopts[] = {
++	/* options we need to know about that are safe */
++	{"server",			0,	0,		(int)'s'},
+ 	/* I use 'e' for val here because that's what's listed in cmd_arg_t->badarg  */
+-	{"rsh", 			1,	0,		(int)'e'},
++	{"rsh", 			1,	0,		(int)'r'},
+ 	/* the following are disabled because they use daemon mode */
+-	{"daemon",			0,	0,		(int)'e'},
+-	{"rsync-path",		1,	0,		(int)'e'},
+-	{"address",			1,	0,		(int)'e'},
+-	{"port",			1,	0,		(int)'e'},
+-	{"sockopts",		1,	0,		(int)'e'},
+-	{"config",			1,	0,		(int)'e'},
+-	{"no-detach",		0,	0,		(int)'e'},
++	{"daemon",			0,	0,		(int)'d'},
++	{"rsync-path",		1,	0,		(int)'d'},
++	{"address",			1,	0,		(int)'d'},
++	{"port",			1,	0,		(int)'d'},
++	{"sockopts",		1,	0,		(int)'d'},
++	{"config",			1,	0,		(int)'d'},
++	{"no-detach",		0,	0,		(int)'d'},
+ 	{ NULL,				0,	NULL,	0 },
+ 	};
+ #endif
+@@ -157,7 +159,7 @@
+ 	{ PROG_SCP, 		1, 				1,				"SoF",			"dfl:prtvBCc:i:P:q1246S:o:F:", empty_longopts },
+ #endif
+ #ifdef RSYNC_COMPAT
+-	{ PROG_RSYNC, 		1, 				0,				"e",			"e:",			rsync_longopts },
++	{ PROG_RSYNC, 		1, 				0,				"rde",			"e::",			rsync_longopts },
+ #endif	
+ #ifdef UNISON_COMPAT	
+ 	{ PROG_UNISON, 		0, 				0,				"-rshcmd",		NULL, 			empty_longopts },
+diff -Naur scponly-4.8.orig/scponly.h scponly-4.8/scponly.h
+--- scponly-4.8.orig/scponly.h	2008-01-15 15:26:13.000000000 +0900
++++ scponly-4.8/scponly.h	2009-03-18 21:29:48.000000000 +0900
+@@ -1,6 +1,9 @@
+ #include <stdio.h>	/* FILENAME_MAX */
+-#include <getopt.h> /* struct option */ 
+-#include "config.h"
++#include "config.h" /* include before most other files */
++
++#ifdef HAVE_GETOPT_H
++#include <getopt.h> /* for struct option for getopt */
++#endif
+ 
+ #define MAX_USERNAME 32
+ #define MAX_REQUEST (1024)		/* any request exceeding this is truncated */
diff --git a/net-misc/scponly/metadata.xml b/net-misc/scponly/metadata.xml
new file mode 100644
index 000000000000..0237ba9cc5f0
--- /dev/null
+++ b/net-misc/scponly/metadata.xml
@@ -0,0 +1,30 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+	<maintainer>
+		<email>maintainer-needed@gentoo.org</email>
+	</maintainer>
+	<longdescription lang="en">
+		scponly is an alternative 'shell' (of sorts) for system administrators
+		who would like to provide access to remote users to both read and write
+		local files without providing any remote execution priviledges.
+		Functionally, it is best described as a wrapper to the tried and true
+		ssh suite of applications.
+	</longdescription>
+	<use>
+		<flag name="rsync">Enables rsync compatibility with potential security risks</flag>
+		<flag name="unison">Enables Unison compatibility with potential security risks</flag>
+		<flag name="subversion">Enables Subversion compatibility with potential security risks</flag>
+		<flag name="winscp">Enables WinSCP 2.0 compatibility with potential security risks</flag>
+		<flag name="scp">Enables scp compatibility with potential security risks</flag>
+		<flag name="sftp">Enables SFTP compatibility</flag>
+		<flag name="gftp">Enables gFTP compatibility</flag>
+		<flag name="quota">Enables quota compatibility</flag>
+		<flag name="passwd">Enables passwd compatibility</flag>
+		<flag name="logging">Enables SFTP logging compatibility</flag>
+		<flag name="wildcards">Enables wildcard processing with potential security risks</flag>
+	</use>
+	<upstream>
+		<remote-id type="sourceforge">scponly</remote-id>
+	</upstream>
+</pkgmetadata>
diff --git a/net-misc/scponly/scponly-4.8-r5.ebuild b/net-misc/scponly/scponly-4.8-r5.ebuild
new file mode 100644
index 000000000000..a39e354d2af1
--- /dev/null
+++ b/net-misc/scponly/scponly-4.8-r5.ebuild
@@ -0,0 +1,249 @@
+# Copyright 1999-2014 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI=5
+inherit eutils multilib readme.gentoo toolchain-funcs user
+
+DESCRIPTION="A tiny pseudoshell which only permits scp and sftp"
+HOMEPAGE="http://www.sublimation.org/scponly/"
+SRC_URI="mirror://sourceforge/scponly/${P}.tgz"
+
+LICENSE="BSD-2"
+SLOT="0"
+KEYWORDS="amd64 ppc sparc x86"
+IUSE="+sftp scp winscp gftp rsync unison subversion wildcards quota passwd logging"
+REQUIRED_USE="
+	|| ( sftp scp winscp rsync unison subversion )
+"
+
+RDEPEND="
+	sys-apps/sed
+	net-misc/openssh
+	quota? ( sys-fs/quota )
+	rsync? ( net-misc/rsync )
+	subversion? ( dev-vcs/subversion )
+"
+DEPEND="${RDEPEND}"
+
+myuser="scponly"
+myhome="/home/${myuser}"
+mysubdir="/pub"
+
+DOC_CONTENTS="
+	You might want to run\n
+	emerge --config =${CATEGORY}/${PF}\n
+	\nto setup the chroot. Otherwise you will have to setup chroot manually
+	Please read the docs in /usr/share/doc/${PF} for more informations, also
+	the SECURITY file.
+"
+
+src_prepare() {
+	epatch "${FILESDIR}/${P}-rsync.patch"
+	# bug #269242
+	epatch "${FILESDIR}/${P}-gcc4.4.0.patch"
+}
+
+src_configure() {
+	CFLAGS="${CFLAGS} ${LDFLAGS}" econf \
+		--with-sftp-server="/usr/$(get_libdir)/misc/sftp-server" \
+		--disable-restrictive-names \
+		--enable-chrooted-binary \
+		--enable-chroot-checkdir \
+		$(use_enable winscp winscp-compat) \
+		$(use_enable gftp gftp-compat) \
+		$(use_enable scp scp-compat) \
+		$(use_enable sftp sftp) \
+		$(use_enable quota quota-compat) \
+		$(use_enable passwd passwd-compat) \
+		$(use_enable rsync rsync-compat) \
+		$(use_enable unison unison-compat) \
+		$(use_enable subversion svn-compat) \
+		$(use_enable subversion svnserv-compat) \
+		$(use_enable logging sftp-logging-compat) \
+		$(use_enable wildcards wildcards)
+}
+
+src_compile() {
+	emake CC=$(tc-getCC)
+}
+
+src_install() {
+	emake DESTDIR="${D}" install
+
+	dodoc AUTHOR BUILDING-JAILS.TXT CHANGELOG CONTRIB README SECURITY TODO
+
+	# don't compress setup-script, so it is usable if necessary
+	insinto /usr/share/doc/${PF}/chroot
+	doins setup_chroot.sh config.h
+
+	readme.gentoo_create_doc
+}
+
+pkg_postinst() {
+	# two slashes ('//') are used by scponlyc to determine the chroot point.
+	enewgroup "${myuser}"
+	enewuser "${myuser}" -1 /usr/sbin/scponlyc "${myhome}//" "${myuser}"
+
+	readme.gentoo_print_elog
+}
+
+pkg_config() {
+	# pkg_postinst is based on ${S}/setup_chroot.sh.
+
+	einfo "Collecting binaries and libraries..."
+
+	# Binaries launched in sftp compat mode
+	if has_version "=${CATEGORY}/${PF}[sftp]" ; then
+		BINARIES="/usr/$(get_libdir)/misc/sftp-server"
+	fi
+
+	# Binaries launched by vanilla- and WinSCP modes
+	if has_version "=${CATEGORY}/${PF}[scp]" || \
+		has_version "=${CATEGORY}/${PF}[winscp]" ; then
+		BINARIES="${BINARIES} /usr/bin/scp /bin/ls /bin/rm /bin/ln /bin/mv"
+		BINARIES="${BINARIES} /bin/chmod /bin/chown /bin/chgrp /bin/mkdir /bin/rmdir"
+	fi
+
+	# Binaries launched in WinSCP compatibility mode
+	if has_version "=${CATEGORY}/${PF}[winscp]" ; then
+		BINARIES="${BINARIES} /bin/pwd /bin/groups /usr/bin/id /bin/echo"
+	fi
+
+	# Rsync compatability mode
+	if has_version "=${CATEGORY}/${PF}[rsync]" ; then
+		BINARIES="${BINARIES} /usr/bin/rsync"
+	fi
+
+	# Unison compatability mode
+	if has_version "=${CATEGORY}/${PF}[unison]" ; then
+		BINARIES="${BINARIES} /usr/bin/unison"
+	fi
+
+	# subversion cli/svnserv compatibility
+	if has_version "=${CATEGORY}/${PF}[subversion]" ; then
+		BINARIES="${BINARIES} /usr/bin/svn /usr/bin/svnserve"
+	fi
+
+	# passwd compatibility
+	if has_version "=${CATEGORY}/${PF}[passwd]" ; then
+		BINARIES="${BINARIES} /bin/passwd"
+	fi
+
+	# quota compatibility
+	if has_version "=${CATEGORY}/${PF}[quota]" ; then
+		BINARIES="${BINARIES} /usr/bin/quota"
+	fi
+
+	# build lib dependencies
+	LIB_LIST=$(ldd ${BINARIES} | sed -n 's:.* => \(/[^ ]\+\).*:\1:p' | sort -u)
+
+	# search and add ld*.so
+	for LIB in /$(get_libdir)/ld.so /libexec/ld-elf.so /libexec/ld-elf.so.1 \
+		/usr/libexec/ld.so /$(get_libdir)/ld-linux*.so.2 /usr/libexec/ld-elf.so.1; do
+		[ -f "${LIB}" ] && LIB_LIST="${LIB_LIST} ${LIB}"
+	done
+
+	# search and add libnss_*.so
+	for LIB in /$(get_libdir)/libnss_{compat,files}*.so.*; do
+		[ -f "${LIB}" ] && LIB_LIST="${LIB_LIST} ${LIB}"
+	done
+
+	# create base dirs
+	if [ ! -d "${myhome}" ]; then
+		einfo "Creating ${myhome}"
+		install -o0 -g0 -m0755 -d "${myhome}"
+	else
+		einfo "Setting owner for ${myhome}"
+		chown 0:0 "${myhome}"
+	fi
+
+	if [ ! -d "${myhome}/etc" ]; then
+		einfo "Creating ${myhome}/etc"
+		install -o0 -g0 -m0755 -d "${myhome}/etc"
+	fi
+
+	if [ ! -d "${myhome}/$(get_libdir)" ]; then
+		einfo "Creating ${myhome}/$(get_libdir)"
+		install -o0 -g0 -m0755 -d "${myhome}/$(get_libdir)"
+	fi
+
+	if [ ! -e "${myhome}/lib" ]; then
+		einfo "Creating ${myhome}/lib"
+		ln -snf $(get_libdir) "${myhome}/lib"
+	fi
+
+	if [ ! -d "${myhome}/usr/$(get_libdir)" ]; then
+		einfo "Creating ${myhome}/usr/$(get_libdir)"
+		install -o0 -g0 -m0755 -d "${myhome}/usr/$(get_libdir)"
+	fi
+
+	if [ ! -e "${myhome}/usr/lib" ]; then
+		einfo "Creating ${myhome}/usr/lib"
+		ln -snf $(get_libdir) "${myhome}/usr/lib"
+	fi
+
+	if [ ! -d "${myhome}${mysubdir}" ]; then
+		einfo "Creating ${myhome}${mysubdir} directory for uploading files"
+		install -o${myuser} -g${myuser} -m0755 -d "${myhome}${mysubdir}"
+	fi
+
+	# create /dev/null (Bug 135505)
+	if [ ! -e "${myhome}/dev/null" ]; then
+		install -o0 -g0 -m0755 -d "${myhome}/dev"
+		mknod -m0777 "${myhome}/dev/null" c 1 3
+	fi
+
+	# install binaries
+	for BIN in ${BINARIES}; do
+		einfo "Install ${BIN}"
+		install -o0 -g0 -m0755 -d "${myhome}$(dirname ${BIN})"
+		if [ "${BIN}" = "/bin/passwd" ]; then  # needs suid
+			install -p -o0 -g0 -m04711 "${BIN}" "${myhome}/${BIN}"
+		else
+			install -p -o0 -g0 -m0755 "${BIN}" "${myhome}/${BIN}"
+		fi
+	done
+
+	# install libs
+	for LIB in ${LIB_LIST}; do
+		einfo "Install ${LIB}"
+		install -o0 -g0 -m0755 -d "${myhome}$(dirname ${LIB})"
+		install -p -o0 -g0 -m0755 "${LIB}" "${myhome}/${LIB}"
+	done
+
+	# create ld.so.conf
+	einfo "Creating /etc/ld.so.conf"
+	for LIB in ${LIB_LIST}; do
+		dirname ${LIB}
+	done | sort -u | while read DIR; do
+		if ! grep 2>/dev/null -q "^${DIR}$" "${myhome}/etc/ld.so.conf"; then
+			echo "${DIR}" >> "${myhome}/etc/ld.so.conf"
+		fi
+	done
+	ldconfig -r "${myhome}"
+
+	# update shells
+	einfo "Updating /etc/shells"
+	grep 2>/dev/null -q "^/usr/bin/scponly$" /etc/shells \
+		|| echo "/usr/bin/scponly" >> /etc/shells
+
+	grep 2>/dev/null -q "^/usr/sbin/scponlyc$" /etc/shells \
+		|| echo "/usr/sbin/scponlyc" >> /etc/shells
+
+	# create /etc/passwd
+	if [ ! -e "${myhome}/etc/passwd" ]; then
+		(
+			echo "root:x:0:0:root:/:/bin/sh"
+			sed -n "s|^\(${myuser}:[^:]*:[^:]*:[^:]*:[^:]*:\).*|\1${mysubdir}:/bin/sh|p" /etc/passwd
+		) > "${myhome}/etc/passwd"
+	fi
+
+	# create /etc/group
+	if [ ! -e "${myhome}/etc/group" ]; then
+		(
+			echo "root:x:0:"
+			sed -n "s|^\(${myuser}:[^:]*:[^:]*:\).*|\1|p" /etc/group
+		) > "${myhome}/etc/group"
+	fi
+}