From owner-freebsd-questions@FreeBSD.ORG Fri Sep 24 15:51:02 2004
From: Matthew Seaman
To: Michael Sharp
Cc: freebsd-security@FreeBSD.ORG, freebsd-questions@FreeBSD.ORG
Subject: Re: chroot
Date: Fri, 19 Jul 2002 09:01:25 +0100
Message-id: <20020719080125.GA4662@happy-idiot-talk.infracaninophi>
In-reply-to: <1085.192.168.1.4.1027045379.squirrel@webmail.probsd.ws>

On Thu, Jul 18, 2002 at 10:22:59PM -0400, Michael Sharp wrote:
> I installed ( or so I thought ) a chroot env last night and ran into some
> difficulties. Could someone very familiar with openssh/chroot glance
> over http://probsd.ws/chroot.txt and tell me what I did wrong please?
>
> chroot.txt is an EXTREMELY detailed example of what I did, and script
> output of the ssh connection to the chroot.

Hmmm... you are almost reinventing the concept of jail(8) here, which
might be a better solution for you. The main difference from what
you're doing is that a jailed sshd process would get its own separate
IP number.

Some things you might find useful:

i) Copy /dev/MAKEDEV into your chrooted area and use that to create
   the device files you need (MAKEDEV creates the nodes in the
   current directory, so cd there first):

    cp -p /dev/MAKEDEV /home/chrootuser/dev
    cd /home/chrootuser/dev && sh ./MAKEDEV jail

   --- the `jail' target should get you an appropriate set of devices.

ii) Set up an additional logging socket in your chroot area and modify
    your syslogd flags to pick up syslog messages from there. You'll
    also need a copy of /etc/localtime in the chroot area so that your
    syslog messages get the correct timestamp:

    mkdir -p /home/chrootuser/var/run /home/chrootuser/etc
    cp -p /etc/localtime /home/chrootuser/etc/localtime
    cp /etc/rc.conf /etc/rc.conf.bak
    echo 'syslogd_flags="-s -l /home/chrootuser/var/run/log"' >> /etc/rc.conf
    kill `cat /var/run/syslogd.pid`
    /usr/sbin/syslogd -s -l /home/chrootuser/var/run/log

    You can then turn up the logging level in
    /home/chrootuser/etc/ssh/sshd_config by altering the LogLevel
    value: a LogLevel of DEBUG3 will give you a great deal of output
    showing a blow by blow account of just about everything the sshd
    does.

iii) Make sure you can resolve addresses in the DNS from your chroot
     environment. It should be sufficient to copy over /etc/resolv.conf:

    cp -p /etc/resolv.conf /home/chrootuser/etc/resolv.conf

iv) If you want to be able to run ps(1) from the chroot area, then you
    need to mount a procfs(5) file system inside your chroot area.
    This isn't really necessary for sshd to operate correctly though:

    cp /etc/fstab /etc/fstab.bak
    mkdir -p /home/chrootuser/proc
    echo 'proc /home/chrootuser/proc procfs rw 0 0' >> /etc/fstab
    mount /home/chrootuser/proc

	cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.
26 The Paddocks, Savill Way, Marlow, Bucks., SL7 1TH UK
Tel: +44 1628 476614    Fax: +44 0870 0522645
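The reply above lists the pieces a chrooted sshd needs (device nodes, a syslog socket plus localtime, resolv.conf, optionally procfs). As an added example that is not part of the original thread, this POSIX shell function audits a chroot tree for those pieces; the root path argument, the set of device names checked and the use of /proc/curproc as the procfs marker are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): audit a chroot tree for the
# items the reply lists. Root path is $1 (e.g. /home/chrootuser); the device
# names checked and the procfs marker file are assumptions.
chroot_check() {
    root=$1
    missing=0
    # i) device nodes from MAKEDEV's jail target: insist on a character
    #    device (-c); a plain file named /dev/null is a classic mistake.
    for dev in null zero random urandom tty; do
        if [ ! -c "$root/dev/$dev" ]; then
            echo "MISSING device node: $root/dev/$dev"
            missing=$((missing + 1))
        fi
    done
    # ii) the socket syslogd -l creates, and localtime for correct timestamps
    if [ ! -S "$root/var/run/log" ]; then
        echo "MISSING syslog socket: $root/var/run/log (syslogd -l not running?)"
        missing=$((missing + 1))
    fi
    if [ ! -f "$root/etc/localtime" ]; then
        echo "MISSING timezone file: $root/etc/localtime"
        missing=$((missing + 1))
    fi
    # iii) DNS resolution from inside the chroot
    if [ ! -f "$root/etc/resolv.conf" ]; then
        echo "MISSING resolver config: $root/etc/resolv.conf"
        missing=$((missing + 1))
    fi
    # sshd's own config, where LogLevel is raised while debugging
    if [ ! -f "$root/etc/ssh/sshd_config" ]; then
        echo "MISSING sshd config: $root/etc/ssh/sshd_config"
        missing=$((missing + 1))
    fi
    # iv) procfs is optional for sshd: report it, but do not count it
    if [ -d "$root/proc" ] && [ ! -e "$root/proc/curproc" ]; then
        echo "NOTE: $root/proc exists but no procfs is mounted (only needed for ps)"
    fi
    echo "$missing required item(s) missing under $root"
    return "$missing"
}

# Usage: chroot_check /home/chrootuser ; exit status is the number missing
if [ $# -eq 1 ]; then chroot_check "$1"; fi
```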