Date:      Fri, 19 Jul 2002 09:01:25 +0100
From:      Matthew Seaman <m.seaman@infracaninophile.co.uk>
To:        Michael Sharp <freebsd@ec.rr.com>
Cc:        freebsd-security@FreeBSD.ORG, freebsd-questions@FreeBSD.ORG
Subject:   Re: chroot
Message-ID:  <20020719080125.GA4662@happy-idiot-talk.infracaninophi>
In-Reply-To: <1085.192.168.1.4.1027045379.squirrel@webmail.probsd.ws>
References:  <1085.192.168.1.4.1027045379.squirrel@webmail.probsd.ws>

On Thu, Jul 18, 2002 at 10:22:59PM -0400, Michael Sharp wrote:
> I installed ( or so I thought ) a chroot env last night and ran into some
> difficulties.  Could someone very familiar with openssh/chroot glance
> over http://probsd.ws/chroot.txt   and tell me what I did wrong please?
> 
> chroot.txt is an EXTREMELY detailed example of what I did, and script
> output of the ssh connection to the chroot.

Hmmm... you are almost reinventing the concept of jail(8) here, which
might be a better solution for you.  The main difference from what
you're doing is that a jailed sshd process would get its own separate
IP number.

Some things you might find useful:

i) Copy /dev/MAKEDEV into your chrooted area and use that to create
the device files you need:

    cp -p /dev/MAKEDEV /home/chrootuser/dev
    # MAKEDEV creates the nodes in the current directory, so cd there first
    (cd /home/chrootuser/dev && sh MAKEDEV jail)

 --- the `jail' target should get you an appropriate set of devices.

ii) Set up an additional logging socket in your chroot area and modify
your syslogd flags to pick up syslog messages from there.  You'll also
need a copy of /etc/localtime in the chroot area so that your syslog
messages get the correct timestamp:

    mkdir -p /home/chrootuser/var/run
    cp -p /etc/localtime /home/chrootuser/etc/localtime
    cp /etc/rc.conf /etc/rc.conf.bak
    echo 'syslogd_flags="-s -l /home/chrootuser/var/run/log"' >> /etc/rc.conf
    kill `cat /var/run/syslogd.pid`
    /usr/sbin/syslogd -s -l /home/chrootuser/var/run/log

You can then turn up the logging level in
/home/chrootuser/etc/ssh/sshd_config by altering the LogLevel value: a
LogLevel of DEBUG3 will give you a great deal of output showing a blow
by blow account of just about everything the sshd does.

iii) Make sure you can resolve addresses in the DNS from your chroot
environment.  It should be sufficient to copy over /etc/resolv.conf

    cp -p /etc/resolv.conf /home/chrootuser/etc/resolv.conf

iv) If you want to be able to run ps(1) from the chroot area, then you
need to mount a procfs(5) file system inside your chroot area.  This
isn't really necessary for sshd to operate correctly though:

    cp /etc/fstab /etc/fstab.bak
    cat <<EOF >>/etc/fstab
proc	/home/chrootuser/proc	procfs	rw	0	0
EOF
    mount /home/chrootuser/proc

	cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
                                                      Savill Way
Tel: +44 1628 476614                                  Marlow
Fax: +44 0870 0522645                                 Bucks., SL7 1TH UK

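The four points above, gathered into one script as an added example (this is not code from the mail or from FreeBSD; it is mine). It assumes the chroot root from the mail, /home/chrootuser, a FreeBSD 4.x host where /dev/MAKEDEV is a script, and a list of files and device nodes a chrooted sshd needs that is my assumption, not the poster's. Besides laying the tree out it audits it, which is what you want when sshd dies silently inside the chroot: each missing directory, file, device node or syslog socket is printed, and a copy of etc/localtime that no longer matches the host copy is flagged because that is exactly the case where log timestamps quietly drift.

```shell
#!/bin/sh
# Added example, not from the mail above: lay out and audit a minimal sshd
# chroot on FreeBSD 4.x. $CHROOT, REQ_DIRS, REQ_FILES and REQ_DEVS are my
# assumptions (what sshd needs beyond its binary and shared libraries).
CHROOT=${CHROOT:-/home/chrootuser}

REQ_DIRS="dev etc etc/ssh var/run"                       # assumed layout
REQ_FILES="etc/localtime etc/resolv.conf etc/ssh/sshd_config"
REQ_DEVS="dev/null dev/urandom"                           # assumed: nodes sshd cannot run without

rcconf_syslogd_line() { printf 'syslogd_flags="-s -l %s/var/run/log"\n' "$1"; }
fstab_procfs_line()   { printf 'proc\t%s/proc\tprocfs\trw\t0\t0\n' "$1"; }

make_layout() {   # directories only; device nodes and the syslog socket come later
    for d in $REQ_DIRS; do mkdir -p "$1/$d"; done
}

copy_host_files() {   # cp -p keeps the host mtimes, so divergence is easy to spot later
    for f in /etc/localtime /etc/resolv.conf; do
        if [ -f "$f" ]; then cp -p "$f" "$1$f"; fi
    done
}

make_devices() {   # FreeBSD 4.x MAKEDEV is a script that creates nodes in the current directory
    if [ -f /dev/MAKEDEV ]; then
        cp -p /dev/MAKEDEV "$1/dev/" && (cd "$1/dev" && sh MAKEDEV jail)
    else
        echo "no /dev/MAKEDEV on this host; create $REQ_DEVS another way" >&2
        return 1
    fi
}

set_rcconf_syslogd() {   # append the -l flag once; a second syslogd_flags= line is a silent conflict
    rc=${2:-/etc/rc.conf}
    if grep -q '^syslogd_flags=' "$rc" 2>/dev/null; then
        echo "syslogd_flags already set in $rc; merge by hand: $(rcconf_syslogd_line "$1")" >&2
        return 1
    fi
    cp -p "$rc" "$rc.bak" && rcconf_syslogd_line "$1" >> "$rc"
}

restart_syslogd() {   # as in the mail: stop the running daemon, restart it with the extra socket
    kill "$(cat /var/run/syslogd.pid)" && sleep 1 &&
    /usr/sbin/syslogd -s -l "$1/var/run/log"
}

list_gaps() {   # one line per thing the chroot still lacks
    for d in $REQ_DIRS;  do [ -d "$1/$d" ] || echo "missing dir: $1/$d";  done
    for f in $REQ_FILES; do [ -f "$1/$f" ] || echo "missing file: $1/$f"; done
    for v in $REQ_DEVS;  do [ -c "$1/$v" ] || echo "missing node: $1/$v"; done
    [ -S "$1/var/run/log" ] || echo "no syslog socket at $1/var/run/log (syslogd not restarted with -l?)"
    if [ -f "$1/etc/localtime" ] && ! cmp -s /etc/localtime "$1/etc/localtime"; then
        echo "etc/localtime differs from the host copy: syslog timestamps will be wrong"
    fi
}

count_missing() { list_gaps "$1" | wc -l | tr -d ' '; }

if [ "${1:-}" = setup ]; then   # run as root on the FreeBSD host: sh chroot-sshd.sh setup
    make_layout "$CHROOT" && copy_host_files "$CHROOT" && make_devices "$CHROOT"
    set_rcconf_syslogd "$CHROOT" && restart_syslogd "$CHROOT"
    fstab_procfs_line "$CHROOT"     # optional: append to /etc/fstab and mount it if you want ps(1)
    list_gaps "$CHROOT"
fi
```

Run it with `setup` once as root, then run `list_gaps` again after sshd has been started in the chroot: an empty result means the pieces the mail lists are in place, and anything still printed is the first thing to look at before turning LogLevel up to DEBUG3.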