From owner-freebsd-security Fri Jul 19 1: 2:24 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 4E75337B400; Fri, 19 Jul 2002 01:02:18 -0700 (PDT) Received: from smtp.infracaninophile.co.uk (happy-idiot-talk.infracaninophile.co.uk [81.2.69.218]) by mx1.FreeBSD.org (Postfix) with ESMTP id C624743E6A; Fri, 19 Jul 2002 01:02:16 -0700 (PDT) (envelope-from m.seaman@infracaninophile.co.uk) Received: from happy-idiot-talk.infracaninophile.co.uk (localhost.infracaninophile.co.uk [IPv6:::1]) by smtp.infracaninophile.co.uk (8.12.5/8.12.5) with ESMTP id g6J81VXZ005392; Fri, 19 Jul 2002 09:01:31 +0100 (BST) (envelope-from matthew@happy-idiot-talk.infracaninophile.co.uk) Received: (from matthew@localhost) by happy-idiot-talk.infracaninophile.co.uk (8.12.5/8.12.5/Submit) id g6J81Pru005391; Fri, 19 Jul 2002 09:01:25 +0100 (BST) Date: Fri, 19 Jul 2002 09:01:25 +0100 From: Matthew Seaman To: Michael Sharp Cc: freebsd-security@FreeBSD.ORG, freebsd-questions@FreeBSD.ORG Subject: Re: chroot Message-ID: <20020719080125.GA4662@happy-idiot-talk.infracaninophi> References: <1085.192.168.1.4.1027045379.squirrel@webmail.probsd.ws> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <1085.192.168.1.4.1027045379.squirrel@webmail.probsd.ws> User-Agent: Mutt/1.5.1i Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Thu, Jul 18, 2002 at 10:22:59PM -0400, Michael Sharp wrote: > I installed ( or so I thought ) a chroot env last night and ran into some > difficulties. Could someone very familiar with openssh/chroot glance > over http://probsd.ws/chroot.txt and tell me what I did wrong please? > > chroot.txt is an EXTREMELY detailed example of what I did, and script > output of the ssh connection to the chroot. Hmmm... you are almost reinventing the concept of jail(8) here, which might be a better solution for you. The main difference from what you're doing is that a jailed sshd process would get it's own separate IP number. Some things you might find usefull: i) Copy /dev/MAKEDEV into your chrooted area and use that to create the device files you need: cp -p /dev/MAKEDEV /home/chrootuser/dev sh /home/chrootuser/dev/MAKEDEV jail --- the `jail' target should get you an appropriate set of devices. ii) Set up an additional logging socket in your chroot area and modify your syslogd flags to pick up syslog messages from there. You'll also need a copy of /etc/localtime in the chroot area so that your syslog messages get the correct timestamp.: mkdir -p /home/chrootuser/var/run cp -p /etc/localtime /home/chrootuser/etc/localtime cp /etc/rc.conf /etc/rc.conf.bak echo 'syslogd_flags="-s -l /home/chrootuser/var/run/log"' >> /etc/rc.conf kill `cat /var/run/syslogd.pid` /usr/sbin/syslogd -s -l /home/chrootuser/var/run/log You can then turn up the logging level in /home/chrootuser/etc/ssh/sshd_config by altering the LogLevel value: a LogLevel of DEBUG3 will give you a great deal of output showing a blow by blow account of just about everything the sshd does. iii) Make sure you can resolve addresses in the DNS from your chroot environment. It should be sufficient to copy over /etc/resolv.conf cp -p /etc/resolv.conf /home/chrootuser/etc/resolv.conf iv) If you want to be able to run ps(1) from the chroot area, then you need to mount a procfs(5) file system inside your chroot area. This isn't really necessary for sshd to operate correctly though: cp /etc/fstab /etc/fstab.bak cat <>/etc/fstab proc /home/chrootuser/proc procfs rw 0 0 EOF mount /home/chrootuser/proc cheers, Matthew -- Dr Matthew J Seaman MA, D.Phil. 26 The Paddocks Savill Way Tel: +44 1628 476614 Marlow Fax: +44 0870 0522645 Bucks., SL7 1TH UK To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message