From: Brandon Allbery <allbery.b@gmail.com>
To: Johan Hendriks
Cc: freebsd-stable <freebsd-stable@freebsd.org>
Date: Sat, 22 Aug 2015 09:45:55 -0400
Subject: Re: SSH Chroot FreeBSD 10.1 and 10.2
In-Reply-To: <55D879DA.1070407@gmail.com>

On Sat, Aug 22, 2015 at 9:32 AM, Johan Hendriks wrote:

> Last login: Sat Aug 22 17:05:52 2015 from 192.168.1.13
> Could not chdir to home directory /restricted/testuser1: No such file or
> directory
> Cannot read termcap database;
> using dumb terminal settings.
> %
> From here I can do ls and so on if I copy ls, mkdir and other programs
> from /rescue to /restricted/username/bin, and can not escape my home,
> this is what I want but the error messages are frustrating.

You have the chroot directory both as a chroot directory and a home directory. This means that the *actual* home directory, as seen from outside the chroot, is /restricted/testuser1/restricted/testuser1. (Home directory is *inside* the chroot directory and therefore relative to it.)

The termcap message should be self-explanatory; you're missing /etc/termcap inside the chroot.

chroot is what it says on the tin: once set, the specified directory is "/". Every file accessed from that point on MUST be available from a tree in which the specified chroot directory is "/". This includes symlinks --- symlink resolution doesn't get to see outside the specified "/" any more than anything else running in the chroot does, so you cannot simply symlink to a file outside the chroot. (Hard links are fine, since they are actually by inode number; they just have to be on the same partition.)

-- 
brandon s allbery kf8nh                               sine nomine associates
allbery.b@gmail.com                                  ballbery@sinenomine.net
unix, openafs, kerberos, infrastructure, xmonad        http://sinenomine.net
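As an added example that is not part of the thread, the following POSIX sh script audits a ChrootDirectory tree for the three points raised in the reply: the passwd home directory must exist at CHROOT + HOMEDIR on the host, /etc/termcap must exist inside the tree, and every symlink must resolve inside the tree once CHROOT is "/". The function names, the constructed directory layout and the empty placeholder files are assumptions made for the demo.

```shell
#!/bin/sh
# Audit an sshd ChrootDirectory tree the way the kernel resolves paths for a
# chrooted session: CHROOT becomes "/", and every lookup, symlink targets
# included, is made relative to it.
# Usage: check_chroot CHROOT HOMEDIR  (HOMEDIR as in the user's passwd entry)
# Prints one line per problem found; count_problems prints the total.
check_chroot() {
    chroot=${1%/}
    home=$2
    # The home directory is looked up *inside* the chroot, so on the host it
    # must exist at CHROOT + HOMEDIR, not at HOMEDIR.
    [ -d "$chroot$home" ] ||
        echo "home $home missing inside chroot (host path $chroot$home)"
    # "Cannot read termcap database": the shell wants /etc/termcap inside.
    [ -e "$chroot/etc/termcap" ] || echo "/etc/termcap missing inside chroot"
    # A symlink whose target is an absolute host path points at
    # CHROOT + target once chrooted; a relative one is followed from the
    # link's directory and must still land inside the tree.
    find "$chroot" -type l | while IFS= read -r link; do
        target=$(readlink "$link")
        case $target in
            /*) inside=$chroot$target ;;
            *)  dir=$(cd "$(dirname "$link")" 2>/dev/null &&
                      cd "$(dirname "$target")" 2>/dev/null && pwd -P) || dir=
                inside=$dir/$(basename "$target") ;;
        esac
        case $inside in
            "$chroot"/*) [ -e "$inside" ] && continue ;;
        esac
        echo "symlink ${link#$chroot} -> $target does not resolve inside chroot"
    done
}
count_problems() { check_chroot "$1" "$2" | grep -c . || :; }

# Constructed demo tree (not a real system) reproducing the thread's layout.
demo() {
    top=$(mktemp -d)
    chroot=$top/restricted/testuser1          # ChrootDirectory == home dir
    mkdir -p "$chroot/etc" "$chroot/bin"
    : > "$chroot/bin/sh"                      # placeholder for a copied binary
    ln -s /etc/termcap "$chroot/etc/termcap"  # absolute link: loops onto itself
    ln -s /bin/sh "$chroot/bin/csh"           # absolute link that is fine
    count_problems "$chroot" /restricted/testuser1   # home, termcap, loop: 3
    mkdir -p "$chroot/restricted/testuser1"          # home as seen from inside
    rm "$chroot/etc/termcap"; : > "$chroot/etc/termcap"  # real file, not a link
    count_problems "$chroot" /restricted/testuser1   # 0
    rm -r "$top"
}
demo
```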