From: Rainer Duffner
To: Brandon Allbery
Cc: Johan Hendriks, freebsd-stable
Date: Sat, 22 Aug 2015 16:54:09 +0200
Subject: Re: SSH Chroot FreeBSD 10.1 and 10.2

> On 22.08.2015 at 15:45, Brandon Allbery wrote:
>
> On Sat, Aug 22, 2015 at 9:32 AM, Johan Hendriks wrote:
>
> chroot is what it says on the tin: once set, the specified directory is
> "/". Every file accessed from that point on MUST be available from a tree
> in which the specified chroot directory is "/". This includes symlinks ---
> symlink resolution doesn't get to see outside the specified "/" any more
> than anything else running in the chroot does, so you cannot simply symlink
> to a file outside the chroot. (Hard links are fine, since they are actually
> by inode number; they just have to be on the same partition.)

I found it's much easier to have actual chroot'ed ssh users once the users themselves are in an LDAP directory.

Also, for doing anything useful on that shell, it turned out you need some more devices in /dev than the usual chroot (like a chroot'ed PHP-FPM, which just needs the dev-set of jail(4)). And a couple of symlinks.

I've done this once for a customer (chroot'ed ssh accounts) and unless this gets easier in the future, I've made a note to myself not to do that again any time soon.

I hadn't thought of just using /rescue (I would nullfs-mount it into your target directory, else you've got to copy it again every time you run freebsd-update).

But in my php-fpm chroots, I also need stuff from packages (ImageMagick, most notably).

I end up nullfs-mounting most of the system (except /sbin directories) into the various chroots, but I was always looking for a better approach.

It's all a bit of a hack, with lots of stuff borrowed from ezjail ;-)

The big advantage of using nullfs mounts is that I don't have to think about updating the chroots if I update the packages (except /var/run/ld-elf*).

Thinking about this: now that we have pkg - would pkg -c (chroot) also create the SQLite DB inside the chroot?

Regards,
Rainer
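As an added example (not code from the thread or from any of its posters), the following FreeBSD sh script sketches the chroot'ed ssh shell setup discussed above: /rescue nullfs-mounted read-only into the tree so freebsd-update never needs a re-copy, a devfs limited to the jail(4) device set as a starting point, an sshd_config Match block, and the ownership check sshd itself enforces on ChrootDirectory. The tree /home/chroot and the group name chrootssh are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. /rescue is statically linked, so a
# chroot'ed shell needs neither shared libraries nor /var/run/ld-elf.so.hints
# inside the tree; nullfs keeps it current after freebsd-update.
set -eu

BASE=${BASE:-/home/chroot}   # assumed chroot tree; user homes live below it

# fstab line that exposes /rescue read-only inside the chroot.
fstab_lines() {
    printf '/rescue\t%s/rescue\tnullfs\tro\t0\t0\n' "$1"
}

# sshd_config fragment: members of group $1 are confined to tree $2.
sshd_match() {
    printf 'Match Group %s\n' "$1"
    printf '    ChrootDirectory %s\n' "$2"
    printf '    AllowTcpForwarding no\n    X11Forwarding no\n'
}

# sshd refuses a ChrootDirectory unless it and every path component are
# owned by root and not group- or world-writable. $1 owner, $2 octal mode.
chroot_dir_ok() {
    [ "$1" = root ] || return 1
    case $2 in
        *[2367][0-7]) return 1 ;;   # group write bit set
        *[2367])      return 1 ;;   # world write bit set
    esac
    return 0
}

# Root only: build the tree, mount /rescue, mount devfs with ruleset 4
# (devfsrules_jail in /etc/defaults/devfs.rules; as the thread notes, an
# interactive shell usually needs a few more nodes unhidden), then verify.
apply_chroot() {
    base=$1
    mkdir -p "$base/rescue" "$base/dev" "$base/home" "$base/tmp"
    chown root:wheel "$base" && chmod 755 "$base"
    mount_nullfs -o ro /rescue "$base/rescue"
    mount -t devfs devfs "$base/dev"
    devfs -m "$base/dev" rule -s 4 applyset
    chroot_dir_ok "$(stat -f %Su "$base")" "$(stat -f %Lp "$base")" ||
        { echo "$base: must be root-owned, no group/world write" >&2; return 1; }
}

# Dry run: print what would go into /etc/fstab and sshd_config.
fstab_lines "$BASE"
sshd_match chrootssh "$BASE"
```

Run as root with `apply_chroot /home/chroot` sourced from the script to perform the mounts; the script itself only prints the fragments.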