Subject: Re: SSH Chroot FreeBSD 10.1 and 10.2
From: Roger Leigh <rleigh@codelibre.net>
To: freebsd-stable@freebsd.org
Date: Sat, 22 Aug 2015 15:48:20 +0000
Message-ID: <55D899C4.30406@codelibre.net>
References: <55D879DA.1070407@gmail.com>

On 22/08/2015 15:01, Brandon Allbery wrote:
> On Sat, Aug 22, 2015 at 10:54 AM, Rainer Duffner wrote:
>
>> I found it’s much easier to have actual chroot’ed ssh users once the
>> users themselves are in an LDAP directory.
>> Also, for doing anything useful on that shell, it turned out you need
>> some more devices in /dev than the usual chroot (like a chroot’ed
>> PHP-FPM, that just needs the dev-set of jail(4)).
>> And a couple of symlinks.
>
> Yep; chroots are always a pain to deal with. I have seen utilities to
> manage them, but only for Linux.

For your information, I'm in the process of porting my schroot chroot
management tool to FreeBSD.

  https://github.com/codelibre-net/schroot

This was traditionally a Linux (Debian) chroot tool for building source
packages, but it's worked on Debian GNU/kFreeBSD for a good while, so it
already supported nullfs filesystem mounts, e.g. of home directories and
devices, and now the work to build it on FreeBSD proper is done. I was
blocked on toolchain/linker bugs for the last 18 months until 10.2 came
out (C++11 nullptr_t was broken).

The master branch is current development work, and I got it all building
on FreeBSD 10.2-RELEASE just yesterday. It's not yet actually *tested* on
FreeBSD other than that the unit tests pass. So it might not be
production-ready right now, but it should be fairly soon. Now that it's
building, I'll also look at adding some FreeBSD-specific features to it
as well, like ZFS snapshots, jail support, etc.

While the compiled binaries should be fine, there may be residual
Debianisms/GNU libc-isms in the setup scripts. They are likely trivial
to fix though.

If anyone wants to give it a try and provide some feedback, or if you
have any suggestions or feature requests, please just let me know either
by mail or at

  https://github.com/codelibre-net/schroot/issues

Instructions for building on FreeBSD are in the README:

  https://github.com/codelibre-net/schroot/blob/master/README.md

Kind regards,
Roger
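Rainer's point above (an interactive SSH chroot needs more /dev nodes than a service chroot, plus some symlinks) is the kind of setup that silently breaks and is worth auditing before users are let in. The POSIX shell script below is an added example, not code from this thread or from schroot. It checks three things about a directory intended as an sshd ChrootDirectory: that the path and all its parents satisfy sshd's own rule (every component root-owned and not group/world writable, otherwise sshd refuses the login), that an assumed list of device nodes is present under dev/, and that no symlink inside the tree dangles when its absolute target is resolved against the chroot root rather than the host root (a classic mistake when copying libraries in). The function names and the node list in CHROOT_DEV_NODES are assumptions for illustration; the thread does not name the exact devices or symlinks required.

```shell
#!/bin/sh
# Added example: audit a directory meant to serve as an sshd ChrootDirectory.
# Not part of the mailing-list thread or of schroot; names are illustrative.

# Device nodes assumed to be needed for an interactive shell inside the
# chroot (assumption; adjust per site; FreeBSD would normally provide these
# via a devfs mount with a rule set rather than by copying nodes).
CHROOT_DEV_NODES="null zero random urandom tty"

# chroot_path_ok DIR
# sshd requires DIR and every parent component to be owned by root and not
# writable by group or others. Returns 0 if that holds, 1 otherwise (each
# offending component is reported on stderr). DIR must be absolute.
chroot_path_ok() {
    p=$1
    case $p in
        /*) ;;
        *) echo "chroot_path_ok: need an absolute path: $p" >&2; return 2 ;;
    esac
    [ -d "$p" ] || { echo "chroot_path_ok: not a directory: $p" >&2; return 1; }
    rc=0
    while [ "$p" != "/" ]; do
        # -prune keeps find on this one path; the predicate prints it only
        # when it violates the ownership/permission rule. Works with both
        # GNU and BSD find.
        bad=$(find "$p" -prune \( ! -user root -o -perm -020 -o -perm -002 \) -print)
        if [ -n "$bad" ]; then
            echo "unsafe chroot path component: $bad" >&2
            rc=1
        fi
        p=$(dirname "$p")
    done
    return $rc
}

# chroot_devs_ok DIR
# Returns 0 if every node listed in CHROOT_DEV_NODES exists under DIR/dev.
chroot_devs_ok() {
    rc=0
    for n in $CHROOT_DEV_NODES; do
        if [ ! -e "$1/dev/$n" ]; then
            echo "missing device node: $1/dev/$n" >&2
            rc=1
        fi
    done
    return $rc
}

# chroot_links_ok DIR
# Returns 0 if every symlink under DIR resolves to something that exists
# *as seen from inside the chroot*: an absolute link target is looked up
# under DIR, not under the host's /, which is how it will resolve once
# sshd has chrooted the session. Dangling links are reported on stderr.
chroot_links_ok() {
    root=$1
    bad=$(find "$root" -type l | while read -r l; do
        t=$(readlink "$l")
        case $t in
            /*) target="$root$t" ;;                # absolute: relative to chroot root
            *)  target="$(dirname "$l")/$t" ;;    # relative: relative to the link
        esac
        [ -e "$target" ] || echo "$l -> $t"
    done)
    if [ -n "$bad" ]; then
        echo "dangling symlink(s) inside chroot:" >&2
        echo "$bad" >&2
        return 1
    fi
    return 0
}

# Usage: audit_chroot /path/to/chroot ; exit status 0 only if all checks pass.
audit_chroot() {
    chroot_path_ok "$1"; a=$?
    chroot_devs_ok "$1"; b=$?
    chroot_links_ok "$1"; c=$?
    [ "$a" -eq 0 ] && [ "$b" -eq 0 ] && [ "$c" -eq 0 ]
}
```

Note that the path check deliberately walks up to /, so a chroot placed under a world-writable directory such as /tmp is reported as unsafe even if the chroot directory itself is fine; that mirrors what sshd does and is the reason chroots usually live under a root-owned tree such as /usr/local or /home with tightened permissions.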