linux-only jail possible?
John Nielsen
lists at jnielsen.net
Sat Mar 6 06:13:42 UTC 2010
On Friday 05 March 2010 04:14:46 Ed Schouten wrote:
> Hello Alexander,
>
> * Alexander Leidinger <Alexander at Leidinger.net> wrote:
> > > My current hurdle is sshd:
> > > Mar 3 22:20:51 centos sshd[88836]: fatal: openpty returns device for
> > > which ttyname fails.
> > >
> > > Apparently the Linux sshd isn't using /dev/ptmx appropriately. I'll
> > > probably just have to replace it with one that does..
> >
> > Ed, can it be that the linuxulator ttyname stuff needs to be fixed
> > after your tty changes?
>
> Hmmm... It worked back in August 2008 when I committed it to HEAD.
> ttyname() on Linux works pretty bad. First of all, it tries to
> readlink() on a node in devfs. If that fails, it falls back to stat()ing
> in /dev, /dev/pts, etc. until a device node is found which shares the
> same major/minor number. On FreeBSD we just use FIODGNAME (see
> fdevname(3)).
>
> Could you please strace/truss/etc the Linux binary to see what it
> exactly does?
Ptrace inside the jail doesn't run:
Mar 6 00:33:32 stealth kernel: linux: ptrace(24, ...) not implemented
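Truss from the host side seems okay, except that -f doesn't work as expected.
I can attach manually to the child processes just before submitting an SSH
password, though, so hopefully that's enough. If you want me to do any of this
again with different truss flags or other information, just let me know.
[Note: -s 256 makes truss print up to 256 bytes of each string argument, so the
trace below contains buffer contents, including what appears to be the submitted
password passed between the two sshd child processes and the first read of
/etc/shadow with a password hash; only the second /etc/shadow read is sanitized.
Output like this should be scrubbed before it is posted, and any credential that
appears in it should be changed.]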
=== attach truss to already-running jailed Linux sshd
stealth# truss -f -a -s 256 -d -p 86936 &
86936: -1267855183.102078976 SIGNAL 17 (SIGSTOP)
=== connect SSH client
86936: 12.137609664 linux_select(0x6,0x1070920,0x0,0x0,0x0,0x6) = 1 (0x1)
86936: 12.137928894
linux_socketcall(0x5,0x9fbfdc40,0x1064904,0x10691a0,0x1070920,0x6) = 4 (0x4)
86936: 12.138072794 linux_fcntl64(0x4,0x3,0x0,0x0,0x215d8ff4,0x6) = 2 (0x2)
86936: 12.138208180
linux_pipe(0x9fbfe1f0,0xa,0x1064904,0x1066a20,0x1070920,0x6) = 0 (0x0)
86936: 12.138339736
linux_socketcall(0x8,0x9fbfdc40,0x1064904,0x1066a20,0x1070920,0x6) = 0 (0x0)
86936: 12.139791642 linux_clone(0x1200011,0x0,0x0,0x0,0x216a2878,0x6) =
87878 (0x15746)
86936: 12.145413510 close(6) = 0 (0x0)
86936: 12.145607825 write(7,"\0\0\^B\r\0",5) = 5 (0x5)
86936: 12.146314103 write(7,"\0\0\^B\^D\n\n\n\n\n\n\n\n\n\n\n\n\n\nProtocol
2\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\nSyslogFacility
AUTHPRIV\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\nPasswordAuthentication
yes\n\n\n\nChallengeResponseAuthentication
no\n\n\n\n\n\n\n\n\n\nGSSAPIA"...,524) = 524 (0x20c)
86936: 12.146439264 close(7) = 0 (0x0)
86936: 12.146522149 close(8) = 0 (0x0)
86936: 12.146693212 close(4) = 0 (0x0)
=== attach truss to two child processes (identified in another terminal)
truss -f -a -s 256 -d -p 87878 &
truss -f -a -s 256 -d -p 87879 &
=== submit password from client
87879: 9.853932067 linux_select(0x4,0x106ff30,0x0,0x0,0x0,0x6) = 1 (0x1)
87879: 9.854301549 read(3,"0\M-u\M-S \M-.\M^XB\M-?D\M-N3rxp\M-r\M^AqO\M-
h\M^X\M-895Pi\M^_\M^?\M^?\M-1y?X\M^BLq\M-x\M-I\^Y\^R\M-0\M-m\M-8\M-4k\^?\M-
w\^D.r\M-S\M-/F\M-R\\\^_\M-^7a\M-S\M^XK\M-}\M^B\M-c\^V\M-
dj\M-}:dP\M^T~\M^O\M^Q\M-;\M-Z\^?\M-A^a\M^A^z\M-)\M^I%\M-1\M-P\M-M\M-
CNq\M-("...,8192) = 144 (0x90)
87879: 9.854845776 write(4,"\0\0\0\r\v",5) = 5 (0x5)
87878: 20.687933561 read(6,"\0\0\0\r",4) = 4 (0x4)
87879: 9.855093717 write(4,"\0\0\0\bi26y4you",12) = 12 (0xc)
87878: 20.688170204 read(6,"\v\0\0\0\bi26y4you",13) = 13 (0xd)
87878: 20.688383401 linux_time(0x0,0x210971c8,0x0,0x106fdb0,0x106ff50,0x6) =
1267855265 (0x4b91efa1)
87878: 20.688535529 linux_getuid(0x2180e5e4,0x19,0x1,0x1077978,0x106ff50,0x6)
= 0 (0x0)
87878: 20.688872527 linux_open("/etc/passwd",0x0,0666) = 4 (0x4)
87878: 20.689040520 linux_fcntl64(0x4,0x1,0x0,0x0,0x215d8ff4,0x6) = 0 (0x0)
87878: 20.689186549 linux_fcntl64(0x4,0x2,0x1,0x1,0x215d8ff4,0x6) = 0 (0x0)
87878: 20.689294722
linux_fstat64(0x4,0x9fbfd774,0x215d8ff4,0x107bb98,0x107bb98,0x6) = 0 (0x0)
87878: 20.689428922 linux_mmap2(0x0,0x1000,0x3,0x22,0xffffffff,0x6) = 554172416
(0x21080000)
87878: 20.699234019
read(4,"root:x:0:0:root:/root:/bin/bash\nbin:x:1:1:bin:/bin:/sbin/nologin\ndaemon:x:2:2:daemon:/sbin:/sbin/nologin\nadm:x:3:4:adm:/var/adm:/sbin/nologin\nlp:x:4:7:lp:/var/spool/lpd:/sbin/nologin\nsync:x:5:0:sync:/sbin:/bin/sync\nshutdown:x:6:0:shutdown:/sbin:/sbin"...,4096)
= 1212 (0x4bc)
87878: 20.699503111 close(4) = 0 (0x0)
87878: 20.699635968 munmap(0x21080000,4096) = 0 (0x0)
87878: 20.699914320 linux_open("/etc/shadow",0x0,0666) = 4 (0x4)
87878: 20.700006293 linux_fcntl64(0x4,0x1,0x0,0x0,0x215d8ff4,0x6) = 0 (0x0)
87878: 20.700129843 linux_fcntl64(0x4,0x2,0x1,0x1,0x215d8ff4,0x6) = 0 (0x0)
87878: 20.700259840
linux_fstat64(0x4,0x9fbfd774,0x215d8ff4,0x107bfc0,0x107bfc0,0x6) = 0 (0x0)
87878: 20.700384377 linux_mmap2(0x0,0x1000,0x3,0x22,0xffffffff,0x6) = 554172416
(0x21080000)
87878: 20.708676112 read(4,"root:
$1$pG5H8Y01$yn7Y0p4FKKi8sIDcQ3rEf1:14671:0:99999:7:::
\nbin:*:14671:0:99999:7:::\ndaemon:*:14671:0:99999:7:::
\nadm:*:14671:0:99999:7:::\nlp:*:14671:0:99999:7:::
\nsync:*:14671:0:99999:7:::\nshutdown:*:14671:0:99999:7:::
\nhalt:*:14671:0:99999:7:::\nmail:"...,4096) = 769 (0x301)
87878: 20.708940347 close(4) = 0 (0x0)
87878: 20.709078960 munmap(0x21080000,4096) = 0 (0x0)
87878: 20.709905132
linux_socketcall(0x1,0x9fbfd890,0x210cdff4,0x1,0x106ff50,0x6) ERR#47 'Address
family not supported by protocol family'
87878: 20.710306504 write(6,"\0\0\0\^E\f",5) = 5 (0x5)
87879: 9.877288770 read(4,"\0\0\0\^E",4) = 4 (0x4)
87878: 20.710505458 write(6,"\0\0\0\^A",4) = 4 (0x4)
87879: 9.877482859 read(4,"\f\0\0\0\^A",5) = 5 (0x5)
87879: 9.877654694 write(4,"\0\0\0\^A/",5) = 5 (0x5)
87878: 20.710731764 read(6,"\0\0\0\^A",4) = 4 (0x4)
87878: 20.710905919 read(6,"/",1) = 1 (0x1)
87878: 20.711149450 linux_open("/etc/nologin",0x8000,00) ERR#2 'No such file
or directory'
87878: 20.711385340 linux_getuid(0x2180e5e4,0x19,0x0,0x106ff50,0x106ff50,0x6)
= 0 (0x0)
87878: 20.711617951 linux_open("/etc/passwd",0x0,0666) = 4 (0x4)
87878: 20.711708912 linux_fcntl64(0x4,0x1,0x0,0x0,0x215d8ff4,0x6) = 0 (0x0)
87878: 20.711830195 linux_fcntl64(0x4,0x2,0x1,0x1,0x215d8ff4,0x6) = 0 (0x0)
87878: 20.711987900
linux_fstat64(0x4,0x9fbfd774,0x215d8ff4,0x107c410,0x107c410,0x6) = 0 (0x0)
87878: 20.712120506 linux_mmap2(0x0,0x1000,0x3,0x22,0xffffffff,0x6) = 554172416
(0x21080000)
87878: 20.712779451
read(4,"root:x:0:0:root:/root:/bin/bash\nbin:x:1:1:bin:/bin:/sbin/nologin\ndaemon:x:2:2:daemon:/sbin:/sbin/nologin\nadm:x:3:4:adm:/var/adm:/sbin/nologin\nlp:x:4:7:lp:/var/spool/lpd:/sbin/nologin\nsync:x:5:0:sync:/sbin:/bin/sync\nshutdown:x:6:0:shutdown:/sbin:/sbin"...,4096)
= 1212 (0x4bc)
87878: 20.713160707 close(4) = 0 (0x0)
87878: 20.713268842 munmap(0x21080000,4096) = 0 (0x0)
87878: 20.713400150 geteuid() = 0 (0x0)
87878: 20.713600510 linux_open("/etc/shadow",0x0,0666) = 4 (0x4)
87878: 20.713714568 linux_fcntl64(0x4,0x1,0x0,0x0,0x215d8ff4,0x6) = 0 (0x0)
87878: 20.713833549 linux_fcntl64(0x4,0x2,0x1,0x1,0x215d8ff4,0x6) = 0 (0x0)
87878: 20.713961773
linux_fstat64(0x4,0x9fbfd774,0x215d8ff4,0x107cb90,0x107cb90,0x6) = 0 (0x0)
87878: 20.714090120 linux_mmap2(0x0,0x1000,0x3,0x22,0xffffffff,0x6) = 554172416
(0x21080000)
87878: 20.714762942 read(4,"root:
[/etc/shadow contents sanitized]
...,4096) = 769 (0x301)
87878: 20.715053325 close(4) = 0 (0x0)
87878: 20.715173597 munmap(0x21080000,4096) = 0 (0x0)
87878: 20.715325437 linux_time(0x0,0x2180e5e4,0x0,0x1070000,0x107c410,0x6) =
1267855265 (0x4b91efa1)
87878: 20.715451861 linux_socketcall(0x1,0x9fbfd900,0x210cdff4,0x0,0x0,0x6)
ERR#47 'Address family not supported by protocol family'
87878: 20.715829496 write(6,"\0\0\0\t0",5) = 5 (0x5)
87879: 9.882848296 read(4,"\0\0\0\t",4) = 4 (0x4)
87878: 20.716121724 write(6,"\0\0\0\^A\0\0\0\0",8) = 8 (0x8)
87879: 9.883134465 read(4,"0\0\0\0\^A\0\0\0\0",9) = 9 (0x9)
87878: 20.716568885
linux_time(0x0,0x215d8ff4,0x9fbfd2dc,0x9fbfd2dc,0x1075b28,0x6) = 1267855265
(0x4b91efa1)
87879: 9.883559415 write(3,"\M-(\a\M-m\M-U\^B6^\M^H\f\M^?\M^_<A\M^^\M-ihg\M-
y\M-=tI\M-?\b\M-F\M-W\M-@\M-!W\M-1U\M^I\M^[",32) = 32 (0x20)
87878: 20.716914385 linux_open("/etc/localtime",0x0,0666) = 4 (0x4)
87879: 9.883892372 write(4,"\0\0\^D\M-.\^Y",5) = 5 (0x5)
87878: 20.717836319
linux_fstat64(0x4,0x9fbfd0dc,0x215d8ff4,0x0,0x215bdcf9,0x6) = 0 (0x0)
87879: 9.884825874 write(4,"\0\0\0\^T\M-O\M-k\fsg#c\^]\M-9\r|\M-.\M-|
\M-2\^C\M-r\v;\M- at d\0\0\0\^P\0\0\0\^A\0\0\0\^B\0\0\^B\M-3B5\M-W\M-mbP\M-
Iw\M-,\M-%\M-k\M-v\M-I\M-7\M-q\M-5\0\0\0Ydiffie-hellman-group-exchange-
sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-
sha1\0\0\0\^Ossh-"...,1197) = 1197 (0x4ad)
87878: 20.719538005
linux_fstat64(0x4,0x9fbfcf84,0x215d8ff4,0x1075ca0,0x1075ca0,0x6) = 0 (0x0)
87879: 9.884825874 process exit, rval = 0
87878: 20.720132472 linux_mmap2(0x0,0x1000,0x3,0x22,0xffffffff,0x6) = 554172416
(0x21080000)
87878: 20.739640280
read(4,"TZif2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\^D\0\0\0\^D\0\0\0\0\0\0\0\M-
k\0\0\0\^D\0\0\0\^P\M^^\M-&\^^p\M^_\M-:\M-k`\240\M^F\0p\M-!\M^Z\M-M`\M-"e\M-
bp\M-#\M^C\M-i\M-`\M-$j\M-.p\M-%5\M-'`\M-&S\M-J\M-p\M-'\^U\M^I`\M-(3\M-,\M-
p\M-(\M-~\M-%\M-`\M-*\^S\M^N\M-p"...,4096) = 3519 (0xdbf)
87878: 20.740867474 close(4) = 0 (0x0)
87878: 20.740999205 munmap(0x21080000,4096) = 0 (0x0)
87878: 20.741192384
linux_stat64(0x215bdcf9,0x9fbfcffc,0x215d8ff4,0x0,0x215bdcf9,0x6) = 0 (0x0)
87878: 20.741354100
linux_stat64(0x215bdcf9,0x9fbfcee0,0x215d8ff4,0x0,0x215bdcf9,0x6) = 0 (0x0)
87878: 20.741503796
linux_stat64(0x215bdcf9,0x9fbfcee0,0x215d8ff4,0x0,0x215bdcf9,0x6) = 0 (0x0)
87878: 20.741711425
linux_socketcall(0x1,0x9fbfd218,0x215d8ff4,0x14,0x1075b28,0x6) = 4 (0x4)
87878: 20.741881680 linux_fcntl64(0x4,0x2,0x1,0x1,0x215d8ff4,0x6) = 0 (0x0)
87878: 20.742124782 linux_socketcall(0x3,0x9fbfd218,0x215d8ff4,0x14,0x61,0x6)
= 0 (0x0)
87878: 20.742594901
linux_socketcall(0x9,0x9fbfd23c,0x215d8ff4,0x14,0x1075b28,0x6) = 93 (0x5d)
87878: 20.743105515 close(4) = 0 (0x0)
87878: 20.743238938 read(6,"\0\0\^D\M-.",4) = 4 (0x4)
87878: 20.743381687 read(6,"\^Y\0\0\0\^T\M-O\M-k\fsg#c\^]\M-9\r|\M-.\M-|
\M-2\^C\M-r\v;\M- at d\0\0\0\^P\0\0\0\^A\0\0\0\^B\0\0\^B\M-3B5\M-W\M-mbP\M-
Iw\M-,\M-%\M-k\M-v\M-I\M-7\M-q\M-5\0\0\0Ydiffie-hellman-group-exchange-
sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1\0\0\0\^Os"...,1198)
= 1198 (0x4ae)
87878: 20.744202690 close(6) = 0 (0x0)
87878: 20.744322201 linux_mmap2(0x0,0x140000,0x3,0x21,0xffffffff,0x6) =
562327552 (0x21847000)
87878: 20.744509635 munmap(0x216ae000,65536) = 0 (0x0)
87878: 20.744642322
linux_waitpid(0x15747,0x9fbfe1ec,0x0,0x15747,0x9fbfe1ec,0x6) = 87879
(0x15747)
87878: 20.744820075
linux_alarm(0x0,0x9fbfe1ec,0x1064904,0x15747,0x9fbfe1ec,0x6) = 50 (0x32)
87878: 20.744954418 linux_rt_sigaction(0xe,0x0,0x9fbfd9c4,0x8,0x215d8ff4,0x6)
= 0 (0x0)
87878: 20.745082589 linux_rt_sigaction(0xe,0x9fbfda50,0x0,0x8,0x215d8ff4,0x6)
= 0 (0x0)
87878: 20.745222970 close(5) = 0 (0x0)
86936: 82.810586917 linux_select(0x6,0x1070920,0x0,0x0,0x0,0x6) = 1 (0x1)
87878: 20.745436998 geteuid() = 0 (0x0)
86936: 82.810770853 close(5) = 0 (0x0)
87878: 20.745582399 getegid() = 0 (0x0)
87878: 20.745685862
linux_getgroups(0x0,0x0,0x215d8ff4,0x106faf8,0x9fbfe1ec,0x6) = 0 (0x0)
87878: 20.745685862 process exit, rval = 255
86936: 82.862704631 linux_select(0x6,0x1070920,0x0,0x0,0x0,0x6) ERR#4
'Interrupted system call'
86936: 82.862704631 SIGNAL 20 (SIGCHLD)
86936: 82.863354019
linux_waitpid(0xffffffff,0x9fbfd940,0x1,0x9fbfd940,0x216a27e8,0x6) = 87878
(0x15746)
86936: 82.863490428
linux_waitpid(0xffffffff,0x9fbfd940,0x1,0x9fbfd940,0x216a27e8,0x6) ERR#10 'No
child processes'
86936: 82.863751244
linux_rt_sigaction(0x11,0x0,0x9fbfd6ac,0x8,0x215d8ff4,0x6) = 0 (0x0)
86936: 82.863884662 linux_sigreturn(0x9fbfd958,0x0,0x9fbfd7ec,0x0,0x0,0x6)
ERR#4 'Interrupted system call'
=== client disconnected, sshd child processes exit
[3] - Done truss -f -a -s 256 -d -p 87879
[2] - Done truss -f -a -s 256 -d -p 87878
=== detach truss from parent sshd
kill 87872
[1] Done truss -f -a -s 256 -d -p 86936