chroot
Matthew Seaman
m.seaman at infracaninophile.co.uk
Fri Sep 24 08:51:03 PDT 2004
On Thu, Jul 18, 2002 at 10:22:59PM -0400, Michael Sharp wrote:
> I installed ( or so I thought ) a chroot env last night and ran into some
> difficulties. Could someone very familiar with openssh/chroot glance
> over http://probsd.ws/chroot.txt and tell me what I did wrong please?
>
> chroot.txt is an EXTREMELY detailed example of what I did, and script
> output of the ssh connection to the chroot.
Hmmm... you are almost reinventing the concept of jail(8) here, which
might be a better solution for you. The main difference from what
you're doing is that a jailed sshd process would get it's own separate
IP number.
Some things you might find usefull:
i) Copy /dev/MAKEDEV into your chrooted area and use that to create
the device files you need:
cp -p /dev/MAKEDEV /home/chrootuser/dev
sh /home/chrootuser/dev/MAKEDEV jail
--- the `jail' target should get you an appropriate set of devices.
ii) Set up an additional logging socket in your chroot area and modify
your syslogd flags to pick up syslog messages from there. You'll also
need a copy of /etc/localtime in the chroot area so that your syslog
messages get the correct timestamp.:
mkdir -p /home/chrootuser/var/run
cp -p /etc/localtime /home/chrootuser/etc/localtime
cp /etc/rc.conf /etc/rc.conf.bak
echo 'syslogd_flags="-s -l /home/chrootuser/var/run/log"' >> /etc/rc.conf
kill `cat /var/run/syslogd.pid`
/usr/sbin/syslogd -s -l /home/chrootuser/var/run/log
You can then turn up the logging level in
/home/chrootuser/etc/ssh/sshd_config by altering the LogLevel value: a
LogLevel of DEBUG3 will give you a great deal of output showing a blow
by blow account of just about everything the sshd does.
iii) Make sure you can resolve addresses in the DNS from your chroot
environment. It should be sufficient to copy over /etc/resolv.conf
cp -p /etc/resolv.conf /home/chrootuser/etc/resolv.conf
iv) If you want to be able to run ps(1) from the chroot area, then you
need to mount a procfs(5) file system inside your chroot area. This
isn't really necessary for sshd to operate correctly though:
cp /etc/fstab /etc/fstab.bak
cat <<EOF >>/etc/fstab
proc /home/chrootuser/proc procfs rw 0 0
EOF
mount /home/chrootuser/proc
cheers,
Matthew
--
Dr Matthew J Seaman MA, D.Phil. 26 The Paddocks
Savill Way
Tel: +44 1628 476614 Marlow
Fax: +44 0870 0522645 Bucks., SL7 1TH UK
To Unsubscribe: send mail to majordomo at FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
More information about the freebsd-questions
mailing list