Re: a very big problem
nitrogen said:
> about a problem I'm having with my nix box.
> OK... well, I got a chrooted env set up for users and also for most of
> my daemons that run, but I can't seem to get outgoing net access
> in the chrooted env. Got any ideas?
Maybe... what are you trying to run? chroot has never affected
net access for me; I can't imagine why it ever would. It could
affect host resolution or something.
It took quite a bit of work to get ssh (client) to work under
a chroot environment. Here's a list of files I use to build
'skeleton' chroot environments for users:
it-wa:/home2/chroot# ls -lR |more
.:
total 6
dr-xr-sr-x 2 root staff 1024 Jul 25 00:10 bin
dr-xr-sr-x 2 root staff 1024 Jul 24 22:19 dev
dr-xr-sr-x 3 root staff 1024 Jul 24 23:10 etc
dr-xr-sr-x 2 root staff 1024 Jul 24 22:35 lib
drwxrwxrwt 2 root staff 1024 Jul 24 21:21 tmp
dr-xr-sr-x 4 root staff 1024 Jul 24 21:55 usr
./bin:
total 5506
-r-xr-xr-x 6 root staff 461400 Jul 24 21:21 bash
-r-xr-xr-x 6 root staff 9668 Jul 24 21:21 cat
-r-xr-xr-x 6 root staff 32272 Jul 24 21:21 cp
-r-xr-xr-x 6 root staff 15440 Jul 24 21:47 finger
-r-xr-xr-x 6 root staff 68624 Jul 24 23:08 ftp
-r-xr-xr-x 6 root staff 75648 Jul 24 21:21 grep
-r-xr-xr-x 6 root staff 18832 Jul 24 21:21 ln
-r-xr-xr-x 6 root staff 40848 Jul 24 21:21 ls
-r-xr-xr-x 6 root staff 13088 Jul 24 21:21 mkdir
-r-xr-xr-x 6 root staff 24348 Jul 24 21:21 more
-r-xr-xr-x 6 root staff 39952 Jul 24 21:21 mv
-r-xr-xr-x 6 root staff 6260 Jul 24 21:21 pwd
-r-xr-xr-x 6 root staff 20304 Jul 24 21:21 rm
-r-xr-xr-x 6 root staff 6892 Jul 24 21:21 rmdir
-r-xr-xr-x 6 root staff 18556 Jul 24 22:14 scp
-rwxr-xr-x 6 root staff 738040 Jul 25 00:10 scp2
-r-xr-xr-x 6 root staff 661056 Jul 24 22:15 sftp-server
-rwxr-xr-x 6 root staff 833672 Jul 25 00:08 sftp2
-r-xr-xr-x 6 root staff 461400 Jul 24 21:21 sh
-r-xr-xr-x 6 root staff 107644 Jul 24 21:54 ssh
-r-xr-xr-x 6 root staff 1836695 Jul 24 22:14 ssh2
-r-xr-xr-x 6 root staff 94552 Jul 24 23:08 telnet
./dev:
total 0
crw-r--r-- 1 root staff 1, 3 Jul 24 21:21 null
crw-rw-rw- 1 root staff 5, 0 Jul 24 21:21 tty
crw-r--r-- 1 root staff 1, 9 Jul 24 21:24 urandom
./etc:
total 34
-rw-r--r-- 1 root staff 206 Jul 24 21:21 group
-rw-r--r-- 6 root staff 11924 Jul 24 21:21 ld.so.cache
-rw-r--r-- 6 root staff 465 Jul 24 23:11 nsswitch.conf
-rw-r--r-- 1 root staff 319 Jul 24 23:41 passwd
-rw-r--r-- 6 root staff 66 Jul 24 23:11 resolv.conf
-rw-r--r-- 6 root staff 14450 Jul 24 23:10 services
-rw-r--r-- 1 root staff 157 Aug 3 12:53 shadow
dr-xr-sr-x 3 root staff 1024 Jul 24 21:21 terminfo
./etc/terminfo:
total 1
dr-xr-sr-x 2 root staff 1024 Jul 24 21:55 x
./etc/terminfo/x:
total 2
-rw-r--r-- 6 root staff 1777 Jul 24 21:21 xterm
./lib:
total 1984
-rwxr-xr-x 6 root staff 85654 Jul 24 22:35 ld-linux.so.2
-rwxr-xr-x 6 root staff 887712 Jul 24 22:35 libc.so.6
-rw-r--r-- 6 root staff 20436 Jul 24 21:21 libcrypt.so.1
-rw-r--r-- 6 root staff 9452 Jul 24 22:35 libdl.so.2
-rw-r--r-- 6 root staff 116336 Jul 24 21:27 libm.so.6
-rw-r--r-- 6 root staff 238700 Jul 24 21:21 libncurses.so.4
-rw-r--r-- 6 root staff 233816 Jul 24 22:35 libncurses.so.5
-rw-r--r-- 6 root staff 76032 Jul 24 22:35 libnsl.so.1
-rw-r--r-- 6 root staff 41356 Jul 24 22:35 libnss_compat.so.2
-r-x---r-x 6 root staff 11452 Jul 24 22:35 libnss_dns.so.2
-r-x---r-x 6 root staff 31084 Jul 24 22:35 libnss_files.so.2
-rw-r--r-- 6 root staff 27180 Jul 24 21:21 libpam.so.0
-rw-r--r-- 6 root staff 6060 Jul 24 21:21 libpam_misc.so.0
-r-x---r-x 6 root staff 143336 Jul 24 22:35 libreadline.so.4
-rw-r--r-- 6 root staff 46624 Jul 24 22:35 libresolv.so.2
-rw-r--r-- 6 root staff 7652 Jul 24 22:35 libutil.so.1
-rw-r--r-- 6 root staff 23008 Jul 24 21:21 libwrap.so.0
./tmp:
total 0
./usr:
total 2
drwxr-sr-x 2 root staff 1024 Jul 24 21:27 bin
drwxr-sr-x 2 root staff 1024 Jul 24 21:21 lib
./usr/bin:
total 2523
-rwxr-xr-x 6 root staff 10596 Jul 24 21:21 head
-rwxr-xr-x 6 root staff 9552 Jul 24 21:21 id
-rwxr-xr-x 6 root staff 18556 Jul 24 21:21 scp
-rwxr-xr-x 6 root staff 107644 Jul 24 21:21 ssh
-rwxr-xr-x 6 root staff 1836695 Jul 24 21:27 ssh2
-rwxr-xr-x 6 root staff 23568 Jul 24 21:21 tail
-rwxr-xr-x 6 root staff 22640 Jul 24 21:21 touch
-rwxr-xr-x 6 root staff 315260 Jul 24 21:21 vi
./usr/lib:
total 729
-rw-r--r-- 6 root staff 685228 Jul 24 21:21 libcrypto.so.0
-rw-r--r-- 6 root staff 54512 Jul 24 21:21 libz.so.1
I have a script that sets up the environment from that
template. There is a password file there, as ssh requires
it, but each user has only one line in their password file, for
their own username. (If you have no password file, ssh spits back
"you don't exist! go away" or something.) The script looks
like:
#!/bin/bash
# Build one user's chroot from the /home2/chroot template. Run as root;
# every file is hard-linked, so template and jail must share a filesystem.
set -e
export USER=tomb
export DIR=/home2/$USER
# /
mkdir "$DIR"
chown "$USER" "$DIR"
## /bin
mkdir "$DIR/bin"
chmod a-w "$DIR/bin"
cd "$DIR/bin"
ln /home2/chroot/bin/* .
## /dev
mkdir "$DIR/dev"
chmod a-w "$DIR/dev"
cd "$DIR/dev"
# Only the device nodes the jailed programs actually need.
mknod null c 1 3
mknod tty c 5 0
mknod urandom c 1 9
chmod go+w tty
## /etc
mkdir "$DIR/etc"
chmod a-w "$DIR/etc"
cd "$DIR/etc"
mkdir -p terminfo/x
chmod a-w "$DIR/etc/terminfo"
chmod a-w "$DIR/etc/terminfo/x"
cd "$DIR/etc/terminfo/x"
ln /home2/chroot/etc/terminfo/x/* .
cd "$DIR/etc"
# Resolver and service configuration; without these, hostname lookup
# fails inside the jail even though sockets themselves work.
ln /home2/chroot/etc/nsswitch.conf .
ln /home2/chroot/etc/resolv.conf .
ln /home2/chroot/etc/services .
ln /home2/chroot/etc/ld.so.cache .
# Only this user's own line goes into the jail's passwd. The match is
# anchored so that "tomb" does not also pull in e.g. "tombstone" or any
# other line that merely mentions the name in another field.
grep "^$USER:" /etc/passwd > "$DIR/etc/passwd"
## /lib
mkdir "$DIR/lib"
chmod a-w "$DIR/lib"
cd "$DIR/lib"
ln /home2/chroot/lib/* .
## /usr
mkdir "$DIR/usr"
chmod a-w "$DIR/usr"
mkdir "$DIR/usr/bin"
chmod a-w "$DIR/usr/bin"
cd "$DIR/usr/bin"
ln /home2/chroot/usr/bin/* .
mkdir "$DIR/usr/lib"
chmod a-w "$DIR/usr/lib"
cd "$DIR/usr/lib"
ln /home2/chroot/usr/lib/* .
## /tmp
mkdir "$DIR/tmp"
chmod 1777 "$DIR/tmp"
Note that almost all of the files are hard links. Saves
disk space (the environment is 10MB), and makes keeping
everything in sync easier. But of course everything has
to be on the same filesystem.
HTH. It took several hours to get it working for me. SSH3 (commercial)
was much easier to get working than OpenSSH.
nate
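As an added example (not part of the mail above), two small helpers for the kind of skeleton jail nate describes: one that populates a jail directory from a template by hard-linking and falls back to copying when the two sit on different filesystems, and one that reports which of the resolver-related files from his listing are missing from a jail, since a missing resolv.conf or libnss_dns is the usual reason "outgoing net access" looks broken inside a chroot (sockets work, hostname lookup does not). The file names come from the listing; the library sonames assume the same glibc layout, and the demo template is constructed with placeholder files.

```shell
#!/bin/sh
# Files from the template listing that hostname lookup needs inside the jail.
RESOLV_FILES="etc/resolv.conf etc/nsswitch.conf etc/services etc/ld.so.cache
lib/libresolv.so.2 lib/libnss_dns.so.2 lib/libnss_files.so.2"

# link_tree TEMPLATE JAIL SUBDIR: hard-link every regular file in
# TEMPLATE/SUBDIR into JAIL/SUBDIR. ln fails across filesystems (EXDEV),
# so fall back to a permission-preserving copy in that case. The target
# directory is made read-only afterwards, as in the script above.
link_tree() {
    tmpl="$1/$3"; dest="$2/$3"
    mkdir -p "$dest"
    for src in "$tmpl"/*; do
        [ -f "$src" ] || continue
        ln "$src" "$dest/" 2>/dev/null || cp -p "$src" "$dest/"
    done
    chmod a-w "$dest"
}

# chroot_resolv_missing JAIL: print each missing resolver file on its own
# line; return 1 if anything is missing, 0 if the jail is complete.
chroot_resolv_missing() {
    rc=0
    for f in $RESOLV_FILES; do
        if [ ! -e "$1/$f" ]; then printf '%s\n' "$f"; rc=1; fi
    done
    return $rc
}

# Constructed demo template: has binaries and part of the resolver set only,
# so the check has something to report. Prints the template path.
make_demo_template() {
    t=$(mktemp -d)
    mkdir -p "$t/etc" "$t/lib" "$t/bin"
    for f in etc/nsswitch.conf etc/services lib/libresolv.so.2 bin/ftp; do
        printf 'placeholder\n' > "$t/$f"
    done
    printf '%s\n' "$t"
}
```

Run `chroot_resolv_missing /home2/$USER` against a freshly built jail before handing it over; an empty result and a zero exit mean every resolver file from the template made it in.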