Penguin

Finding the right libraries

You can find most of the libraries needed to run an executable using the ldd(1) command. E.g. if you're trying to set up sftp-server (part of SSH) for use under SCPOnly:

ldd /usr/lib/misc/sftp-server

and then copy the referenced libraries from /lib to /chroot-area/lib and from /usr/lib to /chroot-area/usr/lib.

This may or may not get everything. In one case, I finally had to resort to brute force and make everything in /lib available. I didn't copy the entire directory; I simply did a temporary bind-mount:

mount --bind /lib /chroot-area/lib

And then I did an SFTP connection as the chrooted user, looked for the process running the sftp-server executable, and examined which libraries it had mapped, by examining the /proc/pid/maps file. Once I had identified the ones I was missing, I could remove the bind mount and copy across the necessary libraries.
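The two approaches above (reading ldd(1) output, and reading /proc/pid/maps of the running process behind a bind mount) can be scripted so that nothing is copied by hand. The following is an added example and not code from the original page; the /chroot-area path and the sftp-server location are taken from the text, everything else is an assumption about a typical Linux layout. The parsers read the ldd or maps text on stdin, so they can also be run over saved output.

```shell
#!/bin/sh
# Added example (not from the original page): collect the shared libraries a
# binary needs and copy them into a chroot, recreating the /lib vs /usr/lib
# layout. /chroot-area is the chroot directory assumed by the page.

# Print the library paths referenced in ldd(1) output, one per line.
# Handles both "libc.so.6 => /lib/libc.so.6 (0x...)" and the bare
# "/lib/ld-linux.so.2 (0x...)" form; "linux-gate.so.1 => (0x...)" (the vDSO)
# has no file on disk and is skipped.
ldd_paths() {
    awk '$2 == "=>" && $3 ~ /^\// { print $3; next }
         $1 ~ /^\// { print $1 }' | sort -u
}

# Print the files a running process has mapped, from /proc/PID/maps.
# The sixth field is the path; anonymous mappings and [heap]/[stack]
# pseudo-paths are skipped.
maps_paths() {
    awk 'NF >= 6 && $6 ~ /^\// { print $6 }' | sort -u
}

# Read paths on stdin and copy each into the chroot given as $1,
# creating the matching directory (e.g. /chroot-area/usr/lib) as needed.
copy_into_chroot() {
    dest=$1
    while IFS= read -r lib; do
        [ -f "$lib" ] || continue        # skip paths that do not exist here
        mkdir -p "$dest$(dirname "$lib")"
        cp -p "$lib" "$dest$lib"
    done
}

# Usage (from the text's sftp-server case):
#   ldd /usr/lib/misc/sftp-server | ldd_paths | copy_into_chroot /chroot-area
# and, with /lib bind-mounted and a chrooted SFTP session open:
#   maps_paths < /proc/$(pidof sftp-server)/maps | copy_into_chroot /chroot-area
```

cp -p follows symlinks, so a library that ldd reports as /lib/libc.so.6 but that is really a symlink to a versioned file ends up in the chroot as a regular file under the name the loader looks for, which is what you want. Run maps_paths while the chrooted session is still open; the maps file disappears with the process.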

Syslog inside your chroot

I had a few issues getting syslog to work:

  1. In Debian, the start-stop-daemon program used to start syslog finds the existing syslog running (i.e. the one outside the chroot) and won't start another one. I fixed this by changing a line in /etc/init.d/sysklogd from "start-stop-daemon --start --quiet --exec $binpath -- $SYSLOGD" to simply "$binpath $SYSLOGD".
  2. Make sure you have all the device files it needs, e.g. /dev/log and /dev/console.
  3. syslog wouldn't open any output log files until I copied /etc/services and restarted it - otherwise it doesn't know what port it should listen on...

SSH

There is a patchset for ssh to allow you to chroot specific users. If you just use a normal chroot and normal ssh instead, and you get errors like

sshd[1234]: error: openpty: No such file or directory

or

error: session_pty_req: session 0 alloc failed

then you are missing /dev/ptmx. Try "mknod /dev/ptmx c 5 2". -- Also see chroot(8)
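A quick way to catch the missing /dev/ptmx (and the other device nodes a chrooted sshd or syslogd needs) before the session fails is to check the nodes' existence and major/minor numbers and print the mknod command for anything wrong. This is an added example, not from the original page; the 5,2 numbers for ptmx come from the text, the numbers for /dev/null, /dev/console and /dev/tty are assumed from the standard Linux device list, and it relies on GNU/busybox stat's %t/%T format.

```shell
#!/bin/sh
# Added example (not from the original page): verify the character device
# nodes under a chroot and suggest the mknod command for any that are
# missing or have the wrong numbers.

# check_dev_node CHROOT PATH MAJOR MINOR -> 0 if present and correct, else 1
check_dev_node() {
    root=$1; node=$2; major=$3; minor=$4
    full="$root$node"
    if [ -c "$full" ]; then
        # stat %t/%T print the major/minor numbers in hex
        have=$(stat -c '%t %T' "$full")
        want=$(printf '%x %x' "$major" "$minor")
        if [ "$have" = "$want" ]; then
            return 0
        fi
        echo "$full: wrong device numbers ($have), expected $want" >&2
    else
        echo "$full: missing" >&2
    fi
    echo "  fix: mknod $full c $major $minor" >&2
    return 1
}

# Check the nodes a chrooted sshd and syslogd typically need.
# /dev/log is a socket created by syslogd itself, so it is not a mknod case.
check_chroot_devs() {
    rc=0
    check_dev_node "$1" /dev/ptmx    5 2 || rc=1   # from the page: openpty needs this
    check_dev_node "$1" /dev/null    1 3 || rc=1   # assumed standard numbers
    check_dev_node "$1" /dev/console 5 1 || rc=1
    check_dev_node "$1" /dev/tty     5 0 || rc=1
    return $rc
}

# Usage:  check_chroot_devs /chroot-area
```

Note that /dev/ptmx only hands out the master side; the slave appears as /dev/pts/N, so the chroot also needs a devpts filesystem mounted at /chroot-area/dev/pts for the allocated pty to be usable from inside.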