Finding the right libraries
You can find most of the libraries needed to run an executable using the ldd(1) command. E.g. if you're trying to set up
sftp-server (part of SSH) for use under SCPOnly:
and then copy the referenced libraries from
/lib and from
This may or may not get everything. In one case, I finally had to resort to brute force and make everything in
/lib available. I didn't copy the entire directory, I simply did a temporary bind-mount:
mount --bind /lib /chroot-area/lib
And then I did an SFTP connection as the chrooted user, looked for the process running the
sftp-server executable, and examined which libraries it had mapped, by examining the
/maps file. Once I had identified the ones I was missing, I could remove the bind mount and copy across the necessary libraries.
Syslog inside your chroot
I had a few issues getting syslog to work -
- In debian, the start-stop-daemon program used to start syslog finds the existing syslog running (ie the one outside the chroot) and won't start another one. I fixed this by changing a line in /etc/init.d/sysklogd from "start-stop-daemon --start --quiet --exec $binpath -- $SYSLOGD" to simply "$binpath $SYSLOGD"
- make sure you have all the device files it needs - eg /dev/log and /dev/console
- syslog wouldn't open any output log files until I copied /etc/services and restarted it - otherwise it doesn't know what port it should listen on...
There is a patchset for ssh to allow you to chroot specific users. If you just use a normal chroot and normal ssh instead,
and you get errors like
sshd: error: openpty: No such file or directory
error: session_pty_req: session 0 alloc failed
then you are missing /dev/ptmx. Try "mknod /dev/ptmx c 5 2".
Also see chroot(8)