Annotated edit history of
ChrootNotes version 3, including all changes.
!!Finding the right libraries

You can find most of the libraries needed to run an executable using the ldd(1) command. For example, if you're trying to set up <code>sftp-server</code> (part of [SSH]) for use under [SCPOnly]:

<pre>
ldd /usr/lib/misc/sftp-server
</pre>

and then copy the referenced libraries from <code>/lib</code> to <code>/</code>''chroot-area''<code>/lib</code> and from <code>/usr/lib</code> to <code>/</code>''chroot-area''<code>/usr/lib</code>.

This may or may not get everything: ldd only lists the libraries linked in at load time, not anything the program opens itself with dlopen(3) while running (NSS modules such as <code>libnss_files</code>, for instance). In one case, I finally had to resort to brute force and make everything in <code>/lib</code> available. I didn't copy the entire directory; I simply did a temporary bind-mount:

<pre>
mount --bind /lib /''chroot-area''/lib
</pre>

And then I made an SFTP connection as the chrooted user, looked for the process running the <code>sftp-server</code> executable, and examined which libraries it had mapped by reading its <code>/proc/</code>''pid''<code>/maps</code> file. Once I had identified the ones I was missing, I could remove the bind mount and copy across the necessary libraries.
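The two ways of finding libraries described above (parsing ldd output, then falling back to the files a running process has mapped according to <code>/proc/</code>''pid''<code>/maps</code>) and the copying step, put together as one script. This is an added example and not part of the original page: the function names <code>ldd_paths</code>, <code>maps_paths</code>, <code>install_libs</code> and <code>demo_install</code> are this example's own, and the sample ldd and maps text is constructed, not captured from a real <code>sftp-server</code>.

```shell
#!/bin/sh
# Added example, not from the original wiki page: collect the shared libraries
# an executable needs and copy them into a chroot area with the same directory
# layout. Paths come either from ldd(1) output or, for the brute-force case,
# from the /proc/<pid>/maps of the running process. Linux only: needs awk,
# sort, and readlink -f (GNU or BusyBox coreutils).

# Print one absolute library path per line from ldd(1) output on stdin.
# linux-vdso.so.1 has no file behind it and "not found" entries are useless,
# so both are skipped. The dynamic loader (/lib64/ld-linux-*.so.2) appears
# without "=>" and is printed as-is; the chroot needs it too.
ldd_paths() {
    awk '
        /not found/ { next }
        /=>/        { if ($3 ~ /^\//) print $3; next }
        $1 ~ /^\//  { print $1 }
    '
}

# Print the distinct files a process has mapped, from /proc/<pid>/maps on
# stdin. Field 6 is the pathname; anonymous mappings have none, and [heap],
# [stack], [vdso] do not start with "/". The executable itself is listed too.
maps_paths() {
    awk 'NF >= 6 && $6 ~ /^\// { print $6 }' | sort -u
}

# Copy each path read on stdin to "$1$path", creating parent directories.
# A symlink (libc.so.6 -> libc-2.31.so is typical) is recreated inside the
# chroot and its target copied as well, so the loader finds both names.
# Paths that do not exist are reported on stderr and skipped.
install_libs() {
    root=$1
    while IFS= read -r lib; do
        if [ ! -e "$lib" ]; then
            echo "install_libs: missing $lib" >&2
            continue
        fi
        mkdir -p "$root$(dirname "$lib")"
        if [ -L "$lib" ]; then
            target=$(readlink -f "$lib")
            mkdir -p "$root$(dirname "$target")"
            cp "$target" "$root$target"
            ln -sf "$target" "$root$lib"
        else
            cp "$lib" "$root$lib"
        fi
    done
}

# Constructed sample input, shaped like real ldd and /proc/<pid>/maps output.
SAMPLE_LDD='        linux-vdso.so.1 (0x00007ffc3e1f8000)
        libcrypto.so.1.1 => /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1 (0x00007f2c6a800000)
        libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f2c6a600000)
        libfoo.so.0 => not found
        /lib64/ld-linux-x86-64.so.2 (0x00007f2c6ae00000)'
SAMPLE_MAPS='55d8c3a00000-55d8c3a10000 r--p 00000000 fd:01 1311 /usr/lib/misc/sftp-server
7f2c6a600000-7f2c6a7a0000 r-xp 00028000 fd:01 9921 /lib/x86_64-linux-gnu/libc.so.6
7f2c6a7a0000-7f2c6a7c0000 rw-p 00000000 00:00 0
7f2c6a7c0000-7f2c6a7d0000 r--p 00000000 fd:01 9921 /lib/x86_64-linux-gnu/libc.so.6
7ffc3e1f8000-7ffc3e1fa000 r-xp 00000000 00:00 0 [vdso]
7ffc3e200000-7ffc3e221000 rw-p 00000000 00:00 0 [stack]'

# Self-contained check of install_libs: make a fake library tree in a temp
# dir (a file plus a symlink to it), install the symlink into a second temp
# dir standing in for the chroot area, and verify both names arrived.
demo_install() {
    src=$(mktemp -d) && src=$(cd "$src" && pwd -P) || return 1
    root=$(mktemp -d) || return 1
    mkdir -p "$src/lib"
    echo "not really an ELF file" > "$src/lib/libdemo-1.0.so"
    ln -s libdemo-1.0.so "$src/lib/libdemo.so.1"
    printf '%s\n' "$src/lib/libdemo.so.1" "$src/lib/nonexistent.so" \
        | install_libs "$root" 2>/dev/null
    if [ -L "$root$src/lib/libdemo.so.1" ] && [ -f "$root$src/lib/libdemo-1.0.so" ]; then
        status=0
    else
        status=1
    fi
    rm -rf "$src" "$root"
    return $status
}

# Typical use:  ldd /usr/lib/misc/sftp-server | ldd_paths | install_libs /chroot-area
# or, with the process running under the bind mount:
#               maps_paths < /proc/<pid>/maps | install_libs /chroot-area
printf '%s\n' "$SAMPLE_LDD" | ldd_paths
printf '%s\n' "$SAMPLE_MAPS" | maps_paths
```

Run <code>maps_paths</code> while the chrooted session is still open; the list includes the program binary itself and libraries that ldd never shows because they were loaded with dlopen(3) after startup, which is exactly the gap the bind-mount trick is there to close.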

!!Syslog inside your chroot

I had a few issues getting syslog to work:

# In Debian, the start-stop-daemon program used to start syslog finds the syslog that is already running (i.e. the one outside the chroot) and won't start another one. I fixed this by changing a line in <tt>/etc/init.d/sysklogd</tt> from "<tt>start-stop-daemon --start --quiet --exec $binpath -- $SYSLOGD</tt>" to simply "<tt>$binpath $SYSLOGD</tt>".
# Make sure you have all the device files it needs, e.g. <tt>/dev/log</tt> and <tt>/dev/console</tt>.
# syslog wouldn't open any output log files until I copied <tt>/etc/services</tt> into the chroot and restarted it; otherwise it can't look up the port it should listen on.

!!SSH

There is a patchset for ssh that lets you chroot specific users. If you just use a normal chroot and an unpatched ssh instead,
and you get errors like
<pre>
sshd[1234]: error: openpty: No such file or directory
</pre>
or
<pre>
error: session_pty_req: session 0 alloc failed
</pre>
then you are missing <tt>/dev/ptmx</tt> inside the chroot, which sshd opens to allocate the pseudo-terminal for the session. Try "<tt>mknod /dev/ptmx c 5 2</tt>" (a character device, major 5, minor 2; run it inside the chroot area, or prefix the path with the chroot directory). openpty also needs the devpts filesystem mounted on the chroot's <tt>/dev/pts</tt>, e.g. "<tt>mount -t devpts devpts /</tt>''chroot-area''<tt>/dev/pts</tt>", otherwise the slave end of the pty cannot be opened even though <tt>/dev/ptmx</tt> exists.
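A check for the device nodes this section and the syslog notes above depend on (<tt>/dev/ptmx</tt>, <tt>/dev/console</tt> and the usual companions), written as an added example; none of it is from the original page. The node list and the names <code>check_dev</code>, <code>make_dev</code> and <code>devpts_mounted</code> are this example's own choices, and the major/minor numbers are the standard Linux ones. It also verifies a wrongly created node (a regular file or the wrong numbers), which plain existence checks miss, and that devpts is mounted on the chroot's <tt>/dev/pts</tt>.

```shell
#!/bin/sh
# Added example, not from the original page: check that a chroot area has the
# device nodes a chrooted sshd/sftp-server session and syslogd need, and create
# them when run as root. /dev/log is deliberately absent from the list: it is a
# socket that syslogd creates itself when it starts inside the chroot.
# Linux only; assumes GNU or BusyBox stat (-c with %F, %t, %T).

# name  major  minor  mode   (all character devices; standard Linux numbers)
DEV_NODES='null 1 3 666
zero 1 5 666
tty 5 0 666
console 5 1 600
ptmx 5 2 666'

# True if devpts is mounted on $1/dev/pts, according to /proc/mounts.
devpts_mounted() {
    awk -v d="$1/dev/pts" '$2 == d && $3 == "devpts" { f = 1 } END { exit !f }' \
        /proc/mounts 2>/dev/null
}

# Report every problem under the chroot area $1: a node that is missing, or
# exists but is not a character device with the expected major/minor, and a
# missing devpts mount. Returns 0 only if nothing was reported.
check_dev() {
    root=${1%/}
    bad=0
    while read -r name major minor mode; do
        path="$root/dev/$name"
        if [ ! -e "$path" ]; then
            echo "missing: $path (c $major,$minor mode $mode)"
            bad=1
            continue
        fi
        # stat prints major/minor in hex, so format the expected pair the same way
        ftype=$(stat -c '%F' "$path")
        have=$(stat -c '%t:%T' "$path")
        want=$(printf '%x:%x' "$major" "$minor")
        if [ "$ftype" != "character special file" ] || [ "$have" != "$want" ]; then
            echo "wrong: $path is $ftype $have, should be character device $want"
            bad=1
        fi
    done <<EOF
$DEV_NODES
EOF
    # openpty(3) takes the master from /dev/ptmx but opens the slave under
    # /dev/pts, so devpts has to be mounted inside the chroot as well
    if ! devpts_mounted "$root"; then
        echo "devpts not mounted on $root/dev/pts"
        bad=1
    fi
    return $bad
}

# Create whatever is missing and mount devpts; must run as root. Existing
# entries are left alone, so a wrong node has to be removed by hand first.
make_dev() {
    root=${1%/}
    mkdir -p "$root/dev/pts"
    while read -r name major minor mode; do
        [ -e "$root/dev/$name" ] || mknod -m "$mode" "$root/dev/$name" c "$major" "$minor"
    done <<EOF
$DEV_NODES
EOF
    devpts_mounted "$root" || mount -t devpts devpts "$root/dev/pts"
}

# Usage: sh devnodes.sh /chroot-area       (report problems)
#        sh devnodes.sh /chroot-area make  (fix them, as root)
if [ "$2" = make ]; then
    make_dev "${1:-/}"
fi
check_dev "${1:-/}" && echo "device nodes under ${1:-/} look fine"
```

With no arguments the script checks the host's own <tt>/dev</tt>, which is a quick way to see what a working set looks like before comparing it with the chroot area.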

--

Also see chroot(8)