Re: [Maybe Spam][L] [scponly] scponly chroot jail on Solaris 8 (Intel)

Lammel Roland roland.lammel at kapsch.net
Wed Jul 14 11:36:40 EDT 2004


Please always reply to the list...

I have done some checks on which binaries are linked against which shared libs; that's why some of them need libpam, although authentication itself is already done before the chroot is executed (at least that's what I understood).

The libraries are probably different on ix86, so you have to find out (best using ldd on the binaries you need) what's actually needed. There might be some more files required, which are best found out through trial and error ;-)

Yes, /lib/ld.so is a symlink.

Don't know about ld.conf; I guess the man pages are your friend for what the Solaris ix86 dynaloader actually needs to work.
I don't have the platform (nor the time to test currently), so good luck on that one.

Please post your results (or updated arch/build scripts) when you succeed.

Each user needs their own jail; that's the only way to separate them. The only way around that would be to have them all in the same group, but then they can write and see each other's files (that wouldn't make too much sense to me).

Cheers

+rl

-----Original Message-----
From: Sue Bauer-Lee [mailto:sblee at tazmania.org]
Sent: Wednesday, 14 July 2004 14:11
To: Lammel Roland
Subject: Re: [Maybe Spam][L] [scponly] scponly chroot jail on Solaris 8 (Intel)

Thanks. I started the population last night. Couple of dumb questions:

What is nsswitch.conf required for?

For some strange reason, my x86 only seems to have a copy of ld.so.1. Can't
remember without checking another system: is /lib/ld.so a symlink to it?

If authentication occurs at login, why include ld.pam? (chmod/chgrp?)

In testing, I received an error regarding a missing /var/ld/ld.conf(ig). Can't
seem to find such a beast on the system either. Any ideas?

My bin directory is: rm, scponlyc, ls, ssh, scp. Does sftp belong here or in
the usr/libexec tree?

(can't believe I have to do this for each individual user.....
/home/user/jail-dirs....
with the /etc/passwd homedir entry of /home/user/./
Does this entry belong in the jail etc/passwd file?
Do I understand this correctly?

If I installed scponlyc to /usr/local/scponly/sbin/scponlyc, does it still
go in the jail as usr/bin/scponlyc?


TIA for your help.

On Mon, Jul 12, 2004 at 07:56:38AM +0200, Lammel Roland wrote:
> Maybe as a starting point here's what i have in the chroot jail for scponlyc
> (this is Solaris 8 Sparc, so there might be some differences)
> 
> Cheers
> 
> +rl
> 
> # find /home/jail
> /home/jail
> /home/jail/usr
> /home/jail/usr/bin
> /home/jail/usr/sbin
> /home/jail/usr/local
> /home/jail/usr/local/lib
> /home/jail/usr/local/bin
> /home/jail/usr/local/bin/scp
> /home/jail/usr/local/libexec
> /home/jail/usr/local/libexec/sftp-server
> /home/jail/usr/lib
> /home/jail/usr/lib/libc.so.1
> /home/jail/usr/lib/libdl.so.1
> /home/jail/usr/lib/libgen.so.1
> /home/jail/usr/lib/libmp.so.2
> /home/jail/usr/lib/libnsl.so.1
> /home/jail/usr/lib/libpam.so.1
> /home/jail/usr/lib/libsocket.so.1
> /home/jail/usr/lib/ld.so
> /home/jail/usr/lib/ld.so.1
> /home/jail/usr/lib/nss_compat.so.1
> /home/jail/usr/lib/nss_files.so.1
> /home/jail/usr/libexec
> /home/jail/usr/libexec/openssh
> /home/jail/usr/ucb
> /home/jail/usr/ucb/ls
> /home/jail/usr/ucb/ln
> /home/jail/usr/ucb/chown
> /home/jail/usr/platform
> /home/jail/usr/platform/SUNW,Ultra-4
> /home/jail/usr/platform/SUNW,Ultra-4/lib
> /home/jail/usr/platform/SUNW,Ultra-4/lib/libc_psr.so.1
> /home/jail/lib
> /home/jail/lib/ld.so
> /home/jail/bin
> /home/jail/bin/rm
> /home/jail/bin/mv
> /home/jail/bin/chmod
> /home/jail/bin/chgrp
> /home/jail/bin/mkdir
> /home/jail/bin/rmdir
> /home/jail/etc
> /home/jail/etc/passwd
> /home/jail/incoming
> /home/jail/incoming/oem.gif 
> 
> -----Original Message-----
> From: scponly-bounces at lists.ccs.neu.edu [mailto:scponly-bounces at lists.ccs.neu.edu] On Behalf Of Sue Bauer-Lee
> Sent: Monday, 12 July 2004 05:38
> To: scponly at lists.ccs.neu.edu
> Subject: [Maybe Spam][L] [scponly] scponly chroot jail on Solaris 8 (Intel)
> 
> Great package. I've finally had a chance to attempt implementation.
> First a Solaris Intel transfer system, then on to a RH Enterprise
> system. As have others, I ran the setup_chroot..... script. It didn't
> create a bin directory... seems like lots of stuff is missing. 
> 
> Has anyone successfully created this environment on a Solaris system?
> What are the suggested contents of the jail directories (bin, etc, usr)?
> Is a "dev" required? Also, is it better to create a "/home/users" jail
> with the above listed system directories and the individual user
> directories below, or a separate jail for each user?
> 
> TIA for the help. This is my last attempt at being able to deploy a
> limited access scp/sftp user tomorrow since the standard company wide
> sco wrapper shell isn't working with WinSCP......
> 
> 

-----------------------------------------------------
Sue Bauer-Lee        |    KE4HNN, SSCP
Carrollton, GA 30112 |    Email: sblee at tazmania.org
-----------------------------------------------------
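
Added example (not part of the original thread or of the scponly distribution): a POSIX shell version of the ldd approach suggested in the reply above, which turns ldd output into the list of libraries to copy into a jail and flags unresolved ones. The function names and the sample ldd text are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: work out which shared libraries a chroot jail needs from
# ldd output. Function names and the sample below are assumptions.

# Constructed sample in Solaris ldd style (not captured from a real host).
SAMPLE_LDD='        libsocket.so.1 =>        /usr/lib/libsocket.so.1
        libnsl.so.1 =>   /usr/lib/libnsl.so.1
        libc.so.1 =>     /usr/lib/libc.so.1
        libz.so =>       (file not found)
        libc.so.1 =>     /usr/lib/libc.so.1
        /usr/platform/SUNW,Ultra-4/lib/libc_psr.so.1'

# Read ldd output on stdin, print each resolved library path once.
# Skips "binary:" header lines and unresolved "(file not found)" entries.
libs_from_ldd() {
    awk '
        $1 ~ /:$/ { next }
        {
            path = ""
            for (i = 1; i < NF; i++)
                if ($i == "=>") { path = $(i + 1); break }
            if (path == "" && $1 ~ /^\//) path = $1
            if (path ~ /^\// && !seen[path]++) print path
        }'
}

# Print the names ldd could not resolve; these need fixing before the jail works.
missing_from_ldd() {
    awk '/not found/ { print $1 }'
}

# copy_into_jail JAIL FILE...: copy each file to the same path below JAIL.
# Plain cp copies the file a symlink points to, so the jail gets real files.
copy_into_jail() {
    jail=$1; shift
    for f in "$@"; do
        mkdir -p "$jail$(dirname "$f")" && cp -p "$f" "$jail$f" || return 1
    done
}

# populate_jail JAIL BINARY...: copy each binary plus everything ldd lists for it.
populate_jail() {
    jail=$1; shift
    for bin in "$@"; do
        copy_into_jail "$jail" "$bin" || return 1
        ldd "$bin" | libs_from_ldd | while read -r lib; do
            copy_into_jail "$jail" "$lib" || exit 1
        done || return 1
    done
}
```

Modules loaded at run time, such as the nss_files.so.1 in the listing above, do not appear in ldd output and still have to be added by hand.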


