[scponly] quick how-to chroot for debian

Alex Strawman alexstrawman at gmail.com
Thu Nov 2 20:13:20 EST 2006


chroot scponly on debian


This assumes /chroot/ already exists. In this setup it is a separate file system (hence the lost+found directory that shows up inside the chroot later); a dedicated file system also lets you mount it nosuid,nodev, since nothing inside the chroot needs to be setuid or a device node.

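# ---- make the user(s) -----------------------------------------------------
# scponlyc is the chrooting variant of scponly. chroot(2) needs root, so the
# binary has to be setuid root (on Debian this is presumably switched on via
# `dpkg-reconfigure scponly`; check with `ls -l /usr/sbin/scponlyc`).
user=USERNAME   # <- edit; rerun this block for each additional user
useradd -d "/chroot/${user}" -s /usr/sbin/scponlyc -m "${user}"

# ---- chroot skeleton ------------------------------------------------------
cd /chroot || exit 1
mkdir -p bin etc lib/tls usr/lib usr/bin usr/libexec usr/lib/openssh

# NOTE(review): the chroot root and everything under it except the user's own
# home must be owned by root and not writable by the confined user. Anything
# they can overwrite in bin/, lib/ or etc/ is what scponlyc will exec for them
# on their next login, and what names `ls -l` will resolve uids/gids to.
chown root:root /chroot
chmod 755 /chroot

# ---- /bin/ files: the helpers scponly may be asked to run -----------------
for tool in chgrp chmod chown ln ls mkdir mv rm rmdir; do
  cp "/bin/${tool}" ./bin/
done

# ---- /etc/ files ----------------------------------------------------------
# ld.so.cache lets the loader inside the chroot find the copied libraries.
cp /etc/ld.so.cache ./etc/
# passwd and group are only needed so uids/gids resolve to names. Copy just
# the chrooted account(s) instead of the whole system files: a full copy
# hands every account name on the box to the confined user and is easy to
# forget to trim. Never copy /etc/shadow into the chroot.
getent passwd "${user}" > ./etc/passwd
getent group "$(id -gn "${user}")" > ./etc/group
# Review the result (and append any further users you created):
#   vi ./etc/passwd ./etc/group

# ---- sftp-server ----------------------------------------------------------
# Debian-specific path (most other builds put it in /usr/libexec/). It must
# sit at the same path inside the chroot that scponly was built to exec; later
# Debian packages ship it as /usr/lib/openssh/sftp-server (which is why the
# usr/lib/openssh directory is created above), so copy whichever one exists.
sftp_server=/usr/lib/sftp-server
[ -x "${sftp_server}" ] || sftp_server=/usr/lib/openssh/sftp-server
cp --parents "${sftp_server}" .

# ---- shared libraries -----------------------------------------------------
# The explicit list below is what this (Debian sarge era) post needed; the
# versioned names will differ on any other release. The ldd loop that follows
# copies the real dependency set of every binary placed in the chroot, so
# nothing has to be discovered by trial and error afterwards.
#
# Keep the libnss_compat copies even so: with no /etc/nsswitch.conf inside the
# chroot glibc falls back to its built-in defaults, which (as far as I can
# tell) select "compat" for passwd/group. NSS modules are dlopen()ed at
# runtime, so ldd will never list them.
cp /lib/ld-linux.so.2 ./lib/
cp /lib/libc.so.6 ./lib/
cp /lib/libdb1.so.2 ./lib/
cp /lib/libnsl.so.1 ./lib/
cp /lib/libnss_compat-2.3.2.so ./lib/
cp /lib/libnss_compat.so.2 ./lib/
cp /lib/libutil.so.1 ./lib/
cp /lib/tls/* ./lib/tls/
cp /usr/lib/libcrypto.so.0.9.* ./usr/lib/
cp /usr/lib/libz.so.1* ./usr/lib/

# ldd runs the dynamic loader against the binary it inspects, so only point it
# at the trusted system binaries copied above, never at user-supplied files.
# Paths are copied with --parents so each library lands at the same path the
# loader resolved outside the chroot (including /lib/tls/ variants).
for bin in ./bin/* ".${sftp_server}"; do
  ldd "${bin}" |
    awk '$2 == "=>" && $3 ~ /^\// { print $3 } $1 ~ /^\// { print $1 }' |
    while IFS= read -r lib; do
      [ -e ".${lib}" ] || cp --parents "${lib}" .
    done
done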


# modify the real /etc/passwd (not the copy inside the chroot) and mark the
# chroot() point with two slashes: scponlyc treats the part before "//" as
# the directory to chroot into and the remainder as the home directory
# inside it. Ordinary path resolution collapses "//", so the entry still
# works as a normal home path for everything else on the system.

# change /etc/passwd (use vipw, or `usermod -d /chroot//USERNAME USERNAME`,
# rather than editing the live file with a plain editor)
# USERNAME:x:1001:100::/chroot/USERNAME:/usr/sbin/scponlyc
# to
# USERNAME:x:1001:100::/chroot//USERNAME:/usr/sbin/scponlyc


# now, as is always the way with chroot environments, you chroot() in and
see which shared libraries the loader fails on. (`ldd /bin/ls
/usr/lib/sftp-server` lists the same dependencies up front, except for NSS
modules such as libnss_compat, which are loaded at runtime and never show
up in ldd output.)

# sftponly:/chroot# chroot .
# sftponly:/# ls
# ls: error while loading shared libraries: libacl.so.1: cannot open
shared object file: No such file or directory
# sftponly:/# exit
# sftponly:/chroot# cp /lib/libacl.so.1 ./lib/
# sftponly:/chroot# chroot .
# sftponly:/# ls
# ls: error while loading shared libraries: libpthread.so.0: cannot
open shared object file: No such file or directory
# sftponly:/# exit
# sftponly:/chroot# cp /lib/libpthread.so.0 ./lib/
# sftponly:/chroot# chroot .
# sftponly:/# ls
# ls: error while loading shared libraries: libattr.so.1: cannot open
shared object file: No such file or directory
# sftponly:/# exit
# sftponly:/chroot# cp /lib/libattr.so.1 ./lib/
# sftponly:/chroot# chroot .
# sftponly:/# ls
# bin  etc  lib  lost+found  USERNAME  usr


# now exec the sftp-server binary

# sftponly:/# ./usr/lib/sftp-server
# ./usr/lib/sftp-server: error while loading shared libraries:
libresolv.so.2: cannot open shared object file: No such file or directory
# sftponly:/# exit
# sftponly:/chroot# cp /lib/libresolv.so.2 ./lib/
# sftponly:/chroot# chroot .
# sftponly:/# ./usr/lib/sftp-server
# ./usr/lib/sftp-server: error while loading shared libraries:
libcrypt.so.1: cannot open shared object file: No such file or directory
# sftponly:/# exit
# sftponly:/chroot# cp /lib/libcrypt.so.1 ./lib/
# sftponly:/chroot# chroot .
# sftponly:/# ./usr/lib/sftp-server
# (no loader error this time: sftp-server starts and waits for SFTP protocol
# messages on stdin -- Ctrl-C it, then exit the chroot)



# results were: the five extra libraries the trial-and-error above turned up
# (run from /chroot, like the rest of the copies)
for lib in libacl.so.1 libpthread.so.0 libattr.so.1 libresolv.so.2 libcrypt.so.1; do
  cp "/lib/${lib}" ./lib/
done


That's it! Before handing the account out, test it as the new user: an sftp session should work, an interactive `ssh USERNAME@host` should be refused, and from inside the session the user should be unable to write anywhere except their own home directory.


