[scponly] setting up chroot jail on solaris 8 (intel)

Mike Smith mike at ftl.com
Mon Aug 23 14:06:11 EDT 2004


This is what I have set up on solaris-sparc....I remember when I first
set it up, I had a hard time, just like you.

.:
bin  etc  lib  pub  usr

./bin:
chgrp  chmod  chown  echo   ln     ls     mkdir  mv     pwd    rm     rmdir

./etc:
passwd

./lib:
ld.so    ld.so.1

./usr:
bin       lib       libexec   local     platform

./usr/bin:
groups  id

./usr/lib:
ld.so            libc.so.1        libdl.so.1       libnsl.so.1      libproject.so.1  libsocket.so.1
ld.so.1          libcmd.so.1      libmp.so.2       libpam.so.1      libsecdb.so.1    nss_files.so.1

./usr/libexec:

./usr/local:
bin      lib      libexec  ssl

./usr/local/bin:
md5sum  scp

./usr/local/lib:
libz.so.1

./usr/local/libexec:
sftp-server

./usr/local/ssl:
lib

./usr/local/ssl/lib:
libcrypto.so.0.9.6

./usr/platform:
SUNW,Ultra-80

./usr/platform/SUNW,Ultra-80:
lib

./usr/platform/SUNW,Ultra-80/lib:
libc_psr.so.1

Hope this helps....

 - Mike
 
-----Original Message-----
From: scponly-bounces at lists.ccs.neu.edu
[mailto:scponly-bounces at lists.ccs.neu.edu] On Behalf Of Chris Cheshire
Sent: Monday, August 23, 2004 10:56 AM
To: scponly at lists.ccs.neu.edu
Subject: [scponly] setting up chroot jail on solaris 8 (intel)

Hi,

I have openssh 3.8.1p1 installed (from sunfreeware.com) and have been
trying to configure scponly to use a chrooted jail. I can get scponly to
work fine with sftp but scponlyc doesn't. The setup_chroot.sh doesn't
work on this platform so I tried to manually do the bits and pieces, as
well as follow other suggestions from the archives here, but ssh seems
to close the connection straight after the key handshaking is done. (ssh
is configured to only do key authentication, not password).

The user dir has this structure:
.:
bin  etc  lib  pub  usr

./bin:
chgrp   chmod   chown   echo    groups  id      ln      ls      mkdir   mv      pwd     rm      rmdir

./etc:
passwd

./lib:
ld.so.1

./pub:

./usr:
lib    local

./usr/lib:
libaio.so.1      libdl.so.1       libnsl.so.1      libresolv.so.2   libsocket.so.1
libc.so.1        libgen.so.1      libpam.so.1      librt.so.1       nss_compat.so.1
libcmd.so.1      libmp.so.2       libproject.so.1  libsecdb.so.1    nss_files.so.1

./usr/local:
bin      lib      libexec  ssl

./usr/local/bin:
scp

./usr/local/lib:
libgcc_s.so.1  libz.so

./usr/local/libexec:
sftp-server

./usr/local/ssl:
lib

./usr/local/ssl/lib:
libcrypto.so.0.9.7

Everything but the pub dir is writable only by root, but readable and 
executable by all.

The debug output from ssh from when it spawns the sftp-server subsystem
is:
......
debug1: session_input_channel_req: session 0 req subsystem
subsystem request for sftp
debug1: subsystem: exec() /usr/local/libexec/sftp-server
debug1: Received SIGCHLD.
debug2: fd 11 setting O_NONBLOCK
debug2: fd 11 is O_NONBLOCK
debug2: notify_done: reading
debug1: session_by_pid: pid 14240
debug1: session_exit_message: session 0 channel 0 pid 14240
debug2: channel 0: request exit-signal
debug1: session_exit_message: release channel 0
debug2: channel 0: write failed
debug2: channel 0: close_write
debug2: channel 0: output open -> closed
debug1: session_close: session 0 pid 14240
debug2: channel 0: read<=0 rfd 11 len 0
debug2: channel 0: read failed
debug2: channel 0: close_read
debug2: channel 0: input open -> drain
debug2: channel 0: ibuf empty
debug2: channel 0: send eof
debug2: channel 0: input drain -> closed
debug2: channel 0: send close
debug3: channel 0: will not send data after close
debug3: channel 0: will not send data after close
debug2: channel 0: rcvd close
debug3: channel 0: will not send data after close
debug2: channel 0: is dead
debug2: channel 0: garbage collecting
debug1: channel 0: free: server-session, nchannels 1
debug3: channel 0: status: The following connections are open:
   #0 server-session (t4 r0 i3/0 o3/0 fd 11/11)

debug3: channel 0: close_fds r 11 w 11 e -1
Connection closed by ....
debug1: do_cleanup
Closing connection to ....
debug3: mm_request_send entering: type 56
debug3: monitor_read: checking request 56
debug3: mm_answer_term: tearing down sessions


A successful connection with just scponly as the shell looks like this:
....
subsystem request for sftp
debug1: subsystem: exec() /usr/local/libexec/sftp-server
debug2: fd 11 setting O_NONBLOCK
debug2: fd 11 is O_NONBLOCK
debug2: channel 0: rcvd adjust 916


Have I missed copying any libraries or commands to the jail? Any other 
suggestions? Are there special permissions that need setting on
anything?

Thanks

Chris
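Chris asks whether any libraries were missed when the jail was populated. That check can be done mechanically: capture `ldd` output on the host for each binary copied into the jail, then confirm every resolved library exists at the same path under the jail root. The script below is an added example written for this thread; it is not scponly's setup_chroot.sh and not something either poster ran. The jail contents and the ldd text in `demo()` are constructed for the example (modelled on the Solaris ldd output format), not captured from Chris's or Mike's machines, and the `extra_required` list exists because ldd does not report the runtime linker (`/usr/lib/ld.so.1` on Solaris) that the kernel loads from the binary's PT_INTERP.

```python
"""Check that every shared library a jailed binary needs is present under the
jail root. Added example for the scponly list thread; not the project's own
code. Feed it ldd output captured on the host for each binary in the jail."""
import os
import tempfile


def parse_ldd(output):
    """Turn ldd text into a list of (soname, host_path).

    Handles the Solaris form  "libc.so.1 =>  /usr/lib/libc.so.1",
    unresolved entries        "libfoo.so.1 => (file not found)" (host_path None),
    and bare absolute paths   "/usr/platform/.../libc_psr.so.1" that Solaris
    ldd prints for auxiliary filters (Linux ldd lists its runtime linker that
    way). "statically linked" and vdso lines name no file and are skipped.
    """
    deps = []
    for line in output.splitlines():
        line = line.strip()
        if not line:
            continue
        if "=>" in line:
            soname, rest = (part.strip() for part in line.split("=>", 1))
            unresolved = not rest or rest.startswith("(") or rest.startswith("not found")
            deps.append((soname, None if unresolved else rest.split()[0]))
        elif line.startswith("/"):
            path = line.split()[0]          # drop a trailing "(0x...)" address
            deps.append((os.path.basename(path), path))
    return deps


def missing_in_jail(jail, deps, extra_required=(), exists=os.path.exists):
    """Return, sorted, what the jail lacks: host paths from deps with no copy
    at the same path under jail, sonames ldd could not resolve even on the
    host, and any extra_required paths (e.g. the runtime linker, which ldd
    does not list). `exists` is injectable so the logic can be tested."""
    missing = set()
    for soname, host_path in deps:
        if host_path is None:
            missing.add(soname + " (unresolved on host)")
        elif not exists(os.path.join(jail, host_path.lstrip("/"))):
            missing.add(host_path)
    for path in extra_required:
        if not exists(os.path.join(jail, path.lstrip("/"))):
            missing.add(path)
    return sorted(missing)


def check_jail(jail, ldd_by_binary, extra_required=(), exists=os.path.exists):
    """ldd_by_binary maps a binary's absolute path inside the jail to the ldd
    output captured for the host copy of that binary. Returns {binary: [gaps]}
    for binaries with problems; an empty dict means the jail is complete."""
    report = {}
    for binary, output in ldd_by_binary.items():
        gaps = missing_in_jail(jail, parse_ldd(output), extra_required, exists)
        if not exists(os.path.join(jail, binary.lstrip("/"))):
            gaps.insert(0, binary + " (binary itself not in jail)")
        if gaps:
            report[binary] = gaps
    return report


# Constructed ldd output in Solaris ldd formatting; not captured from either
# poster's system. libgcc_s is deliberately unresolved to show that case.
SFTP_SERVER_LDD = """\
        libz.so =>       /usr/local/lib/libz.so
        libcrypto.so.0.9.7 =>    /usr/local/ssl/lib/libcrypto.so.0.9.7
        libsocket.so.1 =>        /usr/lib/libsocket.so.1
        libnsl.so.1 =>   /usr/lib/libnsl.so.1
        libdl.so.1 =>    /usr/lib/libdl.so.1
        libmp.so.2 =>    /usr/lib/libmp.so.2
        libc.so.1 =>     /usr/lib/libc.so.1
        libgcc_s.so.1 => (file not found)
        /usr/platform/SUNW,Ultra-80/lib/libc_psr.so.1
"""
LS_LDD = """\
        libc.so.1 =>     /usr/lib/libc.so.1
        libdl.so.1 =>    /usr/lib/libdl.so.1
"""


def demo():
    """Build a small constructed jail in a temporary directory and check it.
    The files are empty placeholders; only their presence matters here."""
    jail = tempfile.mkdtemp(prefix="jail-")
    for rel in ("usr/lib/ld.so.1", "usr/lib/libc.so.1", "usr/lib/libsocket.so.1",
                "usr/lib/libnsl.so.1", "usr/lib/libdl.so.1",
                "usr/local/lib/libz.so", "usr/local/ssl/lib/libcrypto.so.0.9.7",
                "usr/local/libexec/sftp-server", "bin/ls"):
        path = os.path.join(jail, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()
    return check_jail(jail, {"/usr/local/libexec/sftp-server": SFTP_SERVER_LDD,
                             "/bin/ls": LS_LDD},
                      extra_required=["/usr/lib/ld.so.1"])


if __name__ == "__main__":
    for binary, gaps in demo().items():
        print(binary)
        for gap in gaps:
            print("    missing:", gap)
```

On a real host the ldd text would come from `ldd /usr/local/libexec/sftp-server` and friends run outside the jail, and the result names exactly which files still need copying (or which library is absent from the host altogether, which no amount of copying fixes). A binary that runs as a plain shell but exits the moment it is exec'd under chroot, as in the first debug trace above, is one of the symptoms this kind of check is meant to rule out.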
