[scponly] setting up chroot jail on solaris 8 (intel)
Sue Bauer-Lee
sblee at tazmania.org
Mon Aug 23 15:06:03 EDT 2004
Here's an excerpt of what we have setup on Solaris 8 Intel.
I may be able to grab the script that sets up the user space if needed.
The user's entry in the real /etc/passwd is (tail -1 /etc/passwd):
test:x:50031:10000:Client - test:/home/test//test/incoming:/usr/local/scponly/sbin/scponlyc
The entire jailed etc/passwd (cat /home/test/etc/passwd) is:
test:x:50031:10000:://test/incoming:/usr/local/sbin/scponlyc
The entire jailed etc/group (cat /home/test/etc/group) is:
ftpcli::10000:test
The following jail environment is created in the user's jail (/home/test):
d--x--x--x 7 root sys .
drwxr-xr-x 5 root sys ./usr
d-wx--x--x 2 root sys ./usr/bin
-r-xr-xr-x 1 root bin ./usr/bin/ls
-r-xr-xr-x 1 root bin ./usr/bin/mv
-r-xr-xr-x 1 root bin ./usr/bin/pwd
-r-xr-xr-x 1 root bin ./usr/bin/rm
-r-xr-xr-x 1 root bin ./usr/bin/groups
-rwxr-xr-x 1 bin bin ./usr/bin/scp
d--x--x--x 2 root sys ./usr/lib
-rwxr-xr-x 1 root bin ./usr/lib/libc.so.1
-rwxr-xr-x 1 root bin ./usr/lib/libdl.so.1
-rwxr-xr-x 1 root bin ./usr/lib/libresolv.so.2
-rwxr-xr-x 1 root bin ./usr/lib/librt.so.1
-rwxr-xr-x 1 root bin ./usr/lib/libsocket.so.1
-rwxr-xr-x 1 root bin ./usr/lib/libnsl.so.1
-rwxr-xr-x 1 root bin ./usr/lib/libaio.so.1
-rwxr-xr-x 1 root bin ./usr/lib/libmp.so.2
-rwxr-xr-x 1 root bin ./usr/lib/ld.so.1
-rwxr-xr-x 1 root bin ./usr/lib/nss_files.so.1
d--x--x--x 6 root sys ./usr/local
d--x--x--x 3 root sys ./usr/local/ssl
d--x--x--x 2 root sys ./usr/local/ssl/lib
-r-xr-xr-x 1 bin bin ./usr/local/ssl/lib/libcrypto.so.0.9.7
d--x--x--x 2 root sys ./usr/local/lib
-rwxr-xr-x 1 bin bin ./usr/local/lib/libz.so
-rw-r--r-- 1 bin bin ./usr/local/lib/libgcc_s.so.1
d--x--x--x 2 root sys ./usr/local/libexec
-rwxr-xr-x 1 bin bin ./usr/local/libexec/sftp-server
d--x--x--x 3 root sys ./usr/local/scponly
d--x--x--x 2 root sys ./usr/local/scponly/sbin
-rwsr-xr-x 1 root root ./usr/local/scponly/sbin/scponlyc
d--x--x--x 3 root sys ./devices
d--x--x--x 2 root sys ./devices/pseudo
crw-rw-rw- 1 root sys ./devices/pseudo/mm@0:zero
crw-rw-rw- 1 root sys ./devices/pseudo/mm@0:null
d--x--x--x 2 root sys ./dev
lrwxrwxrwx 1 root other ./dev/zero -> ../devices/pseudo/mm@0:zero
lrwxrwxrwx 1 root other ./dev/null -> ../devices/pseudo/mm@0:null
d--x--x--x 2 root sys ./etc
-r--r--r-- 1 root sys ./etc/passwd
-r--r--r-- 1 root sys ./etc/group
lrwxrwxrwx 1 root other ./bin -> ./usr/bin
lrwxrwxrwx 1 root other ./lib -> ./usr/lib
drwxr-x--- 2 testuser ftpadm ./test
drwxr-x--- 2 testuser ftpadm ./test/incoming
drwxr-x--- 2 testuser ftpadm ./test/incoming/.ssh
-rw-r--r-- 2 testuser ftpadm ./test/incoming/.ssh/authorized_keys
drwxrwx--- 2 testuser ftpadm ./test/outgoing
On Mon, Aug 23, 2004 at 10:55:55AM -0700, Chris Cheshire wrote:
> Hi,
>
> I have openssh 3.8.1p1 installed (from sunfreeware.com) and have been
> trying to configure scponly to use a chrooted jail. I can get scponly to
> work fine with sftp but scponlyc doesn't. The setup_chroot.sh doesn't
> work on this platform so I tried to manually do the bits and pieces, as
> well as follow other suggestions from the archives here, but ssh seems
> to close the connection straight after the key handshaking is done. (ssh
> is configured to only do key authentication, not password).
>
> The user dir has this structure:
> .:
> bin etc lib pub usr
>
> ./bin:
> chgrp chmod chown echo groups id ln ls mkdir
> mv pwd rm rmdir
>
> ./etc:
> passwd
>
> ./lib:
> ld.so.1
>
> ./pub:
>
> ./usr:
> lib local
>
> ./usr/lib:
> libaio.so.1 libdl.so.1 libnsl.so.1 libresolv.so.2
> libsocket.so.1
> libc.so.1 libgen.so.1 libpam.so.1 librt.so.1
> nss_compat.so.1
> libcmd.so.1 libmp.so.2 libproject.so.1 libsecdb.so.1
> nss_files.so.1
>
> ./usr/local:
> bin lib libexec ssl
>
> ./usr/local/bin:
> scp
>
> ./usr/local/lib:
> libgcc_s.so.1 libz.so
>
> ./usr/local/libexec:
> sftp-server
>
> ./usr/local/ssl:
> lib
>
> ./usr/local/ssl/lib:
> libcrypto.so.0.9.7
>
> Everything but the pub dir is writable only by root, but readable and
> executable by all.
>
> The debug output from ssh from when it spawns the sftp-server subsystem is:
> ......
> debug1: session_input_channel_req: session 0 req subsystem
> subsystem request for sftp
> debug1: subsystem: exec() /usr/local/libexec/sftp-server
> debug1: Received SIGCHLD.
> debug2: fd 11 setting O_NONBLOCK
> debug2: fd 11 is O_NONBLOCK
> debug2: notify_done: reading
> debug1: session_by_pid: pid 14240
> debug1: session_exit_message: session 0 channel 0 pid 14240
> debug2: channel 0: request exit-signal
> debug1: session_exit_message: release channel 0
> debug2: channel 0: write failed
> debug2: channel 0: close_write
> debug2: channel 0: output open -> closed
> debug1: session_close: session 0 pid 14240
> debug2: channel 0: read<=0 rfd 11 len 0
> debug2: channel 0: read failed
> debug2: channel 0: close_read
> debug2: channel 0: input open -> drain
> debug2: channel 0: ibuf empty
> debug2: channel 0: send eof
> debug2: channel 0: input drain -> closed
> debug2: channel 0: send close
> debug3: channel 0: will not send data after close
> debug3: channel 0: will not send data after close
> debug2: channel 0: rcvd close
> debug3: channel 0: will not send data after close
> debug2: channel 0: is dead
> debug2: channel 0: garbage collecting
> debug1: channel 0: free: server-session, nchannels 1
> debug3: channel 0: status: The following connections are open:
> #0 server-session (t4 r0 i3/0 o3/0 fd 11/11)
>
> debug3: channel 0: close_fds r 11 w 11 e -1
> Connection closed by ....
> debug1: do_cleanup
> Closing connection to ....
> debug3: mm_request_send entering: type 56
> debug3: monitor_read: checking request 56
> debug3: mm_answer_term: tearing down sessions
>
>
> A successful connection with just scponly as the shell looks like this:
> ....
> subsystem request for sftp
> debug1: subsystem: exec() /usr/local/libexec/sftp-server
> debug2: fd 11 setting O_NONBLOCK
> debug2: fd 11 is O_NONBLOCK
> debug2: channel 0: rcvd adjust 916
>
>
> Have I missed copying any libraries or commands to the jail? Any other
> suggestions? Are there special permissions that need setting on anything?
>
> Thanks
>
> Chris
>
>
> _______________________________________________
> scponly mailing list
> scponly at lists.ccs.neu.edu
> https://lists.ccs.neu.edu/bin/listinfo/scponly
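The two failure modes discussed in this thread (a library the jailed binary needs that was never copied in, and a /dev symlink that does not resolve inside the jail) can be checked mechanically. The script below is an added example, not code from the thread or from the scponly project; it takes ldd-style output for a binary, lists the libraries absent from a jail root, and verifies that jail symlinks resolve inside the jail. The ldd lines, the throwaway jail it builds, and the function names (ldd_paths, missing_in_jail, check_jail_link, build_demo_jail) are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread: report libraries a binary needs that are
# absent from a chroot jail, and check that /dev symlinks resolve inside it.

# Keep only resolved host paths from ldd-style lines ("libc.so.1 => /usr/lib/libc.so.1").
ldd_paths() {
    awk '$2 == "=>" && $3 ~ /^\// { print $3 }'
}
# Read host library paths on stdin; print those absent under jail root $1.
missing_in_jail() {
    while read -r p; do
        [ -e "$1$p" ] || echo "$p"
    done
}
# Does symlink $2 (path inside jail root $1, e.g. /dev/null) resolve to a file
# that exists inside the jail? Prints "ok" or "broken".
check_jail_link() {
    jail="$1"; link="$2"
    [ -L "$jail$link" ] || { echo broken; return 0; }
    target=$(ls -l "$jail$link" | sed 's/.* -> //')   # portable readlink
    case "$target" in
        /*) resolved="$jail$target" ;;                 # absolute targets are jail-relative
        *)  resolved="$jail$(dirname "$link")/$target" ;;
    esac
    if [ -e "$resolved" ]; then echo ok; else echo broken; fi
}
# Constructed ldd output (on a real host: ldd /usr/local/libexec/sftp-server);
# libz.so is deliberately absent from the demo jail.
SAMPLE_LDD='libsocket.so.1 =>   /usr/lib/libsocket.so.1
libnsl.so.1 =>      /usr/lib/libnsl.so.1
libc.so.1 =>        /usr/lib/libc.so.1
libz.so =>          /usr/local/lib/libz.so
/usr/lib/ld.so.1'
# Build a throwaway jail mirroring the listing above, with /dev/zero
# deliberately pointing at a directory that does not exist; print its path.
build_demo_jail() {
    d=$(mktemp -d)
    mkdir -p "$d/usr/lib" "$d/usr/local/lib" "$d/devices/pseudo" "$d/dev"
    for f in libsocket.so.1 libnsl.so.1 libc.so.1; do : > "$d/usr/lib/$f"; done
    : > "$d/devices/pseudo/mm@0:null"
    ln -s ../devices/pseudo/mm@0:null "$d/dev/null"
    ln -s ../devices/missing/mm@0:zero "$d/dev/zero"
    echo "$d"
}
JAIL=$(build_demo_jail)
printf '%s\n' "$SAMPLE_LDD" | ldd_paths | missing_in_jail "$JAIL"   # /usr/local/lib/libz.so
check_jail_link "$JAIL" /dev/null   # ok
check_jail_link "$JAIL" /dev/zero   # broken
rm -rf "$JAIL"
```

Run the same three functions against the real jail root and the real ldd output of scp, sftp-server and scponlyc to find what the jail is missing before trusting the sshd debug trace.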