DaemonForums > OpenBSD > OpenBSD General
#1  Tommahawk (New User), 22nd December 2010
Chrooted Userland

Any easy packages or options/instructions for creating a chrooted user environment? I have been fooling around with jailkit, and while it's still OK for Ubuntu/Debian, it's totally not for OpenBSD.
#2  jggimi (More noise than signal), 22nd December 2010

If you describe what you want to accomplish, perhaps someone can give you some assistance.

Key to a userland environment is having enough of the OS available for your entire application. If you want a =complete= userland environment in your chrooted structure, you will have to copy the complete OS into it. I've done this when I needed virtual filesystem structures (but not virtual machines) when doing application development testing.

FAQ 10.16 discusses setting up partial environments for specific web applications using OpenBSD's chrooted Apache.

And if you run -current, there is sysutils/jailkit, which entered the ports tree several months ago. I have not used it, and can't answer any questions about it. The port description says:
Quote:
Jailkit is a set of utilities to limit user accounts to specific files using chroot() and or specific commands. Setting up a chroot shell, a shell limited to some specific command, or a daemon inside a chroot jail is a lot easier and can be automated using these utilities.

Just to level set, do not attempt to use -current applications on -release or -stable flavors of the OS. Keep them in sync, as described in FAQ 15.4.1. For more about -current, see FAQ 5.1.
#3  Tommahawk (New User), 22nd December 2010

Just one jailed user for the moment that can log in, get a shell and nothing much else.

Trying jailkit, but it seems the issue is with jk_chrootsh.

I set up a jail user /jail/./home/user but changed the shell in passwd from jk_chrootsh to sh to test, and login is OK; then I run jk_chrootsh and get transported to the jail dir but am not jailed. Great. Then I change the shell in passwd to jk_chrootsh, log out and then try to log in; it authenticates but I get logged out again immediately.

authlog states transporting to the /jail dir and nothing else. I assume that jk_chrootsh may no longer be compatible with security-conscious OpenBSD.
#4  jggimi (More noise than signal), 23rd December 2010

Quote: Originally Posted by Tommahawk
...trying jailkit but it seems the issue is with jk_chrootsh...

Quote: Originally Posted by jggimi
I have not used it, and can't answer any questions about it.

Quote: Originally Posted by Tommahawk
just one jailed user for the moment that can login get a shell and nothing much else.

To improve your understanding of chrooted environments, please read FAQ 10.16. It describes how one would make a single application with dynamically loaded libraries available to a chrooted Apache server.

Since you want a "shell" environment, you'll have to determine and define in advance exactly what you want your user to be able to do within that shell. /bin/sh or /usr/local/bin/tcsh will not be enough. And not just your executables -- those typically found in /bin, /usr/bin, /usr/local/bin that you think of as commands -- but all libraries and library tools called by each, usually /usr/lib and /usr/local/lib, and in the case of shells that interact with consoles/ttys, you'll need nodes from /dev as well.

Since you will need device nodes in your virtual filesystem, you'll need to permit them in whichever real filesystem houses your virtual /dev. This means you will need to check your mount options for that filesystem, and perhaps change them.

-----

For example, to chroot into a statically linked (no libraries) /bin/sh, you'll need a virtual filesystem containing your "jailed" user's $HOME, /bin/sh, and /dev/tty, on a real filesystem that is not mounted nodev. That shell won't be able to execute any external commands except "sh". It can execute internal shell commands only. Not very useful.

FAQ 10.16 will help you understand what is needed to enable a single executable program with dynamic libraries.

When I set up virtual filesystems, it was for development and testing of administrative tools so it was easy -- I replicated everything I might need: /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin, /usr/lib, /usr/local/lib, and /dev. I also needed bits of /var, and those directories were put in place and filled with test data.
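As an added example, not code from this thread, from jailkit or from OpenBSD's FAQ, the following script sketches the two recipes jggimi describes above: the bare jail for a statically linked /bin/sh (the user's $HOME, /bin/sh and /dev/tty on a real filesystem that is not mounted nodev), and the FAQ 10.16 step of copying a dynamically linked program together with every library ldd(1) lists for it. It generalizes the "check your mount options" advice into a lookup of whichever mounted filesystem actually houses the jail path (longest mount-point prefix) and refuses to build on one carrying nodev, which is how the OpenBSD installer mounts /home by default. Assumptions, all labelled in the code: mount(8) prints `DEV on MNT type FS (opts)`, ldd(1) prints one `Start End Type Open Ref GrpRef Name` row per object, and `stat -f '%Hr %Lr'` yields a device node's major and minor numbers. The mount and ldd samples embedded at the bottom are constructed, not captured from a real system, so the parsing can be exercised without root; `build` and `add` need root and a real OpenBSD host.

```shell
#!/bin/sh
# Added example, not code from the thread or from jailkit. It sketches the two
# recipes jggimi describes: the bare static /bin/sh jail (user's $HOME, /bin/sh,
# /dev/tty on a filesystem not mounted nodev) and the FAQ 10.16 step of copying
# a dynamically linked program together with the libraries ldd(1) lists.
# Assumptions: OpenBSD mount(8) prints "DEV on MNT type FS (opts)" and ldd(1)
# prints one "Start End Type Open Ref GrpRef Name" row per loaded object.

# Print the shared objects and the runtime linker from ldd output on stdin:
# rows whose Type is "rlib" or "ld.so"; the path is the last field.
ldd_deps() {
    awk '$3 == "rlib" || $3 == "ld.so" { print $NF }'
}

# From mount(8) output on stdin, print the line whose mount point is the
# longest prefix of the given path, i.e. the real filesystem housing it.
mount_line_for() {
    awk -v p="$1" '
        BEGIN { best = 0 }
        $2 == "on" {
            mp = $3
            if (mp == "/" || p == mp || index(p, mp "/") == 1) {
                if (length(mp) > best) { best = length(mp); line = $0 }
            }
        }
        END { if (line != "") print line }'
}

# Succeeds when a mount(8) line carries the nodev option; device nodes on such
# a filesystem cannot be opened, so a jailed /dev/tty there would be useless.
has_nodev() {
    case "$1" in
        *"("*nodev*")"*) return 0 ;;
        *)               return 1 ;;
    esac
}

# FAQ 10.16 recipe: copy a dynamically linked program and every object ldd
# reports for it into the jail, keeping the original paths. Run as root.
install_dynamic() {
    jail=$1; prog=$2
    for f in "$prog" $(ldd "$prog" | ldd_deps); do
        mkdir -p "$jail$(dirname "$f")"
        cp -p "$f" "$jail$f"
    done
}

# Bare jail for a statically linked /bin/sh (OpenBSD's /bin is static).
# Refuses to build on a nodev filesystem; the installer mounts /home that way
# by default. Run as root. stat -f '%Hr %Lr' (assumed format) yields the real
# tty node's major and minor so they need not be hardcoded.
build_static_sh_jail() {
    jail=$1; user=$2
    fsline=$(mount | mount_line_for "$jail")
    if has_nodev "$fsline"; then
        echo "$jail is on a nodev filesystem: $fsline" >&2
        echo "remount it without nodev (fstab(5)) before adding /dev/tty" >&2
        return 1
    fi
    mkdir -p "$jail/bin" "$jail/dev" "$jail/home/$user"
    cp -p /bin/sh "$jail/bin/sh"
    set -- $(stat -f '%Hr %Lr' /dev/tty)
    [ -e "$jail/dev/tty" ] || mknod -m 666 "$jail/dev/tty" c "$1" "$2"
    chown "$user" "$jail/home/$user"
}

# Constructed sample output (not captured from a real system) so the parsing
# above can be exercised without root; library version numbers are placeholders.
SAMPLE_MOUNT='/dev/sd0a on / type ffs (local)
/dev/sd0d on /home type ffs (local, nodev, nosuid)
/dev/sd0f on /usr type ffs (local, nodev)'

SAMPLE_LDD='/usr/local/bin/tcsh:
    Start            End              Type  Open Ref GrpRef Name
    0000000000400000 0000000000600000 exe   1    0   0      /usr/local/bin/tcsh
    0000000200100000 0000000200300000 rlib  0    1   0      /usr/lib/libcurses.so.14.0
    0000000200400000 0000000200700000 rlib  0    1   0      /usr/lib/libc.so.96.1
    0000000200800000 0000000200900000 ld.so 0    1   0      /usr/libexec/ld.so'

demo_deps()    { printf '%s\n' "$SAMPLE_LDD"   | ldd_deps; }
demo_housing() { printf '%s\n' "$SAMPLE_MOUNT" | mount_line_for "$1"; }

# Usage as root:  sh jail.sh build /home/jail jaileduser
#                 sh jail.sh add   /home/jail /usr/local/bin/tcsh
case "${1:-}" in
    build) build_static_sh_jail "$2" "$3" ;;
    add)   install_dynamic "$2" "$3" ;;
    "")    demo_housing /home/jail; demo_deps ;;
esac
```

Run with no arguments, the script only exercises the parsers on the constructed samples. The `add` path reproduces what FAQ 10.16 has the reader do by hand for a single program: each library and /usr/libexec/ld.so lands at the same path under the jail root, which is what the dynamic linker inside the chroot will look for. The mount check deliberately matches the longest mount point rather than the first, so a jail under /home is judged by /home's options even though / is also a prefix.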