Static shells?

[Jautenim]

I'm having a little trouble setting up a chrooted environment for one my unprivileged user accounts because I don't happen to have any statically linked shell in my system.

According to Michael W. Lucas on the 2nd edition of his Absolute OpenBSD book:

Quote:

(...) The included system shells are statically linked, and most shells in the ports tree can be built in static flavors. Verify that a shell is statically linked with file(1), and then create a bin directory inside the chroot and copy the shell there:

Code:

# file /bin/ksh
/bin/ksh: ELF 32-bit LSB executable, Intel 80386, version 1, for OpenBSD,
statically linked, stripped
# cd /home/lasynder
# mkdir bin
# cd bin
# cp /bin/ksh .

At first I thought that maybe the book was outdated, but the current FAQ reads:

Quote:

A traditional Unix guideline is to only use statically compiled shells for root, because if your system comes up in single user mode, non-root partitions won't be mounted and dynamically linked shells won't be able to access libraries located in the /usr partition. This isn't actually a significant issue for OpenBSD, as the system will prompt you for a shell when it comes up in single user mode, and the default is sh. The three standard shells in OpenBSD (csh, sh and ksh) are all statically linked, and thus usable in single user mode.

However, every shell in my mint-condition OpenBSD 5.7 has been dynamically linked:

Code:

# file /bin/ksh 
/bin/ksh: ELF 64-bit LSB shared object, x86-64, version 1, for OpenBSD, dynamically linked, stripped
# file /bin/sh 
/bin/sh: ELF 64-bit LSB shared object, x86-64, version 1, for OpenBSD, dynamically linked, stripped
# file /bin/csh
/bin/csh: ELF 64-bit LSB shared object, x86-64, version 1, for OpenBSD, dynamically linked, stripped

Did this "shell build policy" really change? Shall I go ahead and try to build myself a static ksh from the ports tree source?

[jggimi]

Hello, and welcome!

You are being misled by an incorrect result from file(1) at 5.7. But ldd(1) will provide the truth.

Code:

$ ldd /bin/sh
/bin/sh:
    Start            End              Type Open Ref  GrpRef Name
    00000802ac819000 00000802acc99000 dlib 1    0    0      /bin/sh
$

Every program in /bin is statically linked.

The file(1) program was rewritten for 5.8, and this issue is fixed.

The rewrite improved security by including privilege separation, and misleading ELF analysis like this was corrected. The summary description of the change is mentioned in www.openbsd.org/58.html as "file(1) has been replaced with a new modern implementation, including sandbox and privilege separation."

For some of the details, see the commit log for the Makefile between 5.7 and 5.8 (r1.113 - r1.115) here:

http://cvsweb.openbsd.org/cgi-bin/cv.../file/Makefile

There was a discussion of this on either the tech@ or misc@ mailing lists, which is why I knew of it, but my Google Fu is weak today and I cannot locate the discussion.

[Jautenim]

You are right, the ldd output checks, and I went ahead and it just works.

Maybe I should have followed the instructions straight to the end before asking here for help, but if I had done that now I'd be really baffled Thank you, jggimi.