Chrooted Userland
Any easy packages or options/instructions for creating a chrooted user environment? I have been fooling around with jailkit, and while it's still OK for Ubuntu/Debian, it's totally not for OpenBSD.
Just one jailed user for the moment that can log in, get a shell and nothing much else.

Trying jailkit, but it seems the issue is with jk_chrootsh. I set up a jail user at /jail/./home/user, but changed the shell in passwd from jk_chrootsh to sh to test, and login was OK. Then I run jk_chrootsh and get transported to the jail dir, but am not jailed. Great. Then I change the shell in passwd to jk_chrootsh, log out and then try to log in: it authenticates, but I get logged out again immediately. authlog states transporting to the /jail dir and nothing else. I assume that jk_chrootsh may no longer be compatible with security-conscious OpenBSD.
Since you want a "shell" environment, you'll have to determine and define in advance exactly what you want your user to be able to do within that shell. /bin/sh or /usr/local/bin/tcsh will not be enough. And not just your executables, those found typically in /bin, /usr/bin, /usr/local/bin that you think of as commands, but all libraries and library tools called by each, usually /usr/lib and /usr/local/lib, and in the case of shells that interact with consoles/ttys, you'll need nodes from /dev as well. Since you will need device nodes in your virtual filesystem, you'll need to permit them in whichever real filesystem houses your virtual /dev. This means you will need to check your mount options for that filesystem, and perhaps change them.

For example, to chroot into a statically linked (no libraries) /bin/sh, you'll need a virtual filesystem containing your "jailed" user's $HOME, /bin/sh, and /dev/tty, on a real filesystem that is not mounted nodev. That shell won't be able to execute any external commands except "sh". It can execute internal shell commands only. Not very useful.

FAQ 10.16 will help you understand what is needed to enable a single executable program with dynamic libraries.

When I set up virtual filesystems, it was for development and testing of administrative tools, so it was easy: I replicated everything I might need: /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin, /usr/lib, /usr/local/lib, and /dev. I also needed bits of /var, and those directories were put in place and filled with test data.
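The steps in the reply above (copy the program and every shared object ldd(1) lists for it, then confirm the filesystem under the jail's /dev is not mounted nodev) as a small sh script. This is an added example, not code from the thread or from jailkit; the jail root is whatever the caller passes in, and the ldd and mount output formats of both OpenBSD and Linux are handled.

```sh
#!/bin/sh
# Added example (not from the thread): the reply's steps as shell functions.

# Read ldd(1) output on stdin and print every absolute path it names, once.
# OpenBSD: the path is the last column (types exe, rlib, ld.so) and the
# "prog:" header ends in a colon, so it is skipped. Linux: "lib => /path (addr)".
ldd_paths() {
    awk '{ for (i = 1; i <= NF; i++)
               if ($i ~ /^\// && $i !~ /:$/) print $i }' | LC_ALL=C sort -u
}

# Copy one file into the jail at the same path, creating directories.
jail_copy() {
    jail=$1 src=$2
    mkdir -p "$jail$(dirname "$src")" && cp -p "$src" "$jail$src"
}

# Install a program plus every shared object ldd reports for it (the
# dynamic loader included). A statically linked binary is copied alone.
jail_program() {
    jail=$1 prog=$2
    jail_copy "$jail" "$prog" || return 1
    for lib in $(ldd "$prog" 2>/dev/null | ldd_paths); do
        [ "$lib" = "$prog" ] || jail_copy "$jail" "$lib" || return 1
    done
}

# Device nodes (/dev/tty, /dev/null) still have to be made by root with
# mknod(8), using the major/minor numbers "ls -l /dev/tty" shows on the host,
# and they only work if the filesystem below allows them, checked here.

# Read mount(8) output on stdin; print the options of the filesystem that
# holds DIR (longest matching mount point wins) and return 1 if it is nodev.
mount_allows_devs() {
    awk -v dir="$1" '
        $2 == "on" {
            mp = $3; opts = $0; sub(/.*\(/, "", opts); sub(/\).*/, "", opts)
            pfx = (mp == "/") ? "/" : mp "/"
            if ((dir == mp || index(dir, pfx) == 1) && length(mp) > length(best)) {
                best = mp; bestopts = opts
            }
        }
        END { print bestopts; if (bestopts ~ /(^|[ ,])nodev([ ,]|$)/) exit 1 }'
}

# Usage (as root): jail=/jail; jail_program "$jail" /bin/sh
#                  mount | mount_allows_devs "$jail" || echo "remount without nodev"
```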