[prev in list] [next in list] [prev in thread] [next in thread]
List: rssh-discuss
Subject: RE: chroot() failed, 2: Not owner
From: "Martin, Russell" <russell.martin () eds ! com>
Date: 2006-08-22 21:36:23
Message-ID: 2B2E102A5843024EB001F3419527C546013B9B02 () ushrm232 ! amer ! corp ! eds ! com
[Download RAW message or body]
--===============0286820217==
Content-class: urn:content-classes:message
Content-Type: multipart/alternative;
boundary="----_=_NextPart_001_01C6C633.0403458D"
This is a multi-part message in MIME format.
You're absolutely right that it was a permissions problem inside of my jail. I \
modified the script that I created to build my jail (which very much resembles your \
script, but hey, who doesn't love reinventing the wheel) to use "cp -p" instead of \
just "cp" when copying files from the root file system to the jail, blew away my \
jail, and reran the script and now it works without having to suid root on \
sftp-server or having to make the user the owner of the jail. And, the user only has \
write access within their home directory in the jail. Yay!
Please hang onto that "discounted" consulting rate though. I may need it some day. \
:-p Seriously, though, thanks for taking the time to respond to my posts- I think it \
would have taken me much longer to figure things out without your input.
Just in case anyone is interested, here's the script that I developed for creating \
jails on Solaris 8:
CHROOTPATH=/export/home/chroot
USER_HOME_DIR=export/home/testrssh
USER_NAME=testrssh
GROUP_NAME=testrssh
SFTP_PATH=/opt/csw/libexec/sftp-server
SCP_PATH=/opt/csw/bin/scp
RSSH_PATH=/opt/csw/bin/rssh
CHROOT_HELPER_PATH=/opt/csw/libexec/rssh_chroot_helper
LDD_PATH=/usr/bin/ldd
KSH_PATH1=/bin/ksh
KSH_PATH2=/usr/bin/ksh
PWD_PATH1=/bin/pwd
PWD_PATH2=/usr/bin/pwd
CopyLibFiles(){
for aFile in `ldd ${currExecutable} | cut -d' ' -f3`; do
if [ ! -d ${CHROOTPATH}/`dirname ${aFile}` ]; then
mkdir -p ${CHROOTPATH}/`dirname ${aFile}`;
fi
cp -p ${aFile} ${CHROOTPATH}${aFile}
done;
}
CopyExecutable(){
directoryPath=`dirname ${currExecutable}`
mkdir -p ${CHROOTPATH}${directoryPath}
cp -p ${currExecutable} ${CHROOTPATH}${directoryPath}
}
# copy sftp-server and library files
# ==================================
currExecutable=${SFTP_PATH}
CopyExecutable
CopyLibFiles
# make sftp-server suid root
# this only needs to be done if
# the user logging in doesn't own ${CHROOTPATH}
# chmod u+s ${CHROOTPATH}/${SFTP_PATH}
# copy scp and library files
# ==========================
currExecutable=${SCP_PATH}
CopyExecutable
CopyLibFiles
# copy rssh and library files
# ===========================
currExecutable=${RSSH_PATH}
CopyExecutable
CopyLibFiles
# copy rssh_chroot_helper and library files
# =========================================
currExecutable=${CHROOT_HELPER_PATH}
CopyExecutable
CopyLibFiles
# copy ldd and library files
# ==========================
currExecutable=${LDD_PATH}
CopyExecutable
CopyLibFiles
# copy ksh and library files
# =========================
currExecutable=${KSH_PATH1}
CopyExecutable
CopyLibFiles
currExecutable=${KSH_PATH2}
CopyExecutable
CopyLibFiles
# copy pwd and library files
# =========================
currExecutable=${PWD_PATH1}
CopyExecutable
CopyLibFiles
currExecutable=${PWD_PATH2}
CopyExecutable
CopyLibFiles
# copy file(s) from /etc
# ====================
mkdir -p ${CHROOTPATH}/etc
cp -p /etc/passwd ${CHROOTPATH}/etc
# create home directory in jail
# =============================
mkdir -p ${CHROOTPATH}/${USER_HOME_DIR}
chown ${USER_NAME}:${GROUP_NAME} ${CHROOTPATH}/${USER_HOME_DIR}
echo "Remember to edit /etc/passwd with absolute path to jailed home dir: \
${CHROOTPATH}/${USER_HOME_DIR}"
# copy ld.so.1
# ============
cp -p /usr/lib/ld.so.1 ${CHROOTPATH}/usr/lib/
# create /dev/null in jail
# ========================
mkdir -p ${CHROOTPATH}/dev
cp -p /dev/null ${CHROOTPATH}/dev
________________________________
From: rssh-discuss-bounces@lists.sourceforge.net on behalf of Derek Martin
Sent: Tue 8/22/2006 2:36 PM
To: rssh-discuss@lists.sourceforge.net
Subject: Re: chroot() failed, 2: Not owner
On Tue, Aug 22, 2006 at 02:36:00PM -0400, Martin, Russell wrote:
> > The user does not need to own the jail, and they don't need write
> > access to the root of the jail. The permissions on the jail just need
> > to be sufficient for them to read the directory, i.e. r-x.
>
> Okay. But, I've tested this and retested it and the behavior I've
> described is consistent. If sftp-server (the copy inside the jail)
> is suid root, then sftp works.
Sure, root can do anything... You are giving your users root
privileges within your jail. NOT GOOD!
> If sftp-server is not suid root and the user logging in owns the
> jail then things work. I have not found any other combination where
> sftp will work. This is a Solaris 8 box I'm testing on. Any ideas as
> to why things are behaving this way for me?
Well, it seems like it's almost certainly some kind of permissions
problem in your jail. For starters, with the sftp_server binary not
SUID (and of course the rssh_chroot_helper IS set SUID), does it still
fail with "chroot() failed, 2: Not owner"?
Without seeing your config, passwd file, and having access to the
directory permissions in your tree, I can't really make any guesses.
If you post your config, I can certainly poke at it... I don't
necessarily need to see your passwd file (which shouldn't have any
passwords in it, of course)... but that would help. And I'd
definitely need the output of this:
cd $ROOT_OF_JAIL; find . -type d -maxdepth 1 -exec ls -ld {} \;
My usual consulting fee is $100/hr, but since you packaged rssh for
Solaris, I'll give you the special price of $125/hr. ;-)
--
Derek D. Martin
http://www.pizzashack.org/
GPG Key ID: 0x81CFE75D
[Attachment #3 (text/html)]
<HTML dir=ltr><HEAD><TITLE>Re: chroot() failed, 2: Not owner</TITLE>
<META http-equiv=Content-Type content="text/html; charset=unicode">
<META content="MSHTML 6.00.2900.2963" name=GENERATOR></HEAD>
<BODY>
<DIV id=idOWAReplyText29155 dir=ltr>
<DIV dir=ltr><FONT face=Arial color=#000000 size=2>You're absolutely right that it \
was a permissions problem inside of my jail. I modified the script that I created to \
build my jail (which very much resembles your script, but hey, who doesn't love \
reinventing the wheel) to use "cp -p" instead of just "cp" when copying files from \
the root file system to the jail, blew away my jail, and reran the script and now it \
works without having to suid root on sftp-server or having to make the user the owner \
of the jail. And, the user only has write access within their home directory in the \
jail. Yay!</FONT></DIV> <DIV dir=ltr><FONT face=Arial size=2></FONT> </DIV>
<DIV dir=ltr><FONT face=Arial size=2>Please hang onto that "discounted" consulting \
rate though. I may need it some day. :-p Seriously, though, thanks for taking the \
time to respond to my posts- I think it would have taken me much longer to figure \
things out without your input.</FONT></DIV> <DIV dir=ltr><FONT face=Arial \
size=2></FONT> </DIV> <DIV dir=ltr><FONT face=Arial size=2>Just in case anyone \
is interested, here's the script that I developed for creating jails on Solaris \
8:</FONT></DIV> <DIV dir=ltr><FONT face=Arial size=2></FONT> </DIV>
<DIV dir=ltr>CHROOTPATH=/export/home/chroot<BR>USER_HOME_DIR=export/home/testrssh<BR>USER_NAME=testrssh<BR>GROUP_NAME=testrssh</DIV>
<DIV dir=ltr>SFTP_PATH=/opt/csw/libexec/sftp-server<BR>SCP_PATH=/opt/csw/bin/scp<BR>R \
SSH_PATH=/opt/csw/bin/rssh<BR>CHROOT_HELPER_PATH=/opt/csw/libexec/rssh_chroot_helper<B \
R>LDD_PATH=/usr/bin/ldd<BR>KSH_PATH1=/bin/ksh<BR>KSH_PATH2=/usr/bin/ksh<BR>PWD_PATH1=/bin/pwd<BR>PWD_PATH2=/usr/bin/pwd</DIV>
<DIV dir=ltr><BR>CopyLibFiles(){<BR> for aFile in `ldd ${currExecutable} | cut \
-d' ' -f3`; do<BR> if [ ! -d ${CHROOTPATH}/`dirname ${aFile}` ]; \
then<BR> mkdir -p ${CHROOTPATH}/`dirname \
${aFile}`;<BR> fi<BR> cp -p ${aFile} \
${CHROOTPATH}${aFile}<BR> done;<BR>}</DIV> <DIV \
dir=ltr><BR>CopyExecutable(){<BR> directoryPath=`dirname \
${currExecutable}`<BR> mkdir -p ${CHROOTPATH}${directoryPath}<BR> cp -p \
${currExecutable} ${CHROOTPATH}${directoryPath}</DIV> <DIV dir=ltr>}</DIV>
<DIV dir=ltr><BR># copy sftp-server and library files<BR># \
==================================<BR>currExecutable=${SFTP_PATH}<BR>CopyExecutable<BR>CopyLibFiles<BR># \
make sftp-server suid root<BR># this only needs to be done if<BR># the user logging \
in doesn't own ${CHROOTPATH}<BR># chmod u+s ${CHROOTPATH}/${SFTP_PATH}</DIV> <DIV \
dir=ltr><BR># copy scp and library files<BR># \
==========================<BR>currExecutable=${SCP_PATH}<BR>CopyExecutable<BR>CopyLibFiles</DIV>
<DIV dir=ltr><BR># copy rssh and library files<BR># \
===========================<BR>currExecutable=${RSSH_PATH}<BR>CopyExecutable<BR>CopyLibFiles</DIV>
<DIV dir=ltr><BR># copy rssh_chroot_helper and library files<BR># \
=========================================<BR>currExecutable=${CHROOT_HELPER_PATH}<BR>CopyExecutable<BR>CopyLibFiles</DIV>
<DIV dir=ltr> </DIV>
<DIV dir=ltr># copy ldd and library files<BR># \
==========================<BR>currExecutable=${LDD_PATH}<BR>CopyExecutable<BR>CopyLibFiles</DIV>
<DIV dir=ltr><BR># copy ksh and library files<BR># \
=========================<BR>currExecutable=${KSH_PATH1}<BR>CopyExecutable<BR>CopyLibFiles<BR>currExecutable=${KSH_PATH2}<BR>CopyExecutable<BR>CopyLibFiles</DIV>
<DIV dir=ltr> </DIV>
<DIV dir=ltr># copy pwd and library files<BR># \
=========================<BR>currExecutable=${PWD_PATH1}<BR>CopyExecutable<BR>CopyLibFiles<BR>currExecutable=${PWD_PATH2}<BR>CopyExecutable<BR>CopyLibFiles</DIV>
<DIV dir=ltr> </DIV>
<DIV dir=ltr><BR># copy file(s) from /etc<BR># ====================<BR>mkdir -p \
${CHROOTPATH}/etc<BR>cp -p /etc/passwd ${CHROOTPATH}/etc</DIV> <DIV \
dir=ltr> </DIV> <DIV dir=ltr># create home directory in jail<BR># \
=============================<BR>mkdir -p ${CHROOTPATH}/${USER_HOME_DIR}<BR>chown \
${USER_NAME}:${GROUP_NAME} ${CHROOTPATH}/${USER_HOME_DIR}<BR>echo "Remember to edit \
/etc/passwd with absolute path to jailed home dir: \
${CHROOTPATH}/${USER_HOME_DIR}"</DIV> <DIV dir=ltr> </DIV>
<DIV dir=ltr># copy ld.so.1<BR># ============<BR>cp -p /usr/lib/ld.so.1 \
${CHROOTPATH}/usr/lib/</DIV> <DIV dir=ltr> </DIV>
<DIV dir=ltr># create /dev/null in jail<BR># ========================<BR>mkdir -p \
${CHROOTPATH}/dev<BR>cp -p /dev/null ${CHROOTPATH}/dev</DIV></DIV> <DIV dir=ltr><BR>
<HR tabIndex=-1>
<FONT face=Tahoma size=2><B>From:</B> rssh-discuss-bounces@lists.sourceforge.net on \
behalf of Derek Martin<BR><B>Sent:</B> Tue 8/22/2006 2:36 PM<BR><B>To:</B> \
rssh-discuss@lists.sourceforge.net<BR><B>Subject:</B> Re: chroot() failed, 2: Not \
owner<BR></FONT><BR></DIV> <DIV>
<P><FONT size=2>On Tue, Aug 22, 2006 at 02:36:00PM -0400, Martin, Russell \
wrote:<BR>> > The user does not need to own the jail, and they don't need \
write<BR>> > access to the root of the jail. The permissions on the jail \
just need<BR>> > to be sufficient for them to read the directory, i.e. \
r-x.<BR>><BR>> Okay. But, I've tested this and retested it and the behavior \
I've<BR>> described is consistent. If sftp-server (the copy inside the \
jail)<BR>> is suid root, then sftp works.<BR><BR>Sure, root can do \
anything... You are giving your users root<BR>privileges within your \
jail. NOT GOOD!<BR><BR>> If sftp-server is not suid root and the user \
logging in owns the<BR>> jail then things work. I have not found any other \
combination where<BR>> sftp will work. This is a Solaris 8 box I'm testing on. Any \
ideas as<BR>> to why things are behaving this way for me?<BR><BR>Well, it seems \
like it's almost certainly some kind of permissions<BR>problem in your jail. \
For starters, with the sftp_server binary not<BR>SUID (and of course the \
rssh_chroot_helper IS set SUID), does it still<BR>fail with "chroot() failed, 2: Not \
owner"?<BR><BR>Without seeing your config, passwd file, and having access to \
the<BR>directory permissions in your tree, I can't really make any guesses.<BR><BR>If \
you post your config, I can certainly poke at it... I don't<BR>necessarily need \
to see your passwd file (which shouldn't have any<BR>passwords in it, of course)... \
but that would help. And I'd<BR>definitely need the output of \
this:<BR><BR> cd $ROOT_OF_JAIL; find . -type d -maxdepth 1 -exec ls -ld {} \
\;<BR><BR>My usual consulting fee is $100/hr, but since you packaged rssh \
for<BR>Solaris, I'll give you the special price of $125/hr. \
;-)<BR><BR>--<BR>Derek D. Martin<BR><A \
href="http://www.pizzashack.org/">http://www.pizzashack.org/</A><BR>GPG Key ID: \
0x81CFE75D<BR><BR></FONT></P></DIV></BODY></HTML>
[Attachment #4 (--===============0286820217==)]
-------------------------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
_______________________________________________
rssh-discuss mailing list
rssh-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rssh-discuss
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic