Date:      Sat, 22 Aug 2015 16:54:09 +0200
From:      Rainer Duffner <rainer@ultra-secure.de>
To:        Brandon Allbery <allbery.b@gmail.com>
Cc:        Johan Hendriks <joh.hendriks@gmail.com>, freebsd-stable <freebsd-stable@freebsd.org>
Subject:   Re: SSH Chroot FreeBSD 10.1 and 10.2
Message-ID:  <F77B357B-3DD3-40AC-A16F-027FAC9CA136@ultra-secure.de>
In-Reply-To: <CAKFCL4V=bUiHo4Mtjw67sYRddC6fbodS3koYg5qZkExr6BueRw@mail.gmail.com>
References:  <55D879DA.1070407@gmail.com> <CAKFCL4V=bUiHo4Mtjw67sYRddC6fbodS3koYg5qZkExr6BueRw@mail.gmail.com>


> On 22.08.2015 at 15:45, Brandon Allbery <allbery.b@gmail.com> wrote:
> 
> On Sat, Aug 22, 2015 at 9:32 AM, Johan Hendriks <joh.hendriks@gmail.com>
> wrote:
> 
> chroot is what it says on the tin: once set, the specified directory is
> "/". Every file accessed from that point on MUST be available from a tree
> in which the specified chroot directory is "/". This includes symlinks ---
> symlink resolution doesn't get to see outside the specified "/" any more
> than anything else running in the chroot does, so you cannot simply symlink
> to a file outside the chroot. (Hard links are fine, since they are actually
> by inode number; they just have to be on the same partition.)


I found it’s much easier to have actual chroot’ed ssh users once the users
themselves are in an LDAP directory.
Also, for doing anything useful on that shell, it turned out you need some
more devices in /dev than the usual chroot (like a chroot’ed PHP-FPM, that
just needs the dev-set of jail(4)).
And a couple of symlinks.

I’ve done this once for a customer (chroot’ed ssh accounts) and unless this
gets easier in the future, I’ve made a note to myself to not do that again
any time soon.

I hadn’t thought of just using /rescue (I would nullfs-mount it into your
target directory, else you’ve got to copy it again every time you run
freebsd-update).
But in my php-fpm chroots, I also need stuff from packages (ImageMagick,
most notably).
I end up nullfs-mounting most of the system (except /sbin directories) into
the various chroots, but I was always looking for a better approach.

It’s all a bit of a hack, with lots of stuff borrowed from ezjail ;-)

The big advantage of using nullfs mounts is that I don’t have to think
about updating the chroots if I update the packages (except
/var/run/ld-elf*).


Thinking about this: now that we have pkg - would pkg -c (chroot) also
create the SQLite DB inside the chroot?



Regards,
Rainer
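The symlink rule quoted above (an absolute link target is resolved against the chroot's own "/", ".." never climbs above it, and hard links need no resolution at all) can be checked on a prepared chroot tree before sshd is pointed at it. The Python below is an added example, not code from this thread: it builds a constructed sample tree, resolves every symlink the way a chrooted process would see it, and reports the ones that dangle inside the chroot.

```python
import os
import tempfile

def resolve_in_chroot(root, path, max_links=40):
    """Resolve an absolute in-chroot `path` as the kernel does for a chrooted
    process. Returns the host-side path reached, or None if it dangles."""
    pending = [p for p in path.split("/") if p]  # components still to walk
    done = []                                     # in-chroot components resolved
    hops = 0
    while pending:
        comp = pending.pop(0)
        if comp == ".":
            continue
        if comp == "..":
            if done:
                done.pop()                 # at the chroot root ".." stays put
            continue
        host = os.path.join(root, *done, comp)
        if os.path.islink(host):
            hops += 1
            if hops > max_links:           # symlink loop protection
                return None
            target = os.readlink(host)
            if target.startswith("/"):     # absolute target restarts at chroot "/"
                done = []
            pending = [p for p in target.split("/") if p] + pending
            continue
        if not os.path.lexists(host):
            return None                    # missing component: dangling
        done.append(comp)
    return os.path.join(root, *done)

def audit_chroot_symlinks(root):
    """Map each symlink (in-chroot path) to the host path it reaches from
    inside the chroot, or None when it dangles there."""
    report = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            host = os.path.join(dirpath, name)
            if os.path.islink(host):
                inside = "/" + os.path.relpath(host, root)
                report[inside] = resolve_in_chroot(root, inside)
    return report

def build_demo_tree():
    """Constructed sample chroot (hypothetical content, not a real system)."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "usr/bin"))
    os.makedirs(os.path.join(root, "bin"))
    with open(os.path.join(root, "usr/bin/sh"), "w") as f:
        f.write("#!/bin/sh\n")
    os.symlink("/usr/bin/sh", os.path.join(root, "bin/sh"))               # fine
    os.symlink("/etc/passwd", os.path.join(root, "bin/passwd"))           # host path: dangles
    os.symlink("../../../../etc/hosts", os.path.join(root, "bin/hosts"))  # clamped: dangles
    os.link(os.path.join(root, "usr/bin/sh"), os.path.join(root, "bin/hardsh"))
    return root
```

Run `audit_chroot_symlinks` on the real ChrootDirectory and treat every None entry as a link that must be retargeted or replaced by a hard link or nullfs mount.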


