From: Hideyuki KURASHINA <rushani@FreeBSD.org>
Date: Mon, 15 Jan 2007 21:12:24 +0900 (JST)
To: list@museum.rain.com
Cc: freebsd-questions@freebsd.org
Subject: Re: /dev/null in a chroot
Message-Id: <20070115.211224.41626423.rushani@FreeBSD.org>
In-Reply-To: <20070113025439.GA63533@ns.umpquanet.com>

Thank you for describing the issue. Could you please file a PR so that
this useful suggestion is not missed?

Regards,

>>> On Fri, 12 Jan 2007 18:54:39 -0800, James Long said:

> > Date: Sun, 07 Jan 2007 20:03:40 -0400
> > From: "Marc G. Fournier"
> > Subject: Re: /dev/null in a chroot
> > To: Michael Grant , FreeBSD Questions
> >
> > #!/bin/sh
> > /sbin/devfs -m $1 rule apply hide
> > /sbin/devfs -m $1 rule apply path null unhide
> >
> > where $1 == the dev directory you mount within the chroot environment ...
>
> This issue is currently biting users of /usr/ports/security/scponly
> also, I believe.
>
> I'm finding that recently-created scponlyc chroots do not permit sftp
> login, although they do allow ftp login. The client symptom is just:
>
> $ sftp newuser@www
> Connecting to www...
> Password:
> Connection closed
> $
>
> The cause appears to be that recent versions of
> /usr/libexec/sftp-server will complain about lack of access to
> /dev/null and exit, resulting in the closed connection witnessed by
> the remote client.
>
> The solution appears to be to create a devfs in the scponlyc chroot.
>
> This is a little disappointing, as scponlyc used to be delightfully
> lightweight and low-maintenance. At this point, my understanding is
> that the devfs requirement means that now I must run a script at boot
> time that iterates through a list of chroot'ed users and creates dev
> nodes within each jail. scponlyc jails were previously a
> set-and-forget type of setup.
>
> What is the proper mechanism for setting up an arbitrary number of
> scponlyc chroots at boot time? /usr/share/examples/etc/devfs.conf
> doesn't show an example of how to apply these rules to a non-default
> dev path. I have chosen to put a script in /usr/local/etc/rc.d.
>
> In case other scponly users are reading this in the archives, the
> manual method that works for me with 6.2-PRE and scponly-4.6_1 is:
>
> # cd ~user
> # mkdir -p dev
> # mount_devfs devfs dev
> # devfs -m dev rule -s 1 applyset
> # devfs -m dev rule -s 2 applyset
>
> One then sees:
>
> # ls -l dev
> total 0
> crw-rw-rw-  1 root  wheel    0,   6 Jan 12 17:15 null
> crw-rw-rw-  1 root  wheel    0,  12 Jan 10 07:57 random
> lrwxr-xr-x  1 root  wheel          6 Jan 12 16:54 urandom@ -> random
> crw-rw-rw-  1 root  wheel    0,   7 Jan 10 15:57 zero
>
> which is more than enough to appease /usr/libexec/sftp-server.
>
> chroots created some months ago contain lib versions with numbers
> typically one less, such as ./usr/lib/libssh.so.2 in the older
> chroot, versus ./usr/lib/libssh.so.3 in the newer. The older
> scponly chroots do not require devfs nodes! I suspect they will
> eventually break though, given enough time.
>
> Given that scponlyc provides a setup_chroot.sh script that provides
> hooks for OS-specific chroot setup steps, would it help the port
> maintainer to provide the shell script below? I have it installed
> in /usr/local/etc/rc.d/scponlyc.sh.
>
>
> Jim
>
>
> #!/bin/sh
>
> # script to create devfs filesystems at boot time for scponlyc
> # chroot'ed users. We will read /etc/shells to determine
> # where scponlyc is installed. Then we'll iterate through
> # each user in /etc/passwd to find users whose shell is set to
> # scponlyc. For each such user found, we will create a
> # minimal devfs under ~/dev.
>
> # Path of the scponlyc shell, taken from the last matching line of
> # /etc/shells; empty if scponlyc is not registered there.
> SCPONLYC=$(/usr/bin/grep "/scponlyc$" /etc/shells 2>/dev/null | /usr/bin/tail -1)
>
>
> make_devfs() {
>     # $1 is the user name whose home directory needs a minimal
>     # devfs created. If ~/dev is not a directory, it will be
>     # deleted and replaced with a directory.
>
>     eval DEV="~$1/dev"
>     # Unmount any devfs instances left over from a previous run.
>     while /sbin/umount "${DEV}" 2>/dev/null; do :; done
>     [ -h "${DEV}" ] && rm "${DEV}"
>     [ -f "${DEV}" ] && rm "${DEV}"
>     mkdir -p "${DEV}"
>     # Ruleset 1 hides everything, ruleset 2 unhides the basic nodes
>     # (null, zero, random, urandom). Unmount again if either fails.
>     if /sbin/mount_devfs devfs "${DEV}"; then
>         /sbin/devfs -m "${DEV}" rule -s 1 applyset || /sbin/umount "${DEV}" 2>/dev/null
>         /sbin/devfs -m "${DEV}" rule -s 2 applyset || /sbin/umount "${DEV}" 2>/dev/null
>     fi
> }
>
>
> scponly_startup() {
>     # $1 is the path to the /etc/passwd file
>
>     if [ "x${SCPONLYC}" = "x" ]; then
>         echo "scponlyc is not defined in /etc/shells" >&2
>         exit 1
>     fi
>
>     # Skip comment lines, then emit "user shell" pairs from fields 1 and 7.
>     /usr/bin/grep -v "^[[:space:]]*#" "$1" |
>     /usr/bin/awk -F: '{print $1 " " $7}' |
>     while read USER SHELL; do
>         if [ "x${SHELL}" = "x${SCPONLYC}" ]; then
>             make_devfs "${USER}"
>         fi
>     done
> }
>
>
> case "$1" in
> start)
>     scponly_startup "/etc/passwd"
>     echo -n ' scponlyc'
>     ;;
> *)
>     echo "Usage: `basename "$0"` start" >&2
>     ;;
> esac
>
> exit 0

-- 
rushani
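An added example, not code from the thread or from the scponly port: a POSIX sh audit that finds scponlyc users by reading the home directory from passwd field 6 (avoiding the `eval "~$1"` expansion of a user-controlled string in the posted script) and then checks that each chroot's dev directory exposes only the four nodes the hide_all/unhide_basic rulesets are expected to leave visible. File paths are passed as arguments so the functions can be run against constructed sample files; the allow-list of node names is an assumption taken from the `ls -l dev` output above.

```shell
#!/bin/sh
# Added example: audit scponlyc chroot devfs mounts. Not part of the thread.

# Print "user home" for every passwd entry whose shell ends in /scponlyc.
# $1 = passwd file, $2 = shells file (arguments instead of /etc paths so
# the functions can be exercised against sample files).
scponlyc_users() {
    shell=$(grep '/scponlyc$' "$2" 2>/dev/null | tail -1)
    [ -n "$shell" ] || return 1
    awk -F: -v sh="$shell" '
        /^[ \t]*#/ { next }          # skip comment lines
        $7 == sh   { print $1, $6 }  # user and home directory, no eval
    ' "$1"
}

# Nodes that ruleset 1 (hide all) followed by ruleset 2 (unhide basic) are
# expected to leave visible; assumed from the ls -l output in the thread.
ALLOWED_NODES="null zero random urandom"

# Fail if the chroot dev directory is missing or holds anything beyond the
# allow-list (e.g. a disk or tty node leaking into the jail).
audit_dev() {
    [ -d "$1" ] || { echo "missing dev dir: $1" >&2; return 1; }
    rc=0
    for entry in "$1"/* "$1"/.[!.]*; do
        [ -e "$entry" ] || [ -L "$entry" ] || continue   # unmatched glob
        name=${entry##*/}
        case " $ALLOWED_NODES " in
            *" $name "*) ;;
            *) echo "unexpected node in $1: $name" >&2; rc=1 ;;
        esac
    done
    return $rc
}

# Audit ~/dev of every scponlyc user; non-zero if any chroot fails.
audit_all() {
    rc=0
    scponlyc_users "$1" "$2" | while read -r user home; do
        audit_dev "$home/dev" || exit 1
    done || rc=1
    return $rc
}
```

Run as `audit_all /etc/passwd /etc/shells` from cron or after the rc.d script has mounted the chroot devfs instances; a non-zero exit means a jail is exposing nodes it should not.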