topic Re: setting up a jail user in Operating System - HP-UX

setting up a jail user

Jdamian — Mon, 15 Dec 2003 06:48:46 GMT

Hi.

I'm trying to set up a jail user (for instance, "mark").

I created /jail tree in which I added some directories and files as usr, var, etc, tmp, etc/profile, etc/passwd, etc/group, usr/bin/su (and its shared libraries), sbin/sh.

I installed sudo to run:

sudo /usr/sbin/chroot /jail su - mark

but 'su' command reports:

su: Unknown id: mark

I copied /etc/passwd and /etc/group files into the jail tree.

Any ideas ?

Re: setting up a jail user

Mark Grant — Mon, 15 Dec 2003 07:02:39 GMT

Not actually tried this ever but I would have thought that the idea would be to put

"sudo /usr/sbin/chroot /jail /usr/bin/sh"

in Mark's .profile and not use the su command

Re: setting up a jail user

Massimo Bianchi — Mon, 15 Dec 2003 07:40:26 GMT

Looks correct.

What are the permission of passwd and groups ?

Massimo

Re: setting up a jail user

Jdamian — Mon, 15 Dec 2003 08:55:01 GMT

permissions for passwd and group files are 444

Mark, I want to use 'su' command in order to make jail user log into the system as a default user (HOME dir, .profile,), not as a jail user.

Re: setting up a jail user

Mark Grant — Mon, 15 Dec 2003 09:01:47 GMT

Hi,

Presumably, if they were running a chrooted shell from their .profile then all the environments would be set up as you wanted.

However, where exactly are you issuing this command then? Because if you have the su - mark in Marks .profile you might have a bit of a circular problem :)

Re: setting up a jail user

Jdamian — Mon, 15 Dec 2003 09:06:14 GMT

No Mark, there is no circular problem.

When user logs into the system, its /home/mark/.profile runs sudo command. Sudo command runs 'su - mark' but this 'su' command is executed into the jail tree (not into the real root tree), in which there is a /home/mark dir containing another .profile.

Re: setting up a jail user

Mark Grant — Mon, 15 Dec 2003 09:09:57 GMT

Aaaah, I see :)

I told you I'd never tried this before :)

In that case, I'd suspect that the password file you are using might have a typo in it or something. Maybe "sudo /usr/sbin/chroot /jail pwck" might help.

Re: setting up a jail user

Jdamian — Mon, 15 Dec 2003 10:42:18 GMT

'pwck' reports the same results executed as normal root and as jail root. But grpck doesn't.

If grpck is executed as normal root, no error is reported. But if jail root runs 'grpck', a lot of errors are reported. It looks like grpck doesn't recognize users listed in grpck. An example of this error message is:

root::0:root
root - Logname not found in password file

other::1:root,hpdb
root - Logname not found in password file
hpdb - Logname not found in password file

Moreover, if 'id' is executed by jail root, group names aren't displayed:

# id
uid=0() gid=3() groups=0()

('id' executed by normal root, is OK)

I think grpck and id commands uses something else that is not available in jail tree but I cannot guess what it is...

Re: setting up a jail user

Jdamian — Tue, 16 Dec 2003 08:46:48 GMT

Good news guys...

I found in Internet a document related to this issue.

http://www.tjw.org/chroot-login-HOWTO/

In this doc there are some interesting remarks about needed libraries:

NOTE: at least with Slackware, for some reason the library /lib/libnss_compat.so.2 is not listed as a required lib for su, but it IS needed!
NOTE: On RedHat 7.x systems, not only do you have to build a new su binary but you must copy /lib/libnss_files.so.2 and /lib/libnsl.so.1 (as well as /lib/libnss_compat.so.2) to the chroot /lib directory even though they don't show up in 'ldd su'. Thanks to Arnstein Ressem and others for figuring this out.

Then I copied libnss_files.1 into the jail root file system... then errors reported by su, id and grpck commands in jail environment (and listed above) disappeared.

I suspect if other methods for name resolution are used, other libnss_* libraries are required.