
setting up a jail user

Jdamian
Respected Contributor

setting up a jail user

Hi.

I'm trying to set up a jail user (for instance, "mark").

I created a /jail tree in which I added some directories and files such as usr, var, etc, tmp, etc/profile, etc/passwd, etc/group, usr/bin/su (and its shared libraries), and sbin/sh.

I installed sudo to run:

sudo /usr/sbin/chroot /jail su - mark

but 'su' command reports:

su: Unknown id: mark

I copied /etc/passwd and /etc/group files into the jail tree.

Any ideas?

Mark Grant
Honored Contributor

Re: setting up a jail user

I've not actually tried this ever, but I would have thought that the idea would be to put

"sudo /usr/sbin/chroot /jail /usr/bin/sh"

in Mark's .profile and not use the su command.
Never precede any demonstration with anything more predictive than "watch this"
Massimo Bianchi
Honored Contributor

Re: setting up a jail user

Looks correct.

What are the permissions of passwd and group?

Massimo
Jdamian
Respected Contributor

Re: setting up a jail user

Permissions for the passwd and group files are 444.

Mark, I want to use the 'su' command in order to make the jail user log into the system as a default user (HOME dir, .profile), not as a jail user.
Mark Grant
Honored Contributor

Re: setting up a jail user

Hi,

Presumably, if they were running a chrooted shell from their .profile then all the environments would be set up as you wanted.

However, where exactly are you issuing this command then? Because if you have the su - mark in Mark's .profile you might have a bit of a circular problem :)
Jdamian
Respected Contributor

Re: setting up a jail user

No Mark, there is no circular problem.

When the user logs into the system, his /home/mark/.profile runs the sudo command. Sudo runs 'su - mark', but this 'su' command is executed inside the jail tree (not the real root tree), in which there is a /home/mark dir containing another .profile.
Mark Grant
Honored Contributor

Re: setting up a jail user

Aaaah, I see :)

I told you I'd never tried this before :)

In that case, I'd suspect that the password file you are using might have a typo in it or something. Maybe "sudo /usr/sbin/chroot /jail pwck" might help.
Jdamian
Respected Contributor

Re: setting up a jail user

'pwck' reports the same results whether executed as normal root or as jail root. But grpck doesn't.

If grpck is executed as normal root, no error is reported. But if jail root runs 'grpck', a lot of errors are reported. It looks like grpck doesn't recognize users listed in grpck. An example of this error message is:

root::0:root
root - Logname not found in password file

other::1:root,hpdb
root - Logname not found in password file
hpdb - Logname not found in password file

Moreover, if 'id' is executed by jail root, group names aren't displayed:

# id
uid=0() gid=3() groups=0()

('id' executed by normal root is OK.)

I think the grpck and id commands use something else that is not available in the jail tree, but I cannot guess what it is...
Jdamian
Respected Contributor

Re: setting up a jail user

Good news guys...

I found on the Internet a document related to this issue.

http://www.tjw.org/chroot-login-HOWTO/

In this doc there are some interesting remarks about needed libraries:

NOTE: at least with Slackware, for some reason the library /lib/libnss_compat.so.2 is not listed as a required lib for su, but it IS needed!
NOTE: On RedHat 7.x systems, not only do you have to build a new su binary but you must copy /lib/libnss_files.so.2 and /lib/libnsl.so.1 (as well as /lib/libnss_compat.so.2) to the chroot /lib directory even though they don't show up in 'ldd su'. Thanks to Arnstein Ressem and others for figuring this out.

Then I copied libnss_files.1 into the jail root file system, and the errors reported by the su, id and grpck commands in the jail environment (listed above) disappeared.

I suspect that if other name resolution methods are used, other libnss_* libraries are required.
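A small checker for the pieces this thread found a chroot tree needs before su and id work: the passwd/group copies, the jail user resolvable from them, and the name-service library that ldd never lists. This is an added example, not code from the thread or the HOWTO; the library name list (libnss_files by default, extend with NSS_LIBS for libnss_compat on Linux) and the lib directories searched are assumptions, and it also flags a jail passwd copy that still carries unlocked password fields.

```sh
#!/bin/sh
# Added example, not from the thread: sanity-check a chroot tree for what
# su/id/grpck turned out to need. Library names and directories are
# assumptions; HP-UX (.1/.sl) and glibc (.so.N) suffixes both match.
# Usage: check_jail /jail mark   (prints what is missing, exit 0 if nothing)
NSS_LIBS=${NSS_LIBS:-libnss_files}

check_jail() {
    jail=$1; user=$2; missing=""
    for f in etc/passwd etc/group; do
        [ -f "$jail/$f" ] || missing="$missing $f"
    done
    # name-service libraries are loaded by the resolver at run time, so
    # ldd never lists them; without them su says "Unknown id" and id
    # prints uid=0() with empty names
    for lib in $NSS_LIBS; do
        found=0
        for d in lib lib64 usr/lib usr/lib64; do
            for p in "$jail/$d"/$lib.*; do [ -e "$p" ] && found=1; done
        done
        [ $found -eq 1 ] || missing="$missing $lib"
    done
    if [ -f "$jail/etc/passwd" ]; then
        # the jail user must resolve from the jail's own passwd copy ...
        gid=$(awk -F: -v u="$user" '$1==u{print $4; exit}' "$jail/etc/passwd")
        [ -n "$gid" ] || missing="$missing passwd-entry:$user"
        # ... and its primary group from the jail's group copy
        if [ -n "$gid" ] && [ -f "$jail/etc/group" ]; then
            awk -F: -v g="$gid" '$3==g{ok=1} END{exit !ok}' "$jail/etc/group" \
                || missing="$missing group-entry:$gid"
        fi
        # a straight copy of the host passwd carries every account, and any
        # hash in field 2, into the tree; the jail copy should be locked
        n=$(awk -F: '$2!="" && $2!="*" && $2!="x"{c++} END{print c+0}' \
            "$jail/etc/passwd")
        [ "$n" -eq 0 ] || missing="$missing unlocked-entries:$n"
    fi
    printf '%s\n' "${missing# }"
    [ -z "$missing" ]
}
```

Run it as the user that owns the tree, before the first chroot, and again after every library copy; a clean run prints nothing.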