Re: chroot error: /bin/csh: No such file or directory; trying to create customized livecd/dvd
Sent from my iPhone

On Dec 23, 2011, at 8:28 PM, Antonio Olivares <olivares14...@gmail.com> wrote:

> Dear folks,
>
> I am trying to build a simple livecd to learn more. I have successfully run some commands found here:
> http://www.secure-computing.net/wiki/index.php/FreeBSD/LiveCD
>
>   # cd /usr/src
>   # make buildworld DESTDIR=/usr/home/olivares/tmp/tmp/R/
>   # make installworld DESTDIR=/usr/home/olivares/tmp/tmp/R/
>   # make buildkernel DESTDIR=/usr/home/olivares/tmp/tmp/R/
>   # make installkernel DESTDIR=/usr/home/olivares/tmp/tmp/R/
>   # make distribution DESTDIR=/usr/home/olivares/tmp/tmp/R/
>
> All these commands are successful. I mount devfs as instructed in command
>
>   # mount -t devfs devfs /path/to/livecd/dev
>   # chroot /path/to/livecd
>
> ===
>   tricorehome# mount -t devfs devfs /usr/home/olivares/tmp/tmp/R/
>   tricorehome# chroot /usr/home/olivares/tmp/tmp/R/
>   chroot: /bin/csh: No such file or directory
> ===
>
> I have tried to use the freesbie script(s) by installing the freesbie port, but it failed and I asked questions but got few to no responses. I have tried to look for some scripts/SDK, like frenzy's to create the frenzy livecd, but have not been successful. There are few to no FreeBSD LiveCDs; the only one that has been working and updated is the GhostBSD one by Eric Turgeon. I see OpenBSD has several livecds/livedvds like jggimi, FuguITA, etc. to showcase it. NetBSD has one as well called Jibbed. FreeBSD has specialized ones like PfSense, Monowall, FreeNAS, Mahesha, and GhostBSD. Frenzy was apparently going to be maintained but no newer releases. I have gotten feedback that there exist mfsBSD by Martin Matruska, http://mfsbsd.vx.sk/, and druidbsd, http://sourceforge.net/projects/druidbsd/, but cannot do much with them :(
>
> I try to get my feet wet, but I get an error and can't seem to get around it :(
>
> Any thoughts, ideas, comments, observations?
>
> I just want to create a livecd/livedvd with customized packages to take my desktop everywhere,

That should be pretty easy with druidbsd as it gives you a convenient dumping-ground to throw extras. Note, however, that there is a very large code-drop around the corner that will bring about 1.5 years of enhancements in soon. So if it doesn't do quite what you want now, it may soon.

That being said, one of the things I feel makes DruidBSD unique is an insanely-customized mfsroot designed to break you out into the larger (and more expansive) ISO-9660 structure so that you -- as a developer of your own custom LiveCD -- CAN expand the functionality simply by dumping binaries and libs into the ISO-9660 structure while the mfsroot stays nice and compact. If you wanted to, you could add X windows even.

-- Devin

> I have tried several *BSD livecds out there, they are good, but I want to have the packages that I use and newer than FreeSBIE 2.0 and roFreeSBIE 1.3. I have seen the linux-live scripts [http://www.linux-live.org/] by Tomas M, and wonder if there exists such a utility in the *BSDs, a universal script to create a livecd/livedvd of a running BSD? If there is not any utility, how can I get around the error about /bin/csh, if it is apparently there:
>
>   tricorehome# which csh
>   /bin/csh
>
> so I can chroot to it and add packages/ports to customize the livecd/dvd I want to create?
>
> Regards,
> Antonio
>
> ___
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: chroot error: /bin/csh: No such file or directory; trying to create customized livecd/dvd
On 12/24/11 22:57, Antonio Olivares wrote:
>> I'll ask a stupid question, and you're more than welcome to give a stupid answer: Is /bin/csh actually _in_ your chroot? So csh should be this path: /usr/home/olivares/tmp/tmp/R/bin/csh
>>
>> HTH
>
>   tricorehome# pwd
>   /usr/home/olivares/tmp/tmp/R
>   tricorehome# ls -l /bin/csh
>   -r-xr-xr-x  2 root  wheel  369288 Apr  2  2011 /bin/csh
>
> I am not sure if it is there now :(

I think you may have missed something there- you do realise that even though you've changed directory, you haven't chrooted. So when you run ls -l /bin/csh it is still checking your system root- not the chroot. Sometimes a single typo can cause huge hassles, eh? :)

Try:

  cd /usr/home/olivares/tmp/tmp/R
  ls -l bin/csh

Watch the bin/csh- don't make it an absolute path by adding the root (/) at the beginning.
Re: chroot error: /bin/csh: No such file or directory; trying to create customized livecd/dvd
> I'll ask a stupid question, and you're more than welcome to give a stupid answer: Is /bin/csh actually _in_ your chroot? So csh should be this path: /usr/home/olivares/tmp/tmp/R/bin/csh
>
> HTH

  tricorehome# pwd
  /usr/home/olivares/tmp/tmp/R
  tricorehome# ls -l /bin/csh
  -r-xr-xr-x  2 root  wheel  369288 Apr  2  2011 /bin/csh

I am not sure if it is there now :(

Thanks,
Antonio
Re: chroot error: /bin/csh: No such file or directory; trying to create customized livecd/dvd
On Sat, Dec 24, 2011 at 7:03 AM, Da Rock <freebsd-questi...@herveybayaustralia.com.au> wrote:
> On 12/24/11 22:57, Antonio Olivares wrote:
>>> I'll ask a stupid question, and you're more than welcome to give a stupid answer: Is /bin/csh actually _in_ your chroot? So csh should be this path: /usr/home/olivares/tmp/tmp/R/bin/csh
>>>
>>> HTH
>>
>>   tricorehome# pwd
>>   /usr/home/olivares/tmp/tmp/R
>>   tricorehome# ls -l /bin/csh
>>   -r-xr-xr-x  2 root  wheel  369288 Apr  2  2011 /bin/csh
>>
>> I am not sure if it is there now :(
>
> I think you may have missed something there- you do realise that even though you've changed directory, you haven't chrooted. So when you run ls -l /bin/csh it is still checking your system root- not the chroot. Sometimes a single typo can cause huge hassles, eh? :)
>
> Try:
>
>   cd /usr/home/olivares/tmp/tmp/R
>   ls -l bin/csh
>
> Watch the bin/csh- don't make it an absolute path by adding the root (/) at the beginning.

I am trying to do what you have suggested; it appears that /bin/csh is not present in the /usr/home/olivares/tmp/tmp/R directory :(

  tricorehome# ls /usr/home/olivares/tmp/tmp/
  R
  tricorehome# ls -l /usr/home/olivares/tmp/tmp/
  total 2
  drwxr-xr-x  17 root  wheel  512 Dec 23 21:56 R
  tricorehome# ls -l /usr/home/olivares/tmp/tmp/R/
  total 46
  -rw-r--r--   2 root  wheel   798 Dec 23 21:56 .cshrc
  -rw-r--r--   2 root  wheel   265 Dec 23 21:56 .profile
  -r--r--r--   1 root  wheel  6200 Dec 23 21:56 COPYRIGHT
  drwxr-xr-x   2 root  wheel  1024 Dec 23 21:30 bin
  drwxr-xr-x   7 root  wheel   512 Dec 23 21:56 boot
  dr-xr-xr-x   2 root  wheel   512 Dec 23 21:30 dev
  drwxr-xr-x  20 root  wheel  2048 Dec 23 21:56 etc
  drwxr-xr-x   3 root  wheel  1536 Dec 23 21:30 lib
  drwxr-xr-x   2 root  wheel   512 Dec 23 21:31 libexec
  drwxr-xr-x   2 root  wheel   512 Dec 23 21:30 media
  drwxr-xr-x   2 root  wheel   512 Dec 23 21:30 mnt
  dr-xr-xr-x   2 root  wheel   512 Dec 23 21:30 proc
  drwxr-xr-x   2 root  wheel  2560 Dec 23 21:30 rescue
  drwxr-xr-x   2 root  wheel   512 Dec 23 21:56 root
  drwxr-xr-x   2 root  wheel  2560 Dec 23 21:31 sbin
  lrwxr-xr-x   1 root  wheel    11 Dec 23 21:30 sys -> usr/src/sys
  drwxrwxrwt   2 root  wheel   512 Dec 23 21:30 tmp
  drwxr-xr-x  14 root  wheel   512 Dec 23 21:31 usr
  drwxr-xr-x  22 root  wheel   512 Dec 23 21:30 var
  tricorehome# ls -l /usr/home/olivares/tmp/tmp/R/bin/
  total 1692
  -r-xr-xr-x  2 root  wheel   11472 Dec 23 21:30 [
  -r-xr-xr-x  1 root  wheel   11448 Dec 23 21:30 cat
  -r-xr-xr-x  1 root  wheel    7912 Dec 23 21:30 chflags
  -r-xr-xr-x  1 root  wheel   17576 Dec 23 21:30 chio
  -r-xr-xr-x  1 root  wheel    8392 Dec 23 21:30 chmod
  -r-xr-xr-x  1 root  wheel   21304 Dec 23 21:30 cp
  -r-xr-xr-x  2 root  wheel  369288 Dec 23 21:30 csh
  -r-xr-xr-x  1 root  wheel   18440 Dec 23 21:30 date
  -r-xr-xr-x  1 root  wheel   22104 Dec 23 21:30 dd
  -r-xr-xr-x  1 root  wheel   13920 Dec 23 21:30 df
  -r-xr-xr-x  1 root  wheel    5704 Dec 23 21:30 domainname
  -r-xr-xr-x  1 root  wheel    5592 Dec 23 21:30 echo
  -r-xr-xr-x  2 root  wheel   56880 Dec 23 21:30 ed
  -r-xr-xr-x  1 root  wheel   16408 Dec 23 21:30 expr
  -r-xr-xr-x  1 root  wheel   10336 Dec 23 21:30 getfacl
  -r-xr-xr-x  1 root  wheel    5840 Dec 23 21:30 hostname
  -r-xr-xr-x  1 root  wheel    7128 Dec 23 21:30 kenv
  -r-xr-xr-x  1 root  wheel    7640 Dec 23 21:30 kill
  -r-xr-xr-x  2 root  wheel   11368 Dec 23 21:30 link
  -r-xr-xr-x  2 root  wheel   11368 Dec 23 21:30 ln
  -r-xr-xr-x  1 root  wheel   30496 Dec 23 21:30 ls
  -r-xr-xr-x  1 root  wheel    7152 Dec 23 21:30 mkdir
  -r-xr-xr-x  1 root  wheel   13576 Dec 23 21:30 mv
  -r-xr-xr-x  1 root  wheel   95448 Dec 23 21:30 pax
  -r-xr-xr-x  2 root  wheel   16520 Dec 23 21:30 pgrep
  -r-xr-xr-x  2 root  wheel   16520 Dec 23 21:30 pkill
  -r-xr-xr-x  1 root  wheel   43312 Dec 23 21:30 ps
  -r-xr-xr-x  1 root  wheel    7128 Dec 23 21:30 pwait
  -r-xr-xr-x  1 root  wheel    5696 Dec 23 21:30 pwd
  -r-sr-xr-x  1 root  wheel   20416 Dec 23 21:30 rcp
  -r-xr-xr-x  1 root  wheel    5456 Dec 23 21:30 realpath
  -r-xr-xr-x  2 root  wheel   56880 Dec 23 21:30 red
  -r-xr-xr-x  2 root  wheel   15880 Dec 23 21:30 rm
  -r-xr-xr-x  1 root  wheel   72744 Dec 23 21:30 rmail
  -r-xr-xr-x  1 root  wheel    5784 Dec 23 21:30 rmdir
  -r-xr-xr-x  1 root  wheel   18832 Dec 23 21:30 setfacl
  -r-xr-xr-x  1 root  wheel  136696 Dec 23 21:30 sh
  -r-xr-xr-x  1 root  wheel    5448 Dec 23 21:30 sleep
  -r-xr-xr-x  1 root  wheel   22608 Dec 23 21:30 stty
  -r-xr-xr-x  1 root  wheel    4456 Dec 23 21:30 sync
  -r-xr-xr-x  2 root  wheel  369288 Dec 23 21:30 tcsh
  -r-xr-xr-x  2 root  wheel   11472 Dec 23 21:30 test
  -r-xr-xr-x  2 root  wheel
Re: chroot error: /bin/csh: No such file or directory; trying to create customized livecd/dvd
On 12/24/11 14:28, Antonio Olivares wrote:
> Dear folks,
>
> I am trying to build a simple livecd to learn more. I have successfully run some commands found here:
> http://www.secure-computing.net/wiki/index.php/FreeBSD/LiveCD
>
>   # cd /usr/src
>   # make buildworld DESTDIR=/usr/home/olivares/tmp/tmp/R/
>   # make installworld DESTDIR=/usr/home/olivares/tmp/tmp/R/
>   # make buildkernel DESTDIR=/usr/home/olivares/tmp/tmp/R/
>   # make installkernel DESTDIR=/usr/home/olivares/tmp/tmp/R/
>   # make distribution DESTDIR=/usr/home/olivares/tmp/tmp/R/
>
> All these commands are successful. I mount devfs as instructed in command
>
>   # mount -t devfs devfs /path/to/livecd/dev
>   # chroot /path/to/livecd
>
> ===
>   tricorehome# mount -t devfs devfs /usr/home/olivares/tmp/tmp/R/
>   tricorehome# chroot /usr/home/olivares/tmp/tmp/R/
>   chroot: /bin/csh: No such file or directory
> ===
>
> I have tried to use the freesbie script(s) by installing the freesbie port, but it failed and I asked questions but got few to no responses. I have tried to look for some scripts/SDK, like frenzy's to create the frenzy livecd, but have not been successful. There are few to no FreeBSD LiveCDs; the only one that has been working and updated is the GhostBSD one by Eric Turgeon. I see OpenBSD has several livecds/livedvds like jggimi, FuguITA, etc. to showcase it. NetBSD has one as well called Jibbed. FreeBSD has specialized ones like PfSense, Monowall, FreeNAS, Mahesha, and GhostBSD. Frenzy was apparently going to be maintained but no newer releases. I have gotten feedback that there exist mfsBSD by Martin Matruska, http://mfsbsd.vx.sk/, and druidbsd, http://sourceforge.net/projects/druidbsd/, but cannot do much with them :(
>
> I try to get my feet wet, but I get an error and can't seem to get around it :(
>
> Any thoughts, ideas, comments, observations?
>
> I just want to create a livecd/livedvd with customized packages to take my desktop everywhere. I have tried several *BSD livecds out there, they are good, but I want to have the packages that I use and newer than FreeSBIE 2.0 and roFreeSBIE 1.3. I have seen the linux-live scripts [http://www.linux-live.org/] by Tomas M, and wonder if there exists such a utility in the *BSDs, a universal script to create a livecd/livedvd of a running BSD? If there is not any utility, how can I get around the error about /bin/csh, if it is apparently there:
>
>   tricorehome# which csh
>   /bin/csh
>
> so I can chroot to it and add packages/ports to customize the livecd/dvd I want to create?

I'll ask a stupid question, and you're more than welcome to give a stupid answer: Is /bin/csh actually _in_ your chroot? So csh should be this path: /usr/home/olivares/tmp/tmp/R/bin/csh

HTH
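Da Rock's point, that every check has to look at bin/csh relative to the tree and never at /bin/csh on the host, is worth scripting before each chroot. The transcript also shows a second trap: the devfs mount in the original message targets /usr/home/olivares/tmp/tmp/R/ itself rather than R/dev, and a filesystem mounted over a non-empty directory hides everything beneath it until it is unmounted, so chroot then finds no /bin/csh at all. A third cause of the same "No such file or directory" from execve is a dynamically linked shell whose runtime linker (/libexec/ld-elf.so.1 on FreeBSD) is absent from the tree. The script below is an added example, not code from the thread or from the secure-computing.net wiki; the function names are mine, the path /usr/home/olivares/tmp/tmp/R and the default shell /bin/csh come from the thread, and the library check relies on the host's ldd(1), so it is an approximation when the tree was built for another ABI.

```sh
#!/bin/sh
# chroot preflight (added example, not from the thread).
# Usage: sh chroot_preflight.sh /usr/home/olivares/tmp/tmp/R [/bin/csh]
# Every test looks at "$ROOT$path", never at bare "$path", so the host's
# own /bin/csh cannot mask a missing one inside the tree.

# Print the shared libraries the binary under ROOT needs that are absent
# under ROOT. Uses the host's ldd; prints nothing if ldd is unavailable.
chroot_missing_libs() {
    root=${1%/}; bin=$2
    command -v ldd >/dev/null 2>&1 || return 0
    ldd "$root$bin" 2>/dev/null \
      | awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\/.*\.so/) print $i }' \
      | while read -r lib; do
            [ -e "$root$lib" ] || printf '%s\n' "$lib"
        done
}

# Return 0 when SHELL is present and executable inside ROOT and its
# dependencies are there too; otherwise explain on stderr and return 1.
chroot_preflight() {
    root=${1%/}; shell=${2:-/bin/csh}
    if [ ! -d "$root/" ]; then
        printf 'not a directory: %s\n' "$root" >&2; return 1
    fi
    if [ ! -x "$root$shell" ]; then
        printf 'missing inside the tree: %s%s (the host %s is irrelevant)\n' \
            "$root" "$shell" "$shell" >&2
        return 1
    fi
    # FreeBSD: ldd does not list the runtime linker, and a dynamic binary
    # without it fails with ENOENT for the binary itself.
    if [ -e /libexec/ld-elf.so.1 ] && [ ! -e "$root/libexec/ld-elf.so.1" ]; then
        printf 'missing runtime linker: %s/libexec/ld-elf.so.1\n' "$root" >&2
        return 1
    fi
    missing=$(chroot_missing_libs "$root" "$shell")
    if [ -n "$missing" ]; then
        printf 'libraries absent under %s:\n%s\n' "$root" "$missing" >&2
        return 1
    fi
    # devfs belongs on ROOT/dev; mounted on ROOT itself it hides the tree.
    if mount 2>/dev/null | grep -q "^devfs on $root "; then
        printf 'devfs is mounted on %s itself, not on %s/dev\n' "$root" "$root" >&2
        return 1
    fi
    return 0
}

# Run as a script: sh chroot_preflight.sh ROOT [SHELL]. Sourced, nothing runs.
if [ -n "${1:-}" ]; then
    chroot_preflight "$1" "${2:-/bin/csh}" && printf 'ok: chroot %s should start %s\n' "$1" "${2:-/bin/csh}"
fi
```

Running it against the tree in the thread before `mount -t devfs devfs .../R/dev` and `chroot .../R` turns the bare "No such file or directory" into a message naming which of the three conditions failed.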
Re: chroot scp only network storage?
On Tue, May 25, 2010 11:05 pm, Matthew Seaman wrote:
> Checkout the security/openssh-portable port which has options to enable chroot'ing. You should be able to configure the account to only be able to use scp(1) or sftp(1) by editing sshd_config or by using forced commands in the user authorized_keys files.

This sounds pretty close to what I want. I don't want the user to be able to get a shell on the box but do want to allow them to run a small subset of useful commands over ssh such as 'ls' and of course scp files to and from it.

> Another alternative is WebDAV. Run it over HTTPS for security, and use the standard Apache authn/authz controls to give each user access to only their own area. In principle your users can mount their WebDAV areas as networked filesystems on their desktops. In practice, this works fine with MacOS X, is horribly buggy under Windows, needs quite a lot of effort to make work on Linux, and I don't think it's actually available at all on FreeBSD. However, commandline clients like cadaver will work fine on anything Unixy.

I've had problems with exactly this before on linux. I only need to allow linux, FreeBSD and Solaris users access to this resource so will persevere with something SSH based I think.

Thanks,

Matt.
Re: chroot scp only network storage?
On Tue, May 25, 2010 11:23 pm, Balázs Mátéffy wrote:
> Hello,
>
> Try /usr/ports/shells/scponly. Look up the features; this way you can assign the restrictive scponly shell to the users:
> http://sublimation.org/scponly/wiki/index.php/Main_Page

Thanks, I have used this before on linux. In this case it might not be exactly what I want.

Thanks,

Matt
Re: chroot scp only network storage?
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 25/05/2010 22:29:57, Matthew Law wrote:
> I want to provide some users with secure network attached storage over SCP. The intent is to provide people with a similar thing to, e.g. rsync.net but inside of our network only. Security is obviously a priority so I would like each user to be chrooted into their allocated directory and allow them only to execute a small set of commands.

Checkout the security/openssh-portable port which has options to enable chroot'ing. You should be able to configure the account to only be able to use scp(1) or sftp(1) by editing sshd_config or by using forced commands in the user authorized_keys files.

> I have come across scponly before. Is this the best way of achieving this with FreeBSD or is there some other better way?

Another alternative is WebDAV. Run it over HTTPS for security, and use the standard Apache authn/authz controls to give each user access to only their own area. In principle your users can mount their WebDAV areas as networked filesystems on their desktops. In practice, this works fine with MacOS X, is horribly buggy under Windows, needs quite a lot of effort to make work on Linux, and I don't think it's actually available at all on FreeBSD. However, commandline clients like cadaver will work fine on anything Unixy.

Cheers

Matthew

- -- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
JID: matt...@infracaninophile.co.uk               Kent, CT11 9PW

-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.14 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkv8ScYACgkQ8Mjk52CukIyLRQCginYWfMA2AJKnxZs9rvXlg7qf
CnUAnj668eKglbUe8RIfp8actDj13gYe
=jATZ
-----END PGP SIGNATURE-----
Re: chroot scp only network storage?
Hello,

Try /usr/ports/shells/scponly. Look up the features; this way you can assign the restrictive scponly shell to the users:
http://sublimation.org/scponly/wiki/index.php/Main_Page

Best Regards:
Balázs Mátéffy

On 26 May 2010 00:05, Matthew Seaman <m.sea...@infracaninophile.co.uk> wrote:
> On 25/05/2010 22:29:57, Matthew Law wrote:
>> I want to provide some users with secure network attached storage over SCP. The intent is to provide people with a similar thing to, e.g. rsync.net but inside of our network only. Security is obviously a priority so I would like each user to be chrooted into their allocated directory and allow them only to execute a small set of commands.
>
> Checkout the security/openssh-portable port which has options to enable chroot'ing. You should be able to configure the account to only be able to use scp(1) or sftp(1) by editing sshd_config or by using forced commands in the user authorized_keys files.
>
>> I have come across scponly before. Is this the best way of achieving this with FreeBSD or is there some other better way?
>
> Another alternative is WebDAV. Run it over HTTPS for security, and use the standard Apache authn/authz controls to give each user access to only their own area. In principle your users can mount their WebDAV areas as networked filesystems on their desktops. In practice, this works fine with MacOS X, is horribly buggy under Windows, needs quite a lot of effort to make work on Linux, and I don't think it's actually available at all on FreeBSD. However, commandline clients like cadaver will work fine on anything Unixy.
>
> Cheers
>
> Matthew
Re: chroot a few apps
2010/1/9 Vadkan Jozsef <jozsi.avad...@gmail.com>
> Hi.
>
> What kind of chroot should I use, if I want to make a more secured desktop, running e.g.:
>   pdf reader
>   webbrowser
>   audio player
>   video player
>   openoffice
>   picture viewer
>   mua
>   ooo
>   virtualbox
>
> e.g.: if there's a javascript vulnerability in google chrome [I haven't heard of a NoScript extension for it :( ] a chroot would be good for stopping it from doing something bad with the whole system. Or e.g.: I have to open a .doc file that I don't trust, or a PDF can contain malicious code :(
>
> Any tips/docs/howtos?
>
> Thank you!

The best way might be to look at implementing the TrustedBSD MAC system. It's a bit hairy though and would take a while to get your head around.
Re: chroot SSH users.
On Sunday 27 December 2009 18:16:47 krad wrote:
> fairly easy if you read the man page 8)
>
> I wrote this howto for sun boxes at work but it was using openssh so the same rules should apply. Make sure chroot support was compiled in though.
>
> 1. Don't bother with sun ssh, it won't work. Opensolaris and later solaris 10 are bundled with openssh though.
> 2. Make sure the openssh version is 5 or above (some 4s do work but 5 is better).
> 3. Add these lines to sshd config:
>
>   Match Group sftponly
>       ChrootDirectory /home/chroot/%u
>       X11Forwarding no
>       AllowTcpForwarding no
>       ForceCommand internal-sftp
>
> 4. Make sure the Subsystem line is this:
>
>   Subsystem sftp internal-sftp
>
> 5. Create the sftponly group on the system.
> 6. Put the relevant users in this group. Be careful as you will stop them being able to ssh in!!
> 7. Dead important this bit !!!
>
>   mkdir -p /home/chroot/user/home/user/.ssh
>   chown -R root /home/chroot/user
>   chown -R user /home/chroot/user

Shouldn't this line be:

  chown -R user /home/chroot/user/home/user

>   chmod -R 755 /home/chroot/user /home/chroot/user/home/user
>   ln -s /home/chroot/user/home/user /home/.
>
> 8. Put their ssh keys in /home/chroot/user/home/user/.ssh
>
> All should now work.
Re: chroot SSH users.
2009/12/28 Tijl Coosemans <t...@coosemans.org>
> On Sunday 27 December 2009 18:16:47 krad wrote:
>> fairly easy if you read the man page 8)
>>
>> I wrote this howto for sun boxes at work but it was using openssh so the same rules should apply. Make sure chroot support was compiled in though.
>>
>> 1. Don't bother with sun ssh, it won't work. Opensolaris and later solaris 10 are bundled with openssh though.
>> 2. Make sure the openssh version is 5 or above (some 4s do work but 5 is better).
>> 3. Add these lines to sshd config:
>>
>>   Match Group sftponly
>>       ChrootDirectory /home/chroot/%u
>>       X11Forwarding no
>>       AllowTcpForwarding no
>>       ForceCommand internal-sftp
>>
>> 4. Make sure the Subsystem line is this:
>>
>>   Subsystem sftp internal-sftp
>>
>> 5. Create the sftponly group on the system.
>> 6. Put the relevant users in this group. Be careful as you will stop them being able to ssh in!!
>> 7. Dead important this bit !!!
>>
>>   mkdir -p /home/chroot/user/home/user/.ssh
>>   chown -R root /home/chroot/user
>>   chown -R user /home/chroot/user
>
> Shouldn't this line be:
>
>   chown -R user /home/chroot/user/home/user

Strictly yes, I probably missed a step where I symlinked it, as I was copying stuff from the shell history.

>>   chmod -R 755 /home/chroot/user /home/chroot/user/home/user
>>   ln -s /home/chroot/user/home/user /home/.
>>
>> 8. Put their ssh keys in /home/chroot/user/home/user/.ssh
>>
>> All should now work.
Re: chroot SSH users.
2009/12/27 Marwan Sultan <dead_l...@hotmail.com>
> Dear Krad,
>
> Thank you for your reply. Regarding your answer, I have a few questions here:
>
> 1- In the sshd_config file the default line is:
>
>   Subsystem sftp /usr/libexec/sftp-server
>
> So should I comment out the line? Or just add your line?
>
>   Subsystem sftp internal-sftp

Either should work, however I only know that the one I put works.

> 2- The SSH is the default one that comes with FreeBSD; I of course did not compile SSH in the system. Are you asking me to install additional packages? Or to recompile ssh, when you wrote: "Make sure chroot support was compiled in"?

Default should probably be ok, but again I haven't actually tested it so can't say for certain. If you do ever upgrade the base ssh from ports make sure you have the chroot bit compiled in.

> 3- SSH users are using passwords not keygen; where do I get the keys for their login?
>
> Thank you
> - Marwan

You don't need to use key based auth, but I generally do. The users have to create them with ssh-keygen. I usually use dsa. If you support windows users stay away from puttygen. It does work fine, it's just that it tends to generate keys in the wrong format which often leads to confusion.

>> Hello people,
>>
>> I'm on FreeBSD 7.2-R P5. It's easy to chroot ftp users - adding users to /etc/ftpchroot makes the job easy. How about if I want to chroot the SSH users (not ftp)? Any easy way? No need for jail installation or anything like this. I saw the sshd_config file and it has a chrootdirectory but not sure how to use it.
>>
>> Anyone? Any tips? Any easy way?
>>
>> Thank you
>> -Marwan
>
> fairly easy if you read the man page 8)
>
> I wrote this howto for sun boxes at work but it was using openssh so the same rules should apply. Make sure chroot support was compiled in though.
>
> 1. Don't bother with sun ssh, it won't work. Opensolaris and later solaris 10 are bundled with openssh though.
> 2. Make sure the openssh version is 5 or above (some 4s do work but 5 is better).
> 3. Add these lines to sshd config:
>
>   Match Group sftponly
>       ChrootDirectory /home/chroot/%u
>       X11Forwarding no
>       AllowTcpForwarding no
>       ForceCommand internal-sftp
>
> 4. Make sure the Subsystem line is this:
>
>   Subsystem sftp internal-sftp
>
> 5. Create the sftponly group on the system.
> 6. Put the relevant users in this group. Be careful as you will stop them being able to ssh in!!
> 7. Dead important this bit !!!
>
>   mkdir -p /home/chroot/user/home/user/.ssh
>   chown -R root /home/chroot/user
>   chown -R user /home/chroot/user
>   chmod -R 755 /home/chroot/user /home/chroot/user/home/user
>   ln -s /home/chroot/user/home/user /home/.
>
> 8. Put their ssh keys in /home/chroot/user/home/user/.ssh
>
> All should now work. If not, check /etc/shadow; the account might be locked, this just caught me out :)
Re: chroot SSH users.
2009/12/27 Marwan Sultan <dead_l...@hotmail.com>
> Hello people,
>
> I'm on FreeBSD 7.2-R P5. It's easy to chroot ftp users - adding users to /etc/ftpchroot makes the job easy. How about if I want to chroot the SSH users (not ftp)? Any easy way? No need for jail installation or anything like this. I saw the sshd_config file and it has a chrootdirectory but not sure how to use it.
>
> Anyone? Any tips? Any easy way?
>
> Thank you
> -Marwan

fairly easy if you read the man page 8)

I wrote this howto for sun boxes at work but it was using openssh so the same rules should apply. Make sure chroot support was compiled in though.

1. Don't bother with sun ssh, it won't work. Opensolaris and later solaris 10 are bundled with openssh though.
2. Make sure the openssh version is 5 or above (some 4s do work but 5 is better).
3. Add these lines to sshd config:

  Match Group sftponly
      ChrootDirectory /home/chroot/%u
      X11Forwarding no
      AllowTcpForwarding no
      ForceCommand internal-sftp

4. Make sure the Subsystem line is this:

  Subsystem sftp internal-sftp

5. Create the sftponly group on the system.
6. Put the relevant users in this group. Be careful as you will stop them being able to ssh in!!
7. Dead important this bit !!!

  mkdir -p /home/chroot/user/home/user/.ssh
  chown -R root /home/chroot/user
  chown -R user /home/chroot/user
  chmod -R 755 /home/chroot/user /home/chroot/user/home/user
  ln -s /home/chroot/user/home/user /home/.

8. Put their ssh keys in /home/chroot/user/home/user/.ssh

All should now work. If not, check /etc/shadow; the account might be locked, this just caught me out :)
RE: chroot SSH users.
Dear Krad,

Thank you for your reply. Regarding your answer, I have a few questions here:

1- In the sshd_config file the default line is:

  Subsystem sftp /usr/libexec/sftp-server

So should I comment out the line? Or just add your line?

  Subsystem sftp internal-sftp

2- The SSH is the default one that comes with FreeBSD; I of course did not compile SSH in the system. Are you asking me to install additional packages? Or to recompile ssh, when you wrote: "Make sure chroot support was compiled in"?

3- SSH users are using passwords not keygen; where do I get the keys for their login?

Thank you
- Marwan

>> Hello people,
>>
>> I'm on FreeBSD 7.2-R P5. It's easy to chroot ftp users - adding users to /etc/ftpchroot makes the job easy. How about if I want to chroot the SSH users (not ftp)? Any easy way? No need for jail installation or anything like this. I saw the sshd_config file and it has a chrootdirectory but not sure how to use it.
>>
>> Anyone? Any tips? Any easy way?
>>
>> Thank you
>> -Marwan
>
> fairly easy if you read the man page 8)
>
> I wrote this howto for sun boxes at work but it was using openssh so the same rules should apply. Make sure chroot support was compiled in though.
>
> 1. Don't bother with sun ssh, it won't work. Opensolaris and later solaris 10 are bundled with openssh though.
> 2. Make sure the openssh version is 5 or above (some 4s do work but 5 is better).
> 3. Add these lines to sshd config:
>
>   Match Group sftponly
>       ChrootDirectory /home/chroot/%u
>       X11Forwarding no
>       AllowTcpForwarding no
>       ForceCommand internal-sftp
>
> 4. Make sure the Subsystem line is this:
>
>   Subsystem sftp internal-sftp
>
> 5. Create the sftponly group on the system.
> 6. Put the relevant users in this group. Be careful as you will stop them being able to ssh in!!
> 7. Dead important this bit !!!
>
>   mkdir -p /home/chroot/user/home/user/.ssh
>   chown -R root /home/chroot/user
>   chown -R user /home/chroot/user
>   chmod -R 755 /home/chroot/user /home/chroot/user/home/user
>   ln -s /home/chroot/user/home/user /home/.
>
> 8. Put their ssh keys in /home/chroot/user/home/user/.ssh
>
> All should now work. If not, check /etc/shadow; the account might be locked, this just caught me out :)
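Step 7 of krad's howto first gives the chroot to root and then, with `chown -R user /home/chroot/user`, hands the whole tree back to the user, which is what Tijl's correction is about: sshd refuses to chroot unless the ChrootDirectory and every directory above it are owned by root and are neither group- nor world-writable, and logs "bad ownership or modes for chroot directory" instead of starting the session. The nested `/home/chroot/user/home/user` layout exists because sshd reads authorized_keys from the passwd home (`/home/user`, outside the chroot, hence the `ln -s`) while the sftp session starts in `/home/user` as seen from inside the chroot. The script below is an added example and not from the thread: a checker that walks from the chroot up to `/` applying the rule sshd applies, a setup function that lays the tree out the way the howto intends (root-owned chroot, user-owned home beneath it), the sshd_config fragment from the howto with the Subsystem and Match lines, and the per-key forced-command form Matthew Seaman mentions in the "chroot scp only network storage" thread. The group name sftponly and the /home/chroot/%u layout come from the howto; the function names, the stat invocations, and the pw(8) calls are mine. The setup function needs root and is not run unless invoked.

```sh
#!/bin/sh
# sftp chroot helper (added example, not from the thread).
# Works with GNU stat (Linux) and BSD stat (FreeBSD).

# Print "uid mode" for a path, e.g. "0 755" or "1001 1777".
owner_and_mode() {
    stat -c '%u %a' "$1" 2>/dev/null || stat -f '%u %OLp' "$1"
}

# Return 0 when an octal mode string has the group or other write bit set.
writable_by_others() {
    m=$(printf '%04d' "$1")               # 755 -> 0755, 1777 -> 1777
    g=$(printf '%s' "$m" | cut -c 3)
    o=$(printf '%s' "$m" | cut -c 4)
    case "$g$o" in *[2367]*) return 0 ;; esac
    return 1
}

# Walk from DIR up to /, applying sshd's rule for ChrootDirectory: every
# component must be owned by root and must not be group/world writable.
# Prints one line per violation and returns 1 if there were any.
check_chroot_path() {
    dir=$1; rc=0
    while :; do
        set -- $(owner_and_mode "$dir")
        [ "$1" = 0 ] || { printf '%s: owned by uid %s, must be root\n' "$dir" "$1"; rc=1; }
        writable_by_others "$2" && { printf '%s: mode %s is group/world writable\n' "$dir" "$2"; rc=1; }
        [ "$dir" = / ] && break
        dir=$(dirname "$dir")
    done
    return $rc
}

# Lay out /home/chroot/USER as the howto intends. Needs root. The chroot and
# the home/ below it stay root-owned 755; only the user's own home is theirs.
make_sftp_chroot() {
    user=$1; base=${2:-/home/chroot}
    mkdir -p "$base/$user/home/$user/.ssh"
    chown root "$base" "$base/$user" "$base/$user/home"
    chmod 755 "$base" "$base/$user" "$base/$user/home"
    chown -R "$user" "$base/$user/home/$user"
    chmod 700 "$base/$user/home/$user/.ssh"
    # sshd reads authorized_keys via the passwd home, outside the chroot
    [ -e "/home/$user" ] || ln -s "$base/$user/home/$user" "/home/$user"
    pw groupadd sftponly 2>/dev/null || true      # FreeBSD pw(8)
    pw groupmod sftponly -m "$user"
    check_chroot_path "$base/$user"
}

# sshd_config fragment from the howto (Subsystem line plus Match block).
sshd_config_fragment() {
    cat <<'EOF'
Subsystem sftp internal-sftp

Match Group sftponly
    ChrootDirectory /home/chroot/%u
    ForceCommand internal-sftp
    X11Forwarding no
    AllowTcpForwarding no
EOF
}

# Per-key alternative (forced command in authorized_keys): pin one public key
# to sftp with no shell, pty or forwarding. $1 is the public key line.
authorized_keys_line() {
    printf 'command="internal-sftp",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty %s\n' "$1"
}
```

`check_chroot_path /home/chroot/user` run after the howto's step 7 as written reports /home/chroot/user as owned by the user, which is exactly the condition sshd rejects; after the corrected `chown -R user /home/chroot/user/home/user` it reports nothing and returns 0.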
Re: Chroot/jail mechanism in ssh and sftp connections
Thanks for the suggestion. I intend to study this possible solution, but to save time I'd like to ask you some questions. With this software, can I control which accounts from the unix passwd file will be able to log in? If there is a symbolic link in the home directory (jail/chroot) that points to anywhere out of it, will the users be able to use this symlink? Will they go out from their jail/chroot directory this way?

Derek Ragona wrote:
> At 10:28 AM 4/10/2007, Thiago Esteves de Oliveira wrote:
>> Hello, I want to use the chroot/jail mechanism in users' ssh and sftp connections. I've read some tutorials and possible solutions to jail/chroot the users into their own home directories. One is to install the openssh-portable (with chroot option turned on) from the ports collection. I've installed the openssh-portable, but the jail/chroot mechanism didn't work. I think it requires some configuration in its sshd_config file, but I'm not sure because I have found nothing about jail/chroot in the openssh (sshd_config) man pages.
>
> I have implemented a similar setup using vsftpd from the ports. It works well for secure ftp when used with the filezilla client. You can limit the ftp commands in the vsftpd configuration file so users cannot get out of their home directories, which chroots them there. You do need to add one thing to the accounts, which is to change their home directory in /etc/passwd, adding an additional dot. For instance, if a user's home directory is:
>
>     /home/user
>
> you'd need to change it to:
>
>     /home/./user
>
> vsftpd is well documented and relatively easy to get set up and running.
>
> -Derek
Re: Chroot/jail mechanism in ssh and sftp connections
At 11:20 AM 4/11/2007, Thiago Esteves de Oliveira wrote:
> Thanks for the suggestion. I intend to study this possible solution, but to save time I'd like to ask you some questions. With this software, can I control which accounts from the unix passwd file will be able to log in?

Yes, just set the shell to a non-login shell for users you don't want to give shell access. Typically I set those users' shell to:

    /usr/bin/false

> If there is a symbolic link in the home directory (jail/chroot) that points to anywhere out of it, will the users be able to use this symlink? Will they go out from their jail/chroot directory this way?

You can actually specify what ftp commands are allowed in the vsftpd.conf file. In one server I manage I have set:

    cmds_allowed=PASV,RETR,QUIT,USER,PASS,STOR,CDDN,CWD,LIST,GET,PUT,DIR,PWD,SYST,LS,TYPE,DELE,FEAT,PBSZ,PROT

But you'd probably want to remove any symlinks that shouldn't be there.

> Derek Ragona wrote:
>> At 10:28 AM 4/10/2007, Thiago Esteves de Oliveira wrote:
>>> Hello, I want to use the chroot/jail mechanism in users' ssh and sftp connections. I've read some tutorials and possible solutions to jail/chroot the users into their own home directories. One is to install the openssh-portable (with chroot option turned on) from the ports collection. I've installed the openssh-portable, but the jail/chroot mechanism didn't work. I think it requires some configuration in its sshd_config file, but I'm not sure because I have found nothing about jail/chroot in the openssh (sshd_config) man pages.
>>
>> I have implemented a similar setup using vsftpd from the ports. It works well for secure ftp when used with the filezilla client. You can limit the ftp commands in the vsftpd configuration file so users cannot get out of their home directories, which chroots them there. You do need to add one thing to the accounts, which is to change their home directory in /etc/passwd, adding an additional dot. For instance, if a user's home directory is:
>>
>>     /home/user
>>
>> you'd need to change it to:
>>
>>     /home/./user
>>
>> vsftpd is well documented and relatively easy to get set up and running.
>>
>> -Derek
Re: Chroot/jail mechanism in ssh and sftp connections
Thanks, I think this is the solution for the sftp connections using the jail/chroot mechanism.

Derek Ragona wrote:
> At 11:20 AM 4/11/2007, Thiago Esteves de Oliveira wrote:
>> Thanks for the suggestion. I intend to study this possible solution, but to save time I'd like to ask you some questions. With this software, can I control which accounts from the unix passwd file will be able to log in?
>
> Yes, just set the shell to a non-login shell for users you don't want to give shell access. Typically I set those users' shell to:
>
>     /usr/bin/false
>
>> If there is a symbolic link in the home directory (jail/chroot) that points to anywhere out of it, will the users be able to use this symlink? Will they go out from their jail/chroot directory this way?
>
> You can actually specify what ftp commands are allowed in the vsftpd.conf file. In one server I manage I have set:
>
>     cmds_allowed=PASV,RETR,QUIT,USER,PASS,STOR,CDDN,CWD,LIST,GET,PUT,DIR,PWD,SYST,LS,TYPE,DELE,FEAT,PBSZ,PROT
>
> But you'd probably want to remove any symlinks that shouldn't be there.
>
>> Derek Ragona wrote:
>>> At 10:28 AM 4/10/2007, Thiago Esteves de Oliveira wrote:
>>>> Hello, I want to use the chroot/jail mechanism in users' ssh and sftp connections. I've read some tutorials and possible solutions to jail/chroot the users into their own home directories. One is to install the openssh-portable (with chroot option turned on) from the ports collection. I've installed the openssh-portable, but the jail/chroot mechanism didn't work. I think it requires some configuration in its sshd_config file, but I'm not sure because I have found nothing about jail/chroot in the openssh (sshd_config) man pages.
>>>
>>> I have implemented a similar setup using vsftpd from the ports. It works well for secure ftp when used with the filezilla client. You can limit the ftp commands in the vsftpd configuration file so users cannot get out of their home directories, which chroots them there. You do need to add one thing to the accounts, which is to change their home directory in /etc/passwd, adding an additional dot. For instance, if a user's home directory is:
>>>
>>>     /home/user
>>>
>>> you'd need to change it to:
>>>
>>>     /home/./user
>>>
>>> vsftpd is well documented and relatively easy to get set up and running.
>>>
>>> -Derek
Re: Chroot/jail mechanism in ssh and sftp connections
At 10:28 AM 4/10/2007, Thiago Esteves de Oliveira wrote:
> Hello, I want to use the chroot/jail mechanism in users' ssh and sftp connections. I've read some tutorials and possible solutions to jail/chroot the users into their own home directories. One is to install the openssh-portable (with chroot option turned on) from the ports collection. I've installed the openssh-portable, but the jail/chroot mechanism didn't work. I think it requires some configuration in its sshd_config file, but I'm not sure because I have found nothing about jail/chroot in the openssh (sshd_config) man pages.

I have implemented a similar setup using vsftpd from the ports. It works well for secure ftp when used with the filezilla client. You can limit the ftp commands in the vsftpd configuration file so users cannot get out of their home directories, which chroots them there. You do need to add one thing to the accounts, which is to change their home directory in /etc/passwd, adding an additional dot. For instance, if a user's home directory is:

    /home/user

you'd need to change it to:

    /home/./user

vsftpd is well documented and relatively easy to get set up and running.

-Derek
Re: chroot, performance security
On Wed, Dec 27, 2006 at 10:16:31AM +0100, VeeJay wrote:
> Hi
>
> I have made partitions on my web server like: at the very outer edges of the disks I have /, then /var, /tmp, /usr and in the end /home, since I read that data modified or used often should be placed as close to the outer edges as possible. So, I am having all logs (apache, ftp, mysql and other logs) under /var/logs, and I have all my mysql DBs under /var/mysql/db.
>
> But if for security reasons I want to chroot apache, mysql and ftp under /home, then along with all executables and libraries I have to move all logs and DBs under /home/chroot. But then I think, if I move all these data from /var... do I lose performance?

You need not have created so many partitions, because it is going to hurt you now when you have to chroot. :)

Apache running under chroot means a lot of things. OpenBSD has done it by default and it means that all the files that users host have to be under the chroot. All the DSOs have to be accessible as well.

chrooting ftp or sftp is not much trouble. I think a simple google search will tell you how to run sftp under chroot. I would suggest that along with chrooting ftp. mysql should not give you much trouble, but then I never use it. I am a postgresql guy...

Best of luck!

regards,
Girish

- When your mind is purified like a mirror, knowledge is reflected in it. Adi Sankaracharya, Hindu saint
Re: chroot and /dev
On Thu, Dec 15, 2005 at 07:18:11PM +, Dieter wrote:
> How does one provide one or two devices, e.g. /dev/null for a chroot environment? Device nodes created by mknod do not work. mount_devfs creates an entire device tree, negating the security of the chroot.

See the jail manpage (jail is better than chroot if security is your goal).

Kris
Re: chroot jail and syslogd
I have a very similar setup with bind run inside a chroot jail. I experience a similar problem if I set up named to use /var/run/log. I commented it out and put "syslog daemon" in its place and it works like a champ. Sadly, I've not found the time to spend figuring out why it doesn't work otherwise.

Jerry
http://www.syslog.org

    channel audit_log {
        // Send the security related messages to a separate file.
        file "/var/run/log";
        severity debug;
        print-time yes;
    };
Re: chroot
On Thu, Jul 18, 2002 at 10:22:59PM -0400, Michael Sharp wrote:
> I installed ( or so I thought ) a chroot env last night and ran into some difficulties. Could someone very familiar with openssh/chroot glance over http://probsd.ws/chroot.txt and tell me what I did wrong please? chroot.txt is an EXTREMELY detailed example of what I did, and script output of the ssh connection to the chroot.

Hmmm... you are almost reinventing the concept of jail(8) here, which might be a better solution for you. The main difference from what you're doing is that a jailed sshd process would get its own separate IP number.

Some things you might find useful:

i) Copy /dev/MAKEDEV into your chrooted area and use that to create the device files you need:

    cp -p /dev/MAKEDEV /home/chrootuser/dev
    sh /home/chrootuser/dev/MAKEDEV jail

--- the `jail' target should get you an appropriate set of devices.

ii) Set up an additional logging socket in your chroot area and modify your syslogd flags to pick up syslog messages from there. You'll also need a copy of /etc/localtime in the chroot area so that your syslog messages get the correct timestamp:

    mkdir -p /home/chrootuser/var/run
    cp -p /etc/localtime /home/chrootuser/etc/localtime
    cp /etc/rc.conf /etc/rc.conf.bak
    echo 'syslogd_flags="-s -l /home/chrootuser/var/run/log"' >> /etc/rc.conf
    kill `cat /var/run/syslogd.pid`
    /usr/sbin/syslogd -s -l /home/chrootuser/var/run/log

You can then turn up the logging level in /home/chrootuser/etc/ssh/sshd_config by altering the LogLevel value: a LogLevel of DEBUG3 will give you a great deal of output showing a blow by blow account of just about everything the sshd does.

iii) Make sure you can resolve addresses in the DNS from your chroot environment. It should be sufficient to copy over /etc/resolv.conf:

    cp -p /etc/resolv.conf /home/chrootuser/etc/resolv.conf

iv) If you want to be able to run ps(1) from the chroot area, then you need to mount a procfs(5) file system inside your chroot area. This isn't really necessary for sshd to operate correctly though:

    cp /etc/fstab /etc/fstab.bak
    cat <<EOF >> /etc/fstab
    proc    /home/chrootuser/proc    procfs    rw    0    0
    EOF
    mount /home/chrootuser/proc

cheers,

Matthew

--
Dr Matthew J Seaman MA, D.Phil.    26 The Paddocks
                                   Savill Way
Tel: +44 1628 476614               Marlow
Fax: +44 0870 0522645              Bucks., SL7 1TH UK

To Unsubscribe: send mail to [EMAIL PROTECTED] with unsubscribe freebsd-security in the body of the message
Re: chroot
How very interesting...

For a start, you can't copy devices with cp--you need something smarter like tar, cpio, ... Pretty much anything that could be used for backups should understand the niceties of copying a device. As an alternative you could use mknod to create them.

Here is how to do it with cpio:

    cd /dev
    find null random urandom -print | cpio -pdmuv /home/chrootuser/dev/

and then compare the results with ls -l to make sure you're happy.

Specifically, using cp to copy /dev/null is a method of creating a new empty file, or completely emptying out an existing file.

Secondly, are you sure you weren't connected? If you could use control-d to terminate the connection it looks to me like you were connected but had no prompt. Control-d is an end of file indicator; when you give it to a shell that means there are no more commands. Since the sole purpose of a shell is to let you execute commands, this results in it terminating (as it does for any program that primarily processes input). However end of file is only meaningful if it's read by something. It doesn't generate any sort of signal to catch the attention of a hung program.

Try connecting again and typing a command that should work, like "/bin/ls /bin" or even something more basic like "set" (which is builtin to all the shells). If you get something, you're connected.

Tony

--
Tony Landells [EMAIL PROTECTED]
Senior Network Engineer                   Ph: +61 3 9677 9319
Australian Clearing Services Pty Ltd      Fax: +61 3 9677 9355
Level 4, Rialto North Tower
525 Collins Street
Melbourne VIC 3000
Australia
Re: chroot versus jail for the name daemon
On Sat, Jun 12, 2004 at 12:53:41PM +0100, Robert Downes wrote:
> Questions (for the old and wise):
>
> So, are there any FreeBSD-internals masters who can answer the following:
>
> 1) What happens if named is broken with neither chroot nor jail, assuming named is running as user and group bind (rather than as root)?
> 2) What happens if named is broken while using chroot?
> 3) What happens if named is broken while in a jail, and how is this less dangerous than using chroot?

Without the restriction of the named process either by using jail(8) or chroot(2), anyone that can subvert the BIND process (presumably by some sort of buffer overflow exploit) would be able to write files anywhere on the system. That means an attacker can set things up so that they can log in remotely as the bind UID, and once an attacker has local access to your system, breaking root is a lot easier for them.

Now, that assumes that there is a buffer overflow or some such in named(8) that a remote user can exploit. Unfortunately it has been shown again and again that in any project of the scale of BIND, such things are almost impossible to avoid.

chroot'ing named does limit the damage that an attacker can do if they break in via named -- there won't be any tools within the chroot'ed area that an attacker can use, or any simple means whereby they can copy those tools onto the system via the network.

The same thing goes for thin jails, but the tendency does seem to be for many jails to be set up as fat -- ie. essentially complete BSD environments. People will say, quite accurately, that even if an attacker can break root in the jail, they don't automatically get to break root in the host system. However, you should ask yourself if breaking root in the host system is something an attacker would necessarily need to do, given that they have managed to take over the almost equivalent resources of the fat jail.

The thing about these sorts of security measures is not that they offer an absolute guarantee that your system is unhackable -- no one can promise that. The idea is to make attacking your system so difficult and unrewarding that the black-hats go away and attack someone else instead. However, all of those measures take up system resources and management effort: it's a matter of judgement as to whether the costs of imposing such things pay off the benefits of the increased security.

My personal judgement is that the chroot(2) function built into named(8) is easy to implement, costs virtually nothing to manage compared to not doing it, and is well worth the bother and sufficient for the sort of low impact domains I'm running.

Even so, the prime security danger with named is not subversion of the named process, but poisoning the actual DNS database itself. Securing against that sort of thing is another kettle of fish -- there's a good article or two at:

    http://www.boran.com/security/sp/bind9_20010430.html

> Also, can FreeBSD run as a gateway with NAT while using a jail? A jail needs its own IP address, and that seems to interfere with the way other services need to be configured.

It can, but it is quite a bit more complex to manage, and there's the whole 'split horizon' problem to deal with. (ie. you can create a jail to contain a webserver on your NAT gateway, and you can make it accessible either to your internal networks or to the Internet at large, but making it accessible to both is rather harder.)

If you are particularly concerned about security, then it's a good idea to keep your NAT gateway/firewall machine as simple as possible. Ideally, it should run *only* the NAT/firewalling service.

Cheers,

Matthew

--
Dr Matthew J Seaman MA, D.Phil.    26 The Paddocks
                                   Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey    Marlow
Tel: +44 1628 476614               Bucks., SL7 1TH UK
Re: chroot or jail?
- Original Message -
From: Kris Kennaway [EMAIL PROTECTED]
To: Mark [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Thursday, April 01, 2004 10:47 AM
Subject: Re: chroot or jail?

>> Hello, I am setting up a new Apache 1.3.29; and I was wondering, should I use jail or chroot to secure it? I know root can potentially break out of chroot. But what about jail? (FreeBSD 4.9R-p3). Can you break out of a jail?
>
> No [1], that's the point :)

Well, we all know how things are meant to work. I mean, you're not supposed to be able to break out of a chroot either; yet this is still possible (some fchdir exploits with open directory file descriptors pointing outside the chrooted environment). So, I reiterate my question: do such exploits exist for jail too?

I particularly ask because of the chroot ability of mod_security (1.75). It chroots Apache, after having started it up. Neat trick. But my suspicious nature (not necessarily a bad trait in a system administrator) wonders how breakout-proof that method really is. Especially since Apache keeps quite a few file descriptors open, pointing outside the chrooted environment. So, I was contemplating that I am perhaps better off jailing Apache (with a real jail call), instead of chrooting it.

Cheers,

- Mark
Re: chroot or jail?
On Thu, Apr 01, 2004 at 08:02:04AM +, Mark wrote:
> Hello, I am setting up a new Apache 1.3.29; and I was wondering, should I use jail or chroot to secure it? I know root can potentially break out of chroot. But what about jail? (FreeBSD 4.9R-p3). Can you break out of a jail?

No [1], that's the point :)

Kris

[1] Modulo any implementation bugs, of course.
Re: chroot environment
On Sat, 6 Dec 2003 13:18:13 -0800 Nick Twaddell [EMAIL PROTECTED] wrote:
> I am trying to setup a chroot environment for some users. I rebuilt the environment inside their userdir, copied all the appropriate binaries, libs, etc. The part I am stumped on is how do you make it so their account gets chrooted on login, since chroot can only be executed by root. Some of the docs I found created a shell script that would sudo chroot and run it on login. I am just wondering what everyone else recommends.
>
> Thanks
> Nick Twaddell

Answer1: security/chrootuid.

Answer2: Build jail(8) environment, install sshd, for example, on each jail. Let each user login to the respective account.

horio shoichi
Re: chroot environment
If you've already built the environment, you're halfway to having a jail(8) - this extends chroot(8) by creating a private process tree and network interface. You can run an entire system inside a jail, including sshd(8) to accept logins.

For ftp logins, ftpd(8) has builtin support for chrooting certain users - see ftpchroot(5). There is also support for chrooting logins in the ssh.com version of sshd - I believe this is /usr/ports/security/ssh2, but I haven't checked.

Apart from this, I don't know a 'standard' way of doing it.

- Original Message -
From: Nick Twaddell [EMAIL PROTECTED]
Subject: chroot environment

> I am trying to setup a chroot environment for some users. I rebuilt the environment inside their userdir, copied all the appropriate binaries, libs, etc. The part I am stumped on is how do you make it so their account gets chrooted on login, since chroot can only be executed by root. Some of the docs I found created a shell script that would sudo chroot and run it on login. I am just wondering what everyone else recommends.
>
> Thanks
> Nick Twaddell
Re: chroot users
On Fri, Nov 14, 2003 at 10:38:39AM +0530, Sunil Sunder Raj typed:
> Hi,
>
> proftp is the best bet. It locks the user in his home directory, not allowing him to go below his home directory.

Why install a port when the base system ftpd can do the same thing? All you need to do is put the users you want chrooted in their homedir in /etc/ftpchroot.

    man ftpd

Ruben

> Regards
> SSR
>
> From: Shawn Guillemette [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Subject: chroot users
> Date: Thu, 13 Nov 2003 16:45:58 -0800
>
>> I want to chroot users to their home directories so that I can allow them to use FTP and not worry about someone going lower than their home dir.. looking for a howto or links that might help out.
>>
>> Shawn
Re: chroot users
On Thu, 13 Nov 2003, Shawn Guillemette wrote:
> I want to chroot users to their home directories so that I can allow them to use FTP and not worry about someone going lower than their home dir..

Hi,

If you are using Proftpd add DefaultRoot, or try changing their home directory to /home/./user. The extra dot should chroot them.

Rus

--
w: http://www.jvds.com   | Dedicated FreeBSD, Debian and RedHat Servers
e: [EMAIL PROTECTED]     | Donations made to Debian, FreeBSD
t: +44 7919 373537       | and Slackware
t: 1-888-327-6330        | email: [EMAIL PROTECTED]
Re: chroot users
In the immortal words of Shawn Guillemette [EMAIL PROTECTED]...
> I want to chroot users to their home directories so that I can allow them to use FTP and not worry about someone going lower than their home dir..

The default ftpd in FreeBSD works nicely, try looking in:

    man ftpchroot

Cheers

Tim

--
Tim Aslat [EMAIL PROTECTED]
Spyderweb Consulting http://www.spyderweb.com.au
P: +61 8 82243020    M: +61 0401088479
Re: chroot users
Hi,

proftp is the best bet. It locks the user in his home directory, not allowing him to go below his home directory.

Regards
SSR

From: Shawn Guillemette [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: chroot users
Date: Thu, 13 Nov 2003 16:45:58 -0800

> I want to chroot users to their home directories so that I can allow them to use FTP and not worry about someone going lower than their home dir.. looking for a howto or links that might help out.
>
> Shawn
Re: chroot and su user
On Fri, Oct 03, 2003 at 11:45:47AM -0400, Your Name wrote:
> Can you teach me what is the difference between chroot and su user

Even a cursory glance at the chroot(8) and su(1) man pages will answer this.

'chroot' is change root directory: that is, confine a process and all of its children to a subsection of the disk space.

'su' is substitute user identity -- run programs using the identity and credentials of a different user.

Cheers,

Matthew

--
Dr Matthew J Seaman MA, D.Phil.    26 The Paddocks
                                   Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey    Marlow
Tel: +44 1628 476614               Bucks., SL7 1TH UK
Re: Chroot directory for user not working
On Wed, Jul 30, 2003 at 12:08:17PM -0400, Jason Lieurance wrote:
> Hello, I know I'm not doing this right. I want to have a user who uses windows xp login to my freebsd 4.7 server with winscp and just have access (chroot) to the home directory I specify for them. I tried it like so:
>
> /etc/passwd file
>
>     user1:*:600:600:User for ssh ftp:/usr/home/./user1:/sbin/false
>
> ..and of course when you login with winscp it takes you to the regular system root. Any help would be appreciated as always.

Try the scponly port in shells/scponly.

--
Jason

mike

--
WHAT ARE YOU LOOKING AT??? - Pokey the Penguin from POKEY AND THE PARANOIA
Re: Chroot SSH
Steve Warwick [EMAIL PROTECTED] writes:
> I have been looking through the docs to see how I can chroot SSH sessions in the same way as FTP (using proftp). ie when a user logs in they can only play in their home directory. Is it possible?

Sure. man chroot(8). or jail(8).

To Unsubscribe: send mail to [EMAIL PROTECTED] with unsubscribe freebsd-questions in the body of the message
Re: chroot problem
On Sat, Oct 05, 2002 at 07:57:18PM -0500, Joseph Davida wrote:
> Any ideas why I am getting:
>
>     $ chroot /usr/compat/linux /bin/sh
>     chroot: /usr/compat/linux: Operation not permitted
>
> I am Using FreeBSD 4.6.2-RELEASE.
>
> Cheers,
> Joe

Permissions issue perhaps? What happens if you try it as root?

Josh
Re: chroot problem
On Sat, Oct 05, 2002 at 07:57:18PM -0500, Joseph Davida wrote:
> Any ideas why I am getting:
>
>     $ chroot /usr/compat/linux /bin/sh
>     chroot: /usr/compat/linux: Operation not permitted
>
> I am Using FreeBSD 4.6.2-RELEASE.

You can only chroot as the superuser.

Kris
Re: Chroot
rbash is the best option. I was quite successful with it.

- Original Message -
From: Gerard Samuel [EMAIL PROTECTED]
To: Brossin Pierrick [EMAIL PROTECTED]
Cc: FreeBSD Questions [EMAIL PROTECTED]
Sent: Tuesday, September 24, 2002 11:21 PM
Subject: Re: Chroot

> Your first half made total sense, and I was able to lock the root user in /home/developer when chroot was executed. Your second half however, is not clicking with me at the moment. Here is what I did:
>
> 1. Under /home/developer/bin create a new file (my_sh) with this -
>
>     #!/bin/sh
>     /home/developer/bin/sh chroot /home/developer/
>
> 2. Chmod the file 555, chown root:wheel
> 3. Enter vipw, and change the user developer shell to /home/developer/bin/my_sh
>
> With these modifications, I can ssh into the account, but I can still break root by cd'ing out of the home directory. Any advice would be greatly appreciated...
>
> Thanks
>
> Brossin Pierrick wrote:
>> Hi,
>>
>> || I'm trying to figure out how to restrict users from leaving their home
>> || directories.
>> || I would enter the new directory /usr/home/developer and issue the
>> || chroot command -
>> || hivemind# chroot /usr/home/developer
>> || chroot: /bin/csh: No such file or directory
>>
>> It's because a chrooted directory is like the root dir of your system ! You have to create 'bin' 'etc' and stuff into /usr/home/developer. You should also copy csh into /usr/home/developer/bin. Your chrooted system will be completely independent of your system. This means if the user developer logs on, he won't be able to access the real /etc for example. I hope I'm clear enough. www.google.com for more info .. just type in freebsd chroot.
>>
>> || What am I doing wrong??
>> || Also when this is set, how do I make it persist through reboots.
>> || Make my own script in /usr/local/etc/rc.d ???
>> || Thanks for any insight you may provide
>>
>> Just create a shell script and run it instead of running tcsh or sh or ... run 'vipw' and change it.
>>
>> Cya
>
> --
> Gerard Samuel
> http://www.trini0.org:81/
> http://dev.trini0.org:81/
RE: Chroot
[ snip ]
> With these modifications, I can ssh into the account, but I can still break root by cd'ing out of the home directory.

Hrm, aren't you supposed to soft mount the home directory to a blank place, e.g.

    mount /home/user /usr/local/chroots/user

at which point / is /usr/local/chroots/user which looks like /home/user? I dunno, never done it, but I did read a howto on it a little while back.

HTH
James
Re: Chroot
Hi,

|| I'm trying to figure out how to restrict users from leaving their home
|| directories.
|| I would enter the new directory /usr/home/developer and issue the
|| chroot command:
|| hivemind# chroot /usr/home/developer
|| chroot: /bin/csh: No such file or directory

It's because a chrooted directory is like the root dir of your system! You have to create 'bin', 'etc' and so on inside /usr/home/developer. You should also copy csh into /usr/home/developer/bin. Your chrooted system will be completely independent of your system. This means if the user developer logs on, he won't be able to access the real /etc, for example. I hope I'm clear enough. See www.google.com for more info; just type in "freebsd chroot".

|| What am I doing wrong??
|| Also when this is set, how do I make it persist through reboots?
|| Make my own script in /usr/local/etc/rc.d ???
|| Thanks for any insight you may provide

Just create a shell script and run it instead of running tcsh or sh or ... Run 'vipw' and change it.

Cya
Re: Chroot
Your first half made total sense, and I was able to lock the root user in /home/developer when chroot was executed. Your second half, however, is not clicking with me at the moment. Here is what I did:

1. Under /home/developer/bin create a new file (my_sh) with this:

       #!/bin/sh
       /home/developer/bin/sh
       chroot /home/developer/

2. chmod the file 555, chown root:wheel.

3. Enter vipw, and change the user developer's shell to /home/developer/bin/my_sh.

With these modifications, I can ssh into the account, but I can still break root by cd'ing out of the home directory. Any advice would be greatly appreciated...

Thanks

Brossin Pierrick wrote:

Hi,

|| I'm trying to figure out how to restrict users from leaving their home
|| directories.
|| I would enter the new directory /usr/home/developer and issue the
|| chroot command:
|| hivemind# chroot /usr/home/developer
|| chroot: /bin/csh: No such file or directory

It's because a chrooted directory is like the root dir of your system! You have to create 'bin', 'etc' and so on inside /usr/home/developer. You should also copy csh into /usr/home/developer/bin. Your chrooted system will be completely independent of your system. This means if the user developer logs on, he won't be able to access the real /etc, for example. I hope I'm clear enough. See www.google.com for more info; just type in "freebsd chroot".

|| What am I doing wrong??
|| Also when this is set, how do I make it persist through reboots?
|| Make my own script in /usr/local/etc/rc.d ???
|| Thanks for any insight you may provide

Just create a shell script and run it instead of running tcsh or sh or ... Run 'vipw' and change it.

Cya

-- 
Gerard Samuel
http://www.trini0.org:81/
http://dev.trini0.org:81/
Re: Chroot
Well, I figured out why my example below wouldn't work. So this is one for the archive, for others who may try what I was doing...

chroot can only be executed by root, and the shell is executed by the user logging in, thus a no go. So the method of using chroot and/or jail doesn't seem to make sense for what I'm trying to do. I'm going to explore the restricted bash method.

Thanks for your time...

Gerard Samuel wrote:

Your first half made total sense, and I was able to lock the root user in /home/developer when chroot was executed. Your second half, however, is not clicking with me at the moment. Here is what I did:

1. Under /home/developer/bin create a new file (my_sh) with this:

       #!/bin/sh
       /home/developer/bin/sh
       chroot /home/developer/

2. chmod the file 555, chown root:wheel.

3. Enter vipw, and change the user developer's shell to /home/developer/bin/my_sh.

With these modifications, I can ssh into the account, but I can still break root by cd'ing out of the home directory. Any advice would be greatly appreciated...

Thanks

Brossin Pierrick wrote:

Hi,

|| I'm trying to figure out how to restrict users from leaving their home
|| directories.
|| I would enter the new directory /usr/home/developer and issue the
|| chroot command:
|| hivemind# chroot /usr/home/developer
|| chroot: /bin/csh: No such file or directory

It's because a chrooted directory is like the root dir of your system! You have to create 'bin', 'etc' and so on inside /usr/home/developer. You should also copy csh into /usr/home/developer/bin. Your chrooted system will be completely independent of your system. This means if the user developer logs on, he won't be able to access the real /etc, for example. I hope I'm clear enough. See www.google.com for more info; just type in "freebsd chroot".

|| What am I doing wrong??
|| Also when this is set, how do I make it persist through reboots?
|| Make my own script in /usr/local/etc/rc.d ???
|| Thanks for any insight you may provide

Just create a shell script and run it instead of running tcsh or sh or ... Run 'vipw' and change it.

Cya

-- 
Gerard Samuel
http://www.trini0.org:81/
http://dev.trini0.org:81/
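Gerard's conclusion above is the crux of this thread: chroot(2) is a privileged call, so a script that runs as the logging-in user can never perform it, and the my_sh approach gives the user a plain, un-chrooted sh. The way this was done at the time was a small setuid-root wrapper installed as the user's login shell, which does the chroot while it still has root and then drops every privilege before handing control to the user's shell (jail(8), or on current OpenSSH the ChrootDirectory option in sshd_config, does this work for you). The following is an added example written for this thread, not code that anyone in it posted. CHROOT_BASE, the per-user tree layout, the inner shell path and the suggested install mode (root:wheel, 4555, set with vipw where Gerard put my_sh) are assumptions; the tree must already contain /bin/sh and the libraries it needs.

```c
/* chrootsh.c: a setuid-root login-shell wrapper.  It chroots the caller into a
 * per-user directory, drops root, and execs a shell inside the new root.
 * Added example written for this thread; not code any poster supplied.
 * Assumptions: CHROOT_BASE/<user> already holds /bin/sh and its libraries,
 * the binary is installed root:wheel mode 4555, and it is set as the user's
 * shell with vipw(8), exactly where Gerard put my_sh. */
#define _DEFAULT_SOURCE 1   /* glibc: expose chroot(), setgroups(); no effect on FreeBSD */
#include <sys/types.h>
#include <sys/stat.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define CHROOT_BASE "/usr/home/jails"   /* assumed location of the per-user trees */
#define INNER_SHELL "/bin/sh"            /* path as seen inside the new root */

/* argv[0] for the inner shell: keep the leading '-' so it behaves as a
 * login shell whenever login(1) or sshd invoked this wrapper as one. */
const char *inner_argv0(const char *outer_argv0)
{
    return (outer_argv0 != NULL && outer_argv0[0] == '-') ? "-sh" : "sh";
}

/* The chroot root must be a directory owned by root and writable by nobody
 * else: a user who can write the top of his own jail can rename or replace
 * the files the wrapper and sshd rely on.  Returns 1 if acceptable. */
int check_root_dir(const char *dir)
{
    struct stat st;
    if (stat(dir, &st) != 0 || !S_ISDIR(st.st_mode)) return 0;
    if (st.st_uid != 0) return 0;
    return (st.st_mode & (S_IWGRP | S_IWOTH)) == 0;
}

int main(int argc, char **argv)
{
    uid_t uid = getuid();   /* real ids: who is actually logging in */
    gid_t gid = getgid();
    struct passwd *pw;
    char root[1024];
    char *const sh_argv[] = { (char *)inner_argv0(argc > 0 ? argv[0] : NULL), NULL };
    char *const sh_env[]  = { "PATH=/bin:/usr/bin", "HOME=/", "SHELL=" INNER_SHELL, NULL };

    /* Look the user up before chroot(): the passwd db inside the tree may not exist. */
    if (uid == 0 || (pw = getpwuid(uid)) == NULL) {
        fputs("chrootsh: refusing to run for this user\n", stderr);
        return 1;
    }
    if (snprintf(root, sizeof root, "%s/%s", CHROOT_BASE, pw->pw_name) >= (int)sizeof root)
        return 1;
    if (!check_root_dir(root)) {
        fprintf(stderr, "chrootsh: %s: must be a root-owned, non-writable directory\n", root);
        return 1;
    }

    /* Order matters.  chdir() first so the cwd is inside the new root
     * (chroot() alone leaves cwd outside it, an immediate escape); chroot()
     * while still root; then drop every privilege before exec, because a
     * process that keeps root inside a chroot can chroot() again and walk out. */
    if (chdir(root) != 0 || chroot(root) != 0) {
        perror("chrootsh: chroot");
        return 1;
    }
    if (setgroups(1, &gid) != 0 || setgid(gid) != 0 || setuid(uid) != 0) {
        perror("chrootsh: dropping privileges");
        return 1;
    }
    /* Confirm the drop stuck: regaining root must now fail. */
    if (setuid(0) == 0 || geteuid() != uid || getegid() != gid) {
        fputs("chrootsh: still privileged, aborting\n", stderr);
        return 1;
    }

    execve(INNER_SHELL, sh_argv, sh_env);
    perror("chrootsh: exec " INNER_SHELL);
    return 1;
}
```

The environment is replaced rather than inherited so that nothing like LD_LIBRARY_PATH or a host-side HOME survives into the jail, and the wrapper refuses to run for uid 0 at all, since a root login that lands in a chroot with root retained is no containment. Build it, install it setuid root, and point the user's shell field at it with vipw; the user then sees a root of CHROOT_BASE/<user>, not the real /.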
Re: Chroot
|| Your first half made total sense, and I was able to lock the root
|| user in /home/developer when
|| chroot was executed.
|| Your second half however, is not clicking with me at the moment.
|| Here is what I did
|| 1. Under /home/developer/bin create a new file (my_sh) with this -
|| #!/bin/sh
|| /home/developer/bin/sh

Dude, just go on www.google.ch and you'll find tons of howtos and stuff about chrooting. With examples!
Re: chroot
On Thu, Jul 18, 2002 at 10:22:59PM -0400, Michael Sharp wrote:

|| I installed (or so I thought) a chroot env last night and ran into some
|| difficulties. Could someone very familiar with openssh/chroot glance over
|| http://probsd.ws/chroot.txt and tell me what I did wrong please?
|| chroot.txt is an EXTREMELY detailed example of what I did, and script
|| output of the ssh connection to the chroot.

Hmmm... you are almost reinventing the concept of jail(8) here, which might be a better solution for you. The main difference from what you're doing is that a jailed sshd process would get its own separate IP number.

Some things you might find useful:

i) Copy /dev/MAKEDEV into your chrooted area and use that to create the device files you need:

    cp -p /dev/MAKEDEV /home/chrootuser/dev
    cd /home/chrootuser/dev && sh MAKEDEV jail   # MAKEDEV creates the nodes in the current directory

The `jail' target should get you an appropriate set of devices.

ii) Set up an additional logging socket in your chroot area and modify your syslogd flags to pick up syslog messages from there. You'll also need a copy of /etc/localtime in the chroot area so that your syslog messages get the correct timestamp:

    mkdir -p /home/chrootuser/var/run
    cp -p /etc/localtime /home/chrootuser/etc/localtime
    cp /etc/rc.conf /etc/rc.conf.bak
    echo 'syslogd_flags="-s -l /home/chrootuser/var/run/log"' >> /etc/rc.conf
    kill `cat /var/run/syslogd.pid`
    /usr/sbin/syslogd -s -l /home/chrootuser/var/run/log

You can then turn up the logging level in /home/chrootuser/etc/ssh/sshd_config by altering the LogLevel value: a LogLevel of DEBUG3 will give you a great deal of output showing a blow-by-blow account of just about everything the sshd does.

iii) Make sure you can resolve addresses in the DNS from your chroot environment. It should be sufficient to copy over /etc/resolv.conf:

    cp -p /etc/resolv.conf /home/chrootuser/etc/resolv.conf

iv) If you want to be able to run ps(1) from the chroot area, then you need to mount a procfs(5) file system inside your chroot area. This isn't really necessary for sshd to operate correctly though:

    cp /etc/fstab /etc/fstab.bak
    cat <<EOF >> /etc/fstab
    proc    /home/chrootuser/proc    procfs    rw    0    0
    EOF
    mount /home/chrootuser/proc

cheers,
Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.
26 The Paddocks, Savill Way, Marlow, Bucks., SL7 1TH, UK
Tel: +44 1628 476614   Fax: +44 0870 0522645
Re: chroot
How very interesting...

For a start, you can't copy devices with cp--you need something smarter like tar, cpio, ... Pretty much anything that could be used for backups should understand the niceties of copying a device. As an alternative you could use mknod to create them. Here is how to do it with cpio:

    cd /dev
    find null random urandom -print | cpio -pdmuv /home/chrootuser/dev/

and then compare the results with ls -l to make sure you're happy. Specifically, using cp to copy /dev/null is a method of creating a new empty file, or completely emptying out an existing file.

Secondly, are you sure you weren't connected? If you could use control-d to terminate the connection it looks to me like you were connected but had no prompt. Control-d is an end of file indicator; when you give it to a shell that means there are no more commands. Since the sole purpose of a shell is to let you execute commands, this results in it terminating (as it does for any program that primarily processes input). However end of file is only meaningful if it's read by something. It doesn't generate any sort of signal to catch the attention of a hung program.

Try connecting again and typing a command that should work, like /bin/ls /bin or even something more basic like set (which is builtin to all the shells). If you get something, you're connected.

Tony

-- 
Tony Landells [EMAIL PROTECTED]
Senior Network Engineer                Ph:  +61 3 9677 9319
Australian Clearing Services Pty Ltd   Fax: +61 3 9677 9355
Level 4, Rialto North Tower, 525 Collins Street, Melbourne VIC 3000, Australia
Re: chroot
I haven't looked over what you've done all that thoroughly, but here are some starters:

The first thing I would do is to turn up your server log level and have a look at what it says. It's an option in the sshd config file.

I take it you didn't install 'su' in your chroot area. 'sh'?

You very likely need a log device. Start syslog with the appropriate option.

Take a look at lsof output for an active sshd process. It shows a number of libraries that you don't seem to have done anything about, e.g.:

    /usr/lib/pam_skey.so
    /usr/lib/libskey.so.2
    /usr/lib/libdescrypt.so.2
    /usr/lib/libmd.so.2
    /usr/lib/pam_unix.so
    /usr/lib/pam_permit.so

Andrew McNaughton

On Thu, 18 Jul 2002, Michael Sharp wrote:

|| Date: Thu, 18 Jul 2002 22:22:59 -0400 (EDT)
|| From: Michael Sharp [EMAIL PROTECTED]
|| To: [EMAIL PROTECTED]
|| Cc: [EMAIL PROTECTED]
|| Subject: chroot
||
|| I installed (or so I thought) a chroot env last night and ran into some
|| difficulties. Could someone very familiar with openssh/chroot glance over
|| http://probsd.ws/chroot.txt and tell me what I did wrong please?
|| chroot.txt is an EXTREMELY detailed example of what I did, and script
|| output of the ssh connection to the chroot.
||
|| Thx,
|| michael
|| [EMAIL PROTECTED]
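Tony's warning that cp(1) turns /dev/null into an empty regular file, and his advice to compare the result with ls -l, together with Matthew's MAKEDEV step, can be turned into a small program: stat the host's node, recreate it inside the chroot with mknod(2), and then verify that what is there is a device of the same type and major/minor rather than a regular file. This is an added example written for this thread, not code from any of the posters; the chroot root (/home/chrootuser) and the device list are assumptions. Caveat: mknod of a device node needs root and a file system that accepts device nodes, so this is the Linux or pre-devfs FreeBSD route; on FreeBSD with devfs you mount devfs into the chroot's dev directory instead, and only the verification half below applies.

```c
/* devnodes.c: recreate the host's device nodes inside a chroot and verify
 * them.  Added example written for this thread; not code any poster supplied.
 * The chroot root and the device list are assumptions.  This is the mknod(2)
 * route Tony mentions; it needs root and a file system that allows device
 * nodes (Linux, or FreeBSD before devfs; on devfs-era FreeBSD you mount
 * devfs into the chroot instead). */
#define _DEFAULT_SOURCE 1   /* glibc: expose mknod(); no effect on FreeBSD */
#include <sys/types.h>
#include <sys/stat.h>
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Write "<root><hostpath>" into out; 0 if it would not fit. */
static int join_path(char *out, size_t outsz, const char *root, const char *path)
{
    int n = snprintf(out, outsz, "%s%s", root, path);
    return n >= 0 && (size_t)n < outsz;
}

/* 1 if <root><path> is a device node of the same type (char/block) and the
 * same major/minor as the host's <path>; 0 if missing or different.  A
 * /dev/null produced by cp(1) is a regular file and fails the S_IFMT test. */
int devnode_matches(const char *root, const char *path)
{
    struct stat host, jail;
    char inside[1024];

    if (!join_path(inside, sizeof inside, root, path)) return 0;
    if (stat(path, &host) != 0 || stat(inside, &jail) != 0) return 0;
    if (!S_ISCHR(host.st_mode) && !S_ISBLK(host.st_mode)) return 0;
    return (host.st_mode & S_IFMT) == (jail.st_mode & S_IFMT)
        && host.st_rdev == jail.st_rdev;
}

/* Recreate the host's <path> under <root> with the same type, permission
 * bits, device number and owner.  Needs root.  0 on success, -1 with errno. */
int clone_devnode(const char *root, const char *path)
{
    struct stat host;
    char inside[1024];

    if (!join_path(inside, sizeof inside, root, path)) { errno = ENAMETOOLONG; return -1; }
    if (stat(path, &host) != 0) return -1;
    if (!S_ISCHR(host.st_mode) && !S_ISBLK(host.st_mode)) { errno = ENODEV; return -1; }
    if (mknod(inside, host.st_mode & (S_IFMT | 07777), host.st_rdev) != 0 && errno != EEXIST)
        return -1;
    /* umask may have clipped the mode and the node is owned by whoever ran
     * this; fix both so ls -l in the chroot matches ls -l on the host. */
    if (chmod(inside, host.st_mode & 07777) != 0) return -1;
    if (chown(inside, host.st_uid, host.st_gid) != 0) return -1;
    /* If something else (e.g. a cp'd regular file) sat at that name, say so. */
    if (!devnode_matches(root, path)) { errno = EEXIST; return -1; }
    return 0;
}

int main(int argc, char **argv)
{
    /* Assumed defaults: the nodes sshd and a shell need, under /home/chrootuser. */
    static const char *const wanted[] = { "/dev/null", "/dev/zero", "/dev/random", "/dev/urandom" };
    const char *root = argc > 1 ? argv[1] : "/home/chrootuser";
    size_t i;
    int bad = 0;

    for (i = 0; i < sizeof wanted / sizeof wanted[0]; i++) {
        if (devnode_matches(root, wanted[i])) continue;
        if (clone_devnode(root, wanted[i]) != 0) {
            fprintf(stderr, "%s%s: %s\n", root, wanted[i], strerror(errno));
            bad = 1;
        }
    }
    return bad;
}
```

Run it as root with the chroot directory as its argument; a non-zero exit means at least one node could not be made to match, and the message names the path, which is exactly the case a stray `cp /dev/null` leaves behind.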