Re: chroot error: /bin/csh: No such file or directory; trying to create customized livecd/dvd

Sent from my iPhone

On Dec 23, 2011, at 8:28 PM, Antonio Olivares wrote:

> Dear folks,
>
> I am trying to build a simple livecd to learn more. I have
> successfully run some commands found here:
>
> http://www.secure-computing.net/wiki/index.php/FreeBSD/LiveCD
>
> # cd /usr/src
> # make buildworld DESTDIR=/usr/home/olivares/tmp/tmp/R/
> # make installworld DESTDIR=/usr/home/olivares/tmp/tmp/R/
> # make buildkernel DESTDIR=/usr/home/olivares/tmp/tmp/R/
> # make installkernel DESTDIR=/usr/home/olivares/tmp/tmp/R/
> # make distribution DESTDIR=/usr/home/olivares/tmp/tmp/R/
>
> all these commands are successful
>
> I mount devfs as instructed in command
>
> # mount -t devfs devfs /path/to/livecd/dev
> # chroot /path/to/livecd
>
> ===
>
> tricorehome# mount -t devfs devfs /usr/home/olivares/tmp/tmp/R/
> tricorehome# chroot /usr/home/olivares/tmp/tmp/R/
> chroot: /bin/csh: No such file or directory
>
> ===
>
> I have tried to use freesbie script(s) by installing freesbie port,
> but it failed and I asked questions but got few to no responses.
> I have tried to look for some scripts/SDK but have not been successful,
> like frenzy's to create frenzy livecd. There are few to no FreeBSD
> LiveCDs, only one that has been working and updated is the GhostBSD
> one by Eric Turgeon. I see OpenBSD has several livecds/livedvds like
> jggimi, FuguITA, etc to showcase it. NetBSD has one as well called
> Jibbed. FreeBSD has specialized ones like PfSense, Monowall, FreeNAS,
> Mahesha, and GhostBSD. Frenzy was apparently going to be maintained
> but no newer releases. I have gotten feedback as to there exist
> mfsBSD by Martin Matruska, http://mfsbsd.vx.sk/, and druidbsd,
> http://sourceforge.net/projects/druidbsd/, but cannot do much with
> them :(
>
> I try to get my feet wet, but I get error and can't seem to get around it :(
>
> Any thoughts, ideas, comments, observations?
>
> I just want to create a livecd/livedvd with customized packages to
> take my desktop everywhere,

That should be pretty easy with druidbsd as it gives you a convenient
dumping-ground to throw extras. Note, however, that there is a very large
code-drop around the corner that will bring about 1.5 years of enhancements
in soon. So if it doesn't do quite what you want now, it may soon.

That being said, one of the things I feel makes DruidBSD unique is an
insanely-customized mfsroot designed to break you out into the larger (and
more expansive) ISO-9660 structure so that you -- as a developer of your own
custom LiveCD -- CAN expand the functionality simply by dumping binaries and
libs into the ISO-9660 structure while the mfsroot stays nice and compact.
If you wanted to, you could add X windows even.

-- Devin

> I have tried several *BSD livecds out
> there, they are good, but I want to have the packages that I use and
> more newer than FreeSBIE 2.0, and roFreeSBIE 1.3.
>
> I have seen linux-live scripts [http://www.linux-live.org/] by Tomas
> M, and wonder if there exist such a utility in the *BSDs, a universal
> script to create a livecd/livedvd of a running BSD ? if there is not
> any utility, how can I get around the error about /bin/csh, if it is
> apparently there:
>
> tricorehome# which csh
> /bin/csh
>
> so I can chroot to it and add packages/ports to customize the
> livecd/dvd I want to create?
>
> Regards,
>
> Antonio
> ___
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
Re: chroot error: /bin/csh: No such file or directory; trying to create customized livecd/dvd

On Sat, Dec 24, 2011 at 7:03 AM, Da Rock wrote:
> On 12/24/11 22:57, Antonio Olivares wrote:
>>>
>>> I'll ask a stupid question, and you're more than welcome to give a stupid
>>> answer: Is /bin/csh actually _in_ your chroot?
>>>
>>> So csh should be this path: /usr/home/olivares/tmp/tmp/R/bin/csh
>>>
>>> HTH
>>
>> tricorehome# pwd
>> /usr/home/olivares/tmp/tmp/R
>> tricorehome# ls -l /bin/csh
>> -r-xr-xr-x  2 root  wheel  369288 Apr  2  2011 /bin/csh
>>
>> I am not sure if it is there now :(
>
> I think you may have missed something there- you do realise that even though
> you've changed directory, you haven't chrooted. So when you run ls -l
> /bin/csh it is still checking your system root- not the chroot. Sometimes a
> single typo can cause huge hassles, eh? :)
>
> Try:
>
> cd /usr/home/olivares/tmp/tmp/R && ls -l bin/csh
>
> Watch the "bin/csh"- don't make it an absolute path by adding the root (/)
> at the beginning.

I am trying to do what you have suggested, it appears that /bin/csh is not
present in the /usr/home/olivares/tmp/tmp/R directory :(

tricorehome# ls /usr/home/olivares/tmp/tmp/
R
tricorehome# ls -l /usr/home/olivares/tmp/tmp/
total 2
drwxr-xr-x  17 root  wheel  512 Dec 23 21:56 R
tricorehome# ls -l /usr/home/olivares/tmp/tmp/R/
total 46
-rw-r--r--   2 root  wheel   798 Dec 23 21:56 .cshrc
-rw-r--r--   2 root  wheel   265 Dec 23 21:56 .profile
-r--r--r--   1 root  wheel  6200 Dec 23 21:56 COPYRIGHT
drwxr-xr-x   2 root  wheel  1024 Dec 23 21:30 bin
drwxr-xr-x   7 root  wheel   512 Dec 23 21:56 boot
dr-xr-xr-x   2 root  wheel   512 Dec 23 21:30 dev
drwxr-xr-x  20 root  wheel  2048 Dec 23 21:56 etc
drwxr-xr-x   3 root  wheel  1536 Dec 23 21:30 lib
drwxr-xr-x   2 root  wheel   512 Dec 23 21:31 libexec
drwxr-xr-x   2 root  wheel   512 Dec 23 21:30 media
drwxr-xr-x   2 root  wheel   512 Dec 23 21:30 mnt
dr-xr-xr-x   2 root  wheel   512 Dec 23 21:30 proc
drwxr-xr-x   2 root  wheel  2560 Dec 23 21:30 rescue
drwxr-xr-x   2 root  wheel   512 Dec 23 21:56 root
drwxr-xr-x   2 root  wheel  2560 Dec 23 21:31 sbin
lrwxr-xr-x   1 root  wheel    11 Dec 23 21:30 sys -> usr/src/sys
drwxrwxrwt   2 root  wheel   512 Dec 23 21:30 tmp
drwxr-xr-x  14 root  wheel   512 Dec 23 21:31 usr
drwxr-xr-x  22 root  wheel   512 Dec 23 21:30 var
tricorehome# ls -l /usr/home/olivares/tmp/tmp/R/bin/
total 1692
-r-xr-xr-x  2 root  wheel   11472 Dec 23 21:30 [
-r-xr-xr-x  1 root  wheel   11448 Dec 23 21:30 cat
-r-xr-xr-x  1 root  wheel    7912 Dec 23 21:30 chflags
-r-xr-xr-x  1 root  wheel   17576 Dec 23 21:30 chio
-r-xr-xr-x  1 root  wheel    8392 Dec 23 21:30 chmod
-r-xr-xr-x  1 root  wheel   21304 Dec 23 21:30 cp
-r-xr-xr-x  2 root  wheel  369288 Dec 23 21:30 csh
-r-xr-xr-x  1 root  wheel   18440 Dec 23 21:30 date
-r-xr-xr-x  1 root  wheel   22104 Dec 23 21:30 dd
-r-xr-xr-x  1 root  wheel   13920 Dec 23 21:30 df
-r-xr-xr-x  1 root  wheel    5704 Dec 23 21:30 domainname
-r-xr-xr-x  1 root  wheel    5592 Dec 23 21:30 echo
-r-xr-xr-x  2 root  wheel   56880 Dec 23 21:30 ed
-r-xr-xr-x  1 root  wheel   16408 Dec 23 21:30 expr
-r-xr-xr-x  1 root  wheel   10336 Dec 23 21:30 getfacl
-r-xr-xr-x  1 root  wheel    5840 Dec 23 21:30 hostname
-r-xr-xr-x  1 root  wheel    7128 Dec 23 21:30 kenv
-r-xr-xr-x  1 root  wheel    7640 Dec 23 21:30 kill
-r-xr-xr-x  2 root  wheel   11368 Dec 23 21:30 link
-r-xr-xr-x  2 root  wheel   11368 Dec 23 21:30 ln
-r-xr-xr-x  1 root  wheel   30496 Dec 23 21:30 ls
-r-xr-xr-x  1 root  wheel    7152 Dec 23 21:30 mkdir
-r-xr-xr-x  1 root  wheel   13576 Dec 23 21:30 mv
-r-xr-xr-x  1 root  wheel   95448 Dec 23 21:30 pax
-r-xr-xr-x  2 root  wheel   16520 Dec 23 21:30 pgrep
-r-xr-xr-x  2 root  wheel   16520 Dec 23 21:30 pkill
-r-xr-xr-x  1 root  wheel   43312 Dec 23 21:30 ps
-r-xr-xr-x  1 root  wheel    7128 Dec 23 21:30 pwait
-r-xr-xr-x  1 root  wheel    5696 Dec 23 21:30 pwd
-r-sr-xr-x  1 root  wheel   20416 Dec 23 21:30 rcp
-r-xr-xr-x  1 root  wheel    5456 Dec 23 21:30 realpath
-r-xr-xr-x  2 root  wheel   56880 Dec 23 21:30 red
-r-xr-xr-x  2 root  wheel   15880 Dec 23 21:30 rm
-r-xr-xr-x  1 root  wheel   72744 Dec 23 21:30 rmail
-r-xr-xr-x  1 root  wheel    5784 Dec 23 21:30 rmdir
-r-xr-xr-x  1 root  wheel   18832 Dec 23 21:30 setfacl
-r-xr-xr-x  1 root  wheel  136696 D
Re: chroot error: /bin/csh: No such file or directory; trying to create customized livecd/dvd

> I'll ask a stupid question, and you're more than welcome to give a stupid
> answer: Is /bin/csh actually _in_ your chroot?
>
> So csh should be this path: /usr/home/olivares/tmp/tmp/R/bin/csh
>
> HTH

tricorehome# pwd
/usr/home/olivares/tmp/tmp/R
tricorehome# ls -l /bin/csh
-r-xr-xr-x  2 root  wheel  369288 Apr  2  2011 /bin/csh

I am not sure if it is there now :(

Thanks,

Antonio
Re: chroot error: /bin/csh: No such file or directory; trying to create customized livecd/dvd

On 12/24/11 22:57, Antonio Olivares wrote:
>> I'll ask a stupid question, and you're more than welcome to give a stupid
>> answer: Is /bin/csh actually _in_ your chroot?
>>
>> So csh should be this path: /usr/home/olivares/tmp/tmp/R/bin/csh
>>
>> HTH
>
> tricorehome# pwd
> /usr/home/olivares/tmp/tmp/R
> tricorehome# ls -l /bin/csh
> -r-xr-xr-x  2 root  wheel  369288 Apr  2  2011 /bin/csh
>
> I am not sure if it is there now :(

I think you may have missed something there- you do realise that even though
you've changed directory, you haven't chrooted. So when you run ls -l
/bin/csh it is still checking your system root- not the chroot. Sometimes a
single typo can cause huge hassles, eh? :)

Try:

cd /usr/home/olivares/tmp/tmp/R && ls -l bin/csh

Watch the "bin/csh"- don't make it an absolute path by adding the root (/)
at the beginning.
Re: chroot error: /bin/csh: No such file or directory; trying to create customized livecd/dvd

On 12/24/11 14:28, Antonio Olivares wrote:
> Dear folks,
>
> I am trying to build a simple livecd to learn more. I have
> successfully run some commands found here:
>
> http://www.secure-computing.net/wiki/index.php/FreeBSD/LiveCD
>
> # cd /usr/src
> # make buildworld DESTDIR=/usr/home/olivares/tmp/tmp/R/
> # make installworld DESTDIR=/usr/home/olivares/tmp/tmp/R/
> # make buildkernel DESTDIR=/usr/home/olivares/tmp/tmp/R/
> # make installkernel DESTDIR=/usr/home/olivares/tmp/tmp/R/
> # make distribution DESTDIR=/usr/home/olivares/tmp/tmp/R/
>
> all these commands are successful
>
> I mount devfs as instructed in command
>
> # mount -t devfs devfs /path/to/livecd/dev
> # chroot /path/to/livecd
>
> ===
>
> tricorehome# mount -t devfs devfs /usr/home/olivares/tmp/tmp/R/
> tricorehome# chroot /usr/home/olivares/tmp/tmp/R/
> chroot: /bin/csh: No such file or directory
>
> ===
>
> I have tried to use freesbie script(s) by installing freesbie port,
> but it failed and I asked questions but got few to no responses.
> I have tried to look for some scripts/SDK but have not been successful,
> like frenzy's to create frenzy livecd. There are few to no FreeBSD
> LiveCDs, only one that has been working and updated is the GhostBSD
> one by Eric Turgeon. I see OpenBSD has several livecds/livedvds like
> jggimi, FuguITA, etc to showcase it. NetBSD has one as well called
> Jibbed. FreeBSD has specialized ones like PfSense, Monowall, FreeNAS,
> Mahesha, and GhostBSD. Frenzy was apparently going to be maintained
> but no newer releases. I have gotten feedback as to there exist
> mfsBSD by Martin Matruska, http://mfsbsd.vx.sk/, and druidbsd,
> http://sourceforge.net/projects/druidbsd/, but cannot do much with
> them :(
>
> I try to get my feet wet, but I get error and can't seem to get around it :(
>
> Any thoughts, ideas, comments, observations?
>
> I just want to create a livecd/livedvd with customized packages to
> take my desktop everywhere, I have tried several *BSD livecds out
> there, they are good, but I want to have the packages that I use and
> more newer than FreeSBIE 2.0, and roFreeSBIE 1.3.
>
> I have seen linux-live scripts [http://www.linux-live.org/] by Tomas
> M, and wonder if there exist such a utility in the *BSDs, a universal
> script to create a livecd/livedvd of a running BSD ? if there is not
> any utility, how can I get around the error about /bin/csh, if it is
> apparently there:
>
> tricorehome# which csh
> /bin/csh
>
> so I can chroot to it and add packages/ports to customize the
> livecd/dvd I want to create?

I'll ask a stupid question, and you're more than welcome to give a stupid
answer: Is /bin/csh actually _in_ your chroot?

So csh should be this path: /usr/home/olivares/tmp/tmp/R/bin/csh

HTH
chroot error: /bin/csh: No such file or directory; trying to create customized livecd/dvd

Dear folks,

I am trying to build a simple livecd to learn more. I have
successfully run some commands found here:

http://www.secure-computing.net/wiki/index.php/FreeBSD/LiveCD

# cd /usr/src
# make buildworld DESTDIR=/usr/home/olivares/tmp/tmp/R/
# make installworld DESTDIR=/usr/home/olivares/tmp/tmp/R/
# make buildkernel DESTDIR=/usr/home/olivares/tmp/tmp/R/
# make installkernel DESTDIR=/usr/home/olivares/tmp/tmp/R/
# make distribution DESTDIR=/usr/home/olivares/tmp/tmp/R/

all these commands are successful

I mount devfs as instructed in command

# mount -t devfs devfs /path/to/livecd/dev
# chroot /path/to/livecd

===

tricorehome# mount -t devfs devfs /usr/home/olivares/tmp/tmp/R/
tricorehome# chroot /usr/home/olivares/tmp/tmp/R/
chroot: /bin/csh: No such file or directory

===

I have tried to use freesbie script(s) by installing freesbie port,
but it failed and I asked questions but got few to no responses.
I have tried to look for some scripts/SDK but have not been successful,
like frenzy's to create frenzy livecd. There are few to no FreeBSD
LiveCDs, only one that has been working and updated is the GhostBSD
one by Eric Turgeon. I see OpenBSD has several livecds/livedvds like
jggimi, FuguITA, etc to showcase it. NetBSD has one as well called
Jibbed. FreeBSD has specialized ones like PfSense, Monowall, FreeNAS,
Mahesha, and GhostBSD. Frenzy was apparently going to be maintained
but no newer releases. I have gotten feedback as to there exist
mfsBSD by Martin Matruska, http://mfsbsd.vx.sk/, and druidbsd,
http://sourceforge.net/projects/druidbsd/, but cannot do much with
them :(

I try to get my feet wet, but I get error and can't seem to get around it :(

Any thoughts, ideas, comments, observations?

I just want to create a livecd/livedvd with customized packages to
take my desktop everywhere, I have tried several *BSD livecds out
there, they are good, but I want to have the packages that I use and
more newer than FreeSBIE 2.0, and roFreeSBIE 1.3.

I have seen linux-live scripts [http://www.linux-live.org/] by Tomas
M, and wonder if there exist such a utility in the *BSDs, a universal
script to create a livecd/livedvd of a running BSD ? if there is not
any utility, how can I get around the error about /bin/csh, if it is
apparently there:

tricorehome# which csh
/bin/csh

so I can chroot to it and add packages/ports to customize the
livecd/dvd I want to create?

Regards,

Antonio
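Editor's note (added example, my own code, not part of any message above): chroot(8) runs $SHELL, or /bin/sh when SHELL is unset, and it looks that path up underneath the new root, so "chroot: /bin/csh: No such file or directory" means the shell is missing from the tree at the moment chroot is run; "which csh" on the host says nothing about the tree. The transcript in the original post also shows devfs being mounted on .../R/ itself rather than on .../R/dev as the wiki instructs, and a filesystem mounted over a non-empty directory hides everything below it. The POSIX sh pre-flight check below tests both conditions before chroot is attempted. It assumes mount(8)'s "devfs on /path (devfs, ...)" line format and a DESTDIR tree laid out as in the post; the paths and mount output in the usage comment are only illustrations.

```sh
#!/bin/sh
# Pre-flight checks before chroot(8) into a freshly installed DESTDIR tree.
# Editor's example, not from the thread.
#
# chroot(8) execs $SHELL (or /bin/sh if SHELL is unset) relative to the new
# root, so that shell must exist *inside* the tree.  A devfs mounted on the
# tree's root instead of on its dev/ subdirectory hides the whole tree.

# chroot_preflight ROOT MOUNT_OUTPUT [SHELL]
#   ROOT          the directory to chroot into (trailing slash tolerated)
#   MOUNT_OUTPUT  the output of mount(8), lines like "devfs on /path (devfs, ...)"
#   SHELL         the shell chroot(8) will exec; defaults the way chroot does
# Prints each problem found and returns non-zero if there is any.
chroot_preflight() {
    root=$(printf '%s' "$1" | sed 's:/*$::')
    mounts=$2
    shell=${3:-${SHELL:-/bin/sh}}
    rc=0

    # the shell chroot(8) will exec must exist below ROOT, not on the host
    if [ ! -x "$root$shell" ]; then
        echo "missing $root$shell: chroot will report '$shell: No such file or directory'"
        rc=1
    fi

    # devfs on ROOT itself shadows bin/, lib/, ... so nothing can be found
    if printf '%s\n' "$mounts" | grep -q "^devfs on $root (devfs"; then
        echo "devfs is mounted on $root itself, hiding the tree: umount $root"
        rc=1
    fi

    # devfs belongs on ROOT/dev so the chrooted shell has /dev/null and friends
    if ! printf '%s\n' "$mounts" | grep -q "^devfs on $root/dev (devfs"; then
        echo "no devfs on $root/dev: mount -t devfs devfs $root/dev"
        rc=1
    fi
    return $rc
}

# Usage on the host (illustrative path from the thread):
#   chroot_preflight /usr/home/olivares/tmp/tmp/R "$(mount)" \
#       && chroot /usr/home/olivares/tmp/tmp/R
```

Passing the shell explicitly as the third argument is useful when the account doing the build uses a shell that the tree does not ship, which is exactly the csh-versus-sh trap in the error message above.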
Re: No network in mixed FBSD81/90 chroot environment

On 29 Nov 2011, at 23:27, Erik Nørgaard wrote:

> On 29/11/2011 15:58, Damien Fleuriot wrote:
>
>> On 11/29/11 1:58 PM, Erik Nørgaard wrote:
>>>> Today I finished make build/install world/kernel in /mnt, and now I no
>>>> longer have network access, interfaces are visible with ifconfig but
>>>> no ip is set and can't be set from within the chroot environment.
>>>>
>>>> Is this to be expected? How do I get my network access back?
>>> Should add: Network on the host FBSD81 system works fine.
>>
>> When you chroot to your /mnt/ folder you're still using the 8.x kernel
>> and thus the 8.x NIC drivers, with a 9.x userland.
>>
>> This might be your problem.
>
> That seems strange though, first, drivers are loaded into the kernel so there
> is no mismatch there, 8.1 drivers in 8.1 kernel. And then, this is the output
> from ifconfig, first the chroot environment, then the host environment:
>
> FreeBSD chroot # ifconfig
> re0: flags=8943 metric 0 mtu 1500
>         options=389b
>         ether e0:69:95:77:f1:20
>         media: Ethernet autoselect (100baseTX )
>         status: active
> plip0: flags=8810 metric 0 mtu 1500
> lo0: flags=8049 metric 0 mtu 16384
>         options=3
> pflog0: flags=141 metric 0 mtu 33200
> FreeBSD chroot # exit
>
> alpha# ifconfig
> re0: flags=8943 metric 0 mtu 1500
>         options=389b
>         ether e0:69:95:77:f1:20
>         inet 192.168.0.1 netmask 0xfe00 broadcast 192.168.1.255
>         media: Ethernet autoselect (100baseTX )
>         status: active
> plip0: flags=8810 metric 0 mtu 1500
> lo0: flags=8049 metric 0 mtu 16384
>         options=3
>         inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
>         inet6 ::1 prefixlen 128
>         inet 127.0.0.1 netmask 0xff00
>         nd6 options=3
> pflog0: flags=141 metric 0 mtu 33200
>
> So, the devices are there, just no network connectivity.
>
>> What are you trying to achieve with this, a smooth 8.x -> 9.x transition ?
>
> Well, I don't know what happened on the host system, but the kernel fails
> building, even kernel 8.2, at if_vlan. Since I decided to migrate to the
> other disk and upgrade to 9.0 I created a chrooted environment on the new
> disk and build sources there.
>
> Now, the tricky part is that this is a headless system and I need it to be up
> or at least be sure that I can roll back if something fails.
>
>> You may want to, instead, install your 9.0 on a different machine
>> (possibly a VM), then use dump on the filesystems to inject them
>> properly on your new disk on the original machine.
>>
>> You should then be able to reboot on the new disk just fine.
>
> Thanks, for the suggestion, but sounds risky, the disks are not identical
> size.

Disk/slice sizes are not relevant, dump only injects the actual data (ie
files/folders). You can dump a 20gb partition then import it into a 50gb one.

> It seems I have a workaround that will get my new disk ready: Using
> fetch-recursive I've downloaded the sources of the ports I need installed, so
> I can build in the chroot without network access.
>
> BR, Erik
>
> --
> M: +34 666 334 818
> T: +34 915 211 157
Re: No network in mixed FBSD81/90 chroot environment

On 29/11/2011 15:58, Damien Fleuriot wrote:
> On 11/29/11 1:58 PM, Erik Nørgaard wrote:
>>> Today I finished make build/install world/kernel in /mnt, and now I no
>>> longer have network access, interfaces are visible with ifconfig but
>>> no ip is set and can't be set from within the chroot environment.
>>>
>>> Is this to be expected? How do I get my network access back?
>> Should add: Network on the host FBSD81 system works fine.
>
> When you chroot to your /mnt/ folder you're still using the 8.x kernel
> and thus the 8.x NIC drivers, with a 9.x userland.
>
> This might be your problem.

That seems strange though, first, drivers are loaded into the kernel so there
is no mismatch there, 8.1 drivers in 8.1 kernel. And then, this is the output
from ifconfig, first the chroot environment, then the host environment:

FreeBSD chroot # ifconfig
re0: flags=8943 metric 0 mtu 1500
        options=389b
        ether e0:69:95:77:f1:20
        media: Ethernet autoselect (100baseTX )
        status: active
plip0: flags=8810 metric 0 mtu 1500
lo0: flags=8049 metric 0 mtu 16384
        options=3
pflog0: flags=141 metric 0 mtu 33200
FreeBSD chroot # exit

alpha# ifconfig
re0: flags=8943 metric 0 mtu 1500
        options=389b
        ether e0:69:95:77:f1:20
        inet 192.168.0.1 netmask 0xfe00 broadcast 192.168.1.255
        media: Ethernet autoselect (100baseTX )
        status: active
plip0: flags=8810 metric 0 mtu 1500
lo0: flags=8049 metric 0 mtu 16384
        options=3
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
        inet6 ::1 prefixlen 128
        inet 127.0.0.1 netmask 0xff00
        nd6 options=3
pflog0: flags=141 metric 0 mtu 33200

So, the devices are there, just no network connectivity.

> What are you trying to achieve with this, a smooth 8.x -> 9.x transition ?

Well, I don't know what happened on the host system, but the kernel fails
building, even kernel 8.2, at if_vlan. Since I decided to migrate to the
other disk and upgrade to 9.0 I created a chrooted environment on the new
disk and build sources there.

Now, the tricky part is that this is a headless system and I need it to be up
or at least be sure that I can roll back if something fails.

> You may want to, instead, install your 9.0 on a different machine
> (possibly a VM), then use dump on the filesystems to inject them
> properly on your new disk on the original machine.
>
> You should then be able to reboot on the new disk just fine.

Thanks, for the suggestion, but sounds risky, the disks are not identical
size.

It seems I have a workaround that will get my new disk ready: Using
fetch-recursive I've downloaded the sources of the ports I need installed, so
I can build in the chroot without network access.

BR, Erik

--
M: +34 666 334 818
T: +34 915 211 157
Re: No network in mixed FBSD81/90 chroot environment

On 11/29/11 1:58 PM, Erik Nørgaard wrote:
> On 29/11/2011 13:50, Erik Nørgaard wrote:
>> Today I finished make build/install world/kernel in /mnt, and now I no
>> longer have network access, interfaces are visible with ifconfig but
>> no ip is set and can't be set from within the chroot environment.
>>
>> Is this to be expected? How do I get my network access back?
> Should add: Network on the host FBSD81 system works fine.
>

When you chroot to your /mnt/ folder you're still using the 8.x kernel and
thus the 8.x NIC drivers, with a 9.x userland.

This might be your problem.

What are you trying to achieve with this, a smooth 8.x -> 9.x transition ?

You may want to, instead, install your 9.0 on a different machine (possibly a
VM), then use dump on the filesystems to inject them properly on your new disk
on the original machine.

You should then be able to reboot on the new disk just fine.
Re: No network in mixed FBSD81/90 chroot environment

On 29/11/2011 13:50, Erik Nørgaard wrote:
> Today I finished make build/install world/kernel in /mnt, and now I no
> longer have network access, interfaces are visible with ifconfig but
> no ip is set and can't be set from within the chroot environment.
>
> Is this to be expected? How do I get my network access back?

Should add: Network on the host FBSD81 system works fine.

--
M: +34 666 334 818
T: +34 915 211 157
No network in mixed FBSD81/90 chroot environment

Hi:

I have a system running FBSD81 preparing to migrate to 90 on a different disk,
so the new disk and partitions are mounted in /mnt. To build FBSD90 on the new
disk I mount devfs on /mnt/dev and chroot to /mnt.

Today I finished make build/install world/kernel in /mnt, and now I no longer
have network access, interfaces are visible with ifconfig but no ip is set and
can't be set from within the chroot environment.

Is this to be expected? How do I get my network access back?

Thanks, Erik

--
M: +34 666 334 818
T: +34 915 211 157
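Editor's note (added example, my own code, not from any message in this thread): the thread never settles why ifconfig inside the 9.0 chroot shows no addresses, but the combination Damien points at, a 9.x userland on an 8.x kernel, is the unsupported direction. FreeBSD's upgrade procedure installs and boots the new kernel before the new world, and the COMPAT_FREEBSDn kernel options (the "COMPAT options" mentioned in the jail thread below) cover an older userland on a newer kernel, not a newer userland on an older kernel. The check below reads the __FreeBSD_version the chroot's userland was installed with from its /usr/include/sys/param.h and compares it with the running kernel's kern.osreldate sysctl, so the mismatch is caught before anything run inside the chroot is trusted. The awk pattern assumes the stock "#define __FreeBSD_version NNNNNN" line; the param.h used in the test is constructed.

```sh
#!/bin/sh
# Kernel/userland version check before trusting tools inside a chroot.
# Editor's example, not from the thread.
#
# The userland records the __FreeBSD_version it was built from in
# /usr/include/sys/param.h; the running kernel reports its own value via
# the kern.osreldate sysctl.  FreeBSD supports an older userland on a newer
# kernel (COMPAT_FREEBSDn options), not the other way round.

# userland_osreldate ROOT
# Prints the __FreeBSD_version found in ROOT/usr/include/sys/param.h.
userland_osreldate() {
    awk '/^#define[ \t]+__FreeBSD_version[ \t]/ { print $3; exit }' \
        "$1/usr/include/sys/param.h"
}

# chroot_abi_check ROOT KERNEL_OSRELDATE
# Returns 0 when ROOT's userland is not newer than the running kernel,
# 1 when it is newer, 2 when the userland version cannot be determined.
chroot_abi_check() {
    root=$1
    kernel=$2
    userland=$(userland_osreldate "$root") || return 2
    case $userland in
        ''|*[!0-9]*) echo "cannot read __FreeBSD_version under $root"; return 2 ;;
    esac
    if [ "$userland" -gt "$kernel" ]; then
        echo "userland $userland in $root is newer than kernel $kernel:" \
             "unsupported combination, tools run in the chroot may misbehave"
        return 1
    fi
    echo "userland $userland in $root is supported by kernel $kernel"
    return 0
}

# Usage on the host, before chrooting into /mnt:
#   chroot_abi_check /mnt "$(sysctl -n kern.osreldate)" && chroot /mnt
```

The same check is worth running the other way round after the reboot onto the new disk: a stale /usr/include from the old world left in place would pass a newer kernel but report the wrong userland version.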
Re: Clarification: "Jail" -vs- "Chroot"

On 14/07/2010 00:30, Aiza wrote:
> Ed Flecko wrote:
>> Hi folks,
>> I'm reading about "jails" and "chroot", and I'm not clear about the
>> differences so I'm hoping someone can clarify this for me.
>>
>> Here's what I "think" is correct:
>>
>> 1.) FreeBSD has both "chroot" capability as well as "jail" capability.
>>
>> 2.) Only FreeBSD has true, "jail" functionality? Yes?...No?
>>
>> 3.) When reading something (book, article, etc.), is there a way to
>> determine if the author is, in fact, talking about truly a "jail" or
>> are they really just referring to a "chroot" environment? For example,
>> I have a book ("Preventing web attacks with Apache") that says:
>>
>> "Chroot is short for change root and essentially allows you to run
>> programs in a protected or jailed environment. The main benefit of a
>> chroot jail is that the jail will limit the portion of the file system
>> the daemon can see to the root directory of the jail. Additionally,
>> since the jail only needs to support Apache, the programs available in
>> the jail can be extremely limited."
>>
>> 4.) Jail is the more secure of the two options?
>>
>> 5.) When would you "typically" use a jail -vs- a chroot? The new, 2nd
>> edition of "Absolute FreeBSD" says:
>>
>> "Chrooting is useful for web servers that have multiple clients on one
>> machine—that is, web servers with many virtual hosts."
>>
>> Comments??? Suggestions???
>>
>> Thank you!
>>
>> Ed
>
> Well let me take a shot at this. First of all we are only talking
> about the FreeBSD operating system. The ability to chroot a directory
> tree has been available since RELEASE 2.0. The jail utility first
> appeared in RELEASE 4.0. The jail utility is just a basic effort to
> automate the building and administration of a chrooted directory tree
> which is pretty much useless unless it contains a complete copy of the
> Freebsd operating system binaries.

Actually as the manpage says "In the other extreme case a jail might contain
only one file: the executable to be run in the jail." You put in a jail what
you need. It doesn't have to be a complete install; it's just commonly for
that purpose. Also a jail offers more features than chroot, such as separate
securelevels from the host, limits on number of child jails (Hierarchical
Jails) etc.

> The major shortcoming of the jail command jail system is each jail
> has its own copy of the host's running system binaries. Freebsd
> reserves a limited number of control structures for storing files and
> directories, called inodes. Creating a few jails consumes many of
> these valuable inodes, eventually preventing the creation of new jails
> and new files on the host. Worse yet is each jail loads its own copy
> of its running binaries into memory which causes thrashing on the
> swap device as memory pages are swapped in and out as the limited
> memory is shared between the host and jails. Besides consuming
> resources and creating performance degradation, this also causes a
> major administration headache when wanting to update the host running
> system, because the host and the jails all have to be running the same
> RELEASE version.

You can run other (lower) version userland if you want to as long as the host
has the correct COMPAT options in its kernel config. I'll agree on the
administration headache though.

> Now with some considerable hand jobbing per the jail section of the
> handbook, a jail environment can be created whereby a single copy of
> the jailed running binaries are shared among all the jails. But this
> still leaves you with an administration nightmare as the number of
> jails deployed grows past 5. Now there are some ports in the port
> system that are utility wrappers around the jail command that tries to
> address this administration nightmare. My experience with these are
> they are very poorly documented and you really need to have a good
> grasp on how jails work and network ip address usage before they are
> useful. Their ease of use quickly evaporates as the number of jails
> deployed reaches 10.
>
> The next generation of a jail utility for the deployment of a large
> number of jails is in project phase right now. Keep checking the ports
> system for qjail.

I quite like ezjail but I'll be sure to keep an eye open for qjail.

Vince

> Now about what to run in a jail. Well since each jail is like a
> complete stand-alone operating system, you can populate it with any
> application you want. The real limita
Re: Clarification: "Jail" -vs- "Chroot"

On Wed, Jul 14, 2010 at 2:30 AM, Aiza wrote:
> Ed Flecko wrote:
>
>> Hi folks,
>> I'm reading about "jails" and "chroot", and I'm not clear about the
>> differences so I'm hoping someone can clarify this for me.
>>
>> Here's what I "think" is correct:
>>
>> 1.) FreeBSD has both "chroot" capability as well as "jail" capability.
>>
>> 2.) Only FreeBSD has true, "jail" functionality? Yes?...No?
>>
>> 3.) When reading something (book, article, etc.), is there a way to
>> determine if the author is, in fact, talking about truly a "jail" or
>> are they really just referring to a "chroot" environment? For example,
>> I have a book ("Preventing web attacks with Apache") that says:
>>
>> "Chroot is short for change root and essentially allows you to run
>> programs in a protected or jailed environment. The main benefit of a
>> chroot jail is that the jail will limit the portion of the file system
>> the daemon can see to the root directory of the jail. Additionally,
>> since the jail only needs to support Apache, the programs available in
>> the jail can be extremely limited."
>>
>> 4.) Jail is the more secure of the two options?
>>
>> 5.) When would you "typically" use a jail -vs- a chroot? The new, 2nd
>> edition of "Absolute FreeBSD" says:
>>
>> "Chrooting is useful for web servers that have multiple clients on one
>> machine—that is, web servers with many virtual hosts."
>>
>> Comments??? Suggestions???
>>
>> Thank you!
>>
>> Ed
>>
>
> Well let me take a shot at this. First of all we are only talking about the
> FreeBSD operating system. The ability to chroot a directory tree has been
> available since RELEASE 2.0. The jail utility first appeared in RELEASE
> 4.0. The jail utility is just a basic effort to automate the building and
> administration of a chrooted directory tree which is pretty much useless
> unless it contains a complete copy of the Freebsd operating system binaries.
>
> The major shortcoming of the jail command jail system is each jail has its
> own copy of the host's running system binaries. Freebsd reserves a limited
> number of control structures for storing files and directories, called
> inodes. Creating a few jails consumes many of these valuable inodes,
> eventually preventing the creation of new jails and new files on the host.
> Worse yet is each jail loads its own copy of its running binaries into
> memory which causes thrashing on the swap device as memory pages are swapped
> in and out as the limited memory is shared between the host and jails.
> Besides consuming resources and creating performance degradation, this also
> causes a major administration headache when wanting to update the host
> running system, because the host and the jails all have to be running the
> same RELEASE version.
>
> Now with some considerable hand jobbing per the jail section of the
> handbook, a jail environment can be created whereby a single copy of the
> jailed running binaries are shared among all the jails. But this still
> leaves you with an administration nightmare as the number of jails deployed
> grows past 5. Now there are some ports in the port system that are utility
> wrappers around the jail command that tries to address this administration
> nightmare. My experience with these are they are very poorly documented and
> you really need to have a good grasp on how jails work and network ip
> address usage before they are useful. Their ease of use quickly evaporates
> as the number of jails deployed reaches 10.
>
> The next generation of a jail utility for the deployment of a large number
> of jails is in project phase right now. Keep checking the ports system for
> qjail.
>
> Now about what to run in a jail. Well since each jail is like a complete
> stand-alone operating system, you can populate it with any application you
> want. The real limitation is how is that jail going to gain public internet
> access so the domain name of your apache website can be found and accessed.
> A static ip address is pretty much required, though with some creative ip
> address assignments this can be circumvented. That's a whole other subject
> area.

Hello community,

Aiza could you please tell us more about qjail. google isn't very helpful and
I am very interested in the subject.

thank you.
Re: Clarification: "Jail" -vs- "Chroot"
Ed Flecko wrote:
> Hi folks,
> I'm reading about "jails" and "chroot", and I'm not clear about the differences so I'm hoping someone can clarify this for me.
>
> Here's what I "think" is correct:
>
> 1.) FreeBSD has both "chroot" capability as well as "jail" capability.
>
> 2.) Only FreeBSD has true, "jail" functionality? Yes?...No?
>
> 3.) When reading something (book, article, etc.), is there a way to determine if the author is, in fact, talking about truly a "jail" or are they really just referring to a "chroot" environment? For example, I have a book ("Preventing web attacks with Apache") that says:
>
> "Chroot is short for change root and essentially allows you to run programs in a protected or jailed environment. The main benefit of a chroot jail is that the jail will limit the portion of the file system the daemon can see to the root directory of the jail. Additionally, since the jail only needs to support Apache, the programs available in the jail can be extremely limited."
>
> 4.) Jail is the more secure of the two options?
>
> 5.) When would you "typically" use a jail -vs- a chroot? The new, 2nd edition of "Absolute FreeBSD" says:
>
> "Chrooting is useful for web servers that have multiple clients on one machine—that is, web servers with many virtual hosts."
>
> Comments??? Suggestions???
>
> Thank you!
>
> Ed

Well let me take a shot at this. First of all we are only talking about the FreeBSD operating system. The ability to chroot a directory tree has been available since RELEASE 2.0. The jail utility first appeared in RELEASE 4.0. The jail utility is just a basic effort to automate the building and administration of a chrooted directory tree which is pretty much useless unless it contains a complete copy of the FreeBSD operating system binaries.

The major shortcoming of the jail command jail system is each jail has its own copy of the host's running system binaries. FreeBSD reserves a limited number of control structures for storing files and directories, called inodes. Creating a few jails consumes many of these valuable inodes, eventually preventing the creation of new jails and new files on the host. Worse yet is each jail loads its own copy of its running binaries into memory which causes thrashing on the swap device as memory pages are swapped in and out as the limited memory is shared between the host and jails. Besides consuming resources and creating performance degradation, this also causes a major administration headache when wanting to update the host running system, because the host and the jails all have to be running the same RELEASE version.

Now with some considerable hand jobbing per the jail section of the handbook, a jail environment can be created whereby a single copy of the jailed running binaries is shared among all the jails. But this still leaves you with an administration nightmare as the number of jails deployed grows past 5. Now there are some ports in the ports system that are utility wrappers around the jail command that try to address this administration nightmare. My experience with these is they are very poorly documented and you really need to have a good grasp on how jails work and network IP address usage before they are useful. Their ease of use quickly evaporates as the number of jails deployed reaches 10.

The next generation of a jail utility for the deployment of a large number of jails is in project phase right now. Keep checking the ports system for qjail.

Now about what to run in a jail. Well since each jail is like a complete stand-alone operating system, you can populate it with any application you want. The real limitation is how is that jail going to gain public internet access so the domain name of your apache website can be found and accessed. A static IP address is pretty much required, though with some creative IP address assignments this can be circumvented. That's a whole other subject area.
Re: Clarification: "Jail" -vs- "Chroot"
Hi,

> 1.) FreeBSD has both "chroot" capability as well as "jail" capability.

Yes, it has both of them. You still want to use chroot, also it is kind of 'part' of a jail (technically perhaps it's implemented separately).

> 2.) Only FreeBSD has true, "jail" functionality? Yes?...No?

In Solaris, you have zones, and there are several projects to do the same thing with Linux (Linux-vserver etc).

> 3.) When reading something (book, article, etc.), is there a way to determine if the author is, in fact, talking about truly a "jail" or are they really just referring to a "chroot" environment? For example, I have a book ("Preventing web attacks with Apache") that says:
>
> "Chroot is short for change root and essentially allows you to run programs in a protected or jailed environment. The main benefit of a chroot jail is that the jail will limit the portion of the file system the daemon can see to the root directory of the jail. Additionally, since the jail only needs to support Apache, the programs available in the jail can be extremely limited."

Usually, only FreeBSD-specific books will talk about jails, as chroot is the generic Unix way for that. Anyway, in many cases you can use a jail for the same things a chroot environment is talked about. In this case, I think he's really talking about a chroot, as he's only talking about the file system, not the network etc.

> 4.) Jail is the more secure of the two options?

I cannot really answer this, but a jail is the more separated way. So, I would say, a jail is more secure. If the extras of a jail are not needed, it is perhaps more insecure, as there are more points to break into the system. But, don't rely on my answer, I never looked at the kernel side of jails the very technical way.

> 5.) When would you "typically" use a jail -vs- a chroot? The new, 2nd edition of "Absolute FreeBSD" says:
>
> "Chrooting is useful for web servers that have multiple clients on one machine—that is, web servers with many virtual hosts."

On the FreeBSD machines I manage, I use chroot for the services that are not that security-relevant or can easily be separated, i.e. on some distributions you can put your apache or bind easily into a chroot environment. Also, a chroot environment can have other targets than a jail, e.g. if you only want to have another file system visibility instead of a new jail, as you do when you have to start with a live CD into a non-booting system.

Sorry for my English. :)

Regards,
Julian
Clarification: "Jail" -vs- "Chroot"
Hi folks,
I'm reading about "jails" and "chroot", and I'm not clear about the differences so I'm hoping someone can clarify this for me.

Here's what I "think" is correct:

1.) FreeBSD has both "chroot" capability as well as "jail" capability.

2.) Only FreeBSD has true, "jail" functionality? Yes?...No?

3.) When reading something (book, article, etc.), is there a way to determine if the author is, in fact, talking about truly a "jail" or are they really just referring to a "chroot" environment? For example, I have a book ("Preventing web attacks with Apache") that says:

"Chroot is short for change root and essentially allows you to run programs in a protected or jailed environment. The main benefit of a chroot jail is that the jail will limit the portion of the file system the daemon can see to the root directory of the jail. Additionally, since the jail only needs to support Apache, the programs available in the jail can be extremely limited."

4.) Jail is the more secure of the two options?

5.) When would you "typically" use a jail -vs- a chroot? The new, 2nd edition of "Absolute FreeBSD" says:

"Chrooting is useful for web servers that have multiple clients on one machine—that is, web servers with many virtual hosts."

Comments??? Suggestions???

Thank you!

Ed
Re: chroot scp only network storage?
On Tue, May 25, 2010 11:23 pm, Balázs Mátéffy wrote:
> Hello,
>
> Try /usr/ports/shells/scponly .
>
> Look up the features, this way you can assign the restrictive scponly shell to the users:
>
> http://sublimation.org/scponly/wiki/index.php/Main_Page

Thanks, I have used this before on Linux. In this case it might not be exactly what I want.

Thanks,
Matt
Re: chroot scp only network storage?
On Tue, May 25, 2010 11:05 pm, Matthew Seaman wrote:
> Checkout the security/openssh-portable port which has options to enable chroot'ing. You should be able to configure the account to only be able to use scp(1) or sftp(1) by editing sshd_config or by using forced commands in the user authorized_keys files.

This sounds pretty close to what I want. I don't want the user to be able to get a shell on the box but do want to allow them to run a small subset of useful commands over ssh such as 'ls' and of course scp files to and from it.

> Another alternative is WebDAV. Run it over HTTPS for security, and use the standard Apache authn/authz controls to give each user access to only their own area. In principle your users can mount their WebDAV areas as networked filesystems on their desktops. In practice, this works fine with MacOS X, is horribly buggy under Windows, needs quite a lot of effort to make work on Linux, and I don't think it's actually available at all on FreeBSD. However, commandline clients like cadaver will work fine on anything Unixy.

I've had problems with exactly this before on Linux. I only need to allow Linux, FreeBSD and Solaris users access to this resource so will persevere with something SSH based I think.

Thanks,
Matt.
Re: chroot scp only network storage?
Hello,

Try /usr/ports/shells/scponly .

Look up the features, this way you can assign the restrictive scponly shell to the users:

http://sublimation.org/scponly/wiki/index.php/Main_Page

Best Regards:
Balázs Mátéffy

On 26 May 2010 00:05, Matthew Seaman wrote:
> On 25/05/2010 22:29:57, Matthew Law wrote:
>> I want to provide some users with secure network attached storage over SCP. The intent is to provide people with a similar thing to, e.g. rsync.net but inside of our network only.
>>
>> Security is obviously a priority so I would like each user to be chrooted into their allocated directory and allow them only to execute a small set of commands.
>
> Checkout the security/openssh-portable port which has options to enable chroot'ing. You should be able to configure the account to only be able to use scp(1) or sftp(1) by editing sshd_config or by using forced commands in the user authorized_keys files.
>
>> I have come across scponly before. Is this the best way of achieving this with FreeBSD or is there some other better way?
>
> Another alternative is WebDAV. Run it over HTTPS for security, and use the standard Apache authn/authz controls to give each user access to only their own area. In principle your users can mount their WebDAV areas as networked filesystems on their desktops. In practice, this works fine with MacOS X, is horribly buggy under Windows, needs quite a lot of effort to make work on Linux, and I don't think it's actually available at all on FreeBSD. However, commandline clients like cadaver will work fine on anything Unixy.
>
> Cheers
>
> Matthew
>
> --
> Dr Matthew J Seaman MA, D.Phil.
Re: chroot scp only network storage?
On 25/05/2010 22:29:57, Matthew Law wrote:
> I want to provide some users with secure network attached storage over SCP. The intent is to provide people with a similar thing to, e.g. rsync.net but inside of our network only.
>
> Security is obviously a priority so I would like each user to be chrooted into their allocated directory and allow them only to execute a small set of commands.

Checkout the security/openssh-portable port which has options to enable chroot'ing. You should be able to configure the account to only be able to use scp(1) or sftp(1) by editing sshd_config or by using forced commands in the user authorized_keys files.

> I have come across scponly before. Is this the best way of achieving this with FreeBSD or is there some other better way?

Another alternative is WebDAV. Run it over HTTPS for security, and use the standard Apache authn/authz controls to give each user access to only their own area. In principle your users can mount their WebDAV areas as networked filesystems on their desktops. In practice, this works fine with MacOS X, is horribly buggy under Windows, needs quite a lot of effort to make work on Linux, and I don't think it's actually available at all on FreeBSD. However, commandline clients like cadaver will work fine on anything Unixy.

Cheers

Matthew

--
Dr Matthew J Seaman MA, D.Phil.
chroot scp only network storage?
I want to provide some users with secure network attached storage over SCP. The intent is to provide people with a similar thing to, e.g. rsync.net but inside of our network only.

Security is obviously a priority so I would like each user to be chrooted into their allocated directory and allow them only to execute a small set of commands.

I have come across scponly before. Is this the best way of achieving this with FreeBSD or is there some other better way?

Thanks in advance,
Matt.
How can I confirm proper chroot ?
Hello,

I am using a particular program that has a command line option to "chroot to the current directory". But I would like to make sure ... I want to be sure what directory the executable is actually rooted in. How can I do this? Perhaps with lsof?

I don't see any information from the 'ps' output that would give me definitive information:

nobody 96074 0.0 0.1 8804 3896 ?? Ss 11:16AM 0:00.01 /usr/local/sbin/thttpd -d /htdocs -r -l /dev/null

So I'd like some independent confirmation of where this running program is actually rooted...

Thanks.
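One way to get the independent confirmation asked for above, as an added example that is not from this thread: ask the kernel for the process's root directory rather than trusting the program's command line. On Linux the root is exposed as the symlink /proc/PID/root; on FreeBSD, as I recall it, `procstat -f PID` lists it as the pseudo-descriptor named "root" (the column layout in the awk filter is my assumption and should be checked against your release's procstat(1)). The functions `process_root` and `is_chrooted` are names I chose for this example.

```shell
#!/bin/sh
# Added example (not from the thread): report the root directory of a
# running process from outside it, so a "chroot to current directory"
# option can be verified independently of the daemon's own output.

# process_root PID -> prints the process's root directory on stdout,
# exit status non-zero if it cannot be determined.
process_root() {
    pid=$1
    case $(uname -s) in
        Linux)
            # /proc/PID/root is a symlink to the process's root directory.
            readlink "/proc/$pid/root" ;;
        FreeBSD)
            # Assumption: procstat -f columns are
            #   PID COMM FD T V FLAGS REF OFFSET PRO NAME
            # and the root directory appears with FD == "root".
            procstat -f "$pid" | awk '$3 == "root" { print $NF; found = 1 }
                                       END { exit !found }' ;;
        *)
            echo "unsupported platform: $(uname -s)" >&2
            return 1 ;;
    esac
}

# is_chrooted PID -> exit 0 if the process root differs from the system
# root, 1 if it is "/", 2 if the root could not be determined.
is_chrooted() {
    r=$(process_root "$1") || return 2
    [ -n "$r" ] && [ "$r" != "/" ]
}

# Usage against the thttpd line quoted above would be:
#   process_root 96074      # expect /htdocs if the daemon really chrooted
#   is_chrooted 96074 && echo "chrooted"
```

A process that has genuinely called chroot(2) shows the new directory here even if it later changed directory; `/htdocs` is what the quoted thttpd invocation should report if its `-d` chroot took effect.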
Re: chroot a few apps
2010/1/9 Vadkan Jozsef
> Hi.
>
> What kind of chroot should I use, if I want to make a more secured desktop, running e.g.:
>
> pdf reader
> webbrowser
> audio player
> video player
> openoffice
> picture viewer
> mua
> ooo
> virtualbox
>
> e.g.: if there's a javascript vulnerability in google chrome [I haven't heard of a NoScript extension for it :( ] a chroot would be good for stopping it from doing something bad with the whole system.
>
> or e.g.: I have to open a .doc file that I don't trust, or a PDF can contain malicious code :(
>
> Any tips/docs/howtos?
>
> Thank you!

The best way might be to look at implementing the TrustedBSD MAC system. It's a bit hairy though and would take a while to get your head around.
chroot a few apps
Hi.

What kind of chroot should I use, if I want to make a more secured desktop, running e.g.:

pdf reader
webbrowser
audio player
video player
openoffice
picture viewer
mua
ooo
virtualbox

e.g.: if there's a javascript vulnerability in google chrome [I haven't heard of a NoScript extension for it :( ] a chroot would be good for stopping it from doing something bad with the whole system.

or e.g.: I have to open a .doc file that I don't trust, or a PDF can contain malicious code :(

Any tips/docs/howtos?

Thank you!
Re: chroot SSH users.
2009/12/27 Marwan Sultan
> Dear Krad,
> Thank you for your reply, regarding your answer, I have a few questions here
>
> 1-
> in sshd_config file the default line is :
> Subsystem sftp /usr/libexec/sftp-server
>
> So should I comment out the line? or just add your line ?
> Subsystem sftp internal-sftp

Either should work, however I only know that the one I put works.

> 2- the SSH is the default one that comes with FreeBSD, I of course did not compile SSH in the system. Are you asking me to install additional packages? or to recompile ssh when you wrote :
>
> "Make sure chroot support was compiled in"

Default should probably be OK, but again I haven't actually tested it so can't say for certain. If you do ever upgrade the base ssh from ports make sure you have the chroot bit compiled in.

> 3- SSH users are using passwords not keygen, where do I get the keys for their login?
>
> Thank you
>
> - Marwan

You don't need to use key based auth, but I generally do. The users have to create them with ssh-keygen. I usually use dsa. If you support Windows users stay away from puttygen. It does work fine, it's just it tends to generate keys in the wrong format which often leads to confusion.

>>> Hello people,
>>>
>>> I'm on FreeBSD 7.2-R P5
>>>
>>> It's easy to chroot ftp users - adding users to /etc/ftpchroot makes the job easy.
>>>
>>> How about if I want to chroot the SSH users (not ftp)
>>>
>>> any easy way? no need for jail installation or anything like this..
>>>
>>> I saw sshd_config file and it has a chrootdirectory but not sure how to use it..
>>>
>>> Anyone? any tips? any easy way?
>>>
>>> Thank you
>>>
>>> -Marwan
>>
>> fairly easy if you read the man page 8) I wrote this howto for sun boxes at work but it was using openssh so same rules should apply. Make sure chroot support was compiled in though
>>
>> 1. Don't bother with sun ssh it won't work. Opensolaris and later solaris 10 are bundled with openssh though.
>> 2. Make sure openssh version is 5 or above (some 4s do work but 5 better)
>> 3. Add these lines to sshd config
>>
>>    Match Group sftponly
>>        ChrootDirectory /home/chroot/%u
>>        X11Forwarding no
>>        AllowTcpForwarding no
>>        ForceCommand internal-sftp
>>
>> 4. Make sure the Subsystem line is this
>>
>>    Subsystem sftp internal-sftp
>>
>> 5. create the sftponly group on the system
>> 6. put the relevant users in this group. be careful as you will stop them being able to ssh in!!
>> 7. Dead important this bit !!!
>>
>>    mkdir -p /home/chroot//home//.ssh
>>    chown -R root /home/chroot/
>>    chown -R /home/chroot/
>>    chmod -R 755 /home/chroot/ /home/chroot//home/
>>    ln -s /home/chroot//home/ /home/.
>>
>> 8. Put their ssh keys in /home/chroot//home//.ssh
>>
>> All should now work
>>
>> If not check /etc/shadow the account might be locked, this just caught me out :)
Re: chroot SSH users.
2009/12/28 Tijl Coosemans
> On Sunday 27 December 2009 18:16:47 krad wrote:
>> fairly easy if you read the man page 8) I wrote this howto for sun boxes at work but it was using openssh so same rules should apply. Make sure chroot support was compiled in though
>>
>> 1. Don't bother with sun ssh it won't work. Opensolaris and later solaris 10 are bundled with openssh though.
>> 2. Make sure openssh version is 5 or above (some 4s do work but 5 better)
>> 3. Add these lines to sshd config
>>
>>    Match Group sftponly
>>        ChrootDirectory /home/chroot/%u
>>        X11Forwarding no
>>        AllowTcpForwarding no
>>        ForceCommand internal-sftp
>>
>> 4. Make sure the Subsystem line is this
>>
>>    Subsystem sftp internal-sftp
>>
>> 5. create the sftponly group on the system
>> 6. put the relevant users in this group. be careful as you will stop them being able to ssh in!!
>> 7. Dead important this bit !!!
>>
>>    mkdir -p /home/chroot//home//.ssh
>>    chown -R root /home/chroot/
>>    chown -R /home/chroot/
>
> Shouldn't this line be:
> chown -R /home/chroot//home/

Strictly yes. I probably missed a step where I symlinked it, as I was copying stuff from the shell history.

>>    chmod -R 755 /home/chroot/ /home/chroot//home/
>>    ln -s /home/chroot//home/ /home/.
>>
>> 8. Put their ssh keys in /home/chroot//home//.ssh
>>
>> All should now work
Re: chroot SSH users.
On Sunday 27 December 2009 18:16:47 krad wrote:
> fairly easy if you read the man page 8) I wrote this howto for sun boxes at work but it was using openssh so same rules should apply. Make sure chroot support was compiled in though
>
> 1. Don't bother with sun ssh it won't work. Opensolaris and later solaris 10 are bundled with openssh though.
> 2. Make sure openssh version is 5 or above (some 4s do work but 5 better)
> 3. Add these lines to sshd config
>
>    Match Group sftponly
>        ChrootDirectory /home/chroot/%u
>        X11Forwarding no
>        AllowTcpForwarding no
>        ForceCommand internal-sftp
>
> 4. Make sure the Subsystem line is this
>
>    Subsystem sftp internal-sftp
>
> 5. create the sftponly group on the system
> 6. put the relevant users in this group. be careful as you will stop them being able to ssh in!!
> 7. Dead important this bit !!!
>
>    mkdir -p /home/chroot//home//.ssh
>    chown -R root /home/chroot/
>    chown -R /home/chroot/

Shouldn't this line be:
chown -R /home/chroot//home/

>    chmod -R 755 /home/chroot/ /home/chroot//home/
>    ln -s /home/chroot//home/ /home/.
>
> 8. Put their ssh keys in /home/chroot//home//.ssh
>
> All should now work
RE: chroot SSH users.
Dear Krad,

Thank you for your reply, regarding your answer, I have a few questions here

1-
in sshd_config file the default line is :
Subsystem sftp /usr/libexec/sftp-server

So should I comment out the line? or just add your line ?
Subsystem sftp internal-sftp

2- the SSH is the default one that comes with FreeBSD, I of course did not compile SSH in the system. Are you asking me to install additional packages? or to recompile ssh when you wrote :

"Make sure chroot support was compiled in"

3- SSH users are using passwords not keygen, where do I get the keys for their login?

Thank you

- Marwan

>> Hello people,
>>
>> I'm on FreeBSD 7.2-R P5
>>
>> It's easy to chroot ftp users - adding users to /etc/ftpchroot makes the job easy.
>>
>> How about if I want to chroot the SSH users (not ftp)
>>
>> any easy way? no need for jail installation or anything like this..
>>
>> I saw sshd_config file and it has a chrootdirectory but not sure how to use it..
>>
>> Anyone? any tips? any easy way?
>>
>> Thank you
>>
>> -Marwan
>
> fairly easy if you read the man page 8) I wrote this howto for sun boxes at work but it was using openssh so same rules should apply. Make sure chroot support was compiled in though
>
> 1. Don't bother with sun ssh it won't work. Opensolaris and later solaris 10 are bundled with openssh though.
> 2. Make sure openssh version is 5 or above (some 4s do work but 5 better)
> 3. Add these lines to sshd config
>
>    Match Group sftponly
>        ChrootDirectory /home/chroot/%u
>        X11Forwarding no
>        AllowTcpForwarding no
>        ForceCommand internal-sftp
>
> 4. Make sure the Subsystem line is this
>
>    Subsystem sftp internal-sftp
>
> 5. create the sftponly group on the system
> 6. put the relevant users in this group. be careful as you will stop them being able to ssh in!!
> 7. Dead important this bit !!!
>
>    mkdir -p /home/chroot//home//.ssh
>    chown -R root /home/chroot/
>    chown -R /home/chroot/
>    chmod -R 755 /home/chroot/ /home/chroot//home/
>    ln -s /home/chroot//home/ /home/.
>
> 8. Put their ssh keys in /home/chroot//home//.ssh
>
> All should now work
>
> If not check /etc/shadow the account might be locked, this just caught me out :)
Re: chroot SSH users.
2009/12/27 Marwan Sultan
> Hello people,
>
> I'm on FreeBSD 7.2-R P5
>
> It's easy to chroot ftp users - adding users to /etc/ftpchroot makes the job easy.
>
> How about if I want to chroot the SSH users (not ftp)
> any easy way? no need for jail installation or anything like this..
>
> I saw sshd_config file and it has a chrootdirectory but not sure how to use it..
>
> Anyone? any tips? any easy way?
>
> Thank you
>
> -Marwan

fairly easy if you read the man page 8) I wrote this howto for sun boxes at work but it was using openssh so same rules should apply. Make sure chroot support was compiled in though

1. Don't bother with sun ssh it won't work. Opensolaris and later solaris 10 are bundled with openssh though.
2. Make sure openssh version is 5 or above (some 4s do work but 5 better)
3. Add these lines to sshd config

   Match Group sftponly
       ChrootDirectory /home/chroot/%u
       X11Forwarding no
       AllowTcpForwarding no
       ForceCommand internal-sftp

4. Make sure the Subsystem line is this

   Subsystem sftp internal-sftp

5. create the sftponly group on the system
6. put the relevant users in this group. be careful as you will stop them being able to ssh in!!
7. Dead important this bit !!!

   mkdir -p /home/chroot//home//.ssh
   chown -R root /home/chroot/
   chown -R /home/chroot/
   chmod -R 755 /home/chroot/ /home/chroot//home/
   ln -s /home/chroot//home/ /home/.

8. Put their ssh keys in /home/chroot//home//.ssh

All should now work

If not check /etc/shadow the account might be locked, this just caught me out :)
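Step 7 of the howto above is "dead important" because sshd enforces the ownership and mode of the ChrootDirectory path before it will chroot into it: per sshd_config(5), every component of the path must be a root-owned directory that is not writable by group or others, and the login is refused otherwise. The following is an added pre-flight check for that rule, written for this page and not part of krad's howto or OpenSSH; the function name `chroot_path_ok` is mine, and the optional OWNER and STOP arguments exist only so the check can be exercised on a scratch tree by a non-root user (in real use you pass just the directory and the defaults, root and /, apply).

```shell
#!/bin/sh
# Added example (not from the thread): verify that an sshd ChrootDirectory
# satisfies the ownership/permission rule sshd applies before chrooting.
# The walk goes from the leaf directory up to STOP (default "/"), checking
# every component, because sshd rejects the path if any one of them is
# wrong, not just the leaf.

# chroot_path_ok PATH [OWNER] [STOP] -> exit 0 if every component of PATH
# down to STOP is a directory owned by OWNER (default root) and not
# group- or world-writable; prints the first offending component otherwise.
chroot_path_ok() {
    path=$1
    owner=${2:-root}
    stop=${3:-/}
    [ -d "$path" ] || { echo "not a directory: $path" >&2; return 1; }
    p=$path
    while :; do
        # ls -ld is portable across BSD and GNU: field 1 is the mode
        # string (e.g. drwxr-xr-x), field 3 the owner name.
        set -- $(ls -ld "$p")
        mode=$1
        own=$3
        case "$mode" in
            d*) ;;
            *)  echo "not a real directory (symlink?): $p" >&2; return 1 ;;
        esac
        if [ "$own" != "$owner" ]; then
            echo "wrong owner on $p: $own (want $owner)" >&2
            return 1
        fi
        # Position 6 of the mode string is the group write bit,
        # position 9 the world write bit.
        case "$mode" in
            ?????w*|????????w*)
                echo "group- or world-writable: $p ($mode)" >&2
                return 1 ;;
        esac
        if [ "$p" = "$stop" ] || [ "$p" = "/" ]; then
            break
        fi
        p=$(dirname "$p")
    done
    return 0
}

# Typical use after step 7 of the howto, before letting a user log in:
#   chroot_path_ok /home/chroot/someuser || echo "fix ownership/modes first"
```

Note the howto's `chmod -R 755` and `chown -R root` on /home/chroot are exactly what satisfy this check; the user's writable area has to be a subdirectory below the chroot (the `home/<user>` directory the howto chowns to the user), never the ChrootDirectory itself.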
chroot SSH users.
Hello people,

I'm on FreeBSD 7.2-R P5

It's easy to chroot ftp users - adding users to /etc/ftpchroot makes the job easy.

How about if I want to chroot the SSH users (not ftp)
any easy way? no need for jail installation or anything like this..

I saw sshd_config file and it has a chrootdirectory but not sure how to use it..

Anyone? any tips? any easy way?

Thank you

-Marwan
7.0 stable + postfix - how to setup chroot?
What I already did:

syslogd_flags="-s -l /var/spool/postfix/var/run/log" # put into /etc/rc.conf

Then I changed "n" to "y" for all lines in /usr/local/etc/postfix/master.cf in the "chroot" column.

But I don't know how to create a chrooted environment under /var/spool/postfix. Is there a command that can create it for me? Or is there a manual telling what files I need to copy from my root fs?

Thanks,

Laszlo
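The question above asks which files have to be copied from the root filesystem into /var/spool/postfix; as an added example, not from this thread and not Postfix's own chroot-setup script, here is a small copier plus verifier for such a file list. The list in `CHROOT_FILES` (resolver and name-service files plus the timezone) is my assumption of a typical minimum for a chrooted daemon; check your Postfix release's documentation for the exact set. The script copies with `cp -L` so that a host file that is itself a symlink (as /etc/localtime often is) becomes a real file inside the chroot rather than a link that dangles once the root changes. The function names `populate_chroot` and `verify_chroot` are mine.

```shell
#!/bin/sh
# Added example (not from the thread): copy a minimal set of host files into
# a daemon chroot and verify the result. SRC is the host root ("/" in real
# use; a scratch tree in the test), DST the chroot directory.

# Assumed starting list of files a resolver-using daemon needs inside
# its chroot; extend it per your Postfix release's documentation.
CHROOT_FILES="etc/resolv.conf etc/hosts etc/services etc/protocols etc/localtime"

# populate_chroot SRC DST [FILES...] -> copies each relative FILE from SRC
# into DST (default list: CHROOT_FILES); exit 0 only if every file copied.
populate_chroot() {
    src=$1
    dst=$2
    shift 2
    [ $# -gt 0 ] || set -- $CHROOT_FILES
    rc=0
    for f in "$@"; do
        if [ ! -e "$src/$f" ]; then
            echo "missing on host: $src/$f" >&2
            rc=1
            continue
        fi
        mkdir -p "$dst/$(dirname "$f")"
        # -L dereferences symlinks so the chroot gets a regular file;
        # -p keeps the original mode and timestamps.
        cp -pL "$src/$f" "$dst/$f" || rc=1
        # Nothing in the chroot should be writable by the daemon's group
        # or by others.
        chmod go-w "$dst/$f"
    done
    return $rc
}

# verify_chroot DST [FILES...] -> exit 0 if every file exists inside DST
# as a regular file (not a symlink, which would point outside the chroot).
verify_chroot() {
    dst=$1
    shift
    [ $# -gt 0 ] || set -- $CHROOT_FILES
    rc=0
    for f in "$@"; do
        if [ -L "$dst/$f" ] || [ ! -f "$dst/$f" ]; then
            echo "not a regular file in chroot: $dst/$f" >&2
            rc=1
        fi
    done
    return $rc
}

# Real use for the setup described above:
#   populate_chroot / /var/spool/postfix && verify_chroot /var/spool/postfix
```

Run it again after any upgrade that touches the listed files (a new zoneinfo or resolv.conf on the host is not seen by the chrooted daemon until it is copied in).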
problems with chroot with mod_secrity on freebsd
Hi,

I have FreeBSD 7.2-RELEASE installed on amd64. I installed apache22 with mod_security2; when I try to activate the SecChroot, the below errors appear. The documentation denotes that it should be straightforward without any problem, but apparently I have a problem with mod_rewrite. I have created the folders /var/run, /var/run/cache, /var/run/logs, and even /var/log, and the domains are logging httpd-access & error inside the chroot.

Any clues about this issue?

Starting apache22.
httpd: Could not reliably determine the server's fully qualified domain name, using server01.davincihosting.com for ServerName
[Wed Jul 22 01:44:46 2009] [notice] ModSecurity: chroot checkpoint #1 (pid=41214 ppid=41209)
[Wed Jul 22 01:44:46 2009] [notice] ModSecurity for Apache/2.5.9 (http://www.modsecurity.org/) configured.
[Wed Jul 22 01:44:46 2009] [notice] Original server signature: Apache/2.2.11 (FreeBSD) DAV/2
server01# [Wed Jul 22 01:44:46 2009] [notice] Digest: generating secret for digest authentication ...
[Wed Jul 22 01:44:46 2009] [notice] Digest: done
[Wed Jul 22 01:44:47 2009] [notice] ModSecurity: chroot checkpoint #2 (pid=41215 ppid=1)
[Wed Jul 22 01:44:47 2009] [notice] ModSecurity: chroot successful, path=/home/www
[Wed Jul 22 01:44:47 2009] [crit] (2)No such file or directory: mod_rewrite: could not init rewrite log lock in child
[Wed Jul 22 01:44:47 2009] [crit] (2)No such file or directory: mod_rewrite: could not init rewrite log lock in child
[Wed Jul 22 01:44:47 2009] [notice] Apache/2.2.11 (FreeBSD) DAV/2 PHP/5.2.10 with Suhosin-Patch WeB Hosting Server configured -- resuming normal operations
[Wed Jul 22 01:44:47 2009] [crit] (2)No such file or directory: mod_rewrite: could not init rewrite log lock in child
[Wed Jul 22 01:44:47 2009] [crit] (2)No such file or directory: mod_rewrite: could not init rewrite log lock in child
[Wed Jul 22 01:44:47 2009] [crit] (2)No such file or directory: mod_rewrite: could not init rewrite log lock in child
Re: FreeBSD 5.4 chroot
On Monday 25 August 2008, Kris Kennaway wrote:
> Mihai Donțu wrote:
> > Hi,
> >
> > I've just installed a FreeBSD 6.0-RELEASE and I need a FreeBSD
> > 5.4-RELEASE chroot to build something in it (hw shortage). All nice and
> > dandy, until I hit a /dev problem:
> >
> > # svn up
> > svn: PROPFIND request failed on '/svn/project'
> > svn: PROPFIND of '/svn/project': SSL negotiation failed: SSL disabled due
> > to lack of entropy (https://svn.host.com)
> >
> > # ls -l /dev/random
> > crw-rw-rw- 1 root wheel 249, 0 Aug 25 16:19 /dev/random
> >
> > # cat /dev/random
> > cat: /dev/random: Socket operation on non-socket
> >
> > # rm /dev/random
> >
> > # mknod /dev/mknod random c 0 10 root:wheel
> >
> > # chmod 0666 /dev/random
> >
> > # ls -l /dev/random
> > crw-rw-rw- 1 root wheel 0, 10 Aug 25 18:28 /dev/random
> >
> > # cat /dev/random
> > cat: /dev/random: Socket operation on non-socket
> >
> > Clearly, all those years of Linux chroot-ing have affected my brain, but
> > Google isn't very helpful either. :) Could someone, please, hint me about
> > what I'm doing wrong?
>
> mount a devfs instance to create the devices (see mount_devfs) instead
> of trying to mknod them by hand.

Works like magic. :) Thanks!

-- 
Mihai Donțu
Re: FreeBSD 5.4 chroot
Mihai Donțu wrote:
> Hi,
>
> I've just installed a FreeBSD 6.0-RELEASE and I need a FreeBSD
> 5.4-RELEASE chroot to build something in it (hw shortage). All nice and
> dandy, until I hit a /dev problem:
>
> # svn up
> svn: PROPFIND request failed on '/svn/project'
> svn: PROPFIND of '/svn/project': SSL negotiation failed: SSL disabled due
> to lack of entropy (https://svn.host.com)
>
> # ls -l /dev/random
> crw-rw-rw- 1 root wheel 249, 0 Aug 25 16:19 /dev/random
>
> # cat /dev/random
> cat: /dev/random: Socket operation on non-socket
>
> # rm /dev/random
>
> # mknod /dev/mknod random c 0 10 root:wheel
>
> # chmod 0666 /dev/random
>
> # ls -l /dev/random
> crw-rw-rw- 1 root wheel 0, 10 Aug 25 18:28 /dev/random
>
> # cat /dev/random
> cat: /dev/random: Socket operation on non-socket
>
> Clearly, all those years of Linux chroot-ing have affected my brain, but
> Google isn't very helpful either. :) Could someone, please, hint me about
> what I'm doing wrong?

mount a devfs instance to create the devices (see mount_devfs) instead of trying to mknod them by hand.

Kris
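Kris's answer is the fix; as an added check that is not part of the thread, the sh function below tells a working /dev inside a chroot apart from hand-made nodes like the one in Mihai's transcript by exercising the nodes rather than just listing them (an ls that shows crw-rw-rw- proves nothing about whether the major/minor numbers reach a driver).

```shell
#!/bin/sh
# Added example, not part of the thread: verify that a chroot's /dev is
# usable before building or running anything inside it.  A node made
# with mknod(8) on a devfs system can look fine to ls(1) while its
# major/minor numbers point at no driver, so the check reads from and
# writes to the nodes instead of trusting their type alone.  On FreeBSD
# the right way to populate the tree is a devfs mount:
#   mount -t devfs devfs /path/to/chroot/dev
# Unmount it again before deleting the tree, or rm -rf would walk into
# the live device tree; devfs.rules(5) can restrict what the chroot sees.

# chroot_dev_ok ROOT
# Returns 0 if ROOT/dev holds working null, zero, random and urandom
# nodes, 1 otherwise with the reason on stderr.  ROOT "" or "/" checks
# the host's own /dev.
chroot_dev_ok() {
    root=${1%/}
    for name in null zero random urandom; do
        node="$root/dev/$name"
        if [ ! -c "$node" ]; then
            echo "chroot_dev_ok: $node is not a character device" >&2
            return 1
        fi
    done
    # urandom must hand back bytes; a node backed by nothing fails here
    got=$(dd if="$root/dev/urandom" bs=16 count=1 2>/dev/null | wc -c | tr -d ' ')
    if [ "$got" != 16 ]; then
        echo "chroot_dev_ok: read from $root/dev/urandom returned $got bytes" >&2
        return 1
    fi
    # null must accept and discard writes
    if ! echo probe > "$root/dev/null" 2>/dev/null; then
        echo "chroot_dev_ok: cannot write to $root/dev/null" >&2
        return 1
    fi
    # zero must read back as NUL bytes
    zeros=$(dd if="$root/dev/zero" bs=4 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n')
    if [ "$zeros" != 00000000 ]; then
        echo "chroot_dev_ok: $root/dev/zero did not return zeros" >&2
        return 1
    fi
    return 0
}
```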
FreeBSD 5.4 chroot
Hi,

I've just installed a FreeBSD 6.0-RELEASE and I need a FreeBSD 5.4-RELEASE chroot to build something in it (hw shortage). All nice and dandy, until I hit a /dev problem:

  # svn up
  svn: PROPFIND request failed on '/svn/project'
  svn: PROPFIND of '/svn/project': SSL negotiation failed: SSL disabled due to lack of entropy (https://svn.host.com)

  # ls -l /dev/random
  crw-rw-rw- 1 root wheel 249, 0 Aug 25 16:19 /dev/random

  # cat /dev/random
  cat: /dev/random: Socket operation on non-socket

  # rm /dev/random

  # mknod /dev/mknod random c 0 10 root:wheel

  # chmod 0666 /dev/random

  # ls -l /dev/random
  crw-rw-rw- 1 root wheel 0, 10 Aug 25 18:28 /dev/random

  # cat /dev/random
  cat: /dev/random: Socket operation on non-socket

Clearly, all those years of Linux chroot-ing have affected my brain, but Google isn't very helpful either. :) Could someone, please, hint me about what I'm doing wrong?

Thank you,
-- 
Mihai Donțu
Getting PAM up inside chroot issues
Hi all

I'm trying to get PAM up inside a chroot. I'm using FreeBSD 7.0 on i386.

su -l shows the following error:

  su: pam_start: system error

strace su -l shows the following failures:

  access("/etc/localtime", R_OK) = 0
  open("/etc/localtime", O_RDONLY) = 4
  fstat(4, {st_mode=S_IFLNK|S_ISGID|052, st_size=18445798717047743530, ...}) = 0
  read(4, "3\244\374\377*\244\374\3773\244\374\3773\244\374\3773\244"..., 7944) = 171
  close(4) = 0
  socket(PF_UNIX, SOCK_DGRAM, 0) = 4
  fcntl(4, F_SETFD, FD_CLOEXEC) = 0
  connect(4, {sa_family=0xa4 /* AF_??? */, sa_data="\374\377\\[x\0%02x\0%1x"}, 106) = -1 ENOENT (No such file or directory)
  connect(4, {sa_family=0x2f /* AF_??? */, sa_data="ystem call\0Inp"}, 106) = -1 ENOENT (No such file or directory)
  connect(4, {sa_family=0x74 /* AF_??? */, sa_data="d processes\0Re"}, 106) = -1 ENOENT (No such file or directory)
  close(4) = 0
  sendto(-1, "source deadlock avoided\0Cannot a"..., 72, 0, NULL, 0) = -1 EBADF (Bad file descriptor)
  socket(PF_UNIX, SOCK_DGRAM, 0) = 4
  fcntl(4, F_SETFD, FD_CLOEXEC) = 0
  connect(4, {sa_family=0x6c /* AF_??? */, sa_data="nk\0\0\0\0Operatio"}, 106) = -1 ENOENT (No such file or directory)

There is no failure up to reading /etc/localtime. This shows the socket (fd=4) disappeared before the connect. What am I still missing in my chroot? Where does this socket get created? Is it the current directory where su was initiated or somewhere else?

Appreciate your help to identify the cause.

Kind regards
Unga
Re: It is safe to build ports for 7.0 from a 6.3 chroot?
On 04/03/2008, Mel <[EMAIL PROTECTED]> wrote:
> On Tuesday 04 March 2008 01:48:37 Bogdan Ćulibrk wrote:
> > 0) Do I need to reinvent wheel?
> >
> > Joke off. Really, why would you try alternate way of upgrading, when
> > there's straight way to do it?
>
> Minimize downtime of services provided by ports?
>
> Jose: take a look at Tinderbox - it does exactly what you want to do: build
> ports for OS release X on OS release Y, using chroot. If you're unsure about
> your own method, because of OSVERSION or similar, do it using Tinderbox.

Thank you very much for your responses. The aim is, as you comment, to minimize downtime of services. Also, I want to switch back to the 6.3 release in a fast way if I find some problem running the new one. Therefore, I cannot erase the 6.3 release.

Best regards
Re: It is safe to build ports for 7.0 from a 6.3 chroot?
Mel wrote:
|
| Just cause it doesn't fall into your 95% slice, doesn't make it messy. It's in
| fact cleaner than using compat6x, *because* compat6x doesn't fall into the
| category of potential causes when things don't work.
| FYI: tinderbox is based on the pointyhat build cluster, which makes all
| the 'messy' packages for the FreeBSD package servers.
|

I will stop the discussion right here, because it has a tendency to bring out an endless flame of you-know-what-about. The starter of this thread didn't even mention what services he is running, and just by that it is pointless to discuss approaches to upgrading anything. Hats off to tinderbox or however binary packages are made, but that has nothing to do with how to upgrade a FreeBSD system.

-- 
Best regards,
Bogdan Culibrk
[EMAIL PROTECTED]
http://default.co.yu/~bc
Re: It is safe to build ports for 7.0 from a 6.3 chroot?
On Tuesday 04 March 2008 13:07:21 Bogdan Ćulibrk wrote:
> Mel wrote:
> | Minimize downtime of services provided by ports?
> |
> | Jose: take a look at Tinderbox - it does exactly what you want to do: build
> | ports for OS release X on OS release Y, using chroot. If you're unsure about
> | your own method, because of OSVERSION or similar, do it using Tinderbox.
>
> IMHO, the usual procedure described in handbook will satisfy 95% of
> upgrade scenarios. Others can install compat6x port right after (or
> before) reboot.

And then upgrade all ports, while the services are running?

> In any case, be free to try whatever scenario works for you, but I would
> not like to be the one who inherits server with such 'messy-upgrade' :|

Just because it doesn't fall into your 95% slice doesn't make it messy. It's in fact cleaner than using compat6x, *because* compat6x doesn't fall into the category of potential causes when things don't work.

FYI: tinderbox is based on the pointyhat build cluster, which makes all the 'messy' packages for the FreeBSD package servers.

-- 
Mel

Problem with today's modular software: they start with the modules and never get to the software part.
Re: It is safe to build ports for 7.0 from a 6.3 chroot?
Mel wrote:
|
| Minimize downtime of services provided by ports?
|
| Jose: take a look at Tinderbox - it does exactly what you want to do: build
| ports for OS release X on OS release Y, using chroot. If you're unsure about
| your own method, because of OSVERSION or similar, do it using Tinderbox.
|

IMHO, the usual procedure described in the handbook will satisfy 95% of upgrade scenarios. Others can install the compat6x port right after (or before) the reboot.

In any case, feel free to try whatever scenario works for you, but I would not like to be the one who inherits a server with such a 'messy-upgrade' :|

-- 
Best regards,
Bogdan Culibrk
[EMAIL PROTECTED]
http://default.co.yu/~bc
Re: It is safe to build ports for 7.0 from a 6.3 chroot?
On Tuesday 04 March 2008 01:48:37 Bogdan Ćulibrk wrote:
> Jose Garcia Juanino wrote:
> | Hi everybody
> |
> | Actually, I do the following in order to update from 6.3 to 7.0:
> |
> | 1) dump my actual 6.3 filesystems /, /var and /usr into three new
> | ones: /rel70, /rel70/usr and /rel70/var (I use the dump command, of
> | course)
> |
> | 2) chroot /rel70 and mergemaster -p + buildkernel + buildworld +
> | installkernel + installworld + mergemaster -i and such stuff
> |
> | 3) Inside the chroot, rebuild the ports
> |
> | 4) Reboot the new release
> |
> |
> | Will I go into problems following this approach? The step 3) is the most
> | dangerous, I believe, as I have executing 7.0 commands on a 6.3 kernel
> | (even though only for compilation).
>
> 0) Do I need to reinvent wheel?
>
>
> Joke off. Really, why would you try alternate way of upgrading, when
> there's straight way to do it?

Minimize downtime of services provided by ports?

Jose: take a look at Tinderbox - it does exactly what you want to do: build ports for OS release X on OS release Y, using chroot. If you're unsure about your own method, because of OSVERSION or similar, do it using Tinderbox.

-- 
Mel

Problem with today's modular software: they start with the modules and never get to the software part.
Re: It is safe to build ports for 7.0 from a 6.3 chroot?
Jose Garcia Juanino wrote:
| Hi everybody
|
| Actually, I do the following in order to update from 6.3 to 7.0:
|
| 1) dump my actual 6.3 filesystems /, /var and /usr into three new
| ones: /rel70, /rel70/usr and /rel70/var (I use the dump command, of
| course)
|
| 2) chroot /rel70 and mergemaster -p + buildkernel + buildworld +
| installkernel + installworld + mergemaster -i and such stuff
|
| 3) Inside the chroot, rebuild the ports
|
| 4) Reboot the new release
|
|
| Will I go into problems following this approach? The step 3) is the most
| dangerous, I believe, as I have executing 7.0 commands on a 6.3 kernel
| (even though only for compilation).

0) Do I need to reinvent the wheel?

Joke off. Really, why would you try an alternate way of upgrading, when there's a straight way to do it?

-- 
Best regards,
Bogdan Culibrk
[EMAIL PROTECTED]
http://default.co.yu/~bc
Re: It is safe to build ports for 7.0 from a 6.3 chroot?
On Mon, Mar 03, 2008 at 09:09:37PM +0100, Jose Garcia Juanino wrote:
> Hi everybody
>
> Actually, I do the following in order to update from 6.3 to 7.0:
>
> 1) dump my actual 6.3 filesystems /, /var and /usr into three new
> ones: /rel70, /rel70/usr and /rel70/var (I use the dump command, of
> course)
>
> 2) chroot /rel70 and mergemaster -p + buildkernel + buildworld +
> installkernel + installworld + mergemaster -i and such stuff
>
> 3) Inside the chroot, rebuild the ports
>
> 4) Reboot the new release
>
>
> Will I go into problems following this approach? The step 3) is the most
> dangerous, I believe, as I have executing 7.0 commands on a 6.3 kernel
> (even though only for compilation).

Not only that: many ports have some tweaks dependent on OSVERSION; some have it ingrained into their configure shims.

Personally, I got into a situation where I had to run a 7.0 world on a 6.3 kernel. Nothing bad happened, but I rebooted with a new kernel as soon as I could.

All in all, I'd say you have a good chance to succeed, especially if you have your fingers crossed :) You won't be on the safe side, though.
It is safe to build ports for 7.0 from a 6.3 chroot?
Hi everybody

Actually, I do the following in order to update from 6.3 to 7.0:

1) dump my actual 6.3 filesystems /, /var and /usr into three new ones: /rel70, /rel70/usr and /rel70/var (I use the dump command, of course)

2) chroot /rel70 and mergemaster -p + buildkernel + buildworld + installkernel + installworld + mergemaster -i and such stuff

3) Inside the chroot, rebuild the ports

4) Reboot the new release

Will I run into problems following this approach? Step 3) is the most dangerous, I believe, as I would be executing 7.0 commands on a 6.3 kernel (even though only for compilation).

Best regards
i386 chroot on amd64
Hi!

I just created an i386 chroot on an amd64 host (make TARGET=i386 TARGET_ARCH=i386 ...). The host is compiled with lib32 support. I'm trying to chroot into the directory to install a port (the ports dir is nullfs-mounted):

  chroot /path/to/chroot /bin/sh -c "cd /usr/ports/my/port; make install clean; "

but all I get is "chroot: /bin/sh: Exec format error". Google points me in the direction of i386/amd64 conflicts. The host is running 7.0-PRERELEASE #4, the chroot is compiled from CURRENT sources csupped today. Is what I'm trying to do even supposed to work?

Thanks,
Erik
Re: apache mod_ssl chroot problem
On Wed, 2007-10-17 at 13:38 +0100, Daniel Bye wrote:
> On Wed, Oct 17, 2007 at 08:46:01PM +0700, Muhammad Reza wrote:
> > Dear List.
> >
> > I have problem running apache in chroot mode with ssl enable.
> > Apache in chroot mode running fine without ssl enable, but when i try to
> > start with mod_ssl enable, error occured with this message.
> >
> > beastie#chroot /chroot/httpd /usr/local/apache2/bin/httpd
> > Apache/2.2.6 mod_ssl/2.2.6 (Pass Phrase Dialog)
> > Some of your private key files are encrypted for security reasons.
> > In order to read them you have to provide the pass phrases.
> >
> > Server beastie.mra.co.id:443 (RSA)
> > Enter pass phrase:Apache:mod_ssl:Error: Private key not found.
> > **Stopped
> >
> > and with error log
> >
> > [Wed Oct 17 13:37:25 2007] [error] Init: Private key not found
> > [Wed Oct 17 13:37:25 2007] [error] SSL Library Error: 218710120 error:0D094068:asn1 encoding routines:d2i_ASN1_SET:bad tag
> > [Wed Oct 17 13:37:25 2007] [error] SSL Library Error: 218529960 error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
> > [Wed Oct 17 13:37:25 2007] [error] SSL Library Error: 218595386 error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error
> > [Wed Oct 17 13:37:25 2007] [error] SSL Library Error: 218734605 error:0D09A00D:asn1 encoding routines:d2i_PrivateKey:ASN1 lib
> > [Wed Oct 17 13:38:32 2007] [error] Init: Private key not found
> > [Wed Oct 17 13:38:32 2007] [error] SSL Library Error: 218710120 error:0D094068:asn1 encoding routines:d2i_ASN1_SET:bad tag
> > [Wed Oct 17 13:38:32 2007] [error] SSL Library Error: 218529960 error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
> > [Wed Oct 17 13:38:32 2007] [error] SSL Library Error: 218595386b error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error
> > [Wed Oct 17 13:38:32 2007] [error] SSL Library Error: 218734605 error:0D09A00D:asn1 encoding routines:d2i_PrivateKey:ASN1 lib
> >
> > If i escape from chrooted enviroment, apache with mod_ssl work fine
> >
> > beastie# /usr/local/apache2/bin/httpd
> > Apache/2.2.6 mod_ssl/2.2.6 (Pass Phrase Dialog)
> > Some of your private key files are encrypted for security reasons.
> > In order to read them you have to provide the pass phrases.
> >
> > Server www.example.com:443 (RSA)
> > Enter pass phrase:
> >
> > OK: Pass Phrase Dialog successful.
> >
> > Is there something missing here, please enlight me.
>
> The first thing that comes to mind - are your keys inside the chroot area
> you want to run apache in?
>

The key is in /chroot/httpd/usr/local/apache2/conf/ with mode 400, owned by root, and the path in httpd-ssl.conf is

  SSLCertificateKeyFile "/usr/local/apache2/conf/server.key"

Is there any way to test that my key is visible to the chrooted program?

regards
Reza
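Reza's question ("is there any way to test that my key is visible to the chrooted program?") is answered by hand with the sh function below, an added example that is not part of the thread. It resolves the configured path under the chroot the way the chrooted httpd would, checks that the file is there, non-empty, readable and private, and that it starts with a PEM private-key header, since the error log above shows ASN.1 parse errors logged together with "Private key not found".

```shell
#!/bin/sh
# Added example, not from the thread: check that the private key named
# in httpd-ssl.conf is reachable from inside the chroot.  Paths in the
# config are resolved by the chrooted httpd, so a key stored at
# /chroot/httpd/usr/local/apache2/conf/server.key on the host must be
# configured as /usr/local/apache2/conf/server.key.  A common slip is
# to put the host path in the config, which the chrooted server then
# looks for under /chroot/httpd/chroot/httpd/...; that is flagged too.

# chroot_key_ok ROOT CONFIGURED_PATH
# Returns 0 when CONFIGURED_PATH, looked up under ROOT as the chrooted
# server would, is a non-empty, readable PEM private key that group and
# others cannot read; 1 otherwise, with the reason on stderr.
chroot_key_ok() {
    root=${1%/}
    conf=$2
    case $conf in
        /*) ;;
        *)  echo "chroot_key_ok: $conf must be an absolute path inside the chroot" >&2
            return 1 ;;
    esac
    # a host-side path in the config doubles the chroot prefix
    if [ -n "$root" ]; then
        case $conf in
            "$root"/*)
                echo "chroot_key_ok: $conf starts with the chroot path; the server would open $root$conf" >&2
                return 1 ;;
        esac
    fi
    key="$root$conf"
    if [ ! -f "$key" ]; then
        echo "chroot_key_ok: $key is missing (key not copied into the chroot?)" >&2
        return 1
    fi
    if [ ! -s "$key" ]; then
        echo "chroot_key_ok: $key is empty" >&2
        return 1
    fi
    if [ ! -r "$key" ]; then
        echo "chroot_key_ok: $key is not readable by $(id -un)" >&2
        return 1
    fi
    # a private key should be readable by its owner only (mode 400/600);
    # find(1) prints the path only when neither g+r nor o+r is set
    if [ -z "$(find "$key" -prune ! -perm -040 ! -perm -004 -print)" ]; then
        echo "chroot_key_ok: $key is readable by group or others" >&2
        return 1
    fi
    # the first line of a PEM key names its type; a file in some other
    # format is not going to parse no matter where it lives
    if ! head -n 1 "$key" | grep -q '^-----BEGIN .*PRIVATE KEY-----$'; then
        echo "chroot_key_ok: $key does not start with a PEM private key header" >&2
        return 1
    fi
    return 0
}
```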
Re: apache mod_ssl chroot problem
On Wed, 2007-10-17 at 08:29 -0600, James wrote:
> > Server beastie.mra.co.id:443 (RSA)
> > Enter pass phrase:Apache:mod_ssl:Error: Private key not found.
> > **Stopped
>
> Isn't the private key the one on the local machine? If so, is the
> private key visible with the chroot environment?
>

The key is in /chroot/httpd/usr/local/apache2/conf/ with mode 400, owned by root, and the path in httpd-ssl.conf is

  SSLCertificateKeyFile "/usr/local/apache2/conf/server.key"

Is there any way to test that my key is visible to the chrooted program?

regards
Reza
Re: apache mod_ssl chroot problem
> Server beastie.mra.co.id:443 (RSA)
> Enter pass phrase:Apache:mod_ssl:Error: Private key not found.
> **Stopped

Isn't the private key the one on the local machine? If so, is the private key visible within the chroot environment?
Re: apache mod_ssl chroot problem
On Wed, Oct 17, 2007 at 08:46:01PM +0700, Muhammad Reza wrote:
> Dear List.
>
> I have problem running apache in chroot mode with ssl enable.
> Apache in chroot mode running fine without ssl enable, but when i try to
> start with mod_ssl enable, error occured with this message.
>
> beastie#chroot /chroot/httpd /usr/local/apache2/bin/httpd
> Apache/2.2.6 mod_ssl/2.2.6 (Pass Phrase Dialog)
> Some of your private key files are encrypted for security reasons.
> In order to read them you have to provide the pass phrases.
>
> Server beastie.mra.co.id:443 (RSA)
> Enter pass phrase:Apache:mod_ssl:Error: Private key not found.
> **Stopped
>
> and with error log
>
> [Wed Oct 17 13:37:25 2007] [error] Init: Private key not found
> [Wed Oct 17 13:37:25 2007] [error] SSL Library Error: 218710120 error:0D094068:asn1 encoding routines:d2i_ASN1_SET:bad tag
> [Wed Oct 17 13:37:25 2007] [error] SSL Library Error: 218529960 error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
> [Wed Oct 17 13:37:25 2007] [error] SSL Library Error: 218595386 error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error
> [Wed Oct 17 13:37:25 2007] [error] SSL Library Error: 218734605 error:0D09A00D:asn1 encoding routines:d2i_PrivateKey:ASN1 lib
> [Wed Oct 17 13:38:32 2007] [error] Init: Private key not found
> [Wed Oct 17 13:38:32 2007] [error] SSL Library Error: 218710120 error:0D094068:asn1 encoding routines:d2i_ASN1_SET:bad tag
> [Wed Oct 17 13:38:32 2007] [error] SSL Library Error: 218529960 error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
> [Wed Oct 17 13:38:32 2007] [error] SSL Library Error: 218595386b error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error
> [Wed Oct 17 13:38:32 2007] [error] SSL Library Error: 218734605 error:0D09A00D:asn1 encoding routines:d2i_PrivateKey:ASN1 lib
>
> If i escape from chrooted enviroment, apache with mod_ssl work fine
>
> beastie# /usr/local/apache2/bin/httpd
> Apache/2.2.6 mod_ssl/2.2.6 (Pass Phrase Dialog)
> Some of your private key files are encrypted for security reasons.
> In order to read them you have to provide the pass phrases.
>
> Server www.example.com:443 (RSA)
> Enter pass phrase:
>
> OK: Pass Phrase Dialog successful.
>
> Is there something missing here, please enlight me.

The first thing that comes to mind - are your keys inside the chroot area you want to run apache in?

-- 
Daniel Bye
apache mod_ssl chroot problem
Dear List.

I have a problem running apache in chroot mode with ssl enabled. Apache in chroot mode runs fine without ssl enabled, but when I try to start with mod_ssl enabled, an error occurs with this message:

  beastie#chroot /chroot/httpd /usr/local/apache2/bin/httpd
  Apache/2.2.6 mod_ssl/2.2.6 (Pass Phrase Dialog)
  Some of your private key files are encrypted for security reasons.
  In order to read them you have to provide the pass phrases.

  Server beastie.mra.co.id:443 (RSA)
  Enter pass phrase:Apache:mod_ssl:Error: Private key not found.
  **Stopped

and with error log

  [Wed Oct 17 13:37:25 2007] [error] Init: Private key not found
  [Wed Oct 17 13:37:25 2007] [error] SSL Library Error: 218710120 error:0D094068:asn1 encoding routines:d2i_ASN1_SET:bad tag
  [Wed Oct 17 13:37:25 2007] [error] SSL Library Error: 218529960 error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
  [Wed Oct 17 13:37:25 2007] [error] SSL Library Error: 218595386 error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error
  [Wed Oct 17 13:37:25 2007] [error] SSL Library Error: 218734605 error:0D09A00D:asn1 encoding routines:d2i_PrivateKey:ASN1 lib
  [Wed Oct 17 13:38:32 2007] [error] Init: Private key not found
  [Wed Oct 17 13:38:32 2007] [error] SSL Library Error: 218710120 error:0D094068:asn1 encoding routines:d2i_ASN1_SET:bad tag
  [Wed Oct 17 13:38:32 2007] [error] SSL Library Error: 218529960 error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
  [Wed Oct 17 13:38:32 2007] [error] SSL Library Error: 218595386b error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error
  [Wed Oct 17 13:38:32 2007] [error] SSL Library Error: 218734605 error:0D09A00D:asn1 encoding routines:d2i_PrivateKey:ASN1 lib

If I escape from the chrooted environment, apache with mod_ssl works fine:

  beastie# /usr/local/apache2/bin/httpd
  Apache/2.2.6 mod_ssl/2.2.6 (Pass Phrase Dialog)
  Some of your private key files are encrypted for security reasons.
  In order to read them you have to provide the pass phrases.

  Server www.example.com:443 (RSA)
  Enter pass phrase:

  OK: Pass Phrase Dialog successful.

Is there something missing here? Please enlighten me.

regards
Reza
Re: ISC bind9 with dynamic DNS update (chroot problem)
Written by Patrick Dung on 07/28/07 10:52>>
> Thanks for reply.
> Yes, your method works.
> But I wonder why /var/named/etc/named/master directory permission always
> reset to root at starting the daemon.
>
> Regards
> Patrick
>
> --- Reid Linnemann <[EMAIL PROTECTED]> wrote:
>
> > Written by Patrick Dung on 07/27/07 08:19>>
> > > Hi
> > >
> > > I use FreeBSD 6.2 and the base bind9.
> > > For dynamic DNS update, bind9 automatically generate the journal file
> > > (end in .jnl).
> > > The default config is to use chroot and the running user as 'bind'.
> > >
> > > The problem is that after named is started (/etc/init.d/named start),
> > > the default chroot directory /var/named/etc/named permission will be
> > > reset to own by root. So the named daemon (run as user 'bind') cannot
> > > create the journal file and complain:
> > >
> > > Jul 27 21:06:54 fbsd62 named[2862]: general: localdomain.db.jnl: create: permission denied
> > >
> > > One temp fix is to use chroot and run as root, any suggestions?
> > >
> > > Regards
> > > Patrick
> >
> > When I did ddns, I had my dynamic zone files in a subdirectory off of
> > the named chroot - i.e. /var/named/etc/namedb/dynamic - and chowned it
> > to bind, allowing the bind user to read/write anything inside.
> >
> > I forgot to CC: questions@ on my original reply

This is because /etc/rc.d/named auto-updates the chroot to an expected state defined by the mtree at /etc/mtree/BIND.chroot.dist

P.S. Please do not top post, so the conversation order progresses from oldest to newest.

-Reid
Re: ISC bind9 with dynamic DNS update (chroot problem)
Thanks for the reply. Your suggestion solved my problem, thanks.
Yes, /etc/init.d/named is a typo.

Regards
Patrick

--- Doug Barton <[EMAIL PROTECTED]> wrote:

> Patrick Dung wrote:
> > Hi
> >
> > I use FreeBSD 6.2 and the base bind9.
> > For dynamic DNS update, bind9 automatically generate the journal file
> > (end in .jnl).
> > The default config is to use chroot and the running user as 'bind'.
> >
> > The problem is that after named is started (/etc/init.d/named start),
>
> Are you sure you're doing this on FreeBSD? We have rc.d, not initd.
> Assuming that was just a typo ...
>
> > the default chroot directory /var/named/etc/named
>
> The default directory is /etc/namedb, which is a symlink to
> /var/named/etc/namedb.
>
> > permission will be reset to own by root. So the named daemon (run
> > as user 'bind') cannot create the journal file and complain:
>
> You shouldn't be creating journal files in the config directory
> anyway.
>
> > One temp fix is to use chroot and run as root, any suggestions?
>
> Yeah, don't run named as root. Ever. :)
>
> Assuming that you are actually running FreeBSD, and that you have not
> turned off the mtree option, you should have the following directories
> in /etc/namedb:
>
> drwxr-xr-x 2 bind wheel 512 Jul 23 00:47 dynamic/
> drwxr-xr-x 2 root wheel 512 Jul 13 22:33 master/
> drwxr-xr-x 2 bind wheel 512 Jul 27 14:05 slave/
>
> The dynamic directory is obviously designed to hold dynamic zones, and
> it (like the slave directory) is chowned to user bind so that named
> can write to it after it drops privileges.
>
> hth,
>
> Doug
>
> --
>
> This .signature sanitized for your protection
Re: ISC bind9 with dynamic DNS update (chroot problem)
Patrick Dung wrote:
> Hi
>
> I use FreeBSD 6.2 and the base bind9.
> For dynamic DNS update, bind9 automatically generate the journal file
> (end in .jnl).
> The default config is to use chroot and the running user as 'bind'.
>
> The problem is that after named is started (/etc/init.d/named start),

Are you sure you're doing this on FreeBSD? We have rc.d, not initd. Assuming that was just a typo ...

> the default chroot directory /var/named/etc/named

The default directory is /etc/namedb, which is a symlink to /var/named/etc/namedb.

> permission will be reset to own by root. So the named daemon (run
> as user 'bind') cannot create the journal file and complain:

You shouldn't be creating journal files in the config directory anyway.

> One temp fix is to use chroot and run as root, any suggestions?

Yeah, don't run named as root. Ever. :)

Assuming that you are actually running FreeBSD, and that you have not turned off the mtree option, you should have the following directories in /etc/namedb:

  drwxr-xr-x 2 bind wheel 512 Jul 23 00:47 dynamic/
  drwxr-xr-x 2 root wheel 512 Jul 13 22:33 master/
  drwxr-xr-x 2 bind wheel 512 Jul 27 14:05 slave/

The dynamic directory is obviously designed to hold dynamic zones, and it (like the slave directory) is chowned to user bind so that named can write to it after it drops privileges.

hth,

Doug

-- 
This .signature sanitized for your protection
ISC bind9 with dynamic DNS update (chroot problem)
Hi

I use FreeBSD 6.2 and the base bind9. For dynamic DNS update, bind9 automatically generates the journal file (ending in .jnl). The default config is to use chroot and the running user as 'bind'.

The problem is that after named is started (/etc/init.d/named start), the default chroot directory /var/named/etc/named permission will be reset to owned by root. So the named daemon (run as user 'bind') cannot create the journal file and complains:

  Jul 27 21:06:54 fbsd62 named[2862]: general: localdomain.db.jnl: create: permission denied

One temp fix is to use chroot and run as root; any suggestions?

Regards
Patrick
Re: scponly chroot doesn't work FB6.2
Hello all,

I would like to thank david.robillard and j65nko for their efforts in trying to help with this problem. I finally got a working solution.

The problem is not "scponly" nor "rssh" but the CHROOT jail implementation in FreeBSD 6.2, since the ONLY solution to both problems is a series of commands to enable a proper "/dev" subdirectory inside the jail. RSSH works very well for a SCP, SFTP, RSYNC only environment.

Solution at: http://www.artofindo.com/~teaone/rssh.html

best regards,

David Robillard wrote:
>> I can't seem to make scponly work with a chrooted jail. I've read many articles on how FREEBSD's scripts on making jails really don't work and a manual mknod of $jail/dev/null must be done, but it still doesn't work... I'd appreciate any help
>
> You might want to check out the port shells/rssh instead of shells/scponly.
>
> http://www.freebsd.org/cgi/url.cgi?ports/shells/rssh/pkg-descr
>
> I'm not sure it does exactly what you're looking for, but it has similar features as scponly.
>
> HTH,
>
> David

-- 
MSc. Marcelo Maraboli Rosselott
Jefe Area de Redes y Comunicaciones (Network & UNIX Systems Engineer)
Ingeniero Civil Electronico, CISSP (MSc., Electronic Engineer, CISSP)
Direccion Central de Servicios Computacionales (DCSC)
Universidad Tecnica Federico Santa Maria
phone: +56 32 2654071
Chile. http://www.usm.cl
http://elqui.dcsc.utfsm.cl
Re: scponly chroot doesn't work FB6.2
> I can't seem to make scponly work with a chrooted jail. I've read many articles on how FREEBSD's scripts on making jails really don't work and a manual mknod of $jail/dev/null must be done, but it still doesn't work... I'd appreciate any help

You might want to check out the port shells/rssh instead of shells/scponly.

http://www.freebsd.org/cgi/url.cgi?ports/shells/rssh/pkg-descr

I'm not sure it does exactly what you're looking for, but it has similar features as scponly.

HTH,

David

-- 
David Robillard
UNIX systems administrator & Oracle DBA
CISSP, RHCE & Sun Certified Security Administrator
Montreal: +1 514 966 0122
Re: scponly chroot doesn't work FB6.2
On 5/7/07, Marcelo Maraboli <[EMAIL PROTECTED]> wrote:
> I can't seem to make scponly work with a chrooted jail. I've read many articles on how FREEBSD's scripts on making jails really don't work and a manual mknod of $jail/dev/null must be done, but it still doesn't work... I'd appreciate any help

[snip]

I haven't used it myself but at http://www.bsdforums.org/forums/showthread.php?t=49388 somebody posted a solution for a similar problem with scponly ;)
scponly chroot doesn't work FB6.2
Hello

I can't seem to make scponly work with a chrooted jail. I've read many articles on how FREEBSD's scripts on making jails really don't work and a manual mknod of $jail/dev/null must be done, but it still doesn't work... I'd appreciate any help

thanks

--
DEBUG INFO:

1.- scponly built as:

cd /usr/ports/shells/scponly/
make -DWITH_SCPONLY_RSYNC -DWITH_SCPONLY_SFTP_LOGGING -DWITH_SCPONLY_WINSCP -DWITH_SCPONLY_CHROOT -DWITH_SCPONLY_SCP
make install

2.- dcsc user is defined as:

dcsc:*:2008:160:WWW Admin DCSC:/disk2/chroot//home/dcsc:/usr/local/sbin/scponlyc

3.- This is what I get AFTER making "/dev/null" and setting it to 666 chmod.

[EMAIL PROTECTED]:/usr/local/etc/scponly$ scp debuglevel [EMAIL PROTECTED]:fo
Password:
scponly[65605]: chrooted binary in place, will chroot()
scponly[65605]: 3 arguments in total.
scponly[65605]: arg 0 is scponlyc
scponly[65605]: arg 1 is -c
scponly[65605]: arg 2 is scp -t fo
scponly[65605]: opened log at LOG_AUTHPRIV, opts 0x0029
scponly[65605]: retrieved home directory of "/disk2/chroot//home/dcsc" for user "dcsc"
scponly[65605]: chrooting to dir: "/disk2/chroot"
scponly[65605]: chdiring to dir: "/home/dcsc"
scponly[65605]: setting uid to 2008
scponly[65605]: processing request: "scp -t fo"
scponly[65605]: Unable to find "LOG_SFTP" in the environment
scponly[65605]: Found "USER" and setting it to "dcsc"
scponly[65605]: Unable to find "SFTP_UMASK" in the environment
scponly[65605]: Unable to find "SFTP_PERMIT_CHMOD" in the environment
scponly[65605]: Unable to find "SFTP_PERMIT_CHOWN" in the environment
scponly[65605]: Unable to find "SFTP_LOG_LEVEL" in the environment
scponly[65605]: Unable to find "SFTP_LOG_FACILITY" in the environment
scponly[65605]: Environment contains "USER=dcsc"
scponly[65605]: running: /usr/bin/scp -t fo (username: dcsc(2008), IP/port: 200.1.21.103 57465 22)
Couldn't open /dev/null: Operation not supported
lost connection

4.- chrooted tree:

[EMAIL PROTECTED]:/disk2/chroot$ ls -lasR
total 18
2 drwxr-xr-x  9 root  wheel  512 May  7 16:15 ./
2 drwxr-xr-x  6 root  wheel  512 May  7 15:56 ../
2 drwxr-xr-x  2 root  wheel  512 May  7 15:57 bin/
2 drwxr-xr-x  2 root  wheel  512 May  7 16:34 dev/
2 drwxr-xr-x  2 root  wheel  512 May  7 15:57 etc/
2 drwxr-xr-x  3 root  wheel  512 May  7 15:58 home/
2 drwxr-xr-x  2 root  wheel  512 May  7 16:42 lib/
2 drwxr-xr-x  2 root  wheel  512 May  7 15:57 libexec/
2 drwxr-xr-x  7 root  wheel  512 May  7 15:57 usr/

./bin:
total 82
 2 drwxr-xr-x  2 root  wheel    512 May  7 15:57 ./
 2 drwxr-xr-x  9 root  wheel    512 May  7 16:15 ../
 6 -rwxr-xr-x  1 root  wheel   5808 May  7 15:57 chmod*
 4 -rwxr-xr-x  1 root  wheel   3848 May  7 15:57 echo*
 8 -rwxr-xr-x  1 root  wheel   6336 May  7 15:57 ln*
24 -rwxr-xr-x  1 root  wheel  23444 May  7 15:57 ls*
 6 -rwxr-xr-x  1 root  wheel   5068 May  7 15:57 mkdir*
10 -rwxr-xr-x  1 root  wheel   9192 May  7 15:57 mv*
 4 -rwxr-xr-x  1 root  wheel   3932 May  7 15:57 pwd*
12 -rwxr-xr-x  1 root  wheel  10640 May  7 15:57 rm*
 4 -rwxr-xr-x  1 root  wheel   3996 May  7 15:57 rmdir*

./dev:
total 4
2 drwxr-xr-x  2 root  wheel    512 May  7 16:34 ./
2 drwxr-xr-x  9 root  wheel    512 May  7 16:15 ../
0 crw-rw-rw-  1 root  wheel   2,  2 May  7 16:34 null
0 crw-rw-rw-  1 root  wheel   0, 12 May  7 16:16 random
0 lrwxr-xr-x  1 root  wheel      6 May  7 16:16 urandom@ -> random
0 crw-rw-rw-  1 root  wheel   0,  7 May  7 16:16 zero

./etc:
total 44
 2 drwxr-xr-x  2 root  wheel    512 May  7 15:57 ./
 2 drwxr-xr-x  9 root  wheel    512 May  7 16:15 ../
40 -rw-r--r--  1 root  wheel  40960 May  7 15:57 pwd.db

./home:
total 6
2 drwxr-xr-x  3 root  wheel   512 May  7 15:58 ./
2 drwxr-xr-x  9 root  wheel   512 May  7 16:15 ../
2 drwxr-xr-x  2 dcsc  wwwext  512 May  7 16:01 dcsc/

./home/dcsc:
total 20
2 drwxr-xr-x  2 dcsc  wwwext  512 May  7 16:01 ./
2 drwxr-xr-x  3 root  wheel   512 May  7 15:58 ../
2 -rw-r--r--  1 dcsc  wwwext  767 May  7 16:01 .cshrc
2 -rw-r--r--  1 dcsc  wwwext  248 May  7 16:01 .login
2 -rw-r--r--  1 dcsc  wwwext  158 May  7 16:01 .login_conf
2 -rw-------  1 dcsc  wwwext  373 May  7 16:01 .mail_aliases
2 -rw-r--r--  1 dcsc  wwwext  331 May  7 16:01 .mailrc
2 -rw-r--r--  1 dcsc  wwwext  797 May  7 16:01 .profile
2 -rw-------  1 dcsc  wwwext  276 May  7 16:01 .rhosts
2 -rw-r--r--  1 dcsc  wwwext  975 May  7 16:01 .shrc

./lib:
total 3094
  2 drwxr-xr-x  2 root  wheel     512 May  7 16:42 ./
  2 drwxr-xr-x  9 root  wheel     512 May  7 16:15 ../
132 -r--r--r--  1 root  wheel  134060 May  7 16:38 libasn1.so.8
928 -rwxr-xr-x  1 root  wheel  922668 May  7 15:57 libc.so.6*
  6 -r--r--r--  1 root  wheel    5544 May
Re: set env in chroot script
Elan Marikit <[EMAIL PROTECTED]> writes:
> I am a newbie of FreeBSD and I want to know how to set environment
> inside chroot in a shell script.
>
> My script looks like this:
> chroot $NEWROOT /bin/sh -c ""
>
> And I want to set an environment, before the .
>
> Is it possible that it will inherit my parent environment? like the
> environment set in my script?

According to the chroot(8) manual, only the SHELL value will be inherited. Try making a wrapper script to set the values you want, and call the command from inside that script.
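An added example of the wrapper approach, not code from the thread: chroot(8) execs the command with the calling process's environment unchanged, so a wrapper that starts from an empty environment and passes only the variables the caller names keeps the host's PATH, HOME and anything else sitting in the script's environment out of the chroot. The function name chroot_run and the CHROOT override are this example's own conventions; it assumes the chroot contains /usr/bin/env, which is part of the FreeBSD base system.

```shell
#!/bin/sh
# chroot_run ROOT [VAR=value ...] COMMAND [ARG ...]
#
# Run COMMAND inside the chroot at ROOT with an environment that contains
# only the VAR=value pairs given on the command line. chroot(8) passes the
# caller's whole environment through, so the host's PATH, HOME, LD_* and any
# secrets in the script's environment would otherwise leak into the chroot.
# Starting from `env -i` makes the environment explicit. env(1) treats the
# leading VAR=value words as assignments and the first other word as the
# command, so the arguments are handed over unchanged.
#
# CHROOT names the chroot binary (default: chroot on PATH). It can be set to
# something else so the function can be exercised without root.
chroot_run() {
    _root=$1
    shift
    if [ ! -d "$_root" ]; then
        echo "chroot_run: $_root is not a directory" >&2
        return 2
    fi
    # Require a command after the assignments: `env -i VAR=x` with no
    # command would just print the environment instead of running anything.
    _have_cmd=0
    for _arg in "$@"; do
        case $_arg in
            *=*) ;;
            *)   _have_cmd=1; break ;;
        esac
    done
    if [ "$_have_cmd" -ne 1 ]; then
        echo "chroot_run: no command given" >&2
        return 2
    fi
    "${CHROOT:-chroot}" "$_root" /usr/bin/env -i "$@"
}

# Example (needs root and a populated $NEWROOT); only PATH and TERM reach
# the chrooted shell, everything else in the host environment stays outside:
#   chroot_run "$NEWROOT" PATH=/bin:/usr/bin TERM="$TERM" /bin/sh -c 'id; env'
```

Because the variables are ordinary arguments, values with spaces survive, and a variable you want to forward from the host is written out explicitly (TERM="$TERM") rather than inherited by accident.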
set env in chroot script
Greetz,

I am a newbie of FreeBSD and I want to know how to set environment inside chroot in a shell script.

My script looks like this:

chroot $NEWROOT /bin/sh -c ""

And I want to set an environment, before the .

Is it possible that it will inherit my parent environment? like the environment set in my script?

Thanks,
Elan
Re: ftp chroot directory structure
On Thursday 26 April 2007 9:12 pm, Ray wrote:
> Hello,
> I am setting up a new web server that must host data from an existing
> webserver. We've never had an organized folder structure for private data,
> (passwords, secure data, etc) and I'm trying to change that.
> there are currently a number of virtual sites all handled through apache
> virtualhosts. all (or at least most) users must have ftp access.
> my original thought was this:
>
> apache/priv_data/domain1
> apache/pub_data/domain1
>
> where
> apache/priv_data/domain1
> contains a soft link to
> apache/pub_data/domain1
> and the ftpchroot is
> apache/pri_data/domain1
>
> this doesn't work like I wanted it to. I can't follow the link with an ftp
> client.

after posting, I decided I'm going to do it this way, and hope the other developers didn't cheat too bad. I think this is the right way.

Ray

> obviously the best solution would be
> apache/priv_data/domain1
> which contains
> apache/data/domain1/pub_data
> with domain1 as the ftp root
> and pub_data as the http root,
> but I'm not the developer of all the sites, and I don't want to have to
> trouble shoot other peoples possibly incorrectly written sites (hard coded
> path structures)
> What can you suggest as my best solution?
> Thanks
> Ray
ftp chroot directory structure
Hello,

I am setting up a new web server that must host data from an existing webserver. We've never had an organized folder structure for private data (passwords, secure data, etc) and I'm trying to change that.

There are currently a number of virtual sites all handled through apache virtualhosts. All (or at least most) users must have ftp access.

My original thought was this:

apache/priv_data/domain1
apache/pub_data/domain1

where
apache/priv_data/domain1
contains a soft link to
apache/pub_data/domain1
and the ftpchroot is
apache/pri_data/domain1

This doesn't work like I wanted it to. I can't follow the link with an ftp client.

Obviously the best solution would be
apache/priv_data/domain1
which contains
apache/data/domain1/pub_data
with domain1 as the ftp root and pub_data as the http root, but I'm not the developer of all the sites, and I don't want to have to trouble shoot other peoples' possibly incorrectly written sites (hard coded path structures).

What can you suggest as my best solution?

Thanks
Ray
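Why the link in Ray's layout cannot be followed is visible before any ftp client is involved: inside a chroot an absolute symlink target is looked up under the new root, and ".." never climbs above it, so a link from apache/priv_data/domain1 to apache/pub_data/domain1 resolves to a path that does not exist inside the ftpchroot. The audit below, added as an example that is not part of the thread, walks a tree that is about to become a chroot and lists every link that will dangle once it is; the function names are this example's own.

```shell
#!/bin/sh
# Audit the symlinks in a directory tree that is about to be used as a
# chroot (an ftpchroot in the case above). Inside the chroot every absolute
# link target is looked up relative to the new root and ".." cannot climb
# above it, so a link that points outside the tree ends up dangling.

# chroot_resolve ROOT PATH
# PATH is an absolute path as seen from inside the chroot. Prints the host
# path it denotes, collapsing "." and ".." the way the kernel does for a
# chrooted process: ".." at the root stays at the root.
chroot_resolve() {
    _r_root=$1
    _r_out=""
    _r_ifs=$IFS
    set -f                      # no globbing while splitting on "/"
    IFS=/
    set -- $2
    IFS=$_r_ifs
    set +f
    for _r_comp in "$@"; do
        case $_r_comp in
            ''|.) ;;
            ..)   _r_out=${_r_out%/*} ;;
            *)    _r_out="$_r_out/$_r_comp" ;;
        esac
    done
    printf '%s\n' "$_r_root$_r_out"
}

# chroot_symlink_audit ROOT
# Prints one line per symlink under ROOT whose target does not exist when
# resolved from inside the chroot. Only the first link hop is resolved the
# chroot way; the final existence test uses the host view of that path.
chroot_symlink_audit() {
    _a_root=$(cd "$1" && pwd -P) || return 2
    find "$_a_root" -type l | while IFS= read -r _a_link; do
        _a_target=$(readlink "$_a_link")
        _a_inside=${_a_link#"$_a_root"}     # link path as seen inside the chroot
        case $_a_target in
            /*) _a_want=$_a_target ;;                    # absolute: under the new root
            *)  _a_want="${_a_inside%/*}/$_a_target" ;;  # relative: from the link's directory
        esac
        _a_host=$(chroot_resolve "$_a_root" "$_a_want")
        if [ ! -e "$_a_host" ]; then
            printf '%s -> %s: resolves to %s inside the chroot, which does not exist\n' \
                "$_a_inside" "$_a_target" "$_a_host"
        fi
    done
}

# chroot_symlink_check ROOT: exit status 0 when no link will dangle.
chroot_symlink_check() {
    [ -z "$(chroot_symlink_audit "$1")" ]
}

# Usage (hypothetical path): chroot_symlink_audit /srv/apache/priv_data/domain1
```

Run it against the intended ftpchroot before handing it to the ftp server; a link reported here will also be unreachable for a chrooted sftp or scp user, and the only links that pass are those whose target sits inside the tree.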
Re: Chroot/jail mechanism in ssh and sftp connections
Thanks, I think this is the solution for the sftp connections using jail/chroot mechanism.

Derek Ragona wrote:
> At 11:20 AM 4/11/2007, Thiago Esteves de Oliveira wrote:
>> Thanks for the suggestion. I intend to study about this possible solution
>> but to save time I'd like to ask you some questions.
>>
>> With this software, can I control which accounts "from the unix passwd
>> file" will be able to log in?
>
> Yes just set the shell to a non-login shell for users you don't want to
> give shell access. Typically I set those user's shell to:
> /usr/bin/false
>
>> If there is a symbolic link in the home directory (jail/chroot) that points
>> to anywhere out of it, will the users be able to use this symlink? Will
>> they go out from their jail/chroot directory this way?
>
> You can actually specify what ftp commands are allowed in the vsftpd.conf file.
> In one server I manage I have set:
> cmds_allowed=PASV,RETR,QUIT,USER,PASS,STOR,CDDN,CWD,LIST,GET,PUT,DIR,PWD,SYST,LS,TYPE,DELE,FEAT,PBSZ,PROT
>
> But you'd probably want to remove any symlinks that shouldn't be there.
>
>> Derek Ragona wrote:
>>> At 10:28 AM 4/10/2007, Thiago Esteves de Oliveira wrote:
>>>> Hello,
>>>> I want to use the chroot/jail mechanism in user's ssh and sftp
>>>> connections. I've read some tutorials and possible solutions to
>>>> jail/chroot the users into their own home directories. One is to
>>>> install the openssh-portable (with chroot option turned on) from the
>>>> ports collection. I've installed the openssh-portable, but the
>>>> jail/chroot mechanism didn't work. I think it requires some
>>>> configuration in its sshd_config file, but I'm not sure because I
>>>> have found nothing about jail/chroot in the openssh (sshd_config) man
>>>> pages.
>>>
>>> I have implemented a similar setup using vsftpd from the ports. It
>>> works well for secure ftp when used with the filezilla client. You can
>>> limit the ftp commands in the vsftpd configuration file so users cannot
>>> get out of their home directories, which chroots them there. You do
>>> need to add one thing to the accounts, which is to change their home
>>> directory in /etc/passwd adding an additional dot. For instance if a
>>> user's home directory is:
>>> /home/user
>>>
>>> You'd need to change it to:
>>> /home/./user
>>>
>>> vsftpd is well documented and relatively easy to get setup and running.
>>>
>>> -Derek
Re: Chroot/jail mechanism in ssh and sftp connections
At 11:20 AM 4/11/2007, Thiago Esteves de Oliveira wrote:
> Thanks for the suggestion. I intend to study about this possible solution
> but to save time I'd like to ask you some questions.
>
> With this software, can I control which accounts "from the unix passwd
> file" will be able to log in?

Yes just set the shell to a non-login shell for users you don't want to give shell access. Typically I set those user's shell to:
/usr/bin/false

> If there is a symbolic link in the home directory (jail/chroot) that points
> to anywhere out of it, will the users be able to use this symlink? Will
> they go out from their jail/chroot directory this way?

You can actually specify what ftp commands are allowed in the vsftpd.conf file. In one server I manage I have set:

cmds_allowed=PASV,RETR,QUIT,USER,PASS,STOR,CDDN,CWD,LIST,GET,PUT,DIR,PWD,SYST,LS,TYPE,DELE,FEAT,PBSZ,PROT

But you'd probably want to remove any symlinks that shouldn't be there.

> Derek Ragona wrote:
>> At 10:28 AM 4/10/2007, Thiago Esteves de Oliveira wrote:
>>> Hello,
>>> I want to use the chroot/jail mechanism in user's ssh and sftp
>>> connections. I've read some tutorials and possible solutions to
>>> jail/chroot the users into their own home directories. One is to
>>> install the openssh-portable (with chroot option turned on) from the
>>> ports collection. I've installed the openssh-portable, but the
>>> jail/chroot mechanism didn't work. I think it requires some
>>> configuration in its sshd_config file, but I'm not sure because I have
>>> found nothing about jail/chroot in the openssh (sshd_config) man pages.
>>
>> I have implemented a similar setup using vsftpd from the ports. It
>> works well for secure ftp when used with the filezilla client. You can
>> limit the ftp commands in the vsftpd configuration file so users cannot
>> get out of their home directories, which chroots them there. You do
>> need to add one thing to the accounts, which is to change their home
>> directory in /etc/passwd adding an additional dot. For instance if a
>> user's home directory is:
>> /home/user
>>
>> You'd need to change it to:
>> /home/./user
>>
>> vsftpd is well documented and relatively easy to get setup and running.
>>
>> -Derek
Re: Chroot/jail mechanism in ssh and sftp connections
Thanks for the suggestion. I intend to study about this possible solution but to save time I'd like to ask you some questions.

With this software, can I control which accounts "from the unix passwd file" will be able to log in?

If there is a symbolic link in the home directory (jail/chroot) that points to anywhere out of it, will the users be able to use this symlink? Will they go out from their jail/chroot directory this way?

Derek Ragona wrote:
> At 10:28 AM 4/10/2007, Thiago Esteves de Oliveira wrote:
>> Hello,
>> I want to use the chroot/jail mechanism in user's ssh and sftp
>> connections. I've read some tutorials and possible solutions to
>> jail/chroot the users into their own home directories. One is to
>> install the openssh-portable (with chroot option turned on) from the
>> ports collection. I've installed the openssh-portable, but the
>> jail/chroot mechanism didn't work. I think it requires some
>> configuration in its sshd_config file, but I'm not sure because I have
>> found nothing about jail/chroot in the openssh (sshd_config) man pages.
>
> I have implemented a similar setup using vsftpd from the ports. It works
> well for secure ftp when used with the filezilla client. You can limit the
> ftp commands in the vsftpd configuration file so users cannot get out of
> their home directories, which chroots them there. You do need to add one
> thing to the accounts, which is to change their home directory in
> /etc/passwd adding an additional dot. For instance if a user's home
> directory is:
> /home/user
>
> You'd need to change it to:
> /home/./user
>
> vsftpd is well documented and relatively easy to get setup and running.
>
> -Derek
Re: Chroot/jail mechanism in ssh and sftp connections
At 10:28 AM 4/10/2007, Thiago Esteves de Oliveira wrote:
> Hello,
> I want to use the chroot/jail mechanism in user's ssh and sftp
> connections. I've read some tutorials and possible solutions to
> jail/chroot the users into their own home directories. One is to install
> the openssh-portable (with chroot option turned on) from the ports
> collection. I've installed the openssh-portable, but the jail/chroot
> mechanism didn't work. I think it requires some configuration in its
> sshd_config file, but I'm not sure because I have found nothing about
> jail/chroot in the openssh (sshd_config) man pages.

I have implemented a similar setup using vsftpd from the ports. It works well for secure ftp when used with the filezilla client. You can limit the ftp commands in the vsftpd configuration file so users cannot get out of their home directories, which chroots them there. You do need to add one thing to the accounts, which is to change their home directory in /etc/passwd adding an additional dot. For instance if a user's home directory is:

/home/user

You'd need to change it to:

/home/./user

vsftpd is well documented and relatively easy to get setup and running.

-Derek
Chroot/jail mechanism in ssh and sftp connections
Hello,

I want to use the chroot/jail mechanism in user's ssh and sftp connections. I've read some tutorials and possible solutions to jail/chroot the users into their own home directories. One is to install the openssh-portable (with chroot option turned on) from the ports collection. I've installed the openssh-portable, but the jail/chroot mechanism didn't work. I think it requires some configuration in its sshd_config file, but I'm not sure because I have found nothing about jail/chroot in the openssh (sshd_config) man pages.
Re: DHCP Server V3.0.5 No BPF under chroot. Works normally otherwise.
On Tue, Mar 06, 2007 at 07:03:35PM -0600, Martin McCormick wrote:
> I found some cook-book instructions for running dhcpd in
> a chroot environment. The article is 4 years old and appears to
> be set up for FreeBSD5x, but it isn't far off for FreeBSD6.2
> which is what I need dhcpd to run on.

I run isc-dhcp3-server-3.0.5 from ports, started from /etc/rc.conf with the following options:

dhcpd_enable="YES"                       # dhcpd enabled?
dhcpd_flags="-q"                         # command option(s)
dhcpd_conf="/usr/local/etc/dhcpd.conf"   # configuration file
dhcpd_ifaces=""                          # ethernet interface(s)
dhcpd_withumask="022"                    # file creation mask
dhcpd_chuser_enable="YES"                # runs w/o privileges?
dhcpd_withuser="dhcpd"                   # user name to run as
dhcpd_withgroup="dhcpd"                  # group name to run as
dhcpd_chroot_enable="YES"                # runs chrooted?
dhcpd_devfs_enable="YES"                 # use devfs if available?
dhcpd_rootdir="/var/db/dhcpd"            # directory to run in
dhcpd_includedir=""                      # directory with config-files to include

Here's the full pkg-message:

[EMAIL PROTECTED]/usr/ports/net/isc-dhcp3-server $ make display-message

To setup dhcpd, you may have to copy /usr/local/etc/dhcpd.conf.sample to /usr/local/etc/dhcpd.conf for editing.

This port installs the dhcp daemon, but doesn't invoke dhcpd by default. If you want to invoke dhcpd at startup, put these lines into /etc/rc.conf.

dhcpd_enable="YES"                       # dhcpd enabled?
dhcpd_flags="-q"                         # command option(s)
dhcpd_conf="/usr/local/etc/dhcpd.conf"   # configuration file
dhcpd_ifaces=""                          # ethernet interface(s)
dhcpd_withumask="022"                    # file creation mask

If compiled with paranoia support (the default), the following lines are also supported:

dhcpd_chuser_enable="YES"                # runs w/o privileges?
dhcpd_withuser="dhcpd"                   # user name to run as
dhcpd_withgroup="dhcpd"                  # group name to run as
dhcpd_chroot_enable="YES"                # runs chrooted?
dhcpd_devfs_enable="YES"                 # use devfs if available?
dhcpd_makedev_enable="YES"               # use MAKEDEV instead?
dhcpd_rootdir="/var/db/dhcpd"            # directory to run in
dhcpd_includedir=""                      # directory with config-files to include
dhcpd_flags="-early_chroot"              # needs full root

WARNING: -early_chroot requires a jail(8) like environment to work.
WARNING: dhcpd_devfs_enable and dhcpd_makedev_enable are mutually exclusive
         dhcpd_makedev_enable makes NO sense on FreeBSD 5.x and up!

If compiled with jail support (the default), the following lines are also supported (-early_chroot and dhcpd_chroot_enable=YES are implied):

dhcpd_jail_enable="YES"                  # runs imprisoned?
dhcpd_hostname=""                        # jail hostname
dhcpd_ipaddress=""                       # jail ip address

WARNING: dhcpd_rootdir needs to point to a full jail(8) environment.
WARNING: never edit the chrooted or jailed dhcpd.conf file but /usr/local/etc/dhcpd.conf instead, which is always copied where needed upon startup.
WARNING: /usr/local/etc/rc.isc-dhcpd.conf is obsolete. rc.conf like variables are still read there but should be moved to /etc/rc.conf or /etc/rc.conf.d/dhcpd instead. Also, the dhcpd_options variable must be renamed dhcpd_flags if any.

-- 
Kelly D. Grills
[EMAIL PROTECTED]
DHCP Server V3.0.5 No BPF under chroot. Works normally otherwise.
I found some cook-book instructions for running dhcpd in a chroot environment. The article is 4 years old and appears to be set up for FreeBSD5x, but it isn't far off for FreeBSD6.2 which is what I need dhcpd to run on.

Dhcpd runs fine when started normally as in /usr/local/sbin/dhcpd. I haven't yet gotten it to launch as the chroot'ed version. When one starts it, here is what happens:

chroot /usr/local/chroot/dhcpd /usr/local/sbin/dhcpd
Internet Systems Consortium DHCP Server V3.0.5
Copyright 2004-2006 Internet Systems Consortium.
All rights reserved.
For info, please visit http://www.isc.org/sw/dhcp/
WARNING: Host declarations are global. They are not limited to the scope you declared them in.
Wrote 0 deleted host decls to leases file.
Wrote 0 new dynamic host decls to leases file.
Wrote 0 leases to leases file.
No bpf devices. Please read the README section for your operating system.

If I do a ls, everything looks identical:

cd /usr/local/chroot/dhcpd/dev
ls -l bpf*
crw-------  1 root  wheel    0,  96 Mar  6 11:44 bpf0
crw-------  1 root  wheel    1,  97 Mar  6 11:44 bpf1
cd /dev
ls -l bpf*
crw-------  1 root  wheel    0,  96 Mar  5 21:00 bpf0
crw-------  1 root  wheel    0,  97 Mar  5 21:00 bpf1

The part of the script that makes those devices is as follows:

# ls -l prints a device's numbers as "MAJOR, MINOR" in fields 5 and 6;
# both are taken from the host's node so the copies match it exactly
# instead of hard-coding a major number.
BPF_MAJOR="`ls -l /dev/bpf0 | awk '{ print $5; }' | sed -e 's/,//g'`"
BPF="`ls -l /dev/bpf0 | awk '{ print $6; }' | sed -e 's/,//g'`"
export BPF_MAJOR BPF
BPF1_MAJOR="`ls -l /dev/bpf1 | awk '{ print $5; }' | sed -e 's/,//g'`"
BPF1="`ls -l /dev/bpf1 | awk '{ print $6; }' | sed -e 's/,//g'`"
export BPF1_MAJOR BPF1
cd /usr/local/chroot/dhcpd/dev
mknod bpf0 c $BPF_MAJOR $BPF
mknod bpf1 c $BPF1_MAJOR $BPF1
chmod 0600 bpf*

I will post the script when it works since it appears to be about 90% good. It needs a little touch-up to make it work for FreeBSD6. My guess is that there is something else I need in the chroot environment since the bpf appears to work normally when dhcpd is run from root in the traditional way.

My thanks and a lot of credit to the person who originally wrote this script which can be found at Screaming Electron Forums - How to chroot your existing isc-dhcpd server on freebsd, URL: http://screamingelectron.org/forum/archive/index.php/t-837.html

Martin McCormick WB5AGZ
Stillwater, OK
Systems Engineer
OSU Information Technology Department Network Operations Group
JAIL/CHROOT question?
hello guys

I am having one question... can I jail a user logging in via SSH to another location/directory than the user's $HOME directory? Meaning, if the user's $HOME directory is /home/alex and the user is able to chdir upward... but I don't want the user to go to the user's $HOME directory. I want to limit them to some other location like /home/temp and don't want the user to chdir upward... wanna have chroot limits...

-- 
Thanks!
BR / vj
Re: /dev/null in a chroot
Thank you for describing the issue. Could you please file the PR not to miss this useful suggestion?

Regards,

>>> On Fri, 12 Jan 2007 18:54:39 -0800, James Long <[EMAIL PROTECTED]> said:
> > Date: Sun, 07 Jan 2007 20:03:40 -0400
> > From: "Marc G. Fournier" <[EMAIL PROTECTED]>
> > Subject: Re: /dev/null in a chroot
> > To: Michael Grant <[EMAIL PROTECTED]>, FreeBSD Questions
> >
> > #!/bin/sh
> > /sbin/devfs -m $1 rule apply hide
> > /sbin/devfs -m $1 rule apply path null unhide
> >
> > where $1 == the dev directory you mount within the chroot environment ...
>
> This issue is currently biting users of /usr/ports/security/scponly
> also, I believe.
>
> I'm finding that recently-created scponlyc chroots do not permit sftp
> login, although they do allow ftp login. The client symptom is just:
>
> $ sftp [EMAIL PROTECTED]
> Connecting to www...
> Password:
> Connection closed
> $
>
> The cause appears to be that recent versions of
> /usr/libexec/sftp-server will complain about lack of access to
> /dev/null and exit, resulting in the closed connection witnessed by
> the remote client.
>
> The solution appears to be to create a devfs in the scponlyc chroot.
>
> This is a little disappointing, as scponlyc used to be delightfully
> lightweight and low-maintenance. At this point, my understanding is
> that the devfs requirement means that now I must run a script at boot
> time that iterates through a list of chroot'ed users and creates dev
> nodes within each jail. scponlyc jails were previously a
> set-and-forget type of setup.
>
> What is the proper mechanism for setting up an arbitrary number of
> scponlyc chroots at boot time? /usr/share/examples/etc/devfs.conf
> doesn't show an example of how to apply these rules to a non-default
> dev path. I have chosen to put a script in /usr/local/etc/rc.d.
>
> In case other scponly users are reading this in the archives, the
> manual method that works for me with 6.2-PRE and scponly-4.6_1 is:
>
> # cd ~user
> # mkdir -p dev
> # mount_devfs devfs dev
> # devfs -m dev rule -s 1 applyset
> # devfs -m dev rule -s 2 applyset
>
> One then sees:
>
> # ls -l dev
> total 0
> crw-rw-rw-  1 root  wheel    0,   6 Jan 12 17:15 null
> crw-rw-rw-  1 root  wheel    0,  12 Jan 10 07:57 random
> lrwxr-xr-x  1 root  wheel         6 Jan 12 16:54 urandom@ -> random
> crw-rw-rw-  1 root  wheel    0,   7 Jan 10 15:57 zero
>
> which is more than enough to appease /usr/libexec/sftp-server.
>
> chroots created some months ago contain lib versions with numbers
> typically one less, such as ./usr/lib/libssh.so.2 in the older
> chroot, versus ./usr/lib/libssh.so.3 in the newer. The older
> scponly chroots do not require devfs nodes! I suspect they will
> eventually break though, given enough time.
>
> Given that scponlyc provides a setup_chroot.sh script that provides
> hooks for OS-specific chroot setup steps, would it help the port
> maintainer to provide the shell script below? I have it installed
> in /usr/local/etc/rc.d/scponlyc.sh.
>
> Jim
>
> #!/bin/sh
>
> # script to create devfs filesystems at boot time for scponlyc
> # chroot'ed users. We will read /etc/shells to determine
> # where scponlyc is installed. Then we'll iterate through
> # each user in /etc/passwd to find users whose shell is set to
> # scponlyc. For each such user found, we will create a
> # minimal devfs under ~/dev.
>
> SCPONLYC=$(/usr/bin/grep "/scponlyc$" /etc/shells 2>/dev/null | /usr/bin/tail -1)
>
> make_devfs() {
>     # $1 is the user name whose home directory needs a minimal
>     # devfs created. If ~/dev is not a directory, it will be
>     # deleted and replaced with a directory.
>
>     eval DEV="~$1/dev"
>     while /sbin/umount ${DEV} 2>/dev/null; do :; done
>     [ -h "${DEV}" ] && rm "${DEV}"
>     [ -f "${DEV}" ] && rm "${DEV}"
>     mkdir -p "${DEV}"
>     if /sbin/mount_devfs devfs "${DEV}"; then
>         /sbin/devfs -m "${DEV}" rule -s 1 applyset || /sbin/umount ${DEV} 2>/dev/null
>         /sbin/devfs -m "${DEV}" rule -s 2 applyset || /sbin/umount ${DEV} 2>/dev/null
>     fi
> }
>
> scponly_startup() {
>     # $1 is the path to the /etc/passwd file
>
>     if [ "x${SCPONLYC}" = "x"
Re: /dev/null in a chroot
> Date: Sun, 07 Jan 2007 20:03:40 -0400 > From: "Marc G. Fournier" <[EMAIL PROTECTED]> > Subject: Re: /dev/null in a chroot > To: Michael Grant <[EMAIL PROTECTED]>,FreeBSD Questions > > Message-ID: <[EMAIL PROTECTED]> > Content-Type: text/plain; charset=us-ascii > > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA1 > > > #!/bin/sh > /sbin/devfs -m $1 rule apply hide > /sbin/devfs -m $1 rule apply path null unhide > > where $1 == the dev directory you mount within the chroot environment ... This issue is currently biting users of /usr/ports/security/scponly also, I believe. I'm finding that recently-created scponlyc chroots do not permit sftp login, although they do allow ftp login. The client symptom is just: $ sftp [EMAIL PROTECTED] Connecting to www... Password: Connection closed $ The cause appears to be that recent versions of /usr/libexec/sftp-server will complain about of lack of access to /dev/null and exit, resulting in the closed connection witnessed by the remote client. The solution appears to be to create a devfs in the scponlyc chroot. This is a little disappointing, as scponlyc used to be delightfully lightweight and low-maintenance. At this point, my understanding is that the devfs requirement means that now I must run a script at boot time that iterates through a list of chroot'ed users and create dev nodes within each jail. scponlyc jails were previously a set-and-forget type of setup. What is the proper mechanism for setting up an arbitrary number of scponlyc chroots at boot time? /usr/share/examples/etc/devfs.conf doesn't show an example of how to apply these rules to a non-default dev path. I have chosen to put a script in /usr/local/etc/rc.d. 
In case other scponly users are reading this in the archives, the manual method that works for me with 6.2-PRE and scponly-4.6_1 is:

# cd ~user
# mkdir -p dev
# mount_devfs devfs dev
# devfs -m dev rule -s 1 applyset
# devfs -m dev rule -s 2 applyset

One then sees:

# ls -l dev
total 0
crw-rw-rw-  1 root  wheel    0,   6 Jan 12 17:15 null
crw-rw-rw-  1 root  wheel    0,  12 Jan 10 07:57 random
lrwxr-xr-x  1 root  wheel         6 Jan 12 16:54 urandom@ -> random
crw-rw-rw-  1 root  wheel    0,   7 Jan 10 15:57 zero

which is more than enough to appease /usr/libexec/sftp-server.

chroots created some months ago contain lib versions with numbers typically one less, such as ./usr/lib/libssh.so.2 in the older chroot, versus ./usr/lib/libssh.so.3 in the newer. The older scponly chroots do not require devfs nodes! I suspect they will eventually break though, given enough time.

Given that scponlyc provides a setup_chroot.sh script that provides hooks for OS-specific chroot setup steps, would it help the port maintainer to provide the shell script below? I have it installed in /usr/local/etc/rc.d/scponlyc.sh.

Jim

#!/bin/sh
# script to create devfs filesystems at boot time for scponlyc
# chroot'ed users.  We will read /etc/shells to determine
# where scponlyc is installed.  Then we'll iterate through
# each user in /etc/passwd to find users whose shell is set to
# scponlyc.  For each such user found, we will create a
# minimal devfs under ~/dev.

SCPONLYC=$(/usr/bin/grep "/scponlyc$" /etc/shells 2>/dev/null | /usr/bin/tail -1)

make_devfs() {
    # $1 is the user name whose home directory needs a minimal
    # devfs created.  If ~/dev is not a directory, it will be
    # deleted and replaced with a directory.
    eval DEV="~$1/dev"
    # unmount any devfs left behind by an earlier run (nested mounts too)
    while /sbin/umount ${DEV} 2>/dev/null; do :; done
    [ -h "${DEV}" ] && rm "${DEV}"
    [ -f "${DEV}" ] && rm "${DEV}"
    mkdir -p "${DEV}"
    if /sbin/mount_devfs devfs "${DEV}"; then
        # ruleset 1 hides every node, ruleset 2 unhides the basic ones
        # (null, zero, random, urandom); unmount again if either fails
        /sbin/devfs -m "${DEV}" rule -s 1 applyset || /sbin/umount ${DEV} 2>/dev/null
        /sbin/devfs -m "${DEV}" rule -s 2 applyset || /sbin/umount ${DEV} 2>/dev/null
    fi
}

scponly_startup() {
    # $1 is the path to the /etc/passwd file
    if [ "x${SCPONLYC}" = "x" ]; then
        echo scponlyc is not defined in /etc/shells >&2
        exit 1
    fi
    # skip comment lines, then pick the login name and shell fields
    /usr/bin/grep -v "^[ ]*#" "$1" | /usr/bin/awk -F: '{print $1 " " $7}' |
    while read USER SHELL; do
        if [ "x${SHELL}" = "x${SCPONLYC}" ]; then
            make_devfs "${USER}"
        fi
    done
}

case "$1" in
start)
    scponly_startup "/etc/passwd"
    echo -n ' scponlyc'
    ;;
*)
    echo "Usage: `basename $0` start" >&2
    ;;
esac
exit 0

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
Re: /dev/null in a chroot
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

#!/bin/sh
/sbin/devfs -m $1 rule apply hide
/sbin/devfs -m $1 rule apply path null unhide

where $1 == the dev directory you mount within the chroot environment ...

- --On Sunday, January 07, 2007 16:53:27 +0100 Michael Grant <[EMAIL PROTECTED]> wrote:

> I chrooted apache to /www.
>
> In order to run a java program from a web page, java needs a /dev/null
> inside the chroot.
>
> I don't want to create another whole /dev/ dir with all the disk raw
> devices there to be read for anyone who cracks root. I just want a
> /www/dev/null file.
>
> I tried creating a node with mknod exactly like the node in /dev but
> it doesn't work in freebsd 6. /dev/ is special now and you can't just
> create nodes anywhere like the old days.
>
> Is there a way to create a /www/dev/null which acts just like /dev/null?
>
> Michael Grant

- Marc G. Fournier   Hub.Org Networking Services (http://www.hub.org)
Email . [EMAIL PROTECTED]   MSN . [EMAIL PROTECTED]
Yahoo . yscrappy   Skype: hub.org   ICQ . 7615664

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (FreeBSD)

iD8DBQFFoYpc4QvfyHIvDvMRAsKNAKCBQL1HfW0XiDQlWTQ7SMYxBOD7rwCeMPYk
sZ45tw01yqCImIhanmHTtEQ=
=YMRb
-----END PGP SIGNATURE-----
/dev/null in a chroot
I chrooted apache to /www.

In order to run a java program from a web page, java needs a /dev/null inside the chroot.

I don't want to create another whole /dev/ dir with all the disk raw devices there to be read for anyone who cracks root. I just want a /www/dev/null file.

I tried creating a node with mknod exactly like the node in /dev but it doesn't work in freebsd 6. /dev/ is special now and you can't just create nodes anywhere like the old days.

Is there a way to create a /www/dev/null which acts just like /dev/null?

Michael Grant
Re: /dev/null in a chroot
"Michael Grant" <[EMAIL PROTECTED]> wrote:
>
> I chrooted apache to /www.
>
> In order to run a java program from a web page, java needs a /dev/null
> inside the chroot.
>
> I don't want to create another whole /dev/ dir with all the disk raw
> devices there to be read for anyone who cracks root. I just want a
> /www/dev/null file.
>
> I tried creating a node with mknod exactly like the node in /dev but
> it doesn't work in freebsd 6. /dev/ is special now and you can't just
> create nodes anywhere like the old days.
>
> Is there a way to create a /www/dev/null which acts just like /dev/null?

devfs does this now. You can mount a second devfs under /www/dev/, or anywhere else for that matter. Controlling which device nodes show up is done by devfs rulesets. See the man page for devfs for details.

-Bill
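Bill's pointer to devfs rulesets, Marc's hide/unhide script and Jim's rc.d script earlier in the thread all do the same job: mount a second devfs inside the chroot and filter it down to the handful of nodes the service needs. The script below is an added example, not code from the thread or from any FreeBSD port. It assumes a chroot at /www, a free ruleset number 10 and the node names null, zero, random and urandom; the devfs(8) and mount(8) calls need root on FreeBSD, while the audit function that lists what the chroot can actually see is plain POSIX sh and runs anywhere.

```shell
#!/bin/sh
# Added example (not from the thread): mount a devfs in a chroot that
# exposes only the nodes a service needs, then audit the result.
# Assumptions: chroot dev directory /www/dev, unused ruleset number 10,
# and the node list passed on the command line.

# Create ruleset SET_ID that hides every node and unhides only the names
# given as further arguments.  Rebuilding the set on every run keeps the
# script idempotent across reboots.
#   define_chroot_ruleset 10 null zero random urandom
define_chroot_ruleset() {
    set_id=$1; shift
    /sbin/devfs rule -s "$set_id" delset 2>/dev/null
    /sbin/devfs rule -s "$set_id" add hide || return 1
    for name in "$@"; do
        /sbin/devfs rule -s "$set_id" add path "$name" unhide || return 1
    done
}

# Mount a devfs on DIR and attach ruleset SET_ID to that mount only; the
# system's own /dev is not touched.  "ruleset" makes the set current so
# nodes created later are filtered too; "rule applyset" filters the
# nodes that already exist.
#   mount_chroot_devfs /www/dev 10
mount_chroot_devfs() {
    dir=$1; set_id=$2
    mkdir -p "$dir" || return 1
    /sbin/mount -t devfs devfs "$dir" || return 1
    /sbin/devfs -m "$dir" ruleset "$set_id" &&
    /sbin/devfs -m "$dir" rule applyset || {
        /sbin/umount "$dir"
        return 1
    }
}

# Audit: succeed only if every visible entry in DIR is on the allow list.
# A disk or memory device showing up here means the ruleset was not
# applied and the chroot sees the whole device tree.
#   audit_chroot_dev /www/dev null zero random urandom
audit_chroot_dev() {
    dir=$1; shift
    allowed=" $* "
    rc=0
    for entry in "$dir"/* "$dir"/.[!.]*; do
        # an unmatched glob is left as-is by the shell; skip it
        [ -e "$entry" ] || [ -L "$entry" ] || continue
        name=${entry##*/}
        case "$allowed" in
            *" $name "*) ;;
            *) echo "unexpected node in $dir: $name" >&2; rc=1 ;;
        esac
    done
    return $rc
}

# Typical use on FreeBSD, as root:
#   define_chroot_ruleset 10 null zero random urandom
#   mount_chroot_devfs /www/dev 10
#   audit_chroot_dev /www/dev null zero random urandom
```

The audit is worth running from cron as well as at setup time: a devfs mounted by hand without the ruleset, or after a ruleset was edited, exposes every device to anything that gets root inside the chroot, which is exactly what the original poster wanted to avoid.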
Re: FreeBSD chroot problem...Please help!!!
On Sun, Jan 07, 2007 at 12:50:34PM +0100, VeeJay wrote:
> I'm trying to run MySQL and Apache under a chroot environment. But I am
> getting these errors.
[ ... ]
> # /usr/local/mysql/libexec/mysqld: Can't create/write to file
> '/var/tmp/ibPM3e0d' (Errcode: 13)
[ ... ]
> fopen: Operation not supported
> httpd: could not open document config file /dev/null

Are these files/directories/device nodes present in their respective chroot environment?

--
Riemer Palstra   Amsterdam, The Netherlands
[EMAIL PROTECTED]   http://www.palstra.com/
FreeBSD chroot problem...Please help!!!
Hello there

I was wondering if someone having great knowledge of the FreeBSD chroot system could give me some help. I'm trying to run MySQL and Apache under a chroot environment. But I am getting these errors. Could you please help me to solve these problems. I have googled a lot but didn't find any solution. Please help!

1. When running MySQL 5.0 in a chroot environment, I get the following error:

# chrootuid /chroot/mysql mysql /usr/local/mysql/libexec/mysqld &
[1] 599
# /usr/local/mysql/libexec/mysqld: Can't create/write to file '/var/tmp/ibPM3e0d' (Errcode: 13)
070107 10:43:49  InnoDB: Error: unable to create temporary file; errno: 13
070107 10:43:49 [Note] /usr/local/mysql/libexec/mysqld: ready for connections.
Version: '5.0.27'  socket: '/tmp/mysql.sock'  port: 0  FreeBSD port: mysql-server-5.0.27

2. When running Apache in a chroot environment, I get the following error:

# chroot /chroot/httpd /usr/local/apache/bin/httpd
fopen: Operation not supported
httpd: could not open document config file /dev/null

I will really appreciate your kind help!

--
Thanks!
BR / vj
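Both errors in the post come down to something the chrooted program expects at a fixed path that is absent, unwritable or not a working device inside the new root: mysqld gets errno 13 (EACCES) on /var/tmp, httpd cannot open /dev/null. The script below is an added example, not from the thread: a pre-flight check to run before starting a service in a chroot. The chroot paths /chroot/mysql and /chroot/httpd come from the post; the requirement syntax and the directory layout used in the checks are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight checks for a chroot
# before a service is started in it.  Each requirement is REL:KIND where
# KIND is ro (must exist), rw (must exist and be writable by the invoking
# user) or chr (must be a character device that can actually be opened).
# Run it as the service user, e.g. via su(1): as root, -w is always true.
# Directory names below are constructed for illustration.

# Join ROOT and REL into one path, tolerating stray slashes.
in_root() {
    printf '%s/%s\n' "${1%/}" "${2#/}"
}

# check_path ROOT REL [ro|rw]
check_path() {
    target=$(in_root "$1" "$2")
    if [ ! -e "$target" ]; then
        echo "MISSING  $2 (not present under $1)" >&2
        return 1
    fi
    if [ "${3:-ro}" = rw ] && [ ! -w "$target" ]; then
        echo "READONLY $2 (the service would get EACCES, errno 13)" >&2
        return 1
    fi
}

# check_devnode ROOT REL: the node must be a real character device and
# it must open.  A plain file named null fails -c; a node created with
# mknod(8) on FreeBSD 5 and later may pass -c yet fail to open, which is
# why a one-byte read is attempted as well.  Only a devfs mount gives a
# working node.
check_devnode() {
    target=$(in_root "$1" "$2")
    if [ ! -c "$target" ]; then
        echo "NOTDEV   $2 (not a character device under $1)" >&2
        return 1
    fi
    if ! dd if="$target" of=/dev/null bs=1 count=1 2>/dev/null; then
        echo "NOOPEN   $2 (character device that cannot be opened)" >&2
        return 1
    fi
}

# preflight_chroot ROOT REL:KIND ...  -> 0 only if every check passes;
# every failure is reported, not just the first.
preflight_chroot() {
    root=$1; shift
    failures=0
    for spec in "$@"; do
        rel=${spec%%:*}; kind=${spec#*:}
        case "$kind" in
            chr)   check_devnode "$root" "$rel" || failures=$((failures + 1)) ;;
            ro|rw) check_path "$root" "$rel" "$kind" || failures=$((failures + 1)) ;;
            *)     echo "bad spec: $spec" >&2; failures=$((failures + 1)) ;;
        esac
    done
    [ "$failures" -eq 0 ]
}

# The two failures in the post, expressed as requirements:
#   preflight_chroot /chroot/mysql var/tmp:rw tmp:rw
#   preflight_chroot /chroot/httpd dev/null:chr
```

Because the checks are run against the path as seen from outside the chroot, they can go into the same rc.d script that later calls chroot(8) or chrootuid, and they fail early with a message naming the missing piece instead of the generic errno the service prints.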
Re: chroot, performance & security
On Wed, Dec 27, 2006 at 10:16:31AM +0100, VeeJay wrote:
> Hi
>
> I have made partitions on my web server like at very outer edges of the
> disks,
>
> I have /, then /var, /tmp, /usr and in the end /home.
>
> Since I read that Data modified & used often should be placed at close to
> outer edges as possible.
>
> So, I am having all logs (apache, ftp, mysql and other logs) under /var/logs
> I have all my mysql DBs under /var/mysql/db
>
> But if for Security reasons, I want to chroot apache, mysql and ftp under
> /home, then along with all executables and libraries I have to move all
> logs, DBs under /home/chroot
>
> But then I think, If I move all these data from /var... I miss performance?

You need not have created so many partitions because it is going to hurt you now when you have to chroot. :)

Apache running under chroot means a lot of things. OpenBSD has done it by default and it means that all the files that users host have to be under the chroot. All the DSOs have to be accessible as well.

chrooting ftp or sftp is not much trouble. I think a simple google search will tell you how to run sftp under chroot. I would suggest that along with chrooting ftp.

mysql should not give you much trouble but then I never use it. I am a postgresql guy...

Best of luck!

regards,
Girish

-
When your mind is purified like a mirror knowledge is reflected in it.
Adi Sankaracharya, Hindu saint
chroot, performance & security
Hi

I have made partitions on my web server like at very outer edges of the disks,

I have /, then /var, /tmp, /usr and in the end /home.

Since I read that Data modified & used often should be placed at close to outer edges as possible.

So, I am having all logs (apache, ftp, mysql and other logs) under /var/logs
I have all my mysql DBs under /var/mysql/db

But if for Security reasons, I want to chroot apache, mysql and ftp under /home, then along with all executables and libraries I have to move all logs, DBs under /home/chroot

But then I think, If I move all these data from /var... I miss performance?

Please comment?

--
Thanks!
BR / vj
ftpd.conf chroot not working
I'm having problems getting the /etc/ftpd.conf chroot command to work. However, if I append a directory after the username in /etc/ftpchroot that does work. It seems like ftpd.conf isn't even getting used. The reason I want to use ftpd.conf is it supposedly allows the use of escape strings such as %u for username. The machine is running 6.0-RELEASE.

(doesn't work)
ftpd.conf:
chroot all /usr/local/www/apache22/data/%u
ftpchroot:
@client

(does work)
ftpd.conf:
#empty
ftpchroot:
@client /usr/local/www/apache22/data/usersite

James
FTP and chroot....
Hello,

For the life of me I can not get any user who FTPs into my box to be chroot'ed to a particular directory. I'm sure this should be a simple thing to do. I have setup an ~/ftp directory for each user and would like their ftp session to be chroot'ed to it. But I can't seem to get it working. Here is what I presently have setup...

rc.conf
ftpd_enable="YES"
ftpd_flags="-S -ll"

ftpd.conf
chroot all /home/%u/ftp

ftpusers

ftpchroot
@ftp

All users which I grant FTP access to are members of the ftp group. They can FTP into the box, but the root dir is their home dir. They are chroot'ed to their home dir... not ~/ftp. I've tried various things in all of the config files to change it to this subdir, to no avail.

Thanks,

--
Regards,
Eric
Re: jails or chroot?
On May 10, 2006, at 2:33 AM, Iantcho Vassilev wrote:

On 5/9/06, Chad Leigh -- Shire.Net LLC <[EMAIL PROTECTED]> wrote:

On May 9, 2006, at 5:53 AM, Michael Grant wrote:

> > When it comes time to upgrade, how does one upgrade 100 different
> > jails? This will be a nightmare!

Actually, not. You only need 1 master jail and a bunch of nullfs read only mounts plus some exclusive space for each jail. I run 44 jails at the moment this way. Upgrading is relatively easy as I only have to upgrade one master jail (and unfortunately lots of jail etc if such happens but a few scripts can automate much of that).

All the jails run out of one installed jail and they also have the side benefit of the main system directories being read only so exploits in one jail cannot affect all the running jails.

Wow, I really like the setup you have made.. One question. How do you update the system (and the jail)?

I shut all the jails down, and update the system. Then I boot without starting the jails and rebuild the master jail according to "man jail". Then I start a special main jail that was used to install ports used, if any, into a common area and do any updates necessary -- this last one from 5.4 to 6.0 I just made sure I had the 5x compatibility stuff installed and all was fine for now so I have more time to redo individual ports or SW built from scratch. When that is done I restart all the jails.

I had about 40 jails active when I went from 5.4 to 6.0 on this particular machine (some earlier ones I did from 5.4 to 6.0 had maybe 1 or 2 jails so they were not the definitive test case). Had no problems once I made sure all the jails were accessing the compat 5x stuff (which I did by editing in each jail /etc -- you could use a script but I am lousy at writing more than simple scripts -- the rc.conf and making sure that "ldconfig_paths=" was set appropriately to the master jail wide compat5x library location...

Done, finis

Chad

---
Chad Leigh -- Shire.Net LLC
Your Web App and Email hosting provider
chad at shire.net
Re: jails or chroot?
On 5/9/06, Chad Leigh -- Shire.Net LLC <[EMAIL PROTECTED]> wrote:

On May 9, 2006, at 5:53 AM, Michael Grant wrote:

> > When it comes time to upgrade, how does one upgrade 100 different
> > jails? This will be a nightmare!

Actually, not. You only need 1 master jail and a bunch of nullfs read only mounts plus some exclusive space for each jail. I run 44 jails at the moment this way. Upgrading is relatively easy as I only have to upgrade one master jail (and unfortunately lots of jail etc if such happens but a few scripts can automate much of that).

I basically set up /local/jails/master and install according to man jail into this place. I never start this jail.

I happen to use disk backed md devices as the root for each jail. I mount each one on /local/jail/ Then I do

/sbin/mount_nullfs -o ro /local/jails/master/bin /local/jails/adcmw/bin
/sbin/mount_nullfs -o ro /local/jails/master/lib /local/jails/adcmw/lib
/sbin/mount_nullfs -o ro /local/jails/master/libexec /local/jails/adcmw/libexec
/sbin/mount_nullfs -o ro /local/jails/master/sbin /local/jails/adcmw/sbin
/sbin/mount_nullfs -o ro /local/jails/master/usr /local/jails/adcmw/usr
/sbin/mount -t procfs proc /local/jails/adcmw/proc
devfs_domount /local/jails/adcmw/dev devfsrules_jail
devfs_set_ruleset devfsrules_jail /local/jails/adcmw/dev
/sbin/devfs -m /local/jails/adcmw/dev rule -s 4 applyset

In my master jail I have some symlinks so that each jail has its own /usr/local/ that is writable.

All the jails run out of one installed jail and they also have the side benefit of the main system directories being read only so exploits in one jail cannot affect all the running jails.

Wow, I really like the setup you have made.. One question. How do you update the system (and the jail)?
Re: jails or chroot?
On May 9, 2006, at 5:53 AM, Michael Grant wrote:

When it comes time to upgrade, how does one upgrade 100 different jails? This will be a nightmare!

Actually, not. You only need 1 master jail and a bunch of nullfs read only mounts plus some exclusive space for each jail. I run 44 jails at the moment this way. Upgrading is relatively easy as I only have to upgrade one master jail (and unfortunately lots of jail etc if such happens but a few scripts can automate much of that).

I basically set up /local/jails/master and install according to man jail into this place. I never start this jail.

I happen to use disk backed md devices as the root for each jail. I mount each one on /local/jail/ Then I do

/sbin/mount_nullfs -o ro /local/jails/master/bin /local/jails/adcmw/bin
/sbin/mount_nullfs -o ro /local/jails/master/lib /local/jails/adcmw/lib
/sbin/mount_nullfs -o ro /local/jails/master/libexec /local/jails/adcmw/libexec
/sbin/mount_nullfs -o ro /local/jails/master/sbin /local/jails/adcmw/sbin
/sbin/mount_nullfs -o ro /local/jails/master/usr /local/jails/adcmw/usr
/sbin/mount -t procfs proc /local/jails/adcmw/proc
devfs_domount /local/jails/adcmw/dev devfsrules_jail
devfs_set_ruleset devfsrules_jail /local/jails/adcmw/dev
/sbin/devfs -m /local/jails/adcmw/dev rule -s 4 applyset

In my master jail I have some symlinks so that each jail has its own /usr/local/ that is writable.

All the jails run out of one installed jail and they also have the side benefit of the main system directories being read only so exploits in one jail cannot affect all the running jails.

Chad

---
Chad Leigh -- Shire.Net LLC
Your Web App and Email hosting provider
chad at shire.net
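Chad's layout depends on every shared directory being a read-only nullfs mount of the master tree; one mount that was accidentally made writable would let a compromised jail alter binaries that every other jail executes. The function below is an added example, not part of Chad's scripts: it reads mount(8) output and flags any mount of the master tree under a jail root that is not nullfs or lacks the read-only option. The paths follow the thread (/local/jails/master and /local/jails/adcmw); the sample mount output is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example (not from the thread): confirm that the directories a
# jail shares with the master jail really are read-only nullfs mounts.
# Reads mount(8) output on stdin, so it works on a live "mount" run or
# on a saved copy.  Paths are the ones used in the thread.

# check_jail_ro_mounts MASTER JAILROOT < mount-output
# Exit 0 only when at least one mount of MASTER/* sits under JAILROOT
# and every such mount is nullfs with the read-only option; each
# offender is printed on stderr.
check_jail_ro_mounts() {
    master=${1%/}; jailroot=${2%/}
    bad=0; seen=0
    while IFS= read -r line; do
        # FreeBSD mount(8) prints: SRC on DST (type, opt, opt, ...)
        src=${line%% on *}
        rest=${line#* on }
        dst=${rest%% (*}
        opts=${rest#*(}; opts=${opts%)}
        opts=$(printf '%s' "$opts" | tr -d ' ')
        # only mounts that take their contents from the master tree
        case "$src" in "$master"/*) ;; *) continue ;; esac
        # and that land inside this jail
        case "$dst" in "$jailroot"/*) ;; *) continue ;; esac
        seen=$((seen + 1))
        case ",$opts," in
            *,nullfs,*) ;;
            *) echo "NOT NULLFS: $src on $dst ($opts)" >&2
               bad=$((bad + 1)); continue ;;
        esac
        case ",$opts," in
            *,read-only,*) ;;
            *) echo "WRITABLE:   $src on $dst ($opts)" >&2
               bad=$((bad + 1)) ;;
        esac
    done
    [ "$seen" -gt 0 ] && [ "$bad" -eq 0 ]
}

# Constructed sample of mount(8) output (not captured from a real host).
# The usr line is deliberately missing the read-only option.
SAMPLE_MOUNT_OUTPUT='/dev/md0 on /local/jails/adcmw (ufs, local, soft-updates)
/local/jails/master/bin on /local/jails/adcmw/bin (nullfs, local, read-only)
/local/jails/master/lib on /local/jails/adcmw/lib (nullfs, local, read-only)
/local/jails/master/usr on /local/jails/adcmw/usr (nullfs, local)
devfs on /local/jails/adcmw/dev (devfs, local)'

# Live use on the host:
#   mount | check_jail_ro_mounts /local/jails/master /local/jails/adcmw
# Against the sample (reports the usr mount and returns 1):
#   printf '%s\n' "$SAMPLE_MOUNT_OUTPUT" | check_jail_ro_mounts /local/jails/master /local/jails/adcmw
```

The empty-input case is treated as a failure on purpose: if the jail has no master mounts at all, the jail is either not set up as described or is running from its own writable copy, and either deserves a look rather than a silent pass.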
Re: jails or chroot?
With the inclusion of mergemaster -u subsequent base system upgrades are much less painful. Using null mounts for the common areas should lessen the version sync issues. Once unionfs is stable again, you could just use one jail as a base image and allow the others to be cloned off of that.

ezjail might come in handy as well...
http://erdgeist.org/arts/software/ezjail/
Re: jails or chroot?
On Tuesday 09 May 2006 08:24, Michael Grant wrote:
> I'll try to be more explicit on my requirements. I'm not worried
> about mail. I'm mostly worried about web. Each client has a web
> site with one or more domains. I currently offer them
> apache+php+mysql+mod_perl+mod_ssl. One of them needs java server
> pages, tomcat I think. Everyone gets access to their own logs and
> to geolizer (webalizer). Some clients would like shell access.
> Most clients write their web site using ftp. Certain ones need
> also the MS Front Page Extensions. Some clients want an ftp upload
> area. Ssl poses a special problem in that I need to allocate an ip
> address for those who have their own ssl certificate. It's pretty
> much all standard stuff.

I use suphp with apache in a mass hosting configuration for about 50 websites to take care of the php access issues. You'll need to setup the ACLs correctly so there is no snooping. I then use scponly to allow chrooted sftp access to their web directories. Webalizer logs are automatically generated and placed in their chrooted directory for download. As for shell access I don't allow it. If people want easy command line access I just tell use sshfs on FreeBSD or Linux. The Windows and Mac users don't care about shell access. For the Tomcat, Frontpage, and SSL users just setup jails for them. With the inclusion of mergemaster -u subsequent base system upgrades are much less painful. Using null mounts for the common areas should lessen the version sync issues. Once unionfs is stable again, you could just use one jail as a base image and allow the others to be cloned off of that.

Hopefully some of the above helps you in your situation.

>
> But yes, I totally agree with you, it is an administration
> nightmare to set up separate jails and keep track of which has
> which version of what and so on. There must be an easier way to do
> this. Some of you folks who run hosting sites, how do you manage
> large numbers of clients?
>
> Michael Grant
>
> On 5/9/06, Subhro <[EMAIL PROTECTED]> wrote:
> > On 5/9/06, Michael Grant <[EMAIL PROTECTED]> wrote:
> > > I host a bunch of websites on my box. Recently I had some
> > > problems with file access problems with php which caused me to
> > > look into putting each of my clients into their own jail or
> > > chroot. I have roughly 100 different domains I'd need to
> > > split.
> >
> > I won't be doing this even if someone pays me twice for doing it.
> > This is going to create a HELL lot of problems later on,
> > especially during upgrades.
> >
> > BTW can you tell us your exact requirements?
> >
> > Thanks and Best Regards
> > Subhro
> >
> > --
> > Subhro Kar
> > Security Engineer
> > iViZ Techno Solutions Pvt. Ltd.
> > eRevMax House, 1st Floor
> > Plot XI-16, Sector V
> > Salt Lake City
> > 700091
> > India

--
Anish Mistry
RE: jails or chroot?
Hi,

Sure, jails require more work regarding administration. Ports are not the biggest problem I think, it's the easy part. The problem is when you have to update the world. But even here, with a good script, it's not such a nightmare.

Maybe all you need is Michael's solution. But take into account that with jails, you have a great flexibility regarding the application you install for a particular client. And all the security that a jail system can offer, plus a fantastic way of managing your backups.

I personally run a jail based VPS server, based on FreeBSD 6.0, with 13 jails at the moment. It's a dual xeon, with 4GB RAM, and RAID 5 SCSI HDs. I have 355 MB RAM active, 1525 inactive and 1679 MB RAM are free. I intend to run a maximum of 50 jails on this server. And until now, nothing seems to oppose to my plans.

Beware of one thing with jails, though: a bug in FreeBSD does not permit a clean shutdown of jails. But trust me: you never need to!

Hope this helps, and keep us informed of your choice.

Philippe Lang

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Jahilliya
Sent: Tuesday, 9 May 2006 14:48
To: Michael Grant
Cc: freebsd-questions@freebsd.org
Subject: Re: jails or chroot?

On 5/9/06, Michael Grant <[EMAIL PROTECTED]> wrote:
>
> I host a bunch of websites on my box. Recently I had some problems
> with file access problems with php which caused me to look into
> putting each of my clients into their own jail or chroot. I have
> roughly 100 different domains I'd need to split.
>
> Has anyone done this for more than a handful of clients? Using
> apache and their "mass virtual hosting", 100 domains is a breeze. But
> with a jail or chroot, I need a separate apache process for each
> domain. This is going to mean hundreds of apache processes. This
> seems unreasonable.

Agreed that creating hundreds of chroots or jails would be an administrative nightmare.

File access can be solved with suexec (compile apache with suexec enabled), this means that for each virtual host entry in your apache config you add User and Group (check http://httpd.apache.org/docs/2.2/suexec.html or your apache version doc set). This will make each apache process run as the user specified in the virtual host entry (not www) allowing you to restrict their access to files with filesystem ACLs and even ugidfw, you could also then setup process/memory restrictions in /etc/login.conf

It will also make updating pretty much as standard as it is now.

Give it a burl if it sounds like what you need.
Re: jails or chroot?
On 5/9/06, Michael Grant <[EMAIL PROTECTED]> wrote:

I host a bunch of websites on my box. Recently I had some problems with file access problems with php which caused me to look into putting each of my clients into their own jail or chroot. I have roughly 100 different domains I'd need to split.

Has anyone done this for more than a handful of clients? Using apache and their "mass virtual hosting", 100 domains is a breeze. But with a jail or chroot, I need a separate apache process for each domain. This is going to mean hundreds of apache processes. This seems unreasonable.

Agreed that creating hundreds of chroots or jails would be an administrative nightmare.

File access can be solved with suexec (compile apache with suexec enabled), this means that for each virtual host entry in your apache config you add User and Group (check http://httpd.apache.org/docs/2.2/suexec.html or your apache version doc set). This will make each apache process run as the user specified in the virtual host entry (not www) allowing you to restrict their access to files with filesystem ACLs and even ugidfw, you could also then setup process/memory restrictions in /etc/login.conf

It will also make updating pretty much as standard as it is now.

Give it a burl if it sounds like what you need.
Re: jails or chroot?
I'll try to be more explicit on my requirements. I'm not worried about mail. I'm mostly worried about web. Each client has a web site with one or more domains. I currently offer them apache+php+mysql+mod_perl+mod_ssl. One of them needs java server pages, tomcat I think. Everyone gets access to their own logs and to geolizer (webalizer). Some clients would like shell access. Most clients write their web site using ftp. Certain ones need also the MS Front Page Extensions. Some clients want an ftp upload area. Ssl poses a special problem in that I need to allocate an ip address for those who have their own ssl certificate. It's pretty much all standard stuff.

But yes, I totally agree with you, it is an administration nightmare to set up separate jails and keep track of which has which version of what and so on. There must be an easier way to do this. Some of you folks who run hosting sites, how do you manage large numbers of clients?

Michael Grant

On 5/9/06, Subhro <[EMAIL PROTECTED]> wrote:

On 5/9/06, Michael Grant <[EMAIL PROTECTED]> wrote:
> I host a bunch of websites on my box. Recently I had some problems
> with file access problems with php which caused me to look into
> putting each of my clients into their own jail or chroot. I have
> roughly 100 different domains I'd need to split.

I won't be doing this even if someone pays me twice for doing it. This is going to create a HELL lot of problems later on, especially during upgrades.

BTW can you tell us your exact requirements?

Thanks and Best Regards
Subhro

--
Subhro Kar
Security Engineer
iViZ Techno Solutions Pvt. Ltd.
eRevMax House, 1st Floor
Plot XI-16, Sector V
Salt Lake City
700091
India
Re: jails or chroot?
On 5/9/06, Michael Grant <[EMAIL PROTECTED]> wrote:

I host a bunch of websites on my box. Recently I had some problems with file access problems with php which caused me to look into putting each of my clients into their own jail or chroot. I have roughly 100 different domains I'd need to split.

I won't be doing this even if someone pays me twice for doing it. This is going to create a HELL lot of problems later on, especially during upgrades.

BTW can you tell us your exact requirements?

Thanks and Best Regards
Subhro

--
Subhro Kar
Security Engineer
iViZ Techno Solutions Pvt. Ltd.
eRevMax House, 1st Floor
Plot XI-16, Sector V
Salt Lake City
700091
India
jails or chroot?
I host a bunch of websites on my box. Recently I had some problems with file access problems with php which caused me to look into putting each of my clients into their own jail or chroot. I have roughly 100 different domains I'd need to split.

Has anyone done this for more than a handful of clients? Using apache and their "mass virtual hosting", 100 domains is a breeze. But with a jail or chroot, I need a separate apache process for each domain. This is going to mean hundreds of apache processes. This seems unreasonable.

When it comes time to upgrade, how does one upgrade 100 different jails? This will be a nightmare!

What do you folks do who run lots of domains on freebsd?

Michael Grant
Re: chroot and /dev
On Thu, Dec 15, 2005 at 07:18:11PM +, Dieter wrote:
> How does one provide one or two devices, e.g. /dev/null
> for a chroot environment?
>
> Device nodes created by mknod do not work.
>
> mount_devfs creates an entire device tree, negating
> the security of the chroot.

See the jail manpage (jail is better than chroot if security is your goal).

Kris
chroot and /dev
How does one provide one or two devices, e.g. /dev/null for a chroot environment?

Device nodes created by mknod do not work.

mount_devfs creates an entire device tree, negating the security of the chroot.
Re: How do I chroot rsync like I chroot ftp ?
On Thu, 10 Nov 2005, user wrote:

scponly is another restricted shell like rssh. It is under more active development, and seems to have more features. It's in the ports tree under shells.

I was looking for it under security. Will try it this weekend..

Have you tried it yet? I am also leaning towards scponly because it supports both rsync and unison.
Re: How do I chroot rsync like I chroot ftp ?
On Wed, 9 Nov 2005, [EMAIL PROTECTED] wrote:
> user writes:
>
> > What is the equivalent mechanism for rsync ?
>
> I have not used it myself, but was looking at rssh tonight. There is also a
> program, not in the ports, called scopy or something of the like.
>
> Check the rssh port in the /usr/ports tree.. go to their web page. They
> mention the URL for the other program.
>
> I am looking to do the same thing, chroot rsync, so will be looking at those
> two options I mentioned above in coming days.

scponly is another restricted shell like rssh. It is under more active development, and seems to have more features. It's in the ports tree under shells.
Re: How do I chroot rsync like I chroot ftp ?
user writes:

> What is the equivalent mechanism for rsync ?

I have not used it myself, but was looking at rssh tonight. There is also a program, not in the ports, called scopy or something of the like.

Check the rssh port in the /usr/ports tree.. go to their web page. They mention the URL for the other program.

I am looking to do the same thing, chroot rsync, so will be looking at those two options I mentioned above in coming days.
Re: How do I chroot rsync like I chroot ftp ?
On Fri, 21 Oct 2005, Dan Nelson wrote:
> In the last episode (Oct 21), user said:
> > Generally I chroot ftp users by simply adding their username to
> > /etc/ftpchroot. In older days, I used login.conf, etc.
> >
> > The point is, it's easy to take a specific user and set a chroot that
> > applies to what they can see when they use ftp.
> >
> > What is the equivalent mechanism for rsync ?
>
> See the rsyncd.conf manpage; it explains how to chroot rsyncd.

Yes ... I saw that ... is there any way to "chroot" rsync over ssh, so I can use public keys and not run the actual rsync server ?

I'd like to do the same thing with rdist as well, and am not sure ... how that would even work. I do rdist now over ssh, and it works fine, but ... not sure how to get rdist users to only see their own directory.

Is it possible that what I really want to do is chroot ssh, if I am doing all of my rsync/rdist over ssh ?
Re: How do I chroot rsync like I chroot ftp ?
In the last episode (Oct 21), user said:
> Generally I chroot ftp users by simply adding their username to
> /etc/ftpchroot. In older days, I used login.conf, etc.
>
> The point is, it's easy to take a specific user and set a chroot that
> applies to what they can see when they use ftp.
>
> What is the equivalent mechanism for rsync ?

See the rsyncd.conf manpage; it explains how to chroot rsyncd.

-- 
Dan Nelson
[EMAIL PROTECTED]
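Dan Nelson's pointer above is to the "use chroot" module parameter in rsyncd.conf(5). As an added example, not from the thread or from the rsync project, here is a chrooted, read-only module set up the way that manual page describes, followed by a small audit that rereads the file and reports any module that turns the chroot off, keeps root, or is writable without "auth users". The config path under /usr/local/etc (where the net/rsync port keeps it), the module name pubdata, the export path, the user alice and the address range are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: a chrooted, read-only rsync module as
# rsyncd.conf(5) defines it, plus a check that no module in the file turns
# the chroot off, runs as root, or is writable without authentication.
# The config path, module name, export path, user "alice" and the network
# range are assumptions; adjust them.

RSYNCD_CONF=${RSYNCD_CONF:-/usr/local/etc/rsyncd.conf}
RSYNCD_SECRETS=${RSYNCD_SECRETS:-/usr/local/etc/rsyncd.secrets}

# "use chroot = yes" is the rsync counterpart of /etc/ftpchroot: the daemon
# chroots to the module's "path" before the transfer starts, which is why it
# has to be started as root; uid/gid are what it drops to afterwards.
write_rsyncd_conf() {
    cat > "$RSYNCD_CONF" <<EOF
uid = nobody
gid = nobody
use chroot = yes
max connections = 4
log file = /var/log/rsyncd.log

[pubdata]
    path = /export/pubdata
    comment = read-only mirror, one authenticated user
    read only = yes
    list = no
    auth users = alice
    secrets file = $RSYNCD_SECRETS
    hosts allow = 192.0.2.0/24
EOF
    chmod 644 "$RSYNCD_CONF"
}

# Secrets file: one "user:password" line, unreadable by others, or rsync
# refuses to use it unless "strict modes" is switched off.
write_rsyncd_secrets() {
    user=$1; password=$2
    ( umask 077; printf '%s:%s\n' "$user" "$password" > "$RSYNCD_SECRETS" )
}

# Audit an rsyncd.conf. Module parameters given before the first [module]
# act as defaults for every module, so the awk state machine carries them
# over; settings rsync itself defaults to safely (chroot on, read only) are
# only flagged when set off explicitly. Prints one line per finding and
# returns 1 if it found any.
check_rsyncd_conf() {
    awk '
    function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
    function flush() {
        if (mod == "") return
        if (chroot ~ /^(no|false|0)$/) { print mod ": use chroot is off"; bad++ }
        if (uid == "root" || uid == "0") { print mod ": runs as root"; bad++ }
        if (ro ~ /^(no|false|0)$/ && auth == "") { print mod ": writable with no auth users"; bad++ }
    }
    /^[ \t]*[#;]/ || /^[ \t]*$/ { next }
    /^[ \t]*\[/ {
        flush()
        mod = trim($0); sub(/^\[/, "", mod); sub(/\].*$/, "", mod)
        chroot = gchroot; uid = guid; ro = gro; auth = gauth
        next
    }
    {
        n = index($0, "=")
        if (n == 0) next
        key = tolower(trim(substr($0, 1, n - 1)))
        val = tolower(trim(substr($0, n + 1)))
        if (mod == "") {
            if (key == "use chroot") gchroot = val
            if (key == "uid") guid = val
            if (key == "read only") gro = val
            if (key == "auth users") gauth = val
        } else {
            if (key == "use chroot") chroot = val
            if (key == "uid") uid = val
            if (key == "read only") ro = val
            if (key == "auth users") auth = val
        }
    }
    END { flush(); exit (bad > 0) }
    ' "$1"
}
```

With net/rsync installed, rsyncd_enable="YES" in /etc/rc.conf starts the daemon as root, which the chroot requires; each module then drops to its uid/gid. This is also where the follow-up question about doing it over ssh runs into a wall: the same rsyncd.conf is consulted when a client runs rsync with -e ssh against user@host::module (the remote side executes rsync --server --daemon .), but a key that logs in as an unprivileged user cannot chroot, so that variant has to rely on the module's path and "read only" rather than on "use chroot".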
How do I chroot rsync like I chroot ftp ?
Generally I chroot ftp users by simply adding their username to /etc/ftpchroot. In older days, I used login.conf, etc.

The point is, it's easy to take a specific user and set a chroot that applies to what they can see when they use ftp.

What is the equivalent mechanism for rsync ?

thanks.