Re: chroot error: /bin/csh: No such file or directory; trying to create customized livecd/dvd

2011-12-26 Thread Devin Teske


Sent from my iPhone

On Dec 23, 2011, at 8:28 PM, Antonio Olivares  wrote:

> Dear folks,
> 
> I am trying to build a simple livecd to learn more.  I have
> successfully run some commands found here:
> 
> http://www.secure-computing.net/wiki/index.php/FreeBSD/LiveCD
> 
> # cd /usr/src
> # make buildworld DESTDIR=/usr/home/olivares/tmp/tmp/R/
> # make installworld DESTDIR=/usr/home/olivares/tmp/tmp/R/
> # make buildkernel DESTDIR=/usr/home/olivares/tmp/tmp/R/
> # make installkernel DESTDIR=/usr/home/olivares/tmp/tmp/R/
> # make distribution DESTDIR=/usr/home/olivares/tmp/tmp/R/
> 
> all these commands are successful
> 
> I mount devfs as instructed in command
> 
> # mount -t devfs devfs /path/to/livecd/dev
> # chroot /path/to/livecd
> 
> ===
> 
> tricorehome# mount -t devfs devfs /usr/home/olivares/tmp/tmp/R/
> tricorehome# chroot /usr/home/olivares/tmp/tmp/R/
> chroot: /bin/csh: No such file or directory
> 
> ===
> 
> I have tried to use freesbie script(s) by installing the freesbie port,
> but it failed, and I asked questions but got few to no responses.
> I have tried to look for some scripts/SDK, like frenzy's for creating the
> frenzy livecd, but have not been successful.  There are few to no FreeBSD
> LiveCDs; the only one that has been working and updated is the GhostBSD
> one by Eric Turgeon.  I see OpenBSD has several livecds/livedvds like
> jggimi, FuguITA, etc. to showcase it.  NetBSD has one as well called
> Jibbed.  FreeBSD has specialized ones like PfSense, Monowall, FreeNAS,
> Mahesha, and GhostBSD.  Frenzy was apparently going to be maintained,
> but there have been no newer releases.  I have gotten feedback that there exist
> mfsBSD by Martin Matuska, http://mfsbsd.vx.sk/, and druidbsd,
> http://sourceforge.net/projects/druidbsd/, but cannot do much with
> them :(
> 
> I try to get my feet wet, but I get an error and can't seem to get around it :(
> 
> Any thoughts, ideas, comments, observations?
> I just want to create a livecd/livedvd with customized packages to
> take my desktop everywhere,

That should be pretty easy with druidbsd, as it gives you a convenient 
dumping-ground to throw extras into.

Note, however, that there is a very large code-drop around the corner that will 
bring in about 1.5 years of enhancements soon. So if it doesn't do quite what 
you want now, it may soon.

That being said, one of the things I feel makes DruidBSD unique is an 
insanely-customized mfsroot designed to break you out into the larger (and more 
expansive) ISO-9660 structure so that you -- as a developer of your own custom 
LiveCD -- CAN expand the functionality simply by dumping binaries and libs into 
the ISO-9660 structure while the mfsroot stays nice and compact.

If you wanted to, you could add X windows even.
-- 
Devin

> I have tried several *BSD livecds out
> there; they are good, but I want to have the packages that I use, and
> newer ones than FreeSBIE 2.0 and roFreeSBIE 1.3.
> 
> I have seen linux-live scripts [http://www.linux-live.org/] by Tomas
> M, and wonder if there exists such a utility in the *BSDs, a universal
> script to create a livecd/livedvd of a running BSD? If there is no
> such utility, how can I get around the error about /bin/csh, given that it is
> apparently there:
> 
> tricorehome# which csh
> /bin/csh
> 
> so I can chroot to it and add packages/ports to customize the
> livecd/dvd I want to create?
> 
> Regards,
> 
> 
> Antonio
> ___
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"



Re: chroot error: /bin/csh: No such file or directory; trying to create customized livecd/dvd

2011-12-24 Thread Antonio Olivares
On Sat, Dec 24, 2011 at 7:03 AM, Da Rock wrote:
> On 12/24/11 22:57, Antonio Olivares wrote:
>>>
>>> I'll ask a stupid question, and you're more than welcome to give a stupid
>>> answer: Is /bin/csh actually _in_ your chroot?
>>>
>>> So csh should be this path: /usr/home/olivares/tmp/tmp/R/bin/csh
>>>
>>> HTH
>>
>> tricorehome# pwd
>> /usr/home/olivares/tmp/tmp/R
>> tricorehome# ls -l /bin/csh
>> -r-xr-xr-x  2 root  wheel  369288 Apr  2  2011 /bin/csh
>>
>> I am not sure if it is there now :(
>
> I think you may have missed something there: you do realise that even though
> you've changed directory, you haven't chrooted? So when you run ls -l
> /bin/csh it is still checking your system root, not the chroot. Sometimes a
> single typo can cause huge hassles, eh? :)
>
> Try:
>
> cd /usr/home/olivares/tmp/tmp/R && ls -l bin/csh
>
> Watch the "bin/csh": don't make it an absolute path by adding the root (/)
> at the beginning.
>

I am trying to do what you have suggested; it appears that /bin/csh is
not present in the /usr/home/olivares/tmp/tmp/R directory :(

tricorehome# ls /usr/home/olivares/tmp/tmp/
R
tricorehome# ls -l /usr/home/olivares/tmp/tmp/
total 2
drwxr-xr-x  17 root  wheel  512 Dec 23 21:56 R
tricorehome# ls -l /usr/home/olivares/tmp/tmp/R/
total 46
-rw-r--r--   2 root  wheel   798 Dec 23 21:56 .cshrc
-rw-r--r--   2 root  wheel   265 Dec 23 21:56 .profile
-r--r--r--   1 root  wheel  6200 Dec 23 21:56 COPYRIGHT
drwxr-xr-x   2 root  wheel  1024 Dec 23 21:30 bin
drwxr-xr-x   7 root  wheel   512 Dec 23 21:56 boot
dr-xr-xr-x   2 root  wheel   512 Dec 23 21:30 dev
drwxr-xr-x  20 root  wheel  2048 Dec 23 21:56 etc
drwxr-xr-x   3 root  wheel  1536 Dec 23 21:30 lib
drwxr-xr-x   2 root  wheel   512 Dec 23 21:31 libexec
drwxr-xr-x   2 root  wheel   512 Dec 23 21:30 media
drwxr-xr-x   2 root  wheel   512 Dec 23 21:30 mnt
dr-xr-xr-x   2 root  wheel   512 Dec 23 21:30 proc
drwxr-xr-x   2 root  wheel  2560 Dec 23 21:30 rescue
drwxr-xr-x   2 root  wheel   512 Dec 23 21:56 root
drwxr-xr-x   2 root  wheel  2560 Dec 23 21:31 sbin
lrwxr-xr-x   1 root  wheel    11 Dec 23 21:30 sys -> usr/src/sys
drwxrwxrwt   2 root  wheel   512 Dec 23 21:30 tmp
drwxr-xr-x  14 root  wheel   512 Dec 23 21:31 usr
drwxr-xr-x  22 root  wheel   512 Dec 23 21:30 var
tricorehome# ls -l /usr/home/olivares/tmp/tmp/R/bin/
total 1692
-r-xr-xr-x  2 root  wheel   11472 Dec 23 21:30 [
-r-xr-xr-x  1 root  wheel   11448 Dec 23 21:30 cat
-r-xr-xr-x  1 root  wheel    7912 Dec 23 21:30 chflags
-r-xr-xr-x  1 root  wheel   17576 Dec 23 21:30 chio
-r-xr-xr-x  1 root  wheel    8392 Dec 23 21:30 chmod
-r-xr-xr-x  1 root  wheel   21304 Dec 23 21:30 cp
-r-xr-xr-x  2 root  wheel  369288 Dec 23 21:30 csh
-r-xr-xr-x  1 root  wheel   18440 Dec 23 21:30 date
-r-xr-xr-x  1 root  wheel   22104 Dec 23 21:30 dd
-r-xr-xr-x  1 root  wheel   13920 Dec 23 21:30 df
-r-xr-xr-x  1 root  wheel    5704 Dec 23 21:30 domainname
-r-xr-xr-x  1 root  wheel    5592 Dec 23 21:30 echo
-r-xr-xr-x  2 root  wheel   56880 Dec 23 21:30 ed
-r-xr-xr-x  1 root  wheel   16408 Dec 23 21:30 expr
-r-xr-xr-x  1 root  wheel   10336 Dec 23 21:30 getfacl
-r-xr-xr-x  1 root  wheel    5840 Dec 23 21:30 hostname
-r-xr-xr-x  1 root  wheel    7128 Dec 23 21:30 kenv
-r-xr-xr-x  1 root  wheel    7640 Dec 23 21:30 kill
-r-xr-xr-x  2 root  wheel   11368 Dec 23 21:30 link
-r-xr-xr-x  2 root  wheel   11368 Dec 23 21:30 ln
-r-xr-xr-x  1 root  wheel   30496 Dec 23 21:30 ls
-r-xr-xr-x  1 root  wheel    7152 Dec 23 21:30 mkdir
-r-xr-xr-x  1 root  wheel   13576 Dec 23 21:30 mv
-r-xr-xr-x  1 root  wheel   95448 Dec 23 21:30 pax
-r-xr-xr-x  2 root  wheel   16520 Dec 23 21:30 pgrep
-r-xr-xr-x  2 root  wheel   16520 Dec 23 21:30 pkill
-r-xr-xr-x  1 root  wheel   43312 Dec 23 21:30 ps
-r-xr-xr-x  1 root  wheel    7128 Dec 23 21:30 pwait
-r-xr-xr-x  1 root  wheel    5696 Dec 23 21:30 pwd
-r-sr-xr-x  1 root  wheel   20416 Dec 23 21:30 rcp
-r-xr-xr-x  1 root  wheel    5456 Dec 23 21:30 realpath
-r-xr-xr-x  2 root  wheel   56880 Dec 23 21:30 red
-r-xr-xr-x  2 root  wheel   15880 Dec 23 21:30 rm
-r-xr-xr-x  1 root  wheel   72744 Dec 23 21:30 rmail
-r-xr-xr-x  1 root  wheel    5784 Dec 23 21:30 rmdir
-r-xr-xr-x  1 root  wheel   18832 Dec 23 21:30 setfacl
-r-xr-xr-x  1 root  wheel  136696 D

Re: chroot error: /bin/csh: No such file or directory; trying to create customized livecd/dvd

2011-12-24 Thread Antonio Olivares
> I'll ask a stupid question, and you're more than welcome to give a stupid
> answer: Is /bin/csh actually _in_ your chroot?
>
> So csh should be this path: /usr/home/olivares/tmp/tmp/R/bin/csh
>
> HTH

tricorehome# pwd
/usr/home/olivares/tmp/tmp/R
tricorehome# ls -l /bin/csh
-r-xr-xr-x  2 root  wheel  369288 Apr  2  2011 /bin/csh

I am not sure if it is there now :(

Thanks,

Antonio


Re: chroot error: /bin/csh: No such file or directory; trying to create customized livecd/dvd

2011-12-24 Thread Da Rock

On 12/24/11 22:57, Antonio Olivares wrote:

>> I'll ask a stupid question, and you're more than welcome to give a stupid
>> answer: Is /bin/csh actually _in_ your chroot?
>>
>> So csh should be this path: /usr/home/olivares/tmp/tmp/R/bin/csh
>>
>> HTH

> tricorehome# pwd
> /usr/home/olivares/tmp/tmp/R
> tricorehome# ls -l /bin/csh
> -r-xr-xr-x  2 root  wheel  369288 Apr  2  2011 /bin/csh
>
> I am not sure if it is there now :(
I think you may have missed something there: you do realise that even 
though you've changed directory, you haven't chrooted? So when you run 
ls -l /bin/csh it is still checking your system root, not the chroot. 
Sometimes a single typo can cause huge hassles, eh? :)


Try:

cd /usr/home/olivares/tmp/tmp/R && ls -l bin/csh

Watch the "bin/csh": don't make it an absolute path by adding the root 
(/) at the beginning.

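The check Da Rock describes, turned into a small POSIX sh function as an added example (this is not code from the thread, the wiki page it cites, or any of the projects named). It looks for the shell relative to the target tree, never at the absolute /bin/csh that resolves on the host, and when the file is missing it reports two things a practitioner would want to know: whether some filesystem is mounted directly on the target (the post's mount line put devfs on the tree's root rather than on its dev/ subdirectory, which would hide everything installed beneath it), and whether the absolute path exists on the host, which is what `ls -l /bin/csh` and `which csh` were really answering. The function name, the argument layout and the use of `df -P` to identify the filesystem are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread. Verify that a directory is usable as a
# chroot(8) root before running chroot against it.

# check_chroot_target TARGET [SHELL]
#   TARGET: the directory you intend to pass to chroot(8)
#   SHELL:  absolute path chroot(8) will exec inside TARGET; defaults to
#           /bin/csh, the path named in the error message on this page
# Returns 0 when TARGET/SHELL exists and is executable, 1 otherwise, and
# prints a diagnosis on stderr.
check_chroot_target() {
    target=$1
    shell=${2:-/bin/csh}
    rel=${shell#/}                  # "/bin/csh" -> "bin/csh", relative to TARGET

    if [ ! -d "$target" ]; then
        echo "no such directory: $target" >&2
        return 1
    fi

    # The lookup that matters: the path as chroot(8) will see it.
    if [ -x "$target/$rel" ]; then
        echo "ok: $target/$rel is present and executable" >&2
        return 0
    fi

    echo "missing inside target: $target/$rel" >&2

    # Distinguish "never installed" from "hidden by a mount". df -P names the
    # filesystem that currently answers for TARGET; if it differs from the
    # parent directory's, something (devfs in the original post) is mounted on
    # TARGET itself and the installed tree sits underneath it.
    fs_here=$(df -P "$target" | awk 'NR == 2 { print $1 }')
    fs_parent=$(df -P "$target/.." | awk 'NR == 2 { print $1 }')
    if [ "$fs_here" != "$fs_parent" ]; then
        echo "note: $fs_here is mounted directly on $target and may hide the installed tree" >&2
    fi

    # The absolute path is what "ls -l /bin/csh" and "which csh" inspect.
    if [ -x "/$rel" ]; then
        echo "note: /$rel exists on the host, which is why an absolute path looked fine" >&2
    fi
    return 1
}

# Stand-alone use: sh check_chroot.sh /usr/home/olivares/tmp/tmp/R [/bin/csh]
if [ $# -gt 0 ]; then
    check_chroot_target "$@"
fi
```

Run it as root only if you intend to follow it with the actual chroot; the check itself needs no privileges beyond read access to the tree. A passing result says the shell binary is there, not that its shared libraries are, so on a tree that was populated by hand rather than by installworld, `ldd` on the binary inside the tree is the next thing to look at.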


Re: chroot error: /bin/csh: No such file or directory; trying to create customized livecd/dvd

2011-12-23 Thread Da Rock

On 12/24/11 14:28, Antonio Olivares wrote:

> Dear folks,
>
> I am trying to build a simple livecd to learn more.  I have
> successfully run some commands found here:
>
> http://www.secure-computing.net/wiki/index.php/FreeBSD/LiveCD
>
> # cd /usr/src
> # make buildworld DESTDIR=/usr/home/olivares/tmp/tmp/R/
> # make installworld DESTDIR=/usr/home/olivares/tmp/tmp/R/
> # make buildkernel DESTDIR=/usr/home/olivares/tmp/tmp/R/
> # make installkernel DESTDIR=/usr/home/olivares/tmp/tmp/R/
> # make distribution DESTDIR=/usr/home/olivares/tmp/tmp/R/
>
> All these commands are successful.
>
> I mount devfs as instructed by the commands
>
> # mount -t devfs devfs /path/to/livecd/dev
> # chroot /path/to/livecd
>
> ===
>
> tricorehome# mount -t devfs devfs /usr/home/olivares/tmp/tmp/R/
> tricorehome# chroot /usr/home/olivares/tmp/tmp/R/
> chroot: /bin/csh: No such file or directory
>
> ===
>
> I have tried to use freesbie script(s) by installing the freesbie port,
> but it failed, and I asked questions but got few to no responses.
> I have tried to look for some scripts/SDK, like frenzy's for creating the
> frenzy livecd, but have not been successful.  There are few to no FreeBSD
> LiveCDs; the only one that has been working and updated is the GhostBSD
> one by Eric Turgeon.  I see OpenBSD has several livecds/livedvds like
> jggimi, FuguITA, etc. to showcase it.  NetBSD has one as well called
> Jibbed.  FreeBSD has specialized ones like PfSense, Monowall, FreeNAS,
> Mahesha, and GhostBSD.  Frenzy was apparently going to be maintained,
> but there have been no newer releases.  I have gotten feedback that there exist
> mfsBSD by Martin Matuska, http://mfsbsd.vx.sk/, and druidbsd,
> http://sourceforge.net/projects/druidbsd/, but cannot do much with
> them :(
>
> I try to get my feet wet, but I get an error and can't seem to get around it :(
>
> Any thoughts, ideas, comments, observations?
> I just want to create a livecd/livedvd with customized packages to
> take my desktop everywhere. I have tried several *BSD livecds out
> there; they are good, but I want to have the packages that I use, and
> newer ones than FreeSBIE 2.0 and roFreeSBIE 1.3.
>
> I have seen linux-live scripts [http://www.linux-live.org/] by Tomas
> M, and wonder if there exists such a utility in the *BSDs, a universal
> script to create a livecd/livedvd of a running BSD? If there is no
> such utility, how can I get around the error about /bin/csh, given that it is
> apparently there:
>
> tricorehome# which csh
> /bin/csh
>
> so I can chroot to it and add packages/ports to customize the
> livecd/dvd I want to create?

I'll ask a stupid question, and you're more than welcome to give a 
stupid answer: Is /bin/csh actually _in_ your chroot?


So csh should be this path: /usr/home/olivares/tmp/tmp/R/bin/csh

HTH


chroot error: /bin/csh: No such file or directory; trying to create customized livecd/dvd

2011-12-23 Thread Antonio Olivares
Dear folks,

I am trying to build a simple livecd to learn more.  I have
successfully run some commands found here:

http://www.secure-computing.net/wiki/index.php/FreeBSD/LiveCD

# cd /usr/src
# make buildworld DESTDIR=/usr/home/olivares/tmp/tmp/R/
# make installworld DESTDIR=/usr/home/olivares/tmp/tmp/R/
# make buildkernel DESTDIR=/usr/home/olivares/tmp/tmp/R/
# make installkernel DESTDIR=/usr/home/olivares/tmp/tmp/R/
# make distribution DESTDIR=/usr/home/olivares/tmp/tmp/R/

all these commands are successful

I mount devfs as instructed in command

# mount -t devfs devfs /path/to/livecd/dev
# chroot /path/to/livecd

===

tricorehome# mount -t devfs devfs /usr/home/olivares/tmp/tmp/R/
tricorehome# chroot /usr/home/olivares/tmp/tmp/R/
chroot: /bin/csh: No such file or directory

===

I have tried to use freesbie script(s) by installing the freesbie port,
but it failed, and I asked questions but got few to no responses.
I have tried to look for some scripts/SDK, like frenzy's for creating the
frenzy livecd, but have not been successful.  There are few to no FreeBSD
LiveCDs; the only one that has been working and updated is the GhostBSD
one by Eric Turgeon.  I see OpenBSD has several livecds/livedvds like
jggimi, FuguITA, etc. to showcase it.  NetBSD has one as well called
Jibbed.  FreeBSD has specialized ones like PfSense, Monowall, FreeNAS,
Mahesha, and GhostBSD.  Frenzy was apparently going to be maintained,
but there have been no newer releases.  I have gotten feedback that there exist
mfsBSD by Martin Matuska, http://mfsbsd.vx.sk/, and druidbsd,
http://sourceforge.net/projects/druidbsd/, but cannot do much with
them :(

I try to get my feet wet, but I get an error and can't seem to get around it :(

Any thoughts, ideas, comments, observations?
I just want to create a livecd/livedvd with customized packages to
take my desktop everywhere. I have tried several *BSD livecds out
there; they are good, but I want to have the packages that I use, and
newer ones than FreeSBIE 2.0 and roFreeSBIE 1.3.

I have seen linux-live scripts [http://www.linux-live.org/] by Tomas
M, and wonder if there exists such a utility in the *BSDs, a universal
script to create a livecd/livedvd of a running BSD? If there is no
such utility, how can I get around the error about /bin/csh, given that it is
apparently there:

tricorehome# which csh
/bin/csh

so I can chroot to it and add packages/ports to customize the
livecd/dvd I want to create?

Regards,


Antonio


Re: No network in mixed FBSD81/90 chroot environment

2011-11-29 Thread Damien Fleuriot


On 29 Nov 2011, at 23:27, Erik Nørgaard  wrote:

> On 29/11/2011 15:58, Damien Fleuriot wrote:
> 
>> On 11/29/11 1:58 PM, Erik Nørgaard wrote:
>>>> Today I finished make build/install world/kernel in /mnt, and now I no
>>>> longer have network access, interfaces are visible with ifconfig but
>>>> no ip is set and can't be set from within the chroot environment.
>>>> 
>>>> Is this to be expected? How do I get my network access back?
>>> Should add: Network on the host FBSD81 system works fine.
>> 
>> When you chroot to your /mnt/ folder you're still using the 8.x kernel
>> and thus the 8.x NIC drivers, with a 9.x userland.
>> 
>> This might be your problem.
> 
> That seems strange, though: first, drivers are loaded into the kernel, so there 
> is no mismatch there, 8.1 drivers in 8.1 kernel. And then, this is the output 
> from ifconfig, first the chroot environment, then the host environment:
> 
> FreeBSD chroot # ifconfig
> re0: flags=8943 metric 0 mtu 1500
> options=389b
>ether e0:69:95:77:f1:20
>media: Ethernet autoselect (100baseTX )
>    status: active
> plip0: flags=8810 metric 0 mtu 1500
> lo0: flags=8049 metric 0 mtu 16384
>options=3
> pflog0: flags=141 metric 0 mtu 33200
> FreeBSD chroot # exit
> 
> alpha# ifconfig
> re0: flags=8943 metric 0 mtu 1500
> options=389b
>ether e0:69:95:77:f1:20
>inet 192.168.0.1 netmask 0xfe00 broadcast 192.168.1.255
>media: Ethernet autoselect (100baseTX )
>status: active
> plip0: flags=8810 metric 0 mtu 1500
> lo0: flags=8049 metric 0 mtu 16384
>options=3
>inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
>inet6 ::1 prefixlen 128
>inet 127.0.0.1 netmask 0xff00
>nd6 options=3
> pflog0: flags=141 metric 0 mtu 33200
> 
> So, the devices are there, just no network connectivity.
> 
>> What are you trying to achieve with this, a smooth 8.x ->  9.x transition ?
> 
> Well, I don't know what happened on the host system, but the kernel fails 
> building, even kernel 8.2, at if_vlan. Since I decided to migrate to the 
> other disk and upgrade to 9.0, I created a chrooted environment on the new 
> disk and built sources there.
> 
> Now, the tricky part is that this is a headless system and I need it to be up 
> or at least be sure that I can roll back if something fails.
> 
>> You may want to, instead, install your 9.0 on a different machine
>> (possibly a VM), then use dump on the filesystems to inject them
>> properly on your new disk on the original machine.
>> 
>> You should then be able to reboot on the new disk just fine.
> 
> Thanks for the suggestion, but it sounds risky; the disks are not identical 
> in size.
> 

Disk/slice sizes are not relevant; dump only injects the actual data (i.e. 
files/folders).

You can dump a 20 GB partition, then import it into a 50 GB one.


> It seems I have a workaround that will get my new disk ready: Using 
> fetch-recursive I've downloaded the sources of the ports I need installed, so 
> I can build in the chroot without network access.
> 
> BR, Erik
> 
> -- 
> M: +34 666 334 818
> T: +34 915 211 157


Re: No network in mixed FBSD81/90 chroot environment

2011-11-29 Thread Erik Nørgaard

On 29/11/2011 15:58, Damien Fleuriot wrote:


> On 11/29/11 1:58 PM, Erik Nørgaard wrote:
>> Today I finished make build/install world/kernel in /mnt, and now I no
>> longer have network access, interfaces are visible with ifconfig but
>> no ip is set and can't be set from within the chroot environment.
>>
>> Is this to be expected? How do I get my network access back?
>>
>> Should add: Network on the host FBSD81 system works fine.
>
> When you chroot to your /mnt/ folder you're still using the 8.x kernel
> and thus the 8.x NIC drivers, with a 9.x userland.
>
> This might be your problem.

That seems strange, though: first, drivers are loaded into the kernel, so 
there is no mismatch there, 8.1 drivers in 8.1 kernel. And then, this is 
the output from ifconfig, first the chroot environment, then the host 
environment:

FreeBSD chroot # ifconfig
re0: flags=8943 metric 0 mtu 1500
        options=389b
        ether e0:69:95:77:f1:20
        media: Ethernet autoselect (100baseTX )
        status: active
plip0: flags=8810 metric 0 mtu 1500
lo0: flags=8049 metric 0 mtu 16384
        options=3
pflog0: flags=141 metric 0 mtu 33200
FreeBSD chroot # exit

alpha# ifconfig
re0: flags=8943 metric 0 mtu 1500
        options=389b
        ether e0:69:95:77:f1:20
        inet 192.168.0.1 netmask 0xfe00 broadcast 192.168.1.255
        media: Ethernet autoselect (100baseTX )
        status: active
plip0: flags=8810 metric 0 mtu 1500
lo0: flags=8049 metric 0 mtu 16384
        options=3
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
        inet6 ::1 prefixlen 128
        inet 127.0.0.1 netmask 0xff00
        nd6 options=3
pflog0: flags=141 metric 0 mtu 33200

So, the devices are there, just no network connectivity.

> What are you trying to achieve with this, a smooth 8.x -> 9.x transition?

Well, I don't know what happened on the host system, but the kernel 
fails building, even kernel 8.2, at if_vlan. Since I decided to migrate 
to the other disk and upgrade to 9.0, I created a chrooted environment on 
the new disk and built sources there.

Now, the tricky part is that this is a headless system and I need it to 
be up, or at least be sure that I can roll back if something fails.

> You may want to, instead, install your 9.0 on a different machine
> (possibly a VM), then use dump on the filesystems to inject them
> properly on your new disk on the original machine.
>
> You should then be able to reboot on the new disk just fine.

Thanks for the suggestion, but it sounds risky; the disks are not 
identical in size.

It seems I have a workaround that will get my new disk ready: Using 
fetch-recursive I've downloaded the sources of the ports I need 
installed, so I can build in the chroot without network access.


BR, Erik

--
M: +34 666 334 818
T: +34 915 211 157


Re: No network in mixed FBSD81/90 chroot environment

2011-11-29 Thread Damien Fleuriot


On 11/29/11 1:58 PM, Erik Nørgaard wrote:
> On 29/11/2011 13:50, Erik Nørgaard wrote:
>> Today I finished make build/install world/kernel in /mnt, and now I no
>> longer have network access, interfaces are visible with ifconfig but
>> no ip is set and can't be set from within the chroot environment.
>>
>> Is this to be expected? How do I get my network access back?
> Should add: Network on the host FBSD81 system works fine.
> 

When you chroot to your /mnt/ folder you're still using the 8.x kernel
and thus the 8.x NIC drivers, with a 9.x userland.

This might be your problem.


What are you trying to achieve with this, a smooth 8.x -> 9.x transition?

You may want to, instead, install your 9.0 on a different machine
(possibly a VM), then use dump on the filesystems to inject them
properly on your new disk on the original machine.

You should then be able to reboot on the new disk just fine.


Re: No network in mixed FBSD81/90 chroot environment

2011-11-29 Thread Erik Nørgaard

On 29/11/2011 13:50, Erik Nørgaard wrote:
> Today I finished make build/install world/kernel in /mnt, and now I no 
> longer have network access, interfaces are visible with ifconfig but 
> no ip is set and can't be set from within the chroot environment.
>
> Is this to be expected? How do I get my network access back?

Should add: Network on the host FBSD81 system works fine.

--
M: +34 666 334 818
T: +34 915 211 157



No network in mixed FBSD81/90 chroot environment

2011-11-29 Thread Erik Nørgaard

Hi:

I have a system running FBSD81 and am preparing to migrate to 90 on a different 
disk, so the new disk and partitions are mounted in /mnt. To build 
FBSD90 on the new disk I mount devfs on /mnt/dev and chroot to /mnt.


Today I finished make build/install world/kernel in /mnt, and now I no 
longer have network access, interfaces are visible with ifconfig but no 
ip is set and can't be set from within the chroot environment.


Is this to be expected? How do I get my network access back?

Thanks, Erik

--
M: +34 666 334 818
T: +34 915 211 157



Re: Clarification: "Jail" -vs- "Chroot"

2010-07-14 Thread Vincent Hoffman
On 14/07/2010 00:30, Aiza wrote:
> Ed Flecko wrote:
>> Hi folks,
>> I'm reading about "jails" and "chroot", and I'm not clear about the
>> differences so I'm hoping someone can clarify this for me.
>>
>> Here's what I "think" is correct:
>>
>> 1.) FreeBSD has both "chroot" capability as well as "jail" capability.
>>
>> 2.) Only FreeBSD has true, "jail" functionality? Yes?...No?
>>
>> 3.) When reading something (book, article, etc.), is there a way to
>> determine if the author is, in fact, talking about truly a "jail" or
>> are they really just referring to a "chroot" environment? For example,
>> I have a book ("Preventing web attacks with Apache") that says:
>>
>> "Chroot is short for change root and essentially allows you to run
>> programs in a protected or jailed environment. The main benefit of a
>> chroot jail is that the jail will limit the portion of the file system
>> the daemon can see to the root directory of the jail. Additionally,
>> since the jail only needs to support Apache, the programs available in
>> the jail can be extremely limited."
>>
>> 4.) Jail is the more secure of the two options?
>>
>> 5.) When would you "typically" use a jail -vs- a chroot? The new, 2nd
>> edition of "Absolute FreeBSD" says:
>>
>> "Chrooting is useful for web servers that have multiple clients on one
>> machine—that is, web servers with many virtual hosts."
>>
>> Comments??? Suggestions???
>>
>> Thank you!
>>
>> Ed
>
> Well, let me take a shot at this. First of all, we are only talking
> about the FreeBSD operating system. The ability to chroot a directory
> tree has been available since RELEASE 2.0. The jail utility first
> appeared in RELEASE 4.0. The jail utility is just a basic effort to
> automate the building and administration of a chrooted directory tree,
> which is pretty much useless unless it contains a complete copy of the
> FreeBSD operating system binaries. 
Actually, as the manpage says, "In the other extreme case a jail might
contain only one file: the executable to be run in the jail."
You put in a jail what you need. It doesn't have to be a complete install;
it's just commonly used for that purpose. Also, a jail offers more features
than chroot, such as separate securelevels from the host, limits on the
number of child jails (hierarchical jails), etc.
> The major shortcoming of the jail command/jail system is that each jail
> has its own copy of the host's running system binaries. FreeBSD
> reserves a limited number of control structures for storing files and
> directories, called inodes. Creating a few jails consumes many of
> these valuable inodes, eventually preventing the creation of new jails
> and new files on the host. Worse yet, each jail loads its own copy
> of its running binaries into memory, which causes thrashing on the
> swap device as memory pages are swapped in and out as the limited
> memory is shared between the host and jails. Besides consuming
> resources and creating performance degradation, this also causes a
> major administration headache when wanting to update the host running
> system, because the host and the jails all have to be running the same
> RELEASE version.
>
You can run another (lower) version of the userland if you want to, as long as the
host has the correct COMPAT options in its kernel config. I'll agree on
the administration headache, though.
> Now, with some considerable hand jobbing per the jail section of the
> handbook, a jail environment can be created whereby a single copy of
> the jailed running binaries is shared among all the jails. But this
> still leaves you with an administration nightmare as the number of
> jails deployed grows past 5. Now there are some ports in the ports
> system that are utility wrappers around the jail command that try to
> address this administration nightmare. My experience with these is that
> they are very poorly documented and you really need to have a good
> grasp on how jails work and network ip address usage before they are
> useful. Their ease of use quickly evaporates as the number of jails
> deployed reaches 10.
>
> The next generation of a jail utility for the deployment of a large
> number of jails is in project phase right now. Keep checking the ports
> system for qjail.
>
I quite like ezjail but I'll be sure to keep an eye open for qjail.

Vince
> Now about what to run in a jail. Well, since each jail is like a
> complete stand-alone operating system, you can populate it with any
> application you want. The real limita
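The two extremes Vincent's reply describes, written out as an added example in jail.conf(5) syntax; this fragment is not from the thread or from any FreeBSD documentation, and jail.conf itself only appeared in FreeBSD 9.1, after this 2010 discussion (the parameters it uses, such as `securelevel`, `children.max` and `persist`, are the same ones jail(8) accepts on the command line). The paths, hostnames, interface name and addresses are assumptions chosen for illustration.

```conf
# Added example, not from the thread: one jail.conf(5) file holding a
# full-userland jail and a single-binary jail side by side.

# Settings inherited by every jail defined below.
interface = "em0";                   # assumed host NIC that ip4.addr is attached to
exec.clean;                          # start jail processes with a clean environment

# Extreme one: a complete base system installed under path and run like a
# small machine, with its own securelevel and no right to create nested jails.
www {
    path = "/jails/www";             # assumed location of an installed userland
    host.hostname = "www.example.internal";
    ip4.addr = 192.0.2.10;           # documentation-range address
    mount.devfs;                     # this jail needs a devfs; the one below does not
    exec.start = "/bin/sh /etc/rc";
    exec.stop  = "/bin/sh /etc/rc.shutdown";
    securelevel = 2;                 # independent of the host's kern.securelevel,
                                     # and may only be raised relative to it
    children.max = 0;                # hierarchical jails: none may be created inside
}

# Extreme two, as jail(8) describes it: a directory holding only the program
# to run. There is no shell, no /etc and no libraries in here, so /hello must be
# statically linked; the jail is kept alive with persist and entered on demand.
hello {
    path = "/jails/hello";           # assumed; the directory contains just /hello
    host.hostname = "hello.example.internal";
    ip4.addr = 192.0.2.11;
    persist;                         # exist with no processes; run with: jexec hello /hello
    securelevel = 3;
    children.max = 0;
}
```

What this makes visible next to a plain chroot is the part Vincent is pointing at: a chroot only changes a process's view of the filesystem, while each block above also carries its own hostname, address, securelevel and nesting limit, all enforced by the kernel for every process in the jail regardless of how little the directory contains.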

Re: Clarification: "Jail" -vs- "Chroot"

2010-07-14 Thread Valentin Bud
On Wed, Jul 14, 2010 at 2:30 AM, Aiza  wrote:

> Ed Flecko wrote:
>
>> Hi folks,
>> I'm reading about "jails" and "chroot", and I'm not clear about the
>> differences so I'm hoping someone can clarify this for me.
>>
>> Here's what I "think" is correct:
>>
>> 1.) FreeBSD has both "chroot" capability as well as "jail" capability.
>>
>> 2.) Only FreeBSD has true, "jail" functionality? Yes?...No?
>>
>> 3.) When reading something (book, article, etc.), is there a way to
>> determine if the author is, in fact, talking about truly a "jail" or
>> are they really just referring to a "chroot" environment? For example,
>> I have a book ("Preventing web attacks with Apache") that says:
>>
>> "Chroot is short for change root and essentially allows you to run
>> programs in a protected or jailed environment. The main benefit of a
>> chroot jail is that the jail will limit the portion of the file system
>> the daemon can see to the root directory of the jail. Additionally,
>> since the jail only needs to support Apache, the programs available in
>> the jail can be extremely limited."
>>
>> 4.) Jail is the more secure of the two options?
>>
>> 5.) When would you "typically" use a jail -vs- a chroot? The new, 2nd
>> edition of "Absolute FreeBSD" says:
>>
>> "Chrooting is useful for web servers that have multiple clients on one
>> machine—that is, web servers with many virtual hosts."
>>
>> Comments??? Suggestions???
>>
>> Thank you!
>>
>> Ed
>>
>
> Well let me take a shot at this. First of all we are only talking about the
> FreeBSD operating system. The ability to chroot a directory tree has been
> available since RELEASE 2.0. The jail utility first appeared in RELEASE
> 4.0. The jail utility is just a basic effort to automate the building and
> administration of a chrooted directory tree, which is pretty much useless
> unless it contains a complete copy of the FreeBSD operating system binaries.
> The major shortcoming of the jail command jail system is each jail has its
> own copy of the host's running system binaries. FreeBSD reserves a limited
> number of control structures for storing files and directories, called
> inodes. Creating a few jails consumes many of these valuable inodes,
> eventually preventing the creation of new jails and new files on the host.
> Worse yet is each jail loads its own copy of its running binaries into
> memory, which causes thrashing on the swap device as memory pages are swapped
> in and out as the limited memory is shared between the host and jails.
> Besides consuming resources and creating performance degradation, this also
> causes a major administration headache when wanting to update the host
> running system, because the host and the jails all have to be running the
> same RELEASE version.
>
> Now with some considerable hand jobbing per the jail section of the
> handbook, a jail environment can be created whereby a single copy of the
> jailed running binaries is shared among all the jails. But this still
> leaves you with an administration nightmare as the number of jails deployed
> grows past 5. Now there are some ports in the ports system that are utility
> wrappers around the jail command that try to address this administration
> nightmare. My experience with these is they are very poorly documented and
> you really need to have a good grasp on how jails work and network IP
> address usage before they are useful. Their ease of use quickly evaporates
> as the number of jails deployed reaches 10.
>
> The next generation of a jail utility for the deployment of a large number
> of jails is in project phase right now. Keep checking the ports system for
> qjail.
>
> Now about what to run in a jail. Well since each jail is like a complete
> stand-alone operating system, you can populate it with any application you
> want. The real limitation is how is that jail going to gain public internet
> access so the domain name of your Apache website can be found and accessed.
> A static IP address is pretty much required, though with some creative IP
> address assignments this can be circumvented. That's a whole other subject
> area.


Hello community,

Aiza, could you please tell us more about qjail? Google isn't very helpful
and I am very interested in the subject.

thank you.
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"


Re: Clarification: "Jail" -vs- "Chroot"

2010-07-13 Thread Aiza

Ed Flecko wrote:

Hi folks,
I'm reading about "jails" and "chroot", and I'm not clear about the
differences so I'm hoping someone can clarify this for me.

Here's what I "think" is correct:

1.) FreeBSD has both "chroot" capability as well as "jail" capability.

2.) Only FreeBSD has true, "jail" functionality? Yes?...No?

3.) When reading something (book, article, etc.), is there a way to
determine if the author is, in fact, talking about truly a "jail" or
are they really just referring to a "chroot" environment? For example,
I have a book ("Preventing web attacks with Apache") that says:

"Chroot is short for change root and essentially allows you to run
programs in a protected or jailed environment. The main benefit of a
chroot jail is that the jail will limit the portion of the file system
the daemon can see to the root directory of the jail. Additionally,
since the jail only needs to support Apache, the programs available in
the jail can be extremely limited."

4.) Jail is the more secure of the two options?

5.) When would you "typically" use a jail -vs- a chroot? The new, 2nd
edition of "Absolute FreeBSD" says:

"Chrooting is useful for web servers that have multiple clients on one
machine—that is, web servers with many virtual hosts."

Comments??? Suggestions???

Thank you!

Ed


Well let me take a shot at this. First of all we are only talking about
the FreeBSD operating system. The ability to chroot a directory tree has
been available since RELEASE 2.0. The jail utility first appeared in
RELEASE 4.0. The jail utility is just a basic effort to automate the
building and administration of a chrooted directory tree, which is
pretty much useless unless it contains a complete copy of the FreeBSD
operating system binaries. The major shortcoming of the jail command
jail system is each jail has its own copy of the host's running system
binaries. FreeBSD reserves a limited number of control structures for
storing files and directories, called inodes. Creating a few jails
consumes many of these valuable inodes, eventually preventing the
creation of new jails and new files on the host. Worse yet is each jail
loads its own copy of its running binaries into memory, which causes
thrashing on the swap device as memory pages are swapped in and out as
the limited memory is shared between the host and jails. Besides
consuming resources and creating performance degradation, this also
causes a major administration headache when wanting to update the host
running system, because the host and the jails all have to be running
the same RELEASE version.

Now with some considerable hand jobbing per the jail section of the
handbook, a jail environment can be created whereby a single copy of
the jailed running binaries is shared among all the jails. But this
still leaves you with an administration nightmare as the number of jails
deployed grows past 5. Now there are some ports in the ports system that
are utility wrappers around the jail command that try to address this
administration nightmare. My experience with these is they are very
poorly documented and you really need to have a good grasp on how jails
work and network IP address usage before they are useful. Their ease of
use quickly evaporates as the number of jails deployed reaches 10.

The next generation of a jail utility for the deployment of a large
number of jails is in project phase right now. Keep checking the ports
system for qjail.

Now about what to run in a jail. Well since each jail is like a complete
stand-alone operating system, you can populate it with any application
you want. The real limitation is how is that jail going to gain public
internet access so the domain name of your Apache website can be found
and accessed. A static IP address is pretty much required, though with
some creative IP address assignments this can be circumvented. That's a
whole other subject area.



Re: Clarification: "Jail" -vs- "Chroot"

2010-07-13 Thread Julian Fagir
Hi,

> 1.) FreeBSD has both "chroot" capability as well as "jail" capability.
Yes, it has both of them. You still want to use chroot, also it is kind of
'part' of a jail (technically perhaps it's implemented separately).

> 2.) Only FreeBSD has true, "jail" functionality? Yes?...No?
In Solaris, you have zones, and there are several projects to do the same
thing with Linux (Linux-vserver etc).

> 3.) When reading something (book, article, etc.), is there a way to
> determine if the author is, in fact, talking about truly a "jail" or
> are they really just referring to a "chroot" environment? For example,
> I have a book ("Preventing web attacks with Apache") that says:
> 
> "Chroot is short for change root and essentially allows you to run
> programs in a protected or jailed environment. The main benefit of a
> chroot jail is that the jail will limit the portion of the file system
> the daemon can see to the root directory of the jail. Additionally,
> since the jail only needs to support Apache, the programs available in
> the jail can be extremely limited."
Usually, only FreeBSD-specific books will talk about jails, as chroot is the
generic Unix-way for that. Anyway, in many cases you can use a jail for the
same things a chroot-environment is talked about.
In this case, I think he's really talking about a chroot, as he's only
talking about the file system, not the network etc.

> 4.) Jail is the more secure of the two options?
I cannot really answer this, but a jail is the more separated way. So, I
would say, a jail is more secure. If the extras of a jail are not needed, it
is perhaps more insecure, as there are more points to break into the system.
But, don't rely on my answer, I never looked at the kernel-side of jails the
very technical way.

> 5.) When would you "typically" use a jail -vs- a chroot? The new, 2nd
> edition of "Absolute FreeBSD" says:
> 
> "Chrooting is useful for web servers that have multiple clients on one
> machine—that is, web servers with many virtual hosts."
On the FreeBSD-machines I manage, I use chroot for the services that are not
that security-relevant or can easily be separated, i.e. on some
distributions you can put your apache or bind easily into a
chroot-environment.
Also, a chroot-environment can have other targets than a jail, e.g. if you
only want to have another file system-visibility instead of a new jail as you
do when you have to start with a live-cd into a non-booting system.


Sorry for my English. :)
Regards, Julian


Clarification: "Jail" -vs- "Chroot"

2010-07-13 Thread Ed Flecko
Hi folks,
I'm reading about "jails" and "chroot", and I'm not clear about the
differences so I'm hoping someone can clarify this for me.

Here's what I "think" is correct:

1.) FreeBSD has both "chroot" capability as well as "jail" capability.

2.) Only FreeBSD has true, "jail" functionality? Yes?...No?

3.) When reading something (book, article, etc.), is there a way to
determine if the author is, in fact, talking about truly a "jail" or
are they really just referring to a "chroot" environment? For example,
I have a book ("Preventing web attacks with Apache") that says:

"Chroot is short for change root and essentially allows you to run
programs in a protected or jailed environment. The main benefit of a
chroot jail is that the jail will limit the portion of the file system
the daemon can see to the root directory of the jail. Additionally,
since the jail only needs to support Apache, the programs available in
the jail can be extremely limited."

4.) Jail is the more secure of the two options?

5.) When would you "typically" use a jail -vs- a chroot? The new, 2nd
edition of "Absolute FreeBSD" says:

"Chrooting is useful for web servers that have multiple clients on one
machine—that is, web servers with many virtual hosts."

Comments??? Suggestions???

Thank you!

Ed


Re: chroot scp only network storage?

2010-05-26 Thread Matthew Law
On Tue, May 25, 2010 11:23 pm, Balázs Mátéffy wrote:
> Hello,
>
>
> Try /usr/ports/shells/scponly .
>
> Look up the features, this way you can assign the restrictive scponly
> shell
> to the users:
>
> http://sublimation.org/scponly/wiki/index.php/Main_Page

Thanks,

I have used this before on Linux. In this case it might not be exactly
what I want.


Thanks,

Matt



Re: chroot scp only network storage?

2010-05-26 Thread Matthew Law

On Tue, May 25, 2010 11:05 pm, Matthew Seaman wrote:
> Checkout the security/openssh-portable port which has options to enable
> chroot'ing.  You should be able to configure the account to only be able
> to use scp(1) or sftp(1) by editing sshd_config or by using forced
> commands in the user authorized_keys files.

This sounds pretty close to what I want.  I don't want the user to be able
to get a shell on the box but do want to allow them to run a small subset
of useful commands over ssh such as 'ls' and of course scp files to and
from it.

> Another alternative is WebDAV.  Run it over HTTPS for security, and use
> the standard Apache authn/authz controls to give each user access to
> only their own area.  In principle your users can mount their WebDAV
> areas as networked filesystems on their desktops.  In practice, this
> works fine with MacOS X, is horribly buggy under Windows, needs quite a
> lot of effort to make work on Linux, and I don't think it's actually
> available at all on FreeBSD.  However, commandline clients like cadaver
> will work fine on anything Unixy.

I've had problems with exactly this before on Linux.  I only need to allow
Linux, FreeBSD and Solaris users access to this resource so will persevere
with something SSH based I think.


Thanks,

Matt.



Re: chroot scp only network storage?

2010-05-25 Thread Balázs Mátéffy
Hello,


Try /usr/ports/shells/scponly .

Look up the features, this way you can assign the restrictive scponly shell
to the users:

http://sublimation.org/scponly/wiki/index.php/Main_Page

Best Regards:

Balázs Mátéffy



On 26 May 2010 00:05, Matthew Seaman wrote:

> On 25/05/2010 22:29:57, Matthew Law wrote:
> >
> > I want to provide some users with secure network attached storage over
> > SCP.  The intent is to provide people with a similar thing to, e.g.
> > rsync.net but inside of our network only.
> >
> > Security is obviously a priority so I would like each user to be chrooted
> > into their allocated directory and allow them only to execute a small set
> > of commands.
>
> Checkout the security/openssh-portable port which has options to enable
> chroot'ing.  You should be able to configure the account to only be able
> to use scp(1) or sftp(1) by editing sshd_config or by using forced
> commands in the user authorized_keys files.
>
> > I have come across scponly before.  Is this the best way of achieving
> this
> > with FreeBSD or is there some other better way?
>
> Another alternative is WebDAV.  Run it over HTTPS for security, and use
> the standard Apache authn/authz controls to give each user access to
> only their own area.  In principle your users can mount their WebDAV
> areas as networked filesystems on their desktops.  In practice, this
> works fine with MacOS X, is horribly buggy under Windows, needs quite a
> lot of effort to make work on Linux, and I don't think it's actually
> available at all on FreeBSD.  However, commandline clients like cadaver
> will work fine on anything Unixy.
>
>Cheers
>
>Matthew
>
> - --
> Dr Matthew J Seaman MA, D.Phil.   7 Priory Courtyard
>  Flat 3
> PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate
> JID: matt...@infracaninophile.co.uk   Kent, CT11 9PW


Re: chroot scp only network storage?

2010-05-25 Thread Matthew Seaman

On 25/05/2010 22:29:57, Matthew Law wrote:
> 
> I want to provide some users with secure network attached storage over
> SCP.  The intent is to provide people with a similar thing to, e.g.
> rsync.net but inside of our network only.
> 
> Security is obviously a priority so I would like each user to be chrooted
> into their allocated directory and allow them only to execute a small set
> of commands.

Checkout the security/openssh-portable port which has options to enable
chroot'ing.  You should be able to configure the account to only be able
to use scp(1) or sftp(1) by editing sshd_config or by using forced
commands in the user authorized_keys files.

> I have come across scponly before.  Is this the best way of achieving this
> with FreeBSD or is there some other better way?

Another alternative is WebDAV.  Run it over HTTPS for security, and use
the standard Apache authn/authz controls to give each user access to
only their own area.  In principle your users can mount their WebDAV
areas as networked filesystems on their desktops.  In practice, this
works fine with MacOS X, is horribly buggy under Windows, needs quite a
lot of effort to make work on Linux, and I don't think it's actually
available at all on FreeBSD.  However, commandline clients like cadaver
will work fine on anything Unixy.

Cheers

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.   7 Priory Courtyard
  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate
JID: matt...@infracaninophile.co.uk   Kent, CT11 9PW
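The authorized_keys side of the advice above, as an added example that is not Matthew Seaman's code or anything from the thread: a key entry can be pinned to one command with the session features a shell would need switched off, so the account gets scp/sftp and nothing else, and the same rules can be used to audit an existing key file. Assumed values are mine: "internal-sftp" (sshd's built-in sftp server) as the forced command, and a constructed sample key file whose key material is a placeholder, not real keys.

```sh
#!/bin/sh
# Added example (not code from the thread). Builds sftp-only authorized_keys
# entries and audits a key file for entries that would still hand out a
# shell. Assumptions: forced command "internal-sftp"; the sample file below
# is constructed and its keys are placeholders.

# Prefix a "type base64 comment" line from ssh-keygen with the options that
# make it sftp-only. The single option "restrict" (OpenSSH 7.2 and later)
# implies all of the no-* options; the long form is spelled out because it
# also works on the OpenSSH 5.x the thread is using.
render_sftp_only_key() {
    printf 'command="internal-sftp",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty %s\n' "$1"
}

# True if comma-separated option list $1 contains option $2 exactly.
# Assumes no option value contains a comma (a command="..." value with
# embedded commas would need a real parser).
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Classify one authorized_keys line:
#   skip        blank or comment
#   shell       no forced command: the key holder gets the account's shell
#               (unless sshd_config forces a command for them)
#   partial     forced command, but pty or forwarding still allowed
#   restricted  forced command and no pty/forwarding
classify_key_line() {
    line=$1
    case $line in
        ''|'#'*) echo skip; return 0 ;;
    esac
    # The options field is whatever precedes the key-type token. Assumes
    # ssh-* or ecdsa-sha2-* key types and that the options text itself never
    # contains those strings.
    opts=$line
    case $line in *ssh-*) opts=${line%%ssh-*} ;; esac
    case $line in *ecdsa-sha2-*) opts=${line%%ecdsa-sha2-*} ;; esac
    opts=$(printf '%s' "$opts" | sed 's/[[:space:]]*$//')
    case $opts in
        *command=\"*) ;;
        *) echo shell; return 0 ;;
    esac
    if has_opt "$opts" restrict; then
        echo restricted
    elif has_opt "$opts" no-pty && has_opt "$opts" no-port-forwarding \
        && has_opt "$opts" no-X11-forwarding && has_opt "$opts" no-agent-forwarding; then
        echo restricted
    else
        echo partial
    fi
}

# Audit a whole authorized_keys file: one "verdict comment" line per key.
audit_authorized_keys() {
    while IFS= read -r line || [ -n "$line" ]; do
        verdict=$(classify_key_line "$line")
        [ "$verdict" = skip ] && continue
        printf '%-10s %s\n' "$verdict" "${line##* }"   # last field is the key comment
    done < "$1"
    return 0
}

# Number of keys in file $1 whose verdict is $2.
count_by_verdict() {
    audit_authorized_keys "$1" | grep -c "^$2 " || true
}

# Constructed sample file; the key material is a placeholder, not a key.
write_sample_keys() {
    cat > "$1" <<'EOF'
# constructed sample authorized_keys (placeholder keys)
command="internal-sftp",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-ed25519 AAAAC3NzaC1lZDI1NTE5PLACEHOLDER alice@example
restrict,command="internal-sftp" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5PLACEHOLDER bob@example
ssh-rsa AAAAB3NzaC1yc2EPLACEHOLDER carol@example
no-pty ssh-ed25519 AAAAC3NzaC1lZDI1NTE5PLACEHOLDER dave@example
command="internal-sftp" ecdsa-sha2-nistp256 AAAAE2VjZHNhPLACEHOLDER eve@example
EOF
}

# Stand-alone run: audit the constructed sample.
sample=$(mktemp)
write_sample_keys "$sample"
audit_authorized_keys "$sample"
rm -f "$sample"
```

One caveat the audit makes visible: options in authorized_keys only hold if the user cannot edit the file. A user whose home directory is writable (as it must be for sftp uploads) can rewrite their own ~/.ssh/authorized_keys and drop the options, so either point AuthorizedKeysFile at a root-owned location or put the restriction in sshd_config (ForceCommand in a Match block), where the user cannot touch it. The key options also do nothing about which directories the user sees; that is what ChrootDirectory is for.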


chroot scp only network storage?

2010-05-25 Thread Matthew Law

I want to provide some users with secure network attached storage over
SCP.  The intent is to provide people with a similar thing to, e.g.
rsync.net but inside of our network only.

Security is obviously a priority so I would like each user to be chrooted
into their allocated directory and allow them only to execute a small set
of commands.

I have come across scponly before.  Is this the best way of achieving this
with FreeBSD or is there some other better way?

Thanks in advance,

Matt.



How can I confirm proper chroot ?

2010-04-20 Thread George Sanders
Hello,

I am using a particular program that has a command line option to "chroot to 
the current directory".

But I would like to make sure ... I want to be sure what directory the 
executable is actually rooted in.

How can I do this ?  Perhaps with lsof ?

I don't see any information from the 'ps' output that would give me definitive 
information:

nobody   96074  0.0  0.1  8804  3896  ??  Ss   11:16AM   0:00.01 
/usr/local/sbin/thttpd -d /htdocs -r -l /dev/null

So I'd like some independent confirmation of where this running program is 
actually rooted...

Thanks.


  



Re: chroot a few apps

2010-01-09 Thread krad
2010/1/9 Vadkan Jozsef 

> Hi.
>
> What kind of chroot should I use, if I want to make a more secured
> desktop, running e.g.:
>
> pdf reader
> webbrowser
> audio player
> video player
> openoffice
> picture viewer
> mua
> ooo
> virtualbox
>
> e.g.: if there's a javascript vulnerability in Google Chrome [I haven't
> heard of a NoScript extension for it :( ] a chroot would be good for
> stopping it from doing something bad with the whole system.
>
> or e.g.: I have to open a .doc file, that I don't trust, or a PDF can
> contain malicious code :(
>
> Any tips/docs/howtos?
>
> Thank you!
>

The best way might be to look at implementing the TrustedBSD MAC system.
It's a bit hairy though and would take a while to get your head around.


chroot a few apps

2010-01-09 Thread Vadkan Jozsef
Hi.

What kind of chroot should I use, if I want to make a more secured
desktop, running e.g.:

pdf reader
webbrowser
audio player
video player
openoffice
picture viewer
mua
ooo
virtualbox

e.g.: if there's a javascript vulnerability in Google Chrome [I haven't
heard of a NoScript extension for it :( ] a chroot would be good for
stopping it from doing something bad with the whole system.

or e.g.: I have to open a .doc file, that I don't trust, or a PDF can
contain malicious code :(

Any tips/docs/howtos?

Thank you!



Re: chroot SSH users.

2009-12-28 Thread krad
2009/12/27 Marwan Sultan 

>
> Dear Krad,
>  Thank you for your reply. Regarding your answer, I have a few questions here
>
> 1-
>  In the sshd_config file the default line is:
>  Subsystem sftp /usr/libexec/sftp-server
>
>  So should I comment out the line? or just add your line?
>  Subsystem sftp internal-sftp
>
>
Either should work, however I only know that the one I put works.


> 2- the SSH is the default one that comes with FreeBSD, I of course did not
> compile SSH in the system. Are you asking me to install additional packages?
> or to recompile ssh when you wrote:
>
> "Make sure chroot support was compiled in"
>
>

Default should probably be OK, but again I haven't actually tested it so
can't say for certain. If you do ever upgrade the base ssh from ports make
sure you have the chroot bit compiled in.


> 3- SSH users are using passwords not keygen, where do I get the keys for
> their login?
>
>  Thank you
>
> - Marwan
>
You don't need to use key based auth, but I generally do. The users have
to create them with ssh-keygen. I usually use dsa. If you support Windows
users stay away from puttygen. It does work fine, it's just that it tends to
generate keys in the wrong format which often leads to confusion.


>
> > >
> > > Hello people,
>
> > > I'm on FreeBSD 7.2-R P5
> > >
> > > Its easy to chroot ftp users - adding users to /etc/ftpchroot -makes
> the
> > > job easy.
> > >
> > > How about if I want to chroot the SSH users (not ftp)
> > >
> > > any easy way? no need for jail installation or anything like this..
> >> > I saw sshd_config file and it has a chrootdirectory but not sure how
> to
> > > use it..
> > > Anyone? any tips? any easy way?
> > > Thank you
> > > -Marwan
> > >
> > >
> > >
>
> >
> > fairly easy if you read the man page 8) I wrote this howto for sun boxes
> > at work but it was using openssh so same rules should apply. Make sure
> > chroot support was compiled in though
> >
> > 1. Don't bother with Sun SSH, it won't work. OpenSolaris and later Solaris
> >    10 are bundled with OpenSSH though.
> > 2. Make sure the OpenSSH version is 5 or above (some 4s do work but 5 is
> >    better)
> > 3. Add these lines to sshd config
> >
> >    Match Group sftponly
> >        ChrootDirectory /home/chroot/%u
> >        X11Forwarding no
> >        AllowTcpForwarding no
> >        ForceCommand internal-sftp
> >
> > 4. Make sure the Subsystem line is this
> >
> >    Subsystem sftp internal-sftp
> >
> > 5. create the sftponly group on the system
> > 6. put the relevant users in this group. be careful as you will stop them
> >    being able to ssh in!!
> > 7. Dead important this bit !!!
> >
> >    mkdir -p /home/chroot//home//.ssh
> >    chown -R root /home/chroot/
> >    chown -R  /home/chroot/
> >    chmod -R 755 /home/chroot/ /home/chroot//home/
> >    ln -s /home/chroot//home/ /home/.
> >
> > 8. Put their ssh keys in /home/chroot//home//.ssh
> >
> > All should now work
> >
> > If not check /etc/shadow the account might be locked, this just caught me
> > out :)


Re: chroot SSH users.

2009-12-28 Thread krad
2009/12/28 Tijl Coosemans 

> On Sunday 27 December 2009 18:16:47 krad wrote:
> > fairly easy if you read the man page 8) I wrote this howto for sun
> > boxes at work but it was using openssh so same rules should apply.
> > Make sure chroot support was compiled in though
> >
> > 1. Don't bother with Sun SSH, it won't work. OpenSolaris and later
> >    Solaris 10 are bundled with OpenSSH though.
> > 2. Make sure the OpenSSH version is 5 or above (some 4s do work but 5
> >    is better)
> > 3. Add these lines to sshd config
> >
> >    Match Group sftponly
> >        ChrootDirectory /home/chroot/%u
> >        X11Forwarding no
> >        AllowTcpForwarding no
> >        ForceCommand internal-sftp
> >
> > 4. Make sure the Subsystem line is this
> >
> >    Subsystem sftp internal-sftp
> >
> > 5. create the sftponly group on the system
> > 6. put the relevant users in this group. be careful as you will stop
> >    them being able to ssh in!!
> > 7. Dead important this bit !!!
> >
> >    mkdir -p /home/chroot//home//.ssh
> >    chown -R root /home/chroot/
> >    chown -R  /home/chroot/
>
> Shouldn't this line be:
>   chown -R  /home/chroot//home/

Strictly yes, I probably missed a step where I symlinked it, as I was copying
stuff from the shell history.


>
> >    chmod -R 755 /home/chroot/ /home/chroot//home/
> >    ln -s /home/chroot//home/ /home/.
> >
> > 8. Put their ssh keys in /home/chroot//home//.ssh
> >
> > All should now work
>
>


Re: chroot SSH users.

2009-12-28 Thread Tijl Coosemans
On Sunday 27 December 2009 18:16:47 krad wrote:
> fairly easy if you read the man page 8) I wrote this howto for sun
> boxes at work but it was using openssh so same rules should apply.
> Make sure chroot support was compiled in though
> 
> 1. Don't bother with Sun SSH, it won't work. OpenSolaris and later
>    Solaris 10 are bundled with OpenSSH though.
> 2. Make sure the OpenSSH version is 5 or above (some 4s do work but 5
>    is better)
> 3. Add these lines to sshd config
> 
>    Match Group sftponly
>        ChrootDirectory /home/chroot/%u
>        X11Forwarding no
>        AllowTcpForwarding no
>        ForceCommand internal-sftp
> 
> 4. Make sure the Subsystem line is this
> 
>    Subsystem sftp internal-sftp
> 
> 5. create the sftponly group on the system
> 6. put the relevant users in this group. be careful as you will stop
>    them being able to ssh in!!
> 7. Dead important this bit !!!
> 
>    mkdir -p /home/chroot//home//.ssh
>    chown -R root /home/chroot/
>    chown -R  /home/chroot/

Shouldn't this line be:
   chown -R  /home/chroot//home/

>    chmod -R 755 /home/chroot/ /home/chroot//home/
>    ln -s /home/chroot//home/ /home/.
> 
> 8. Put their ssh keys in /home/chroot//home//.ssh
> 
> All should now work



RE: chroot SSH users.

2009-12-27 Thread Marwan Sultan

 

Dear Krad,

 Thank you for your reply. Regarding your answer, I have a few questions here.

1- In the sshd_config file the default line is:

 Subsystem sftp /usr/libexec/sftp-server

 So should I comment out the line? or just add your line?

 Subsystem sftp internal-sftp

2- The SSH is the default one that comes with FreeBSD, I of course did not
compile SSH in the system. Are you asking me to install additional packages?
or to recompile ssh when you wrote:

"Make sure chroot support was compiled in"

3- SSH users are using passwords not keygen, where do I get the keys for their
   login?

 Thank you

- Marwan


> >
> > Hello people,

> > I'm on FreeBSD 7.2-R P5
> >
> > Its easy to chroot ftp users - adding users to /etc/ftpchroot -makes the
> > job easy.
> >
> > How about if I want to chroot the SSH users (not ftp)
> >
> > any easy way? no need for jail installation or anything like this..
>> > I saw sshd_config file and it has a chrootdirectory but not sure how to
> > use it..
> > Anyone? any tips? any easy way?
> > Thank you
> > -Marwan
> >
> >
> > 

> 
> fairly easy if you read the man page 8) I wrote this howto for sun boxes at
> work but it was using openssh so same rules should apply. Make sure chroot
> support was compiled in though
> 
> 1. Don't bother with Sun SSH, it won't work. OpenSolaris and later Solaris
>    10 are bundled with OpenSSH though.
> 2. Make sure the OpenSSH version is 5 or above (some 4s do work but 5 is
>    better)
> 3. Add these lines to sshd config
> 
>    Match Group sftponly
>        ChrootDirectory /home/chroot/%u
>        X11Forwarding no
>        AllowTcpForwarding no
>        ForceCommand internal-sftp
> 
> 4. Make sure the Subsystem line is this
> 
>    Subsystem sftp internal-sftp
> 
> 5. create the sftponly group on the system
> 6. put the relevant users in this group. be careful as you will stop them
>    being able to ssh in!!
> 7. Dead important this bit !!!
> 
>    mkdir -p /home/chroot//home//.ssh
>    chown -R root /home/chroot/
>    chown -R  /home/chroot/
>    chmod -R 755 /home/chroot/ /home/chroot//home/
>    ln -s /home/chroot//home/ /home/.
> 
> 8. Put their ssh keys in /home/chroot//home//.ssh
> 
> All should now work
> 
> If not check /etc/shadow the account might be locked, this just caught me
> out :)

  


Re: chroot SSH users.

2009-12-27 Thread krad
2009/12/27 Marwan Sultan 

>
> Hello people,
>
>  I'm on FreeBSD 7.2-R P5
>
>  It's easy to chroot ftp users - adding users to /etc/ftpchroot -makes the
> job easy.
>
>  How about if I want to chroot the SSH users (not ftp)
>
>  any easy way? no need for jail installation or anything like this..
>
>  I saw sshd_config file and it has a chrootdirectory but not sure how to
> use it..
>
>  Anyone? any tips? any easy way?
>
>  Thank you
>
> -Marwan
>


fairly easy if you read the man page 8) I wrote this howto for sun boxes at
work but it was using openssh so same rules should apply. Make sure chroot
support was compiled in though


1. Don't bother with sun ssh it won't work. Opensolaris and later solaris
10 are bundled with openssh though.
2. Make sure openssh version is 5 or above (some 4s do work but 5 better)
3. Add these lines to sshd config

Match Group sftponly
ChrootDirectory /home/chroot/%u
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp

4. Make sure the Subsystem line is this

Subsystem sftp internal-sftp

5. create the sftponly group on the system
6. put the relevant users in this group. be careful as you will stop them
being able to ssh in!!
7. Dead important this bit !!!

mkdir -p /home/chroot//home//.ssh
chown -R root /home/chroot/
chown -R  /home/chroot/
chmod -R 755 /home/chroot/ /home/chroot//home/
ln -s /home/chroot//home/ /home/.

8. Put their ssh keys in /home/chroot//home//.ssh

All should now work

If not check /etc/shadow the account might be locked, this just caught me
out :)


chroot SSH users.

2009-12-26 Thread Marwan Sultan

Hello people,

I'm on FreeBSD 7.2-R P5

It's easy to chroot ftp users - adding users to /etc/ftpchroot -makes the job
easy.

How about if I want to chroot the SSH users (not ftp)

any easy way? no need for jail installation or anything like this..

I saw sshd_config file and it has a chrootdirectory but not sure how to use
it..

Anyone? any tips? any easy way?

Thank you

-Marwan
  


7.0 stable + postfix - how to setup chroot?

2009-10-15 Thread Laszlo Nagy

What I already did:

syslogd_flags="-s -l /var/spool/postfix/var/run/log"   # put into 
/etc/rc.conf


Then I changed "n" to "y" for all lines in 
/usr/local/etc/postfix/master.cf in the "chroot" column.


But I don't know how to create chrooted environment under 
/var/spool/postfix. Is there a command that can create it for me? Or is 
there a manual telling what files I need to copy from my root fs?


Thanks,

  Laszlo




problems with chroot with mod_security on freebsd

2009-07-22 Thread Rajaie Issaid
Hi,

I have FreeBSD 7.2-RELEASE installed on amd64, I installed apache22 with
mod_security2, when I try to activate the SecChroot, the below errors
appear, the documentation denotes that it should be straightforward
without any problem, but apparently I have a problem with mod_rewrite.

I have created the folders of /var/run, /var/run/cache, /var/run/logs,
and even /var/log, and the domains are logging httpd-access & error inside
the chroot.

Any clues about this issue?

Starting apache22.
httpd: Could not reliably determine the server's fully qualified domain name, using server01.davincihosting.com for ServerName
[Wed Jul 22 01:44:46 2009] [notice] ModSecurity: chroot checkpoint #1 (pid=41214 ppid=41209)
[Wed Jul 22 01:44:46 2009] [notice] ModSecurity for Apache/2.5.9 (http://www.modsecurity.org/) configured.
[Wed Jul 22 01:44:46 2009] [notice] Original server signature: Apache/2.2.11 (FreeBSD) DAV/2
server01# [Wed Jul 22 01:44:46 2009] [notice] Digest: generating secret for digest authentication ...
[Wed Jul 22 01:44:46 2009] [notice] Digest: done
[Wed Jul 22 01:44:47 2009] [notice] ModSecurity: chroot checkpoint #2 (pid=41215 ppid=1)
[Wed Jul 22 01:44:47 2009] [notice] ModSecurity: chroot successful, path=/home/www
[Wed Jul 22 01:44:47 2009] [crit] (2)No such file or directory: mod_rewrite: could not init rewrite log lock in child
[Wed Jul 22 01:44:47 2009] [crit] (2)No such file or directory: mod_rewrite: could not init rewrite log lock in child
[Wed Jul 22 01:44:47 2009] [notice] Apache/2.2.11 (FreeBSD) DAV/2 PHP/5.2.10 with Suhosin-Patch    WeB Hosting Server configured -- resuming normal operations
[Wed Jul 22 01:44:47 2009] [crit] (2)No such file or directory: mod_rewrite: could not init rewrite log lock in child
[Wed Jul 22 01:44:47 2009] [crit] (2)No such file or directory: mod_rewrite: could not init rewrite log lock in child
[Wed Jul 22 01:44:47 2009] [crit] (2)No such file or directory: mod_rewrite: could not init rewrite log lock in child
 

 



Re: FreeBSD 5.4 chroot

2008-08-26 Thread Mihai Donțu
On Monday 25 August 2008, Kris Kennaway wrote:
> Mihai Donțu wrote:
> > Hi,
> >
> > I've just installed a FreeBSD 6.0-RELEASE and I need a FreeBSD
> > 5.4-RELEASE chroot to build something in it (hw shortage). All nice and
> > dandy, until I hit a /dev problem:
> >
> > # svn up
> > svn: PROPFIND request failed on '/svn/project'
> > svn: PROPFIND of '/svn/project': SSL negotiation failed: SSL disabled due
> > to lack of entropy (https://svn.host.com)
> >
> > # ls -l /dev/random
> > crw-rw-rw-  1 root  wheel  249,   0 Aug 25 16:19 /dev/random
> >
> > # cat /dev/random
> > cat: /dev/random: Socket operation on non-socket
> >
> > # rm /dev/random
> >
> > # mknod /dev/mknod random c 0 10 root:wheel
> >
> > # chmod 0666 /dev/random
> >
> > # ls -l /dev/random
> > crw-rw-rw-  1 root  wheel    0,  10 Aug 25 18:28 /dev/random
> >
> > # cat /dev/random
> > cat: /dev/random: Socket operation on non-socket
> >
> > Clearly, all those years of Linux chroot-ing have affected my brain, but
> > Google isn't very helpful either. :) Could someone, please, hint me about
> > what I'm doing wrong?
>
> mount a devfs instance to create the devices (see mount_devfs) instead
> of trying to mknod them by hand.

Works like magic. :) Thanks!

-- 
Mihai Donțu


Re: FreeBSD 5.4 chroot

2008-08-25 Thread Kris Kennaway

Mihai Donțu wrote:

Hi,

I've just installed a FreeBSD 6.0-RELEASE and I need a FreeBSD 5.4-RELEASE 
chroot to build something in it (hw shortage). All nice and dandy, until I 
hit a /dev problem:


# svn up
svn: PROPFIND request failed on '/svn/project'
svn: PROPFIND of '/svn/project': SSL negotiation failed: SSL disabled due to 
lack of entropy (https://svn.host.com)


# ls -l /dev/random
crw-rw-rw-  1 root  wheel  249,   0 Aug 25 16:19 /dev/random

# cat /dev/random
cat: /dev/random: Socket operation on non-socket

# rm /dev/random

# mknod /dev/mknod random c 0 10 root:wheel

# chmod 0666 /dev/random

# ls -l /dev/random
crw-rw-rw-  1 root  wheel    0,  10 Aug 25 18:28 /dev/random

# cat /dev/random
cat: /dev/random: Socket operation on non-socket

Clearly, all those years of Linux chroot-ing have affected my brain, but 
Google isn't very helpful either. :) Could someone, please, hint me about 
what I'm doing wrong?


mount a devfs instance to create the devices (see mount_devfs) instead 
of trying to mknod them by hand.


Kris


FreeBSD 5.4 chroot

2008-08-25 Thread Mihai Donțu
Hi,

I've just installed a FreeBSD 6.0-RELEASE and I need a FreeBSD 5.4-RELEASE 
chroot to build something in it (hw shortage). All nice and dandy, until I 
hit a /dev problem:

# svn up
svn: PROPFIND request failed on '/svn/project'
svn: PROPFIND of '/svn/project': SSL negotiation failed: SSL disabled due to 
lack of entropy (https://svn.host.com)

# ls -l /dev/random
crw-rw-rw-  1 root  wheel  249,   0 Aug 25 16:19 /dev/random

# cat /dev/random
cat: /dev/random: Socket operation on non-socket

# rm /dev/random

# mknod /dev/mknod random c 0 10 root:wheel

# chmod 0666 /dev/random

# ls -l /dev/random
crw-rw-rw-  1 root  wheel    0,  10 Aug 25 18:28 /dev/random

# cat /dev/random
cat: /dev/random: Socket operation on non-socket

Clearly, all those years of Linux chroot-ing have affected my brain, but 
Google isn't very helpful either. :) Could someone, please, hint me about 
what I'm doing wrong?

Thank you,

-- 
Mihai Donțu


Getting PAM up inside chroot issues

2008-07-02 Thread Unga
Hi all

I'm trying to get PAM up inside a chroot. I'm using FreeBSD 7.0 on i386.

su -l shows following error:
su: pam_start: system error

strace su -l shows following failures:
access("/etc/localtime", R_OK)  = 0
open("/etc/localtime", O_RDONLY) = 4
fstat(4, {st_mode=S_IFLNK|S_ISGID|052, st_size=18445798717047743530, ...}) = 0
read(4, "3\244\374\377*\244\374\3773\244\374\3773\244\374\3773\244"..., 7944) = 171
close(4) = 0
socket(PF_UNIX, SOCK_DGRAM, 0)  = 4
fcntl(4, F_SETFD, FD_CLOEXEC)   = 0
connect(4, {sa_family=0xa4 /* AF_??? */, sa_data="\374\377\\[x\0%02x\0%1x"}, 106) = -1 ENOENT (No such file or directory)
connect(4, {sa_family=0x2f /* AF_??? */, sa_data="ystem call\0Inp"}, 106) = -1 ENOENT (No such file or directory)
connect(4, {sa_family=0x74 /* AF_??? */, sa_data="d processes\0Re"}, 106) = -1 ENOENT (No such file or directory)
close(4) = 0
sendto(-1, "source deadlock avoided\0Cannot a"..., 72, 0, NULL, 0) = -1 EBADF (Bad file descriptor)
socket(PF_UNIX, SOCK_DGRAM, 0)  = 4
fcntl(4, F_SETFD, FD_CLOEXEC)   = 0
connect(4, {sa_family=0x6c /* AF_??? */, sa_data="nk\0\0\0\0Operatio"}, 106) = -1 ENOENT (No such file or directory)

There is no failure up to reading the  /etc/localtime.

This shows the socket (fd=4) disappeared before the connect. 

What am I still missing in my chroot? Where does this socket get created? is it 
the current directory where su initiated or somewhere else? 

Appreciate your help to identify the cause.

Kind regards
Unga


  


Re: It is safe to build ports for 7.0 from a 6.3 chroot?

2008-03-04 Thread José García Juanino
On 04/03/2008, Mel <[EMAIL PROTECTED]> wrote:
> On Tuesday 04 March 2008 01:48:37 Bogdan Ćulibrk wrote:
>  >
>  > 0) Do I need to reinvent wheel?
>  >
>  >
>  > Joke off. Really, why would you try alternate way of upgrading, when
>  > there's straight way to do it?
>
>
> Minimize downtime of services provided by ports?
>
>  Jose: take a look at Tinderbox - it does exactly what you want to do: build
>  ports for OS release X on OS release Y, using chroot. If you're unsure about
>  your own method, because of OSVERSION or similar, do it using Tinderbox.

Thank you very much for your responses.
The aim is, as you comment, minimize downtime of services. Also, I
want to switch back to the 6.3 release in a fast way if I find some
problem running the new one. Therefore, I cannot erase the 6.3
release.

Best regards

Re: It is safe to build ports for 7.0 from a 6.3 chroot?

2008-03-04 Thread Bogdan Ćulibrk


Mel wrote:
|
| Just cause it doesn't fall into your 95% slice, doesn't make it messy. It's in
| fact cleaner then using compat6x, *because* compat6x doesn't fall into the
| category of potential causes when things don't work.
| FYI: tinderbox is based on the pointyhat build cluster, which makes all
| the 'messy' packages for the FreeBSD package servers.
|

I will stop discussion right here, because it has tendency to bring out
endless flame of you-know-what-about.
Starter of this thread didn't even  mention what services he is running
and just by that is pointless to discuss about approaches in upgrade of
anything.

Hats off to tinderbox or however binary packages are made, but that has
nothing to do on how to upgrade freebsd system.




--
Best regards,
Bogdan Culibrk
[EMAIL PROTECTED] http://default.co.yu/~bc


Re: It is safe to build ports for 7.0 from a 6.3 chroot?

2008-03-04 Thread Mel
On Tuesday 04 March 2008 13:07:21 Bogdan Ćulibrk wrote:
> Mel wrote:
> | Minimize downtime of services provided by ports?
> |
> | Jose: take a look at Tinderbox - it does exactly what you want to do: build
> | ports for OS release X on OS release Y, using chroot. If you're unsure about
> | your own method, because of OSVERSION or similar, do it using Tinderbox.
>
> IMHO, the usual procedure described in handbook will satisfy 95% of
> upgrade scenarios. Others can install compat6x port right after (or
> before) reboot.

And then upgrade all ports, while the services are running?

> In any case, be free to try whatever scenario works for you, but I would
> ~ not like to be the one who inherits server with such 'messy-upgrade' :|

Just cause it doesn't fall into your 95% slice, doesn't make it messy. It's in 
fact cleaner then using compat6x, *because* compat6x doesn't fall into the 
category of potential causes when things don't work.
FYI: tinderbox is based on the pointyhat build cluster, which makes all 
the 'messy' packages for the FreeBSD package servers.

-- 
Mel

Problem with today's modular software: they start with the modules
and never get to the software part.


Re: It is safe to build ports for 7.0 from a 6.3 chroot?

2008-03-04 Thread Bogdan Ćulibrk


Mel wrote:
|
| Minimize downtime of services provided by ports?
|
| Jose: take a look at Tinderbox - it does exactly what you want to do: build
| ports for OS release X on OS release Y, using chroot. If you're unsure about
| your own method, because of OSVERSION or similar, do it using Tinderbox.
|

IMHO, the usual procedure described in handbook will satisfy 95% of
upgrade scenarios. Others can install compat6x port right after (or
before) reboot.

In any case, be free to try whatever scenario works for you, but I would
~ not like to be the one who inherits server with such 'messy-upgrade' :|


--
Best regards,
Bogdan Culibrk
[EMAIL PROTECTED] http://default.co.yu/~bc


Re: It is safe to build ports for 7.0 from a 6.3 chroot?

2008-03-03 Thread Mel
On Tuesday 04 March 2008 01:48:37 Bogdan Ćulibrk wrote:
> Jose Garcia Juanino wrote:
> | Hi everybody
> |
> | Actually, I do the following in order to update from 6.3 to 7.0:
> |
> | 1) dump my actual 6.3 filesystems /, /var and /usr into three new
> | ones: /rel70, /rel70/usr and /rel70/var (I use the dump command, of
> | course)
> |
> | 2) chroot /rel70 and mergemaster -p + buildkernel + buildworld +
> | installkernel + installworld + mergemaster -i and such stuff
> |
> | 3) Inside the chroot, rebuild the ports
> |
> | 4) Reboot the new release
> |
> |
> | Will I go into problems following this approach? The step 3) is the most
> | dangerous, I believe, as I have executing 7.0 commands on a 6.3 kernel
> | (even though only for compilation).
>
> 0) Do I need to reinvent wheel?
>
>
> Joke off. Really, why would you try alternate way of upgrading, when
> there's straight way to do it?

Minimize downtime of services provided by ports?

Jose: take a look at Tinderbox - it does exactly what you want to do: build 
ports for OS release X on OS release Y, using chroot. If you're unsure about 
your own method, because of OSVERSION or similar, do it using Tinderbox.

-- 
Mel

Problem with today's modular software: they start with the modules
and never get to the software part.


Re: It is safe to build ports for 7.0 from a 6.3 chroot?

2008-03-03 Thread Bogdan Ćulibrk


Jose Garcia Juanino wrote:
| Hi everybody
|
| Actually, I do the following in order to update from 6.3 to 7.0:
|
| 1) dump my actual 6.3 filesystems /, /var and /usr into three new
| ones: /rel70, /rel70/usr and /rel70/var (I use the dump command, of
| course)
|
| 2) chroot /rel70 and mergemaster -p + buildkernel + buildworld +
| installkernel + installworld + mergemaster -i and such stuff
|
| 3) Inside the chroot, rebuild the ports
|
| 4) Reboot the new release
|
|
| Will I go into problems following this approach? The step 3) is the most
| dangerous, I believe, as I have executing 7.0 commands on a 6.3 kernel
| (even though only for compilation).

0) Do I need to reinvent wheel?


Joke off. Really, why would you try alternate way of upgrading, when
there's straight way to do it?

--
Best regards,
Bogdan Culibrk
[EMAIL PROTECTED] http://default.co.yu/~bc


Re: It is safe to build ports for 7.0 from a 6.3 chroot?

2008-03-03 Thread Andrew Pantyukhin
On Mon, Mar 03, 2008 at 09:09:37PM +0100, Jose Garcia Juanino wrote:
> Hi everybody
> 
> Actually, I do the following in order to update from 6.3 to 7.0:
> 
> 1) dump my actual 6.3 filesystems /, /var and /usr into three new
> ones: /rel70, /rel70/usr and /rel70/var (I use the dump command, of
> course)
> 
> 2) chroot /rel70 and mergemaster -p + buildkernel + buildworld +
> installkernel + installworld + mergemaster -i and such stuff
> 
> 3) Inside the chroot, rebuild the ports
> 
> 4) Reboot the new release
> 
> 
> Will I go into problems following this approach? The step 3) is the most
> dangerous, I believe, as I have executing 7.0 commands on a 6.3 kernel
> (even though only for compilation).

Not only that, many ports have some tweaks dependent on
OSVERSION; some have it ingrained into their configure shims.

Personally, I got into a situation where I had to run 7.0 world
on 6.3 kernel. Nothing bad happened, but I rebooted with a new
kernel as soon as I could. All in all, I'd say you have a good
chance to succeed, especially if you have your fingers crossed :)
You won't be on the safe side, though.


It is safe to build ports for 7.0 from a 6.3 chroot?

2008-03-03 Thread Jose Garcia Juanino
Hi everybody

Actually, I do the following in order to update from 6.3 to 7.0:

1) dump my actual 6.3 filesystems /, /var and /usr into three new
ones: /rel70, /rel70/usr and /rel70/var (I use the dump command, of
course)

2) chroot /rel70 and mergemaster -p + buildkernel + buildworld +
installkernel + installworld + mergemaster -i and such stuff

3) Inside the chroot, rebuild the ports

4) Reboot the new release


Will I go into problems following this approach? The step 3) is the most
dangerous, I believe, as I have executing 7.0 commands on a 6.3 kernel
(even though only for compilation).

Best regards




i386 chroot on amd64

2007-10-31 Thread Erik Cederstrand

Hi!

I just created an i386 chroot on an amd64 host (make TARGET=i386 
TARGET_ARCH=i386 ...). The host is compiled with lib32 support.


I'm trying to chroot into the directory to install a port (ports dir is 
nullfs_mount'ed):


chroot /path/to/chroot /bin/sh -c "cd /usr/ports/my/port; make install 
clean; "


but all I get is "chroot: /bin/sh: Exec format error". Google points me 
in the direction of i386/amd64 conflicts. The host is running 
7.0-PRERELEASE #4, the chroot is compiled from CURRENT sources csupped 
today.


Is what I'm trying to do even supposed to work?

Thanks,
Erik


Re: apache mod_ssl chroot problem

2007-10-17 Thread Beastie
On Wed, 2007-10-17 at 13:38 +0100, Daniel Bye wrote:
> On Wed, Oct 17, 2007 at 08:46:01PM +0700, Muhammad Reza wrote:
> > Dear List.
> > 
> > I have a problem running apache in chroot mode with ssl enabled.
> > Apache in chroot mode running fine without ssl enabled, but when i try to
> > start with mod_ssl enabled, error occurred with this message.
> > 
> > beastie#chroot /chroot/httpd /usr/local/apache2/bin/httpd
> > Apache/2.2.6 mod_ssl/2.2.6 (Pass Phrase Dialog)
> > Some of your private key files are encrypted for security reasons.
> > In order to read them you have to provide the pass phrases.
> > 
> > Server beastie.mra.co.id:443 (RSA)
> > Enter pass phrase:Apache:mod_ssl:Error: Private key not found.
> > **Stopped
> > 
> > and with error log
> > 
> > [Wed Oct 17 13:37:25 2007] [error] Init: Private key not found
> > [Wed Oct 17 13:37:25 2007] [error] SSL Library Error: 218710120
> > error:0D094068:asn1 encoding routines:d2i_ASN1_SET:bad tag
> > [Wed Oct 17 13:37:25 2007] [error] SSL Library Error: 218529960
> > error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
> > [Wed Oct 17 13:37:25 2007] [error] SSL Library Error: 218595386
> > error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error
> > [Wed Oct 17 13:37:25 2007] [error] SSL Library Error: 218734605
> > error:0D09A00D:asn1 encoding routines:d2i_PrivateKey:ASN1 lib
> > [Wed Oct 17 13:38:32 2007] [error] Init: Private key not found
> > [Wed Oct 17 13:38:32 2007] [error] SSL Library Error: 218710120
> > error:0D094068:asn1 encoding routines:d2i_ASN1_SET:bad tag
> > [Wed Oct 17 13:38:32 2007] [error] SSL Library Error: 218529960
> > error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
> > [Wed Oct 17 13:38:32 2007] [error] SSL Library Error: 218595386b
> > error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error
> > [Wed Oct 17 13:38:32 2007] [error] SSL Library Error: 218734605
> > error:0D09A00D:asn1 encoding routines:d2i_PrivateKey:ASN1 lib
> > 
> > If i escape from chrooted enviroment, apache with mod_ssl work fine 
> > 
> > beastie# /usr/local/apache2/bin/httpd
> > Apache/2.2.6 mod_ssl/2.2.6 (Pass Phrase Dialog)
> > Some of your private key files are encrypted for security reasons.
> > In order to read them you have to provide the pass phrases.
> > 
> > Server www.example.com:443 (RSA)
> > Enter pass phrase:
> > 
> > OK: Pass Phrase Dialog successful.
> > 
> > Is there something missing here, please enlighten me.
> 
> The first thing that comes to mind - are your keys inside the chroot area
> you want to run apache in?
> 
the key is in /chroot/httpd/usr/local/apache2/conf/ with 400 mode owned
by root
and the path in httpd-ssl.conf is
SSLCertificateKeyFile "/usr/local/apache2/conf/server.key"
Is there any way to test that my key is visible by the chroot program?

regards
Reza


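One way to answer the question above ("is there any way to test that my key is visible by the chroot program?"), added here as an example and not from the thread: resolve the SSLCertificateKeyFile path the way a chrooted httpd will, relative to the chroot root rather than the host root, and flag absolute symlinks, which point somewhere else once chroot(2) has changed what "/" means. /chroot/httpd and /usr/local/apache2/conf/server.key are the paths from the thread; the files the test creates are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: check that a file httpd opens by an
# absolute path (here the SSLCertificateKeyFile) is reachable after chroot.
# Arguments: the chroot root on the host, and the path as httpd sees it.
# Each path component is examined on the host at $root$component. An
# absolute symlink is resolved against $root, because after chroot(2) the
# kernel resolves it against the new root, not the host's; a key that is
# really a symlink to a host-only location therefore "works" outside the
# chroot and disappears inside it. Relative symlinks that climb above the
# root with .. are not modelled. Run it as the user httpd reads the key
# as (root at startup, as in the thread).
chroot_sees_file() {
    root=${1%/}
    inner=$2
    case $inner in
        /*) ;;
        *) echo "FAIL: $inner must be absolute (httpd resolves it inside the chroot)" >&2; return 1 ;;
    esac
    cur=""
    old_ifs=$IFS
    IFS=/
    set -f   # no globbing while the path is split on '/'
    for comp in $inner; do
        [ -n "$comp" ] || continue
        cur="$cur/$comp"
        host="$root$cur"
        if [ -L "$host" ]; then
            link=$(readlink "$host")
            case $link in
                /*)
                    # Absolute link target: only valid if it also exists under $root.
                    if [ ! -e "$root$link" ]; then
                        set +f; IFS=$old_ifs
                        echo "FAIL: $cur -> $link exists on the host but not under $root" >&2
                        return 1
                    fi
                    ;;
            esac
        fi
        if [ ! -e "$host" ]; then
            set +f; IFS=$old_ifs
            echo "FAIL: $cur is missing inside the chroot ($host)" >&2
            return 1
        fi
    done
    set +f
    IFS=$old_ifs
    if [ ! -r "$root$inner" ]; then
        echo "FAIL: $inner is present but not readable by $(id -un)" >&2
        return 1
    fi
    echo "OK: $inner is visible inside $root"
    return 0
}

# Usage with the thread's paths:
#   chroot_sees_file /chroot/httpd /usr/local/apache2/conf/server.key
```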


Re: apache mod_ssl chroot problem

2007-10-17 Thread Muhammad Reza
On Wed, 2007-10-17 at 08:29 -0600, James wrote:
> 
> > Server beastie.mra.co.id:443 (RSA)
> > Enter pass phrase:Apache:mod_ssl:Error: Private key not found.
> > **Stopped
> 
> 
> Isn't the private key the one on the local machine? If so, is the
> private key visible with the chroot environment?

the key is in /chroot/httpd/usr/local/apache2/conf/ with 400 mode owned
by root
and the path in httpd-ssl.conf is
SSLCertificateKeyFile "/usr/local/apache2/conf/server.key"
Is there any way to test that my key is visible by the chroot program?

regards
Reza



Re: apache mod_ssl chroot problem

2007-10-17 Thread James


> Server beastie.mra.co.id:443 (RSA)
> Enter pass phrase:Apache:mod_ssl:Error: Private key not found.
> **Stopped


Isn't the private key the one on the local machine? If so, is the
private key visible with the chroot environment?


Re: apache mod_ssl chroot problem

2007-10-17 Thread Daniel Bye
On Wed, Oct 17, 2007 at 08:46:01PM +0700, Muhammad Reza wrote:
> Dear List.
> 
> I have a problem running apache in chroot mode with ssl enabled.
> Apache in chroot mode running fine without ssl enabled, but when i try to
> start with mod_ssl enabled, error occurred with this message.
> 
> beastie#chroot /chroot/httpd /usr/local/apache2/bin/httpd
> Apache/2.2.6 mod_ssl/2.2.6 (Pass Phrase Dialog)
> Some of your private key files are encrypted for security reasons.
> In order to read them you have to provide the pass phrases.
> 
> Server beastie.mra.co.id:443 (RSA)
> Enter pass phrase:Apache:mod_ssl:Error: Private key not found.
> **Stopped
> 
> and with error log
> 
> [Wed Oct 17 13:37:25 2007] [error] Init: Private key not found
> [Wed Oct 17 13:37:25 2007] [error] SSL Library Error: 218710120
> error:0D094068:asn1 encoding routines:d2i_ASN1_SET:bad tag
> [Wed Oct 17 13:37:25 2007] [error] SSL Library Error: 218529960
> error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
> [Wed Oct 17 13:37:25 2007] [error] SSL Library Error: 218595386
> error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error
> [Wed Oct 17 13:37:25 2007] [error] SSL Library Error: 218734605
> error:0D09A00D:asn1 encoding routines:d2i_PrivateKey:ASN1 lib
> [Wed Oct 17 13:38:32 2007] [error] Init: Private key not found
> [Wed Oct 17 13:38:32 2007] [error] SSL Library Error: 218710120
> error:0D094068:asn1 encoding routines:d2i_ASN1_SET:bad tag
> [Wed Oct 17 13:38:32 2007] [error] SSL Library Error: 218529960
> error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
> [Wed Oct 17 13:38:32 2007] [error] SSL Library Error: 218595386b
> error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error
> [Wed Oct 17 13:38:32 2007] [error] SSL Library Error: 218734605
> error:0D09A00D:asn1 encoding routines:d2i_PrivateKey:ASN1 lib
> 
> If i escape from chrooted enviroment, apache with mod_ssl work fine 
> 
> beastie# /usr/local/apache2/bin/httpd
> Apache/2.2.6 mod_ssl/2.2.6 (Pass Phrase Dialog)
> Some of your private key files are encrypted for security reasons.
> In order to read them you have to provide the pass phrases.
> 
> Server www.example.com:443 (RSA)
> Enter pass phrase:
> 
> OK: Pass Phrase Dialog successful.
> 
> Is there something missing here, please enlighten me.

The first thing that comes to mind - are your keys inside the chroot area
you want to run apache in?

-- 
Daniel Bye
 _
  ASCII ribbon campaign ( )
 - against HTML, vCards and  X
- proprietary attachments in e-mail / \




apache mod_ssl chroot problem

2007-10-17 Thread Muhammad Reza
Dear List.

I have a problem running apache in chroot mode with ssl enabled.
Apache in chroot mode running fine without ssl enabled, but when i try to
start with mod_ssl enabled, error occurred with this message.

beastie#chroot /chroot/httpd /usr/local/apache2/bin/httpd
Apache/2.2.6 mod_ssl/2.2.6 (Pass Phrase Dialog)
Some of your private key files are encrypted for security reasons.
In order to read them you have to provide the pass phrases.

Server beastie.mra.co.id:443 (RSA)
Enter pass phrase:Apache:mod_ssl:Error: Private key not found.
**Stopped

and with error log

[Wed Oct 17 13:37:25 2007] [error] Init: Private key not found
[Wed Oct 17 13:37:25 2007] [error] SSL Library Error: 218710120
error:0D094068:asn1 encoding routines:d2i_ASN1_SET:bad tag
[Wed Oct 17 13:37:25 2007] [error] SSL Library Error: 218529960
error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
[Wed Oct 17 13:37:25 2007] [error] SSL Library Error: 218595386
error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error
[Wed Oct 17 13:37:25 2007] [error] SSL Library Error: 218734605
error:0D09A00D:asn1 encoding routines:d2i_PrivateKey:ASN1 lib
[Wed Oct 17 13:38:32 2007] [error] Init: Private key not found
[Wed Oct 17 13:38:32 2007] [error] SSL Library Error: 218710120
error:0D094068:asn1 encoding routines:d2i_ASN1_SET:bad tag
[Wed Oct 17 13:38:32 2007] [error] SSL Library Error: 218529960
error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
[Wed Oct 17 13:38:32 2007] [error] SSL Library Error: 218595386b
error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error
[Wed Oct 17 13:38:32 2007] [error] SSL Library Error: 218734605
error:0D09A00D:asn1 encoding routines:d2i_PrivateKey:ASN1 lib

If i escape from chrooted enviroment, apache with mod_ssl work fine 

beastie# /usr/local/apache2/bin/httpd
Apache/2.2.6 mod_ssl/2.2.6 (Pass Phrase Dialog)
Some of your private key files are encrypted for security reasons.
In order to read them you have to provide the pass phrases.

Server www.example.com:443 (RSA)
Enter pass phrase:

OK: Pass Phrase Dialog successful.

Is there something missing here, please enlighten me.

regards
Reza
 






Re: ISC bind9 with dynamic DNS update (chroot problem)

2007-07-30 Thread Reid Linnemann

Written by Patrick Dung on 07/28/07 10:52>>

Thanks for reply.

Yes, your method works.
But I wonder why /var/named/etc/named/master directory permission
always reset to root at starting the daemon.

Regards
Patrick

--- Reid Linnemann <[EMAIL PROTECTED]> wrote:

Written by Patrick Dung on 07/27/07 08:19>>

Hi

I use FreeBSD 6.2 and the base bind9.
For dynamic DNS update, bind9 automatically generate the journal file
(end in .jnl).
The default config is to use chroot and the running user as 'bind'.

The problem is that after named is started (/etc/init.d/named start),
the default chroot directory /var/named/etc/named permission will be
reset to own by root. So the named daemon (run as user 'bind') cannot
create the journal file and complain:

Jul 27 21:06:54 fbsd62 named[2862]: general: localdomain.db.jnl:
create: permission denied

One temp fix is to use chroot and run as root, any suggestions?

Regards
Patrick

When I did ddns, I had my dynamic zone files in a subdirectory off of
the named chroot- i.e. /var/named/etc/namedb/dynamic - and chowned it to
bind, allowing the bind user to read/write anything inside.

I forgot to CC: questions@ on my original reply

This is because /etc/rc.d/named auto-updates the chroot to an expected 
state defined by the mtree at /etc/mtree/BIND.chroot.dist


P.S.
Please do not top post, so the conversation order progresses from oldest 
to newest.


-Reid



Re: ISC bind9 with dynamic DNS update (chroot problem)

2007-07-29 Thread Patrick Dung
Thanks for reply.

Your suggestion solved my problem, thanks.

Yes, /etc/init.d/named is a typo.

Regards
Patrick

--- Doug Barton <[EMAIL PROTECTED]> wrote:

> Patrick Dung wrote:
> > Hi
> > 
> > I use FreeBSD 6.2 and the base bind9.
> > For dynamic DNS update, bind9 automatically generate the journal
> file
> > (end in .jnl).
> > The default config is to use chroot and the running user as 'bind'.
> > 
> > The problem is that after named is started (/etc/init.d/named
> start),
> 
> Are you sure you're doing this on FreeBSD? We have rc.d, not initd.
> Assuming that was just a typo ...
> 
> > the default chroot directory /var/named/etc/named
> 
> The default directory is /etc/namedb, which is a symlink to
> /var/named/etc/namedb.
> 
> > permission will be reset to own by root. So the named daemon (run
> > as user 'bind') cannot create the journal file and complain:
> 
> You shouldn't be creating journal files in the config directory
> anyway.
> 
> > One temp fix is to use chroot and run as root, any suggestions?
> 
> Yeah, don't run named as root. Ever. :)
> 
> Assuming that you are actually running FreeBSD, and that you have not
> turned off the mtree option, you should have the following
> directories
> in /etc/namedb:
> 
> drwxr-xr-x  2 bind  wheel  512 Jul 23 00:47 dynamic/
> drwxr-xr-x  2 root  wheel  512 Jul 13 22:33 master/
> drwxr-xr-x  2 bind  wheel  512 Jul 27 14:05 slave/
> 
> The dynamic directory is obviously designed to hold dynamic zones,
> and
> it (like the slave directory) is chowned to user bind so that named
> can write to it after it drops privileges.
> 
> hth,
> 
> Doug
> 
> -- 
> 
> This .signature sanitized for your protection
> 



   



Re: ISC bind9 with dynamic DNS update (chroot problem)

2007-07-27 Thread Doug Barton
Patrick Dung wrote:
> Hi
> 
> I use FreeBSD 6.2 and the base bind9.
> For dynamic DNS update, bind9 automatically generate the journal file
> (end in .jnl).
> The default config is to use chroot and the running user as 'bind'.
> 
> The problem is that after named is started (/etc/init.d/named start),

Are you sure you're doing this on FreeBSD? We have rc.d, not initd.
Assuming that was just a typo ...

> the default chroot directory /var/named/etc/named

The default directory is /etc/namedb, which is a symlink to
/var/named/etc/namedb.

> permission will be reset to own by root. So the named daemon (run
> as user 'bind') cannot create the journal file and complain:

You shouldn't be creating journal files in the config directory anyway.

> One temp fix is to use chroot and run as root, any suggestions?

Yeah, don't run named as root. Ever. :)

Assuming that you are actually running FreeBSD, and that you have not
turned off the mtree option, you should have the following directories
in /etc/namedb:

drwxr-xr-x  2 bind  wheel  512 Jul 23 00:47 dynamic/
drwxr-xr-x  2 root  wheel  512 Jul 13 22:33 master/
drwxr-xr-x  2 bind  wheel  512 Jul 27 14:05 slave/

The dynamic directory is obviously designed to hold dynamic zones, and
it (like the slave directory) is chowned to user bind so that named
can write to it after it drops privileges.

hth,

Doug

-- 

This .signature sanitized for your protection
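An added check for the situation Doug and Reid describe (example code written for this page, not FreeBSD's or ISC's): it parses a named.conf fragment and an `ls -la` listing of the chroot's namedb directory, flags dynamic zones whose file sits in a directory the bind user cannot write (the ones that will fail with "create: permission denied" on their .jnl), and reports directories whose ownership differs from the BIND.chroot.dist expectation and will therefore be reset on the next rc.d/named start. The listing and config below are constructed; the brace-counting zone parser and the owner map are assumptions of this example, not ISC's parser.

```python
"""Check a chrooted named's layout for dynamic zones that cannot write journals."""
import re

# Ownership that /etc/mtree/BIND.chroot.dist restores on every rc.d/named
# start, as the replies describe; a manual chown of master/ does not survive.
EXPECTED_OWNER = {".": "root", "dynamic": "bind", "master": "root", "slave": "bind"}


def parse_ls(listing):
    """Directory name -> owner from `ls -la` output of the namedb directory."""
    owners = {}
    for line in listing.splitlines():
        fields = line.split()
        if len(fields) < 9 or not fields[0].startswith("d"):
            continue  # "total N", files, or a malformed line
        owners[fields[-1].rstrip("/") or "/"] = fields[2]
    return owners


def parse_zones(named_conf):
    """[(zone, file, is_dynamic)] per zone statement. Braces are counted
    rather than regex-matched so nested allow-update { ... }; blocks are
    kept inside the zone body."""
    zones = []
    for m in re.finditer(r'zone\s+"([^"]+)"[^{]*\{', named_conf):
        depth, i = 1, m.end()
        while depth and i < len(named_conf):
            depth += {"{": 1, "}": -1}.get(named_conf[i], 0)
            i += 1
        body = named_conf[m.end():i]
        f = re.search(r'file\s+"([^"]+)"', body)
        dynamic = re.search(r"\b(allow-update|update-policy)\b", body) is not None
        zones.append((m.group(1), f.group(1) if f else None, dynamic))
    return zones


def journal_problems(named_conf, listing, named_user="bind"):
    """Dynamic zones whose file (relative to the options directory) lives in
    a directory `named_user` does not own, i.e. the ones that log
    'create: permission denied' for their .jnl after named drops privileges."""
    owners = parse_ls(listing)
    problems = []
    for name, path, dynamic in parse_zones(named_conf):
        if not dynamic or not path:
            continue
        top = path.split("/", 1)[0] if "/" in path else "."
        owner = owners.get(top)
        if owner != named_user:
            problems.append((name, path, owner))
    return problems


def ownership_drift(listing):
    """Directories whose owner differs from the mtree spec; rc.d/named puts
    them back, which is the 'always reset to root' Patrick observed."""
    owners = parse_ls(listing)
    return [(d, owners[d], EXPECTED_OWNER[d]) for d in EXPECTED_OWNER
            if d in owners and owners[d] != EXPECTED_OWNER[d]]


# Constructed sample input (not from the thread), shaped like Doug's listing.
SAMPLE_LISTING = """\
total 10
drwxr-xr-x  5 root  wheel   512 Jul 27 14:05 ./
drwxr-xr-x  2 bind  wheel   512 Jul 23 00:47 dynamic/
drwxr-xr-x  2 root  wheel   512 Jul 13 22:33 master/
drwxr-xr-x  2 bind  wheel   512 Jul 27 14:05 slave/
"""

SAMPLE_CONF = """\
zone "localdomain" {
    type master;
    file "master/localdomain.db";
    allow-update { key ddns-key; };
};
zone "dyn.example" {
    type master;
    file "dynamic/dyn.example.db";
    update-policy { grant ddns-key zonesub ANY; };
};
zone "static.example" { type master; file "master/static.example.db"; };
"""

if __name__ == "__main__":
    for zone, path, owner in journal_problems(SAMPLE_CONF, SAMPLE_LISTING):
        print(f"{zone}: {path} is in a directory owned by {owner}, not bind")
    for d, found, expected in ownership_drift(SAMPLE_LISTING):
        print(f"{d}/ owned by {found}; mtree will reset it to {expected}")
```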


ISC bind9 with dynamic DNS update (chroot problem)

2007-07-27 Thread Patrick Dung
Hi

I use FreeBSD 6.2 and the base bind9.
For dynamic DNS update, bind9 automatically generate the journal file
(end in .jnl).
The default config is to use chroot and the running user as 'bind'.

The problem is that after named is started (/etc/init.d/named start),
the default chroot directory /var/named/etc/named permission will be
reset to own by root. So the named daemon (run as user 'bind') cannot
create the journal file and complain:

Jul 27 21:06:54 fbsd62 named[2862]: general: localdomain.db.jnl:
create: permission denied

One temp fix is to use chroot and run as root, any suggestions?

Regards
Patrick


   



Re: scponly chroot doesn't work FB6.2

2007-05-17 Thread Marcelo Maraboli

Hello all

I would like to thank david.robillard and j65nko for their
efforts in trying to help with this problem.

I finally got a working solution. The problem is not
"scponly" nor "rssh" but the CHROOT jail implementation in
FreeBSD 6.2, since both problems are solved by a series of
commands to enable a proper "/dev" subdirectory inside the jail.

RSSH works very well for a SCP, SFTP, RSYNC only environment.

Solution at:
http://www.artofindo.com/~teaone/rssh.html

best regards,



David Robillard wrote:

I can't seem to make scponly work with a chrooted jail. I've
read many articles on how FREEBSD's scripts on making jails
really don't work and a manual mknod of $jail/dev/null must
be done, but it still doesn't work...

I'd appreciate any help


You might want to check out the port shells/rssh instead of shells/scponly.

http://www.freebsd.org/cgi/url.cgi?ports/shells/rssh/pkg-descr

I'm not sure it does exactly what you're looking for, but it has
similar features as scponly.

HTH,

David


--
MSc. Marcelo Maraboli Rosselott
Jefe Area de Redes y Comunicaciones  (Network & UNIX Systems Engineer)
Ingeniero Civil Electronico, CISSP  (MSc., Electronic Engineer, CISSP)

Direccion Central de Servicios Computacionales (DCSC)
Universidad Tecnica Federico Santa Maria phone: +56 32 2654071
Chile.http://www.usm.cl http://elqui.dcsc.utfsm.cl


Re: scponly chroot doesn't work FB6.2

2007-05-10 Thread David Robillard

I can't seem to make scponly work with a chrooted jail. I've
read many articles on how FREEBSD's scripts on making jails
really don't work and a manual mknod of $jail/dev/null must
be done, but it still doesn't work...

I'd appreciate any help


You might want to check out the port shells/rssh instead of shells/scponly.

http://www.freebsd.org/cgi/url.cgi?ports/shells/rssh/pkg-descr

I'm not sure it does exactly what you're looking for, but it has
similar features as scponly.

HTH,

David
--
David Robillard
UNIX systems administrator & Oracle DBA
CISSP, RHCE & Sun Certified Security Administrator
Montreal: +1 514 966 0122


Re: scponly chroot doesn't work FB6.2

2007-05-09 Thread J65nko

On 5/7/07, Marcelo Maraboli <[EMAIL PROTECTED]> wrote:


I can't seem to make scponly work with a chrooted jail. I've
read many articles on how FREEBSD's scripts on making jails
really don't work and a manual mknod of $jail/dev/null must
be done, but it still doesn't work...

I'd appreciate any help


[snip]

I haven't used it myself but at
http://www.bsdforums.org/forums/showthread.php?t=49388 somebody posted
a solution for a similar problem with scponly ;)


scponly chroot doesn't work FB6.2

2007-05-07 Thread Marcelo Maraboli

Hello

I can't seem to make scponly work with a chrooted jail. I've
read many articles on how FREEBSD's scripts on making jails
really don't work and a manual mknod of $jail/dev/null must
be done, but it still doesn't work...

I'd appreciate any help

thanks

--
DEBUG INFO:

1.- scponly built as:
cd /usr/ports/shells/scponly/
make -DWITH_SCPONLY_RSYNC -DWITH_SCPONLY_SFTP_LOGGING -DWITH_SCPONLY_WINSCP -DWITH_SCPONLY_CHROOT -DWITH_SCPONLY_SCP

make install

2.- dcsc user is defined as:

dcsc:*:2008:160:WWW Admin DCSC:/disk2/chroot//home/dcsc:/usr/local/sbin/scponlyc


3.- This is what I get AFTER making "/dev/null" and setting
it to 666 chmod.

[EMAIL PROTECTED]:/usr/local/etc/scponly$ scp debuglevel [EMAIL PROTECTED]:fo
Password:
scponly[65605]: chrooted binary in place, will chroot()
scponly[65605]: 3 arguments in total.
scponly[65605]: arg 0 is scponlyc
scponly[65605]: arg 1 is -c
scponly[65605]: arg 2 is scp -t fo
scponly[65605]: opened log at LOG_AUTHPRIV, opts 0x0029
scponly[65605]: retrieved home directory of "/disk2/chroot//home/dcsc" for user 
"dcsc"
scponly[65605]: chrooting to dir: "/disk2/chroot"
scponly[65605]: chdiring to dir: "/home/dcsc"
scponly[65605]: setting uid to 2008
scponly[65605]: processing request: "scp -t fo"
scponly[65605]: Unable to find "LOG_SFTP" in the environment
scponly[65605]: Found "USER" and setting it to "dcsc"
scponly[65605]: Unable to find "SFTP_UMASK" in the environment
scponly[65605]: Unable to find "SFTP_PERMIT_CHMOD" in the environment
scponly[65605]: Unable to find "SFTP_PERMIT_CHOWN" in the environment
scponly[65605]: Unable to find "SFTP_LOG_LEVEL" in the environment
scponly[65605]: Unable to find "SFTP_LOG_FACILITY" in the environment
scponly[65605]: Environment contains "USER=dcsc"
scponly[65605]: running: /usr/bin/scp -t fo (username: dcsc(2008), IP/port: 
200.1.21.103 57465 22)
Couldn't open /dev/null: Operation not supportedlost connection


4.- chrooted tree:

[EMAIL PROTECTED]:/disk2/chroot$ ls -lasR
total 18
2 drwxr-xr-x  9 root  wheel  512 May  7 16:15 ./
2 drwxr-xr-x  6 root  wheel  512 May  7 15:56 ../
2 drwxr-xr-x  2 root  wheel  512 May  7 15:57 bin/
2 drwxr-xr-x  2 root  wheel  512 May  7 16:34 dev/
2 drwxr-xr-x  2 root  wheel  512 May  7 15:57 etc/
2 drwxr-xr-x  3 root  wheel  512 May  7 15:58 home/
2 drwxr-xr-x  2 root  wheel  512 May  7 16:42 lib/
2 drwxr-xr-x  2 root  wheel  512 May  7 15:57 libexec/
2 drwxr-xr-x  7 root  wheel  512 May  7 15:57 usr/

./bin:
total 82
 2 drwxr-xr-x  2 root  wheel512 May  7 15:57 ./
 2 drwxr-xr-x  9 root  wheel512 May  7 16:15 ../
 6 -rwxr-xr-x  1 root  wheel   5808 May  7 15:57 chmod*
 4 -rwxr-xr-x  1 root  wheel   3848 May  7 15:57 echo*
 8 -rwxr-xr-x  1 root  wheel   6336 May  7 15:57 ln*
24 -rwxr-xr-x  1 root  wheel  23444 May  7 15:57 ls*
 6 -rwxr-xr-x  1 root  wheel   5068 May  7 15:57 mkdir*
10 -rwxr-xr-x  1 root  wheel   9192 May  7 15:57 mv*
 4 -rwxr-xr-x  1 root  wheel   3932 May  7 15:57 pwd*
12 -rwxr-xr-x  1 root  wheel  10640 May  7 15:57 rm*
 4 -rwxr-xr-x  1 root  wheel   3996 May  7 15:57 rmdir*

./dev:
total 4
2 drwxr-xr-x  2 root  wheel   512 May  7 16:34 ./
2 drwxr-xr-x  9 root  wheel   512 May  7 16:15 ../
0 crw-rw-rw-  1 root  wheel2,   2 May  7 16:34 null
0 crw-rw-rw-  1 root  wheel0,  12 May  7 16:16 random
0 lrwxr-xr-x  1 root  wheel 6 May  7 16:16 urandom@ -> random
0 crw-rw-rw-  1 root  wheel0,   7 May  7 16:16 zero

./etc:
total 44
 2 drwxr-xr-x  2 root  wheel512 May  7 15:57 ./
 2 drwxr-xr-x  9 root  wheel512 May  7 16:15 ../
40 -rw-r--r--  1 root  wheel  40960 May  7 15:57 pwd.db

./home:
total 6
2 drwxr-xr-x  3 root  wheel   512 May  7 15:58 ./
2 drwxr-xr-x  9 root  wheel   512 May  7 16:15 ../
2 drwxr-xr-x  2 dcsc  wwwext  512 May  7 16:01 dcsc/

./home/dcsc:
total 20
2 drwxr-xr-x  2 dcsc  wwwext  512 May  7 16:01 ./
2 drwxr-xr-x  3 root  wheel   512 May  7 15:58 ../
2 -rw-r--r--  1 dcsc  wwwext  767 May  7 16:01 .cshrc
2 -rw-r--r--  1 dcsc  wwwext  248 May  7 16:01 .login
2 -rw-r--r--  1 dcsc  wwwext  158 May  7 16:01 .login_conf
2 -rw---  1 dcsc  wwwext  373 May  7 16:01 .mail_aliases
2 -rw-r--r--  1 dcsc  wwwext  331 May  7 16:01 .mailrc
2 -rw-r--r--  1 dcsc  wwwext  797 May  7 16:01 .profile
2 -rw---  1 dcsc  wwwext  276 May  7 16:01 .rhosts
2 -rw-r--r--  1 dcsc  wwwext  975 May  7 16:01 .shrc


./lib:
total 3094
   2 drwxr-xr-x  2 root  wheel 512 May  7 16:42 ./
   2 drwxr-xr-x  9 root  wheel 512 May  7 16:15 ../
 132 -r--r--r--  1 root  wheel  134060 May  7 16:38 libasn1.so.8
 928 -rwxr-xr-x  1 root  wheel  922668 May  7 15:57 libc.so.6*
   6 -r--r--r--  1 root  wheel5544 May 

Re: set env in chroot script

2007-04-28 Thread Lowell Gilbert
Elan Marikit <[EMAIL PROTECTED]> writes:

> I am a newbie of FreeBSD and I want to know how to set environment
> inside chroot in a shell script.
>
> My script looks like this:
> chroot $NEWROOT /bin/sh -c ""
>
> And I want to set an environment, before the .
>
> Is it possible that it will inherit my parent environment? like the
> environment set in my script?

According to the chroot(8) manual, only the SHELL value will
be inherited.

Try making a wrapper script to set the values you want, and
call the command from inside that script.


set env in chroot script

2007-04-26 Thread Elan Marikit

Greetz,

I am a newbie of FreeBSD and I want to know how to set environment 
inside chroot in a shell script.


My script looks like this:
chroot $NEWROOT /bin/sh -c ""

And I want to set an environment, before the .

Is it possible that it will inherit my parent environment? like the 
environment set in my script?


Thanks,
Elan


Re: ftp chroot directory structure

2007-04-26 Thread Ray
On Thursday 26 April 2007 9:12 pm, Ray wrote:
> Hello,
> I am setting up a new web server that must host data from an existing
> webserver. We've never had an organized folder structure for private data,
> (passwords, secure data, etc) and I'm trying to change that.
> there are currently a number of virtual sites all handled through apache
> virtualhosts. all (or at least most) users must have ftp access.
> my original thought was this:
>
> apache/priv_data/domain1
> apache/pub_data/domain1
>
> where
> apache/priv_data/domain1
> contains a soft link to
> apache/pub_data/domain1
> and the ftpchroot is
> apache/pri_data/domain1
>
> this doesn't work like I wanted it to. I can't follow the link with an ftp
> client. 

after posting, I decided I'm going to do it this way, and hope the other 
developers didn't cheat too bad. I think this is the right way.
Ray

> obviously the best solution would be 
> apache/priv_data/domain1
> which contains
> apache/data/domain1/pub_data
> with domain1 as the ftp root
> and pub_data as the http root,
> but I'm not the developer of all the sites, and I don't want to have to
> trouble shoot other peoples possibly incorrectly written sites (hard coded
> path structures)
> What can you suggest as my best solution?
> Thanks
> Ray
>



ftp chroot directory structure

2007-04-26 Thread Ray
Hello,
I am setting up a new web server that must host data from an existing 
webserver. We've never had an organized folder structure for private data, 
(passwords, secure data, etc) and I'm trying to change that.
there are currently a number of virtual sites all handled through apache 
virtualhosts. all (or at least most) users must have ftp access.
my original thought was this:

apache/priv_data/domain1
apache/pub_data/domain1

where 
apache/priv_data/domain1 
contains a soft link to 
apache/pub_data/domain1
and the ftpchroot is 
apache/pri_data/domain1

this doesn't work like I wanted it to. I can't follow the link with an ftp 
client. obviously the best solution would be 
apache/priv_data/domain1 
which contains
apache/data/domain1/pub_data
with domain1 as the ftp root
and pub_data as the http root,
but I'm not the developer of all the sites, and I don't want to have to 
trouble shoot other peoples possibly incorrectly written sites (hard coded 
path structures)
What can you suggest as my best solution?
Thanks
Ray  



Re: Chroot/jail mechanism in ssh and sftp connections

2007-04-11 Thread Thiago Esteves de Oliveira
Thanks, I think this is the solution for the sftp connections using jail/chroot 
mechanism.

Derek Ragona wrote:
> At 11:20 AM 4/11/2007, Thiago Esteves de Oliveira wrote:
>>Thanks for the suggestion. I intend to study about this possible solution
>>but to save time I'd
>>like to ask you some questions.
>>
>>With this software, can I control which accounts "from the unix passwd
>>file" will be able to log in?
>
> Yes just set the shell to a non-login shell for users you don't want to
> give shell access.  Typically I set those user's shell to:
> /usr/bin/false
>
>
>>If there is a symbolic link in the home directory(jail/chroot) that points
>>to anywhere out of it,
>>will the users be able to use this symlink? Will they go out from their
>>jail/chroot directory this
>>way?
>
> You can actually specify what ftp commands are allowed in the vsftpd.conf file
> in one server I manage I have set:
> cmds_allowed=PASV,RETR,QUIT,USER,PASS,STOR,CDDN,CWD,LIST,GET,PUT,DIR,PWD,SYST,LS,TYPE,DELE,FEAT,PBSZ,PROT
>
> But you'd probably want to remove any symlinks that shouldn't be there.
>
>
>>Derek Ragona wrote:
>> > At 10:28 AM 4/10/2007, Thiago Esteves de Oliveira wrote:
>> >>Hello,
>> >>I want to use the chroot/jail mechanism in user's ssh and sftp
>> >>connections. I've read some
>> >>tutorials and possible solutions to jail/chroot the users into their
>> own home directories. One
>>is
>> >>to install the openssh-portable(with chroot option turned on) from the
>> ports collection. I've
>>installed the openssh-portable, but the jail/chroot mechanism didn't work.
>>I think it requires
>>some configuration in its sshd_config file, but I'm not sure because I
>>have found nothing about
>>jail/chroot in the openssh(sshd_config) man pages.
>> >
>> > I have implemented a similar setup using vsftpd from the ports.  It
>> works well for secure ftp
>>when used with the filezilla client.  You can limit the ftp command in the
>>vsftpd configuration
>>file so users cannot get out of their home directories, which chroots them
>>there.  You do need to
>>add one thing to the accounts, which is to change their home directory in
>>/etc/passwd adding an
>>additional dot.  For instance if a users home directory is:
>> > /home/user
>> >
>> > You'd need to change it to:
>> > /home/./user
>> >
>> > vsftpd is well documented and relatively easy to get setup and running.
>> >
>> >  -Derek




Re: Chroot/jail mechanism in ssh and sftp connections

2007-04-11 Thread Derek Ragona

At 11:20 AM 4/11/2007, Thiago Esteves de Oliveira wrote:
> Thanks for the suggestion. I intend to study about this possible solution
> but to save time I'd like to ask you some questions.
>
> With this software, can I control which accounts "from the unix passwd
> file" will be able to log in?

Yes just set the shell to a non-login shell for users you don't want to 
give shell access.  Typically I set those user's shell to:

/usr/bin/false

> If there is a symbolic link in the home directory(jail/chroot) that point
> to anywhere out of it, will the users be able to use this symlink? Will
> they go out from their jail/chroot directory this way?

You can actually specify what ftp commands are allowed in the vsftpd.conf file
in one server I manage I have set:
cmds_allowed=PASV,RETR,QUIT,USER,PASS,STOR,CDDN,CWD,LIST,GET,PUT,DIR,PWD,SYST,LS,TYPE,DELE,FEAT,PBSZ,PROT

But you'd probably want to remove any symlinks that shouldn't be there.



Derek Ragona wrote:
> At 10:28 AM 4/10/2007, Thiago Esteves de Oliveira wrote:
>>Hello,
>>I want to use the chroot/jail mechanism in user's ssh and sftp
>>connections. I've read some
>>tutorials and possible solutions to jail/chroot the users into their 
own home directories. One

is
>>to install the openssh-portable(with chroot option turned on) from the 
ports collection. I've
installed the openssh-portable, but the jail/chroot mechanism didn't work. 
I think it requires
some configuration in its sshd_config file, but I'm not sure because I 
have found nothing about

jail/chroot in the openssh(sshd_config) man pages.
>
> I have implemented a similar setup using vsftpd from the ports.  It 
works well for secure ftp
when used with the filezilla client.  You can limit the ftp command in the 
vsftpd configuration
file so users cannot get out of their home directories, which chroots them 
there.  You do need to
add one thing to the accounts, which is to change their home directory in 
/etc/passwd adding an

additional dot.  For instance if a users home directory is:
> /home/user
>
> You'd need to change it to:
> /home/./user
>
> vsftpd is well documented and relatively easy to get setup and running.
>
>  -Derek
>




Re: Chroot/jail mechanism in ssh and sftp connections

2007-04-11 Thread Thiago Esteves de Oliveira
Thanks for the suggestion. I intend to study about this possible solution
but to save time I'd like to ask you some questions.

With this software, can I control which accounts "from the unix passwd file"
will be able to log in?

If there is a symbolic link in the home directory(jail/chroot) that point to
anywhere out of it, will the users be able to use this symlink? Will they go
out from their jail/chroot directory this way?

Derek Ragona wrote:
> At 10:28 AM 4/10/2007, Thiago Esteves de Oliveira wrote:
>>Hello,
>>I want to use the chroot/jail mechanism in user's ssh and sftp
>>connections. I've read some
>>tutorials and possible solutions to jail/chroot the users into their own home 
>>directories. One
is
>>to install the openssh-portable(with chroot option turned on) from the ports 
>>collection. I've
installed the openssh-portable, but the jail/chroot mechanism didn't work. I 
think it requires
some configuration in its sshd_config file, but I'm not sure because I have 
found nothing about
jail/chroot in the openssh(sshd_config) man pages.
>
> I have implemented a similar setup using vsftpd from the ports.  It works 
> well for secure ftp
when used with the filezilla client.  You can limit the ftp command in the 
vsftpd configuration
file so users cannot get out of their home directories, which chroots them 
there.  You do need to
add one thing to the accounts, which is to change their home directory in 
/etc/passwd adding an
additional dot.  For instance if a users home directory is:
> /home/user
>
> You'd need to change it to:
> /home/./user
>
> vsftpd is well documented and relatively easy to get setup and running.
>
>  -Derek
>








Re: Chroot/jail mechanism in ssh and sftp connections

2007-04-10 Thread Derek Ragona

At 10:28 AM 4/10/2007, Thiago Esteves de Oliveira wrote:
> Hello,
>
> I want to use the chroot/jail mechanism in user's ssh and sftp
> connections. I've read some tutorials and possible solutions to
> jail/chroot the users into their own home directories. One is to
> install the openssh-portable(with chroot option turned on) from the
> ports collection.
>
> I've installed the openssh-portable, but the jail/chroot mechanism
> didn't work. I think it requires some configuration in its sshd_config
> file, but I'm not sure because I have found nothing about jail/chroot
> in the openssh(sshd_config) man pages.


I have implemented a similar setup using vsftpd from the ports.  It works 
well for secure ftp when used with the filezilla client.  You can limit the 
ftp command in the vsftpd configuration file so users cannot get out of 
their home directories, which chroots them there.  You do need to add one 
thing to the accounts, which is to change their home directory in 
/etc/passwd adding an additional dot.  For instance if a users home 
directory is:

/home/user

You'd need to change it to:
/home/./user

vsftpd is well documented and relatively easy to get setup and running.

-Derek
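Thiago's question about symlinks inside the jail, Ray's ftp chroot link that could not be followed, and the /dev trouble in the scponly thread all come down to how a chrooted process resolves paths. The audit below is an added example written for this page (not code from FreeBSD, vsftpd or scponly): it splits the /home/./user convention Derek describes, resolves each symlink the way the kernel does inside the chroot (absolute targets start at the root, ".." cannot climb above it), and checks whether the chroot's /dev is a mount point with real character devices. It assumes Python 3 and a tree on disk; the sample tree it builds is constructed.

```python
"""Audit a chroot tree the way a process chrooted into it will see it."""
import os
import stat
import tempfile


def split_vsftpd_home(home):
    """Split the /home/./user convention into (directory to chroot to,
    working directory inside it); without the marker nothing is chrooted."""
    if "/./" in home:
        root, inside = home.split("/./", 1)
        return (root or "/", "/" + inside)
    return (home, "/")


def chroot_resolve(root, link):
    """Where a process chrooted to `root` lands when it follows `link` (one
    level; the target may itself be a link). An absolute target starts at
    root, a relative one at the link's directory, and '..' never climbs
    above root because the kernel clamps it there."""
    target = os.readlink(link)
    parts = []
    if not target.startswith("/"):
        rel = os.path.relpath(os.path.dirname(link), root)
        parts = [p for p in rel.split(os.sep) if p not in ("", ".")]
    for piece in target.split("/"):
        if piece in ("", "."):
            continue
        if piece == "..":
            if parts:
                parts.pop()
        else:
            parts.append(piece)
    return os.path.join(root, *parts)


def audit_symlinks(root):
    """One record per symlink under root: where it points on the host,
    where it resolves inside the chroot, and whether that path exists."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):  # does not follow links
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):
                continue
            target = os.readlink(path)
            host = target if target.startswith("/") else \
                os.path.normpath(os.path.join(dirpath, target))
            inside = chroot_resolve(root, path)
            rel = os.path.relpath(inside, root)
            findings.append({
                "link": os.path.relpath(path, root),
                "host_target": host,
                "chroot_target": "/" if rel == "." else "/" + rel,
                "resolves": os.path.lexists(inside),
            })
    return findings


def audit_dev(root, nodes=("null", "zero", "random", "urandom")):
    """On FreeBSD 5 and later, device nodes made with mknod on a regular
    file system are inert (the "Couldn't open /dev/null: Operation not
    supported" seen in the scponly thread); a usable chroot /dev is a devfs
    mount. Report whether dev is a mount point and which nodes are missing
    or are not character devices."""
    dev = os.path.join(root, "dev")
    bad = []
    for node in nodes:
        try:
            mode = os.stat(os.path.join(dev, node)).st_mode
        except OSError:
            bad.append(node)
            continue
        if not stat.S_ISCHR(mode):
            bad.append(node)
    return {"is_mount": os.path.ismount(dev), "bad_nodes": bad}


def build_sample_tree(root):
    """Constructed sample chroot (not from the thread): an ftp user's home
    with a relative link to the public web tree, an absolute link to
    /etc/passwd, a link that tries to climb above the root, and a /dev
    whose "null" is a plain file instead of a device."""
    os.makedirs(os.path.join(root, "home", "user"))
    os.makedirs(os.path.join(root, "www", "domain1"))
    os.makedirs(os.path.join(root, "dev"))
    open(os.path.join(root, "dev", "null"), "w").close()
    home = os.path.join(root, "home", "user")
    os.symlink("../../www/domain1", os.path.join(home, "pub_data"))
    os.symlink("/etc/passwd", os.path.join(home, "passwd"))
    os.symlink("../../../../etc", os.path.join(home, "escape"))


def demo():
    """Build the sample tree in a temporary directory and audit it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return audit_symlinks(root), audit_dev(root)


if __name__ == "__main__":
    links, dev = demo()
    for finding in links:
        print(finding)
    print(dev)
```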



Chroot/jail mechanism in ssh and sftp connections

2007-04-10 Thread Thiago Esteves de Oliveira
Hello,

I want to use the chroot/jail mechanism in user's ssh and sftp connections.
I've read some tutorials and possible solutions to jail/chroot the users
into their own home directories. One is to install the openssh-portable
(with chroot option turned on) from the ports collection.

I've installed the openssh-portable, but the jail/chroot mechanism didn't work.
I think it requires some configuration in its sshd_config file, but I'm not
sure because I have found nothing about jail/chroot in the openssh(sshd_config)
man pages.





Re: DHCP Server V3.0.5 No BPF under chroot. Works normally otherwise.

2007-03-06 Thread Kelly D. Grills
On Tue, Mar 06, 2007 at 07:03:35PM -0600, Martin McCormick wrote:
> 
>   I found some cook-book instructions for running dhcpd in
> a chroot environment.  The article is 4 years old and appears to
> be set up for FreeBSD5x, but it isn't far off for FreeBSD6.2
> which is what I need dhcpd to run on.
> 

I run isc-dhcp3-server-3.0.5 from ports, started from /etc/rc.conf with the
following options:

dhcpd_enable="YES"  # dhcpd enabled?
dhcpd_flags="-q"# command option(s)
dhcpd_conf="/usr/local/etc/dhcpd.conf"  # configuration file
dhcpd_ifaces="" # ethernet interface(s)
dhcpd_withumask="022"   # file creation mask

dhcpd_chuser_enable="YES"   # runs w/o privileges?
dhcpd_withuser="dhcpd"  # user name to run as
dhcpd_withgroup="dhcpd" # group name to run as
dhcpd_chroot_enable="YES"   # runs chrooted?
dhcpd_devfs_enable="YES"# use devfs if available?
dhcpd_rootdir="/var/db/dhcpd"   # directory to run in
dhcpd_includedir="" # directory with config-

Here's the full pkg-message:

[EMAIL PROTECTED]/usr/ports/net/isc-dhcp3-server $ make display-message

  To setup dhcpd, you may have to copy /usr/local/etc/dhcpd.conf.sample
  to /usr/local/etc/dhcpd.conf for editing.

  This port installs dhcp daemon, but don't invokes dhcpd by default. If
  you want to invoke dhcpd at startup, put these lines into /etc/rc.conf.

dhcpd_enable="YES"  # dhcpd enabled?
dhcpd_flags="-q"# command option(s)
dhcpd_conf="/usr/local/etc/dhcpd.conf"  # configuration file
dhcpd_ifaces="" # ethernet interface(s)
dhcpd_withumask="022"   # file creation mask

  If compiled with paranoia support (the default), the following lines
  are also supported:

dhcpd_chuser_enable="YES"   # runs w/o privileges?
dhcpd_withuser="dhcpd"  # user name to run as
dhcpd_withgroup="dhcpd" # group name to run as
dhcpd_chroot_enable="YES"   # runs chrooted?
dhcpd_devfs_enable="YES"  # use devfs if available?
dhcpd_makedev_enable="YES"# use MAKEDEV instead?
dhcpd_rootdir="/var/db/dhcpd"   # directory to run in
dhcpd_includedir=""   # directory with config-
  files to include
dhcpd_flags="-early_chroot" # needs full root

  WARNING: -early_chroot requires a jail(8) like environment to work.

  WARNING: dhcpd_devfs_enable and dhcpd_makedev_enable are mutually
   exclusive
   dhcpd_makedev_enable make NO sense on FreeBSD 5.x and up!

  If compiled with jail support (the default), the following lines are
  also supported (-early_chroot and dhcpd_chroot_enable=YES are implied):

dhcpd_jail_enable="YES" # runs imprisoned?
dhcpd_hostname="" # jail hostname
dhcpd_ipaddress=""  # jail ip address

  WARNING: dhcpd_rootdir needs to point to a full jail(8) environment.

  WARNING: never edit the chrooted or jailed dhcpd.conf file but
  /usr/local/etc/dhcpd.conf instead which is always copied where
  needed upon startup.

  WARNING: /usr/local/etc/rc.isc-dhcpd.conf is obsolete.  rc.conf like
  variables are still read there but should be moved /etc/rc.conf or
  /etc/rc.conf.d/dhcpd instead.  Also, the dhcpd_options variable must
  be renamed dhcpd_flags if any.


-- 
Kelly D. Grills
[EMAIL PROTECTED]





DHCP Server V3.0.5 No BPF under chroot. Works normally otherwise.

2007-03-06 Thread Martin McCormick
I found some cook-book instructions for running dhcpd in
a chroot environment.  The article is 4 years old and appears to
be set up for FreeBSD5x, but it isn't far off for FreeBSD6.2
which is what I need dhcpd to run on.

Dhcpd runs fine when started normally as in
/usr/local/sbin/dhcpd.  I haven't yet gotten it to launch as the
chroot'ed version.  When one starts it, here is what happens:

   chroot /usr/local/chroot/dhcpd /usr/local/sbin/dhcpd

Internet Systems Consortium DHCP Server V3.0.5
Copyright 2004-2006 Internet Systems Consortium.
All rights reserved.
For info, please visit http://www.isc.org/sw/dhcp/
WARNING: Host declarations are global.  They are not limited to the scope you 
declared them in.
Wrote 0 deleted host decls to leases file.
Wrote 0 new dynamic host decls to leases file.
Wrote 0 leases to leases file.
No bpf devices.   Please read the README section for your operating system.

If I do a ls, everything looks identical:

cd /usr/local/chroot/dhcpd/dev
ls -l bpf*
crw---  1 root  wheel0,  96 Mar  6 11:44 bpf0
crw---  1 root  wheel1,  97 Mar  6 11:44 bpf1

cd /dev
ls -l bpf*
crw-------  1 root  wheel    0,  96 Mar  5 21:00 bpf0
crw-------  1 root  wheel    0,  97 Mar  5 21:00 bpf1

The part of the script that makes those devices is as follows:

BPF="`ls -l /dev/bpf0 | awk '{ print $6; }' | sed -e 's/,//g'`"
export BPF
BPF1="`ls -l /dev/bpf1 | awk '{ print $6; }' | sed -e 's/,//g'`"
export BPF1
cd /usr/local/chroot/dhcpd/dev
mknod bpf0 c 0 $BPF
mknod bpf1 c 1 $BPF1
chmod 0600 bpf*

I will post the script when it works since it appears to
be about 90% good.  It needs a little touch-up to make it work
for FreeBSD6.

My guess is that there is something else I need in the
chroot environment since the bpf appears to work normally when
dhcpd is run from root in the traditional way.

My thanks and a lot of credit to the person who
originally wrote this script which can be found at

   Linkname: Screaming Electron Forums - How to chroot your existing
  isc-dhcpd server on freebsd

Martin McCormick WB5AGZ  Stillwater, OK 
Systems Engineer
OSU Information Technology Department Network Operations Group
URL:
  http://screamingelectron.org/forum/archive/index.php/t-837.html
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"


JAIL/CHROOT question?

2007-01-20 Thread VeeJay

hello guys

I am having one question...

can I jail a user logging in via SSH to another location/directory than the
user's $HOME directory?


meaning if the user's $HOME directory is like this

/home/alex

and user is able to chdir to upward...


but I don't want user go to user's $HOME directory. I want to limit to some
other location like

/home/temp

and don't want to have user chdir upward... .....wanna have chroot limits...


--
Thanks!

BR / vj


Re: /dev/null in a chroot

2007-01-15 Thread Hideyuki KURASHINA
Thank you for describing the issue.

Could you please file the PR not to miss this useful suggestion?

Regards,

>>> On Fri, 12 Jan 2007 18:54:39 -0800, James Long <[EMAIL PROTECTED]> said:

> > Date: Sun, 07 Jan 2007 20:03:40 -0400
> > From: "Marc G. Fournier" <[EMAIL PROTECTED]>
> > Subject: Re: /dev/null in a chroot
> > To: Michael Grant <[EMAIL PROTECTED]>,  FreeBSD Questions
> > 
> > Message-ID: <[EMAIL PROTECTED]>
> > Content-Type: text/plain; charset=us-ascii
> > 
> > 
> > #!/bin/sh
> > /sbin/devfs -m $1 rule apply hide
> > /sbin/devfs -m $1 rule apply path null unhide
> > 
> > where $1 == the dev directory you mount within the chroot environment ...
> 
> This issue is currently biting users of /usr/ports/security/scponly
> also, I believe.
> 
> I'm finding that recently-created scponlyc chroots do not permit sftp 
> login, although they do allow ftp login.  The client symptom is just:
> 
> $ sftp [EMAIL PROTECTED]
> Connecting to www...
> Password:
> Connection closed
> $
> 
> The cause appears to be that recent versions of 
> /usr/libexec/sftp-server will complain about lack of access to 
> /dev/null and exit, resulting in the closed connection witnessed by 
> the remote client.
> 
> The solution appears to be to create a devfs in the scponlyc chroot.
> 
> This is a little disappointing, as scponlyc used to be delightfully
> lightweight and low-maintenance.  At this point, my understanding is
> that the devfs requirement means that now I must run a script at boot
> time that iterates through a list of chroot'ed users and create dev 
> nodes within each jail.  scponlyc jails were previously a 
> set-and-forget type of setup.
> 
> What is the proper mechanism for setting up an arbitrary number of
> scponlyc chroots at boot time?  /usr/share/examples/etc/devfs.conf
> doesn't show an example of how to apply these rules to a non-default
> dev path.  I have chosen to put a script in /usr/local/etc/rc.d.
> 
> In case other scponly users are reading this in the archives, the 
> manual method that works for me with 6.2-PRE and scponly-4.6_1 is:
> 
> # cd ~user
> # mkdir -p dev
> # mount_devfs devfs dev
> # devfs -m dev rule -s 1 applyset
> # devfs -m dev rule -s 2 applyset
> 
> One then sees:
> 
> # ls -l dev
> total 0
> crw-rw-rw-  1 root  wheel    0,   6 Jan 12 17:15 null
> crw-rw-rw-  1 root  wheel    0,  12 Jan 10 07:57 random
> lrwxr-xr-x  1 root  wheel         6 Jan 12 16:54 urandom@ -> random
> crw-rw-rw-  1 root  wheel    0,   7 Jan 10 15:57 zero
> 
> which is more than enough to appease /usr/libexec/sftp-server.
> 
> chroots created some months ago contain lib versions with numbers 
> typically one less, such as ./usr/lib/libssh.so.2 in the older 
> chroot, versus ./usr/lib/libssh.so.3 in the newer.  The older
> scponly chroots do not require devfs nodes!  I suspect they will 
> eventually break though, given enough time.
> 
> Given that scponlyc provides a setup_chroot.sh script that provides
> hooks for OS-specific chroot setup steps, would it help the port
> maintainer to provide the shell script below?  I have it installed
> in /usr/local/etc/rc.d/scponlyc.sh.
> 
> 
> Jim
> 
> 
> 
> #!/bin/sh
> 
> # script to create devfs filesystems at boot time for scponlyc 
> # chroot'ed users.  We will read /etc/shells to determine
> # where scponlyc is installed.  Then we'll iterate through
> # each user in /etc/passwd to find users whose shell is set to
> # scponlyc.  For each such user found, we will create a 
> # minimal devfs under ~/dev.
> 
> 
> 
> SCPONLYC=$(/usr/bin/grep "/scponlyc$" /etc/shells 2>/dev/null | /usr/bin/tail -1)
> 
> 
> make_devfs() {
> # $1 is the user name whose home directory needs a minimal
> # devfs created.  If ~/dev is not a directory, it will be 
> # deleted and replaced with a directory.
> 
> eval DEV="~$1/dev"
> while /sbin/umount ${DEV} 2>/dev/null; do :; done
> [ -h "${DEV}" ] && rm "${DEV}"
> [ -f "${DEV}" ] && rm "${DEV}"
> mkdir -p "${DEV}"
> if /sbin/mount_devfs devfs "${DEV}"; then
>   /sbin/devfs -m "${DEV}" rule -s 1 applyset || /sbin/umount ${DEV} 2>/dev/null
>   /sbin/devfs -m "${DEV}" rule -s 2 applyset || /sbin/umount ${DEV} 2>/dev/null
> fi
> 
> }
> 
> 
> scponly_startup() {
> # $1 is the path to the /etc/passwd file
> 
> if [ "x${SCPONLYC}" = "x"

Re: /dev/null in a chroot

2007-01-12 Thread James Long
> Date: Sun, 07 Jan 2007 20:03:40 -0400
> From: "Marc G. Fournier" <[EMAIL PROTECTED]>
> Subject: Re: /dev/null in a chroot
> To: Michael Grant <[EMAIL PROTECTED]>,FreeBSD Questions
>   
> Message-ID: <[EMAIL PROTECTED]>
> Content-Type: text/plain; charset=us-ascii
> 
> 
> #!/bin/sh
> /sbin/devfs -m $1 rule apply hide
> /sbin/devfs -m $1 rule apply path null unhide
> 
> where $1 == the dev directory you mount within the chroot environment ...

This issue is currently biting users of /usr/ports/security/scponly
also, I believe.

I'm finding that recently-created scponlyc chroots do not permit sftp 
login, although they do allow ftp login.  The client symptom is just:

$ sftp [EMAIL PROTECTED]
Connecting to www...
Password:
Connection closed
$

The cause appears to be that recent versions of 
/usr/libexec/sftp-server will complain about lack of access to 
/dev/null and exit, resulting in the closed connection witnessed by 
the remote client.

The solution appears to be to create a devfs in the scponlyc chroot.

This is a little disappointing, as scponlyc used to be delightfully
lightweight and low-maintenance.  At this point, my understanding is
that the devfs requirement means that now I must run a script at boot
time that iterates through a list of chroot'ed users and create dev 
nodes within each jail.  scponlyc jails were previously a 
set-and-forget type of setup.

What is the proper mechanism for setting up an arbitrary number of
scponlyc chroots at boot time?  /usr/share/examples/etc/devfs.conf
doesn't show an example of how to apply these rules to a non-default
dev path.  I have chosen to put a script in /usr/local/etc/rc.d.

In case other scponly users are reading this in the archives, the 
manual method that works for me with 6.2-PRE and scponly-4.6_1 is:

# cd ~user
# mkdir -p dev
# mount_devfs devfs dev
# devfs -m dev rule -s 1 applyset
# devfs -m dev rule -s 2 applyset

One then sees:

# ls -l dev
total 0
crw-rw-rw-  1 root  wheel    0,   6 Jan 12 17:15 null
crw-rw-rw-  1 root  wheel    0,  12 Jan 10 07:57 random
lrwxr-xr-x  1 root  wheel         6 Jan 12 16:54 urandom@ -> random
crw-rw-rw-  1 root  wheel    0,   7 Jan 10 15:57 zero

which is more than enough to appease /usr/libexec/sftp-server.

chroots created some months ago contain lib versions with numbers 
typically one less, such as ./usr/lib/libssh.so.2 in the older 
chroot, versus ./usr/lib/libssh.so.3 in the newer.  The older
scponly chroots do not require devfs nodes!  I suspect they will 
eventually break though, given enough time.

Given that scponlyc provides a setup_chroot.sh script that provides
hooks for OS-specific chroot setup steps, would it help the port
maintainer to provide the shell script below?  I have it installed
in /usr/local/etc/rc.d/scponlyc.sh.


Jim



#!/bin/sh

# script to create devfs filesystems at boot time for scponlyc 
# chroot'ed users.  We will read /etc/shells to determine
# where scponlyc is installed.  Then we'll iterate through
# each user in /etc/passwd to find users whose shell is set to
# scponlyc.  For each such user found, we will create a 
# minimal devfs under ~/dev.



SCPONLYC=$(/usr/bin/grep "/scponlyc$" /etc/shells 2>/dev/null | /usr/bin/tail -1)


make_devfs() {
# $1 is the user name whose home directory needs a minimal
# devfs created.  If ~/dev is not a directory, it will be 
# deleted and replaced with a directory.

eval DEV="~$1/dev"
while /sbin/umount ${DEV} 2>/dev/null; do :; done
[ -h "${DEV}" ] && rm "${DEV}"
[ -f "${DEV}" ] && rm "${DEV}"
mkdir -p "${DEV}"
if /sbin/mount_devfs devfs "${DEV}"; then
  /sbin/devfs -m "${DEV}" rule -s 1 applyset || /sbin/umount ${DEV} 2>/dev/null
  /sbin/devfs -m "${DEV}" rule -s 2 applyset || /sbin/umount ${DEV} 2>/dev/null
fi

}


scponly_startup() {
# $1 is the path to the /etc/passwd file

if [ "x${SCPONLYC}" = "x" ]; then
  echo scponlyc is not defined in /etc/shells >&2
  exit 1
fi

/usr/bin/grep -v "^[ ]*#" "$1" | 
  /usr/bin/awk -F: '{ print $1 " " $7 }' |
while read USER SHELL; do
  if [ "x${SHELL}" = "x${SCPONLYC}" ]; then
make_devfs "${USER}"
  fi
done

}


case "$1" in
start)
scponly_startup "/etc/passwd"
echo -n ' scponlyc'
;;
*)
echo "Usage: `basename $0` start" >&2
;;
esac

exit 0


Re: /dev/null in a chroot

2007-01-07 Thread Marc G. Fournier


#!/bin/sh
/sbin/devfs -m $1 rule apply hide
/sbin/devfs -m $1 rule apply path null unhide

where $1 == the dev directory you mount within the chroot environment ...

--On Sunday, January 07, 2007 16:53:27 +0100 Michael Grant <[EMAIL PROTECTED]> wrote:

> I chrooted apache to /www.
>
> In order to run a java program from a web page, java needs a /dev/null
> inside the chroot.
>
> I don't want to create another whole /dev/ dir with all the disk raw
> devices there to be read for anyone who cracks root.  I just want a
> /www/dev/null file.
>
> I tried creating a node with mknod exactly like the node in /dev but
> it doesn't work in freebsd 6.  /dev/ is special now and you can't just
> create nodes anywhere like the old days.
>
> Is there a way to create a /www/dev/null which acts just like /dev/null?
>
> Michael Grant
>



-- 
Marc G. Fournier           Hub.Org Networking Services (http://www.hub.org)
Email . [EMAIL PROTECTED]              MSN . [EMAIL PROTECTED]
Yahoo . yscrappy               Skype: hub.org        ICQ . 7615664



/dev/null in a chroot

2007-01-07 Thread Michael Grant

I chrooted apache to /www.

In order to run a java program from a web page, java needs a /dev/null
inside the chroot.

I don't want to create another whole /dev/ dir with all the disk raw
devices there to be read for anyone who cracks root.  I just want a
/www/dev/null file.

I tried creating a node with mknod exactly like the node in /dev but
it doesn't work in freebsd 6.  /dev/ is special now and you can't just
create nodes anywhere like the old days.

Is there a way to create a /www/dev/null which acts just like /dev/null?

Michael Grant


Re: /dev/null in a chroot

2007-01-07 Thread Bill Moran
"Michael Grant" <[EMAIL PROTECTED]> wrote:
>
> I chrooted apache to /www.
> 
> In order to run a java program from a web page, java needs a /dev/null
> inside the chroot.
> 
> I don't want to create another whole /dev/ dir with all the disk raw
> devices there to be read for anyone who cracks root.  I just want a
> /www/dev/null file.
> 
> I tried creating a node with mknod exactly like the node in /dev but
> it doesn't work in freebsd 6.  /dev/ is special now and you can't just
> create nodes anywhere like the old days.
> 
> Is there a way to create a /www/dev/null which acts just like /dev/null?

devfs does this now.  You can mount a second devfs under /www/dev/, or
anywhere else for that matter.

Controlling which device nodes show up is done by devfs rulesets.  See
the man page for devfs for details.

-Bill



Re: FreeBSD chroot problem...Please help!!!

2007-01-07 Thread Riemer Palstra
On Sun, Jan 07, 2007 at 12:50:34PM +0100, VeeJay wrote:
> I'm trying to run MySQL and Apache under a chroot environment. But I am
> getting these errors.

[ ... ]

> # /usr/local/mysql/libexec/mysqld: Can't create/write to file
> '/var/tmp/ibPM3e0d' (Errcode: 13)

[ ... ]

> fopen: Operation not supported
> httpd: could not open document config file /dev/null

Are these files/directories/device nodes present in their respective
chroot environment?

-- 
Riemer Palstra                          Amsterdam, The Netherlands
[EMAIL PROTECTED]                       http://www.palstra.com/


FreeBSD chroot problem...Please help!!!

2007-01-07 Thread VeeJay

Hello there

I was wondering if someone having great knowledge of the FreeBSD chroot system
could give me some help. I'm trying to run MySQL and Apache under a chroot
environment. But I am getting these errors. Could you please help me to
solve these problems. I have googled a lot but didn't find any solution.
Please help!


1. When running MySQL 5.0 in a chroot environment, I get the following error:

# chrootuid /chroot/mysql mysql /usr/local/mysql/libexec/mysqld &
[1] 599
# /usr/local/mysql/libexec/mysqld: Can't create/write to file
'/var/tmp/ibPM3e0d' (Errcode: 13)
070107 10:43:49  InnoDB: Error: unable to create temporary file; errno: 13
070107 10:43:49 [Note] /usr/local/mysql/libexec/mysqld: ready for
connections.
Version: '5.0.27'  socket: '/tmp/mysql.sock'  port: 0  FreeBSD port:
mysql-server-5.0.27



2. When running Apache in a chroot environment, I get the following error:

# chroot /chroot/httpd /usr/local/apache/bin/httpd
fopen: Operation not supported
httpd: could not open document config file /dev/null
I will really appreciate your kind help!

--
Thanks!

BR / vj


Re: chroot, performance & security

2006-12-27 Thread Girish Venkatachalam
On Wed, Dec 27, 2006 at 10:16:31AM +0100, VeeJay wrote:
> Hi
> 
> I have made partitions on my web server like at very outer edges of the
> disks,
> 
> I have /, then /var, /tmp, /usr and in the end /home.
> 
> Since I read that Data modified & used often should be placed at close to
> outer edges as possible.
> 
> So, I am having all logs (apache, ftp, mysql and other logs) under /var/logs
> I have all my mysql DBs under /var/mysql/db
> 
> But if for security reasons, I want to chroot apache, mysql and ftp under
> /home, then along with all executables and libraries I have to move all
> logs, DBs under /home/chroot
> 
> But then I think, If I move all these data from /var... I miss performance?

You need not have created so many partitions because it is going to hurt you 
now when you have to chroot. :)

Apache running under chroot means lot of things. OpenBSD has done it by default 
and it means that all the files that users host have to be under the chroot. 
All the DSOs have to be accessible as well.

chrooting ftp or sftp is not much trouble. I think a simple google search will 
tell you how to run sftp under chroot. I would suggest that along with 
chrooting ftp.

mysql should not give you much trouble but then I never use it. 

I am a postgresql guy...

Best of luck!

regards,
Girish
- 
When your mind is purified like a mirror knowledge is reflected in it.
Adi Sankaracharya, Hindu saint


chroot, performance & security

2006-12-27 Thread VeeJay

Hi

I have made partitions on my web server like at very outer edges of the
disks,

I have /, then /var, /tmp, /usr and in the end /home.

Since I read that Data modified & used often should be placed at close to
outer edges as possible.

So, I am having all logs (apache, ftp, mysql and other logs) under /var/logs
I have all my mysql DBs under /var/mysql/db

But if for security reasons, I want to chroot apache, mysql and ftp under
/home, then along with all executables and libraries I have to move all
logs, DBs under /home/chroot

But then I think, If I move all these data from /var... I miss performance?

Please comment?

--
Thanks!

BR / vj


ftpd.conf chroot not working

2006-08-24 Thread James Earl

I'm having problems getting the /etc/ftpd.conf chroot command to work.
However, if I append a directory after the username in /etc/ftpchroot
that does work.  It seems like ftpd.conf isn't even getting used.  The
reason I want to use ftpd.conf is it supposedly allows the use of
escape strings such as %u for username.  The machine is running
6.0-RELEASE.

(doesn't work)
ftpd.conf:
chroot all /usr/local/www/apache22/data/%u
ftpchroot:
@client

(does work)
ftpd.conf:
#empty
ftpchroot:
@client /usr/local/www/apache22/data/usersite

James


FTP and chroot....

2006-05-22 Thread Eric Schuele

Hello,

For the life of me I can not get any user who FTPs into my box to be 
chroot'ed to a particular directory.  I'm sure this should be a simple 
thing to do.


I have setup an ~/ftp directory for each user and would like their ftp 
session to be chroot'ed to it.  But I can't seem to get it working.


Here is what I presently have setup...
rc.conf

  ftpd_enable="YES"
  ftpd_flags="-S -ll"

ftpd.conf

 chroot all /home/%u/ftp

ftpusers

 

ftpchroot

  @ftp

All users which I grant FTP access to are members of the ftp group.

They can FTP into the box, but the root dir is their home dir.  They are 
chroot'ed to their home dir... not ~/ftp.  I've tried various things in 
all of the config files to change it to this subdir, to no avail.


Thanks,
--
Regards,
Eric


Re: jails or chroot?

2006-05-10 Thread Chad Leigh -- Shire.Net LLC


On May 10, 2006, at 2:33 AM, Iantcho Vassilev wrote:

> On 5/9/06, Chad Leigh -- Shire.Net LLC <[EMAIL PROTECTED]> wrote:
> 
> > On May 9, 2006, at 5:53 AM, Michael Grant wrote:
> > 
> > > When it comes time to upgrade, how does one upgrade 100 different
> > > jails?  This will be a nightmare!
> > 
> > Actually, not.  You only need 1 master jail and a bunch of nullfs
> > read only mounts plus some exclusive space for each jail.  I run 44
> > jails at the moment this way.  Upgrading is relatively easy as I only
> > have to upgrade one master jail (and unfortunately lots of jail etc
> > if such happens but a few scripts can automate much of that).
> > 
> > All the jails run out of one installed jail and they also have the
> > side benefit of the main system directories being read only so
> > exploits in one jail cannot affect all the running jails.
> 
> Wow,
> I really like the setup you have made..
> 
> One question. How do you update the system (and the jail)?


I shut all the jails down, and update the system.  Then I boot  
without starting the jails and rebuild the master jail according to  
"man jail".  Then I start a special main jail that was used to  
install ports used, if any, into a common area and do any updates  
necessary -- this last one from 5.4 to 6.0 I just made sure I had the  
5x compatibility stuff installed and all was fine for now so I have  
more time to redo individual ports or SW built from scratch.  When  
that is done I restart all the jails.


I had about 40 jails active when I went from 5.4 to 6.0 on this  
particular machine (some earlier ones I did from 5.4 to 6.0 had maybe  
1 or 2 jails so they were not the definitive test case).  Had no  
problems once I made sure all the jails were accessing the compat 5x  
stuff (which I did by editing in each jail /etc -- you could use a  
script  but I am lousy at writing more than simple scripts -- the  
rc.conf and making sure that "ldconfig_paths=" was set appropriately  
to the master jail wide compat5x library location...


Done, finis

Chad


---
Chad Leigh -- Shire.Net LLC
Your Web App and Email hosting provider
chad at shire.net





Re: jails or chroot?

2006-05-10 Thread Iantcho Vassilev

On 5/9/06, Chad Leigh -- Shire.Net LLC <[EMAIL PROTECTED]> wrote:

> On May 9, 2006, at 5:53 AM, Michael Grant wrote:
> 
> > When it comes time to upgrade, how does one upgrade 100 different
> > jails?  This will be a nightmare!
> 
> Actually, not.  You only need 1 master jail and a bunch of nullfs
> read only mounts plus some exclusive space for each jail.  I run 44
> jails at the moment this way.  Upgrading is relatively easy as I only
> have to upgrade one master jail (and unfortunately lots of jail etc
> if such happens but a few scripts can automate much of that).
> 
> I basically set up
> 
> /local/jails/master  and install according to man jail into this
> place.  I never start this jail.
> 
> I happen to use disk backed md devices as the root for each jail.  I
> mount each on /local/jail/
> 
> Then I do
> 
> /sbin/mount_nullfs -o ro /local/jails/master/bin /local/jails/adcmw/bin
> /sbin/mount_nullfs -o ro /local/jails/master/lib /local/jails/adcmw/lib
> /sbin/mount_nullfs -o ro /local/jails/master/libexec /local/jails/adcmw/libexec
> /sbin/mount_nullfs -o ro /local/jails/master/sbin /local/jails/adcmw/sbin
> /sbin/mount_nullfs -o ro /local/jails/master/usr /local/jails/adcmw/usr
> /sbin/mount -t procfs proc /local/jails/adcmw/proc
> devfs_domount /local/jails/adcmw/dev devfsrules_jail
> devfs_set_ruleset devfsrules_jail /local/jails/adcmw/dev
> /sbin/devfs -m /local/jails/adcmw/dev rule -s 4 applyset
> 
> In my master jail I have some symlinks so that each jail has its own
> /usr/local/ that is writable.
> 
> All the jails run out of one installed jail and they also have the
> side benefit of the main system directories being read only so
> exploits in one jail cannot affect all the running jails.

Wow,
I really like the setup you have made..

One question. How do you update the system (and the jail)?


Re: jails or chroot?

2006-05-09 Thread Chad Leigh -- Shire.Net LLC


On May 9, 2006, at 5:53 AM, Michael Grant wrote:



When it comes time to upgrade, how does one upgrade 100 different
jails?  This will be a nightmare!


Actually, not.  You only need 1 master jail and a bunch of nullfs  
read only mounts plus some exclusive space for each jail.  I run 44  
jails at the moment this way.  Upgrading is relatively easy as I only  
have to upgrade one master jail (and unfortunately lots of jail etc  
if such happens but a few scripts can automate much of that).


I basically set up

/local/jails/master  and install according to man jail into this  
place.  I never start this jail.


I happen to use disk backed md devices as the root for each jail.  I  
mount each on /local/jail/


Then I do

/sbin/mount_nullfs -o ro /local/jails/master/bin /local/jails/adcmw/bin
/sbin/mount_nullfs -o ro /local/jails/master/lib /local/jails/adcmw/lib
/sbin/mount_nullfs -o ro /local/jails/master/libexec /local/jails/adcmw/libexec
/sbin/mount_nullfs -o ro /local/jails/master/sbin /local/jails/adcmw/sbin
/sbin/mount_nullfs -o ro /local/jails/master/usr /local/jails/adcmw/usr
/sbin/mount -t procfs proc /local/jails/adcmw/proc
devfs_domount /local/jails/adcmw/dev devfsrules_jail
devfs_set_ruleset devfsrules_jail /local/jails/adcmw/dev
/sbin/devfs -m /local/jails/adcmw/dev rule -s 4 applyset

In my master jail I have some symlinks so that each jail has its own
/usr/local/ that is writable.


All the jails run out of one installed jail and they also have the  
side benefit of the main system directories being read only so  
exploits in one jail cannot affect all the running jails.


Chad


---
Chad Leigh -- Shire.Net LLC
Your Web App and Email hosting provider
chad at shire.net





Re: jails or chroot?

2006-05-09 Thread Philip Hallstrom

With the inclusion of mergemaster -u subsequent base system upgrades
are much less painful.  Using null mounts for the common areas should
lessen the version sync issues.  Once unionfs is stable again, you
could just use one jail as a base image and allow the others to be
cloned off of that.


ezjail might come in handy as well...

http://erdgeist.org/arts/software/ezjail/


Re: jails or chroot?

2006-05-09 Thread Anish Mistry
On Tuesday 09 May 2006 08:24, Michael Grant wrote:
> I'll try to be more explicit on my requirements.  I'm not worried
> about mail.  I'm mostly worried about web.  Each client has a web
> site with one or more domains.  I currently offer them
> apache+php+mysql+mod_perl+mod_ssl.  One of them needs java server
> pages, tomcat I think.  Everyone gets access to their own logs and
> to geolizer (webalizer).  Some clients would like shell access. 
> Most clients write their web site using ftp.  Certain ones need
> also the MS Front Page Extensions.  Some clients want an ftp upload
> area.  Ssl poses a special problem in that I need to allocate an ip
> address for those who have their own ssl certificate.  It's pretty
> much all standard stuff.
I use suphp with apache in a mass hosting configuration for about 50 
websites to take care of the php access issues.  You'll need to setup 
the ACLs correctly so there is no snooping.  I then use scponly to 
allow chrooted sftp access to their web directories.  Webalizer logs 
are automatically generated and placed in their chrooted directory for 
download.
As for shell access I don't allow it.  If people want easy command 
line access I just tell them to use sshfs on FreeBSD or Linux.  The Windows 
and Mac users don't care about shell access.
For the Tomcat, Frontpage, and SSL users just setup jails for them.  
With the inclusion of mergemaster -u subsequent base system upgrades 
are much less painful.  Using null mounts for the common areas should 
lessen the version sync issues.  Once unionfs is stable again, you 
could just use one jail as a base image and allow the others to be 
cloned off of that.
Hopefully some of the above helps you in your situation.

>
> But yes, I totally agree with you, it is an administration
> nightmare to set up separate jails and keep track of which has
> which version of what and so on.  There must be an easier way to do
> this.  Some of you folks who run hosting sites, how do you manage
> large numbers of clients?
>
> Michael Grant
>
> On 5/9/06, Subhro <[EMAIL PROTECTED]> wrote:
> > On 5/9/06, Michael Grant <[EMAIL PROTECTED]> wrote:
> > > I host a bunch of websites on my box.  Recently I had some
> > > problems with file access problems with php which caused me to
> > > look into putting each of my clients into their own jail or
> > > chroot.  I have roughly 100 different domains I'd need to
> > > split.
> >
> > I won't be doing this even if someone pays me twice for doing it.
> > This is going to create a HELL lot of problems later on,
> > especially during upgrades.
> >
> > BTW can you tell us your exact requirements?
> >
> > Thanks and Best Regards
> > Subhro
> >
> > --
> > Subhro Kar
> > Security Engineer
> > iViZ Techno Solutions Pvt. Ltd.
> > eRevMax House, 1st Floor
> > Plot XI-16, Sector V
> > Salt Lake City
> > 700091
> > India
>

-- 
Anish Mistry




RE: jails or chroot?

2006-05-09 Thread Philippe Lang
Hi,

Sure, jails require more work regarding administration. Ports are not the
biggest problem I think, it's the easy part. The problem is when you have to
update the world. But even here, with a good script, it's not such a
nightmare.

Maybe all you need is Michael's solution. But take into account that with
jails, you have a great flexibility regarding the application you install
for a particular client. And all the security that a jail system can offer,
plus a fantastic way of managing your backups.

I personally run a jail based VPS server, based on FreeBSD 6.0, with 13
jails at the moment. It's a dual xeon, with 4GB RAM, and RAID 5 SCSI HDs. I
have 355 MB RAM active, 1525 inactive and 1679 MB RAM are free. I intend to
run a maximum of 50 jails on this server. And until now, nothing seems to
oppose to my plans.

Beware of one thing with jails, though: a bug in FreeBSD does not permit a
clean shutdown of jails. But trust me: you never need to!

Hope this helps, and keep us informed of your choice.

Philippe Lang


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On behalf of Jahilliya
Sent: Tuesday, 9 May 2006 14:48
To: Michael Grant
Cc: freebsd-questions@freebsd.org
Subject: Re: jails or chroot?

On 5/9/06, Michael Grant <[EMAIL PROTECTED]> wrote:
>
> I host a bunch of websites on my box.  Recently I had some problems 
> with file access problems with php which caused me to look into 
> putting each of my clients into their own jail or chroot.  I have 
> roughly 100 different domains I'd need to split.
>
> Has anyone done this for more than a handful of clients?  Using 
> apache and their "mass virtual hosting", 100 domains is a breeze.  But 
> with a jail or chroot, I need a separate apache process for each 
> domain.  This is going to mean hundreds of apache processes.  This 
> seems unreasonable.


Agreed that creating hundreds of chroots or jails would be an administrative
nightmare. File access can be solved with suexec (compile apache with suexec
enabled), this means that for each virtual host entry in your apache config
you add User and Group (check http://httpd.apache.org/docs/2.2/suexec.html
or your apache version doc set). This will make each apache process run as
the user specified in virtual host entry (not www) allowing you to restrict
their access to files with filesystem ACLs and even ugidfw, you could also
then setup process/memory restrictions in /etc/login.conf

It will also make updating pretty much as standard as it is now.

Give it a burl if it sounds like what you need.





Re: jails or chroot?

2006-05-09 Thread Jahilliya

On 5/9/06, Michael Grant <[EMAIL PROTECTED]> wrote:


I host a bunch of websites on my box.  Recently I had some problems
with file access problems with php which caused me to look into
putting each of my clients into their own jail or chroot.  I have
roughly 100 different domains I'd need to split.

Has anyone done this for more than a handful of clients?  Using
apache and their "mass virtual hosting", 100 domains is a breeze.  But
with a jail or chroot, I need a separate apache process for each
domain.  This is going to mean hundreds of apache processes.  This
seems unreasonable.



Agreed that creating hundreds of chroots or jails would be an administrative
nightmare. File access can be solved with suexec (compile apache with suexec
enabled), this means that for each virtual host entry in your apache config
you add User and Group (check http://httpd.apache.org/docs/2.2/suexec.html or
your apache version doc set). This will make each apache process run as the
user specified in virtual host entry (not www) allowing you to restrict
their access to files with filesystem ACLs and even ugidfw, you could also
then setup process/memory restrictions in /etc/login.conf

It will also make updating pretty much as standard as it is now.

Give it a burl if it sounds like what you need.
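
The per-client suexec setup described above, scripted for the hundred-domain
case Michael raised. This is an added example, not code from the thread or from
the Apache project. Two details worth knowing before relying on it: suexec only
changes the identity of CGI programs and SSI exec'd commands, so PHP only gains
from it when it runs as php-cgi under the vhost's user (mod_php keeps running
inside httpd as the server user); and in Apache 2.x the per-vhost directive is
SuexecUserGroup, the User/Group-inside-VirtualHost form was Apache 1.3. The
web root, the Includes directory, the login class name and the two sample
domains are assumptions; the script prints what it would do unless DRYRUN=0.

```shell
#!/bin/sh
# Added example (not from the thread): provision one Unix user, directory tree
# and suexec'd Apache 2.2 vhost per hosted domain, so CGI started under that
# vhost runs as the client instead of as www. Dry run by default; DRYRUN=0
# executes (root on FreeBSD, apache22 built with suexec). Paths are assumptions.
# suexec also insists that the CGI directory and script are owned by the vhost
# user and not group/world writable, and that they live under its compiled-in
# document root (/usr/local/www for the FreeBSD port), hence WEBROOT below.

WEBROOT=${WEBROOT:-/usr/local/www/clients}
VHOST_DIR=${VHOST_DIR:-/usr/local/etc/apache22/Includes}
LOGIN_CLASS=${LOGIN_CLASS:-webclient}   # assumed class in /etc/login.conf
DRYRUN=${DRYRUN:-1}

# run CMD...: print the command when dry-running, otherwise execute it.
run() {
    if [ "$DRYRUN" = 1 ]; then echo "+ $*"; else "$@"; fi
}

# client_user DOMAIN: derive a safe Unix username from a domain name
# (Example.ORG -> example_org), capped at 16 characters for pw(8).
client_user() {
    printf '%s\n' "$1" | tr 'A-Z' 'a-z' | sed 's/[^a-z0-9]/_/g' | cut -c1-16
}

# vhost_conf USER DOMAIN: emit the per-domain <VirtualHost> stanza.
# SuexecUserGroup makes CGI/SSI under this vhost run as USER:USER; the
# RLimit* core directives cap what those CGI children may consume
# (soft/hard: CPU seconds, bytes of memory, number of processes).
vhost_conf() {
    user=$1 domain=$2
    cat <<EOF
<VirtualHost *:80>
    ServerName $domain
    ServerAlias www.$domain
    DocumentRoot $WEBROOT/$user/htdocs
    SuexecUserGroup $user $user
    ScriptAlias /cgi-bin/ $WEBROOT/$user/cgi-bin/
    RLimitCPU 60 120
    RLimitMEM 134217728 268435456
    RLimitNPROC 20 40
    ErrorLog $WEBROOT/$user/logs/error.log
    CustomLog $WEBROOT/$user/logs/access.log combined
</VirtualHost>
EOF
}

# provision DOMAIN: create the user, its tree and its vhost include file.
provision() {
    domain=$1
    user=$(client_user "$domain")
    run pw useradd "$user" -c "web client $domain" -d "$WEBROOT/$user" \
        -s /usr/sbin/nologin -L "$LOGIN_CLASS"
    for d in htdocs cgi-bin logs; do
        run mkdir -p "$WEBROOT/$user/$d"
    done
    run chown -R "$user:$user" "$WEBROOT/$user"
    run chmod 711 "$WEBROOT/$user"   # httpd may traverse; clients cannot list each other
    if [ "$DRYRUN" = 1 ]; then
        vhost_conf "$user" "$domain"
    else
        vhost_conf "$user" "$domain" > "$VHOST_DIR/$domain.conf"
    fi
}

# One domain per word; the two names here are a constructed sample list.
# After DRYRUN=0: apachectl configtest && apachectl graceful
for domain in ${DOMAINS:-example.org client-two.example}; do
    provision "$domain"
done
```

Give it a real list with DOMAINS="..." and inspect the dry-run output before
setting DRYRUN=0; shell users still get nologin here, so clients who need a
shell would get that separately (and, for the reason Kris gives later in this
thread, preferably inside a jail).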


Re: jails or chroot?

2006-05-09 Thread Michael Grant

I'll try to be more explicit on my requirements.  I'm not worried
about mail.  I'm mostly worried about web.  Each client has a web site
with one or more domains.  I currently offer them
apache+php+mysql+mod_perl+mod_ssl.  One of them needs java server
pages, tomcat I think.  Everyone gets access to their own logs and to
geolizer (webalizer).  Some clients would like shell access.  Most
clients write their web site using ftp.  Certain ones need also the MS
Front Page Extensions.  Some clients want an ftp upload area.  Ssl
poses a special problem in that I need to allocate an ip address for
those who have their own ssl certificate.  It's pretty much all
standard stuff.

But yes, I totally agree with you, it is an administration nightmare
to set up separate jails and keep track of which has which version of
what and so on.  There must be an easier way to do this.  Some of you
folks who run hosting sites, how do you manage large numbers of
clients?

Michael Grant

On 5/9/06, Subhro <[EMAIL PROTECTED]> wrote:

On 5/9/06, Michael Grant <[EMAIL PROTECTED]> wrote:
> I host a bunch of websites on my box.  Recently I had some problems
> with file access problems with php which caused me to look into
> putting each of my clients into their own jail or chroot.  I have
> roughly 100 different domains I'd need to split.

I won't be doing this even if someone pays me twice for doing it. This
is going to create a HELL lot of problems later on, especially during
upgrades.

BTW can you tell us your exact requirements?

Thanks and Best Regards
Subhro

--
Subhro Kar
Security Engineer
iViZ Techno Solutions Pvt. Ltd.
eRevMax House, 1st Floor
Plot XI-16, Sector V
Salt Lake City
700091
India





Re: jails or chroot?

2006-05-09 Thread Subhro

On 5/9/06, Michael Grant <[EMAIL PROTECTED]> wrote:

I host a bunch of websites on my box.  Recently I had some problems
with file access problems with php which caused me to look into
putting each of my clients into their own jail or chroot.  I have
roughly 100 different domains I'd need to split.


I won't be doing this even if someone pays me twice for doing it. This
is going to create a HELL lot of problems later on, especially during
upgrades.

BTW can you tell us your exact requirements?

Thanks and Best Regards
Subhro

--
Subhro Kar
Security Engineer
iViZ Techno Solutions Pvt. Ltd.
eRevMax House, 1st Floor
Plot XI-16, Sector V
Salt Lake City
700091
India


jails or chroot?

2006-05-09 Thread Michael Grant

I host a bunch of websites on my box.  Recently I had some problems
with file access problems with php which caused me to look into
putting each of my clients into their own jail or chroot.  I have
roughly 100 different domains I'd need to split.

Has anyone done this for more than a handful of clients?  Using
apache and their "mass virtual hosting", 100 domains is a breeze.  But
with a jail or chroot, I need a separate apache process for each
domain.  This is going to mean hundreds of apache processes.  This
seems unreasonable.

When it comes time to upgrade, how does one upgrade 100 different
jails?  This will be a nightmare!

What do you folks do who run lots of domains on freebsd?

Michael Grant


Re: chroot and /dev

2005-12-15 Thread Kris Kennaway
On Thu, Dec 15, 2005 at 07:18:11PM +, Dieter wrote:
> How does one provide one or two devices, e.g. /dev/null
> for a chroot environment?
> 
> Device nodes created by mknod do not work.
> 
> mount_devfs creates an entire device tree, negating
> the security of the chroot.

See the jail manpage (jail is better than chroot if security is your
goal).

Kris




chroot and /dev

2005-12-15 Thread Dieter
How does one provide one or two devices, e.g. /dev/null
for a chroot environment?

Device nodes created by mknod do not work.

mount_devfs creates an entire device tree, negating
the security of the chroot.
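
What Dieter's question and Kris's pointer to jail(8) come down to, as an added
example that is not from either post. On FreeBSD 5 and later a device node only
works inside a devfs mount, which is why mknod'd nodes are dead; the way to get
"one or two devices" is therefore to mount devfs under the chroot and then hide
everything except an allow-list with a devfs(8) ruleset, the same mechanism
/etc/devfs.rules uses for jails. The chroot path and the ruleset number are
assumptions; the script prints the commands unless DRYRUN=0 (root on FreeBSD).

```shell
#!/bin/sh
# Added example (not from the thread): give a chroot a /dev containing only an
# allow-list of nodes, using a devfs(8) ruleset instead of mknod. Dry run by
# default; DRYRUN=0 executes for real. Ruleset number 100 and the chroot path
# are assumptions; the default ruleset numbers 1-4 belong to /etc/defaults/devfs.rules.

DRYRUN=${DRYRUN:-1}

# run CMD...: print the command when dry-running, otherwise execute it.
run() {
    if [ "$DRYRUN" = 1 ]; then echo "+ $*"; else "$@"; fi
}

# load_allowlist RULESET DEV...: (re)build a ruleset that hides every node and
# then unhides only the named ones. Rules apply in number order, so the later
# unhide rules win over the blanket hide, exactly as devfs.rules(5) sets do.
load_allowlist() {
    rs=$1; shift
    run devfs rule -s "$rs" delset          # start from an empty ruleset
    run devfs rule -s "$rs" add hide        # hide everything ...
    for dev in "$@"; do
        run devfs rule -s "$rs" add path "$dev" unhide   # ... except these
    done
}

# restrict_chroot_dev CHROOT RULESET DEV...: mount devfs under CHROOT/dev,
# load the allow-list, attach it to that mount (so nodes created later are
# filtered too) and apply it to the nodes that already exist.
restrict_chroot_dev() {
    root=$1; rs=$2; shift 2
    run mount -t devfs devfs "$root/dev"
    load_allowlist "$rs" "$@"
    run devfs -m "$root/dev" ruleset "$rs"
    run devfs -m "$root/dev" rule applyset
}

# Default invocation: four nodes most chrooted daemons need and nothing else.
# Verify afterwards with: ls /chroot/www/dev  (expect only null zero random urandom)
# To make it survive reboot, put the same rules in /etc/devfs.rules under a
# [chroot_www=100] heading and point rc.conf's devfs_set_rulesets at the mount.
[ -n "${NO_MAIN:-}" ] || restrict_chroot_dev "${1:-/chroot/www}" 100 null zero random urandom
```

The ruleset is per mount, so the host's own /dev is untouched, and because
the rules are evaluated in the kernel the chroot cannot get a hidden node back
by creating one.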


Re: How do I chroot rsync like I chroot ftp ?

2005-11-10 Thread Francisco Reyes

On Thu, 10 Nov 2005, user wrote:

scponly is another restricted shell like rssh.  It is under more active
development, and seems to have more features.

It's in the ports tree under shells.



I was looking for it under security.
Will try it this weekend..

Have you tried it yet?

I am also leaning towards scponly because it supports both rsync and 
unison.



Re: How do I chroot rsync like I chroot ftp ?

2005-11-10 Thread user


On Wed, 9 Nov 2005, [EMAIL PROTECTED] wrote:

> user writes:
> 
> > What is the equivalent mechanism for rsync ?
> 
> 
> I have not used it myself, but was looking at rssh tonight. There is also a 
> program, not in the ports, called scopy or something of the like.
> 
> Check the rssh port in the /usr/ports tree.. go to their web page. They 
> mention the URL for the other program.
> 
> I am looking to do the same thing, chroot rsync, so will be looking at those 
> two options I mentioned above in coming days. 


scponly is another restricted shell like rssh.  It is under more active
development, and seems to have more features.

It's in the ports tree under shells.



Re: How do I chroot rsync like I chroot ftp ?

2005-11-09 Thread [EMAIL PROTECTED]

user writes:


What is the equivalent mechanism for rsync ?



I have not used it myself, but was looking at rssh tonight. There is also a 
program, not in the ports, called scopy or something of the like.


Check the rssh port in the /usr/ports tree.. go to their web page. They 
mention the URL for the other program.


I am looking to do the same thing, chroot rsync, so will be looking at those 
two options I mentioned above in coming days. 


Re: How do I chroot rsync like I chroot ftp ?

2005-10-21 Thread user


On Fri, 21 Oct 2005, Dan Nelson wrote:

> In the last episode (Oct 21), user said:
> > Generally I chroot ftp users by simply adding their username to
> > /etc/ftpchroot.  In older days, I used login.conf, etc.
> > 
> > The point is, it's easy to take a specific user and set a chroot that
> > applies to what they can see when they use ftp.
> > 
> > What is the equivalent mechanism for rsync ?
> 
> See the rsyncd.conf manpage; it explains how to chroot rsyncd.


Yes ... I saw that ... is there anyway to "chroot" rsync over ssh, so I
can use public keys and not run the actual rsync server ?

I'd like to do the same thing with rdist as well, and am not sure ... how
that would even work.  I do rdist now over ssh, and it works fine, but
... not sure how to get rdist users to only see their own directory.

Is it possible that what I really want to do is chroot ssh, if I am doing
all of my rsync/rdist over ssh ?

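
Dan's pointer to rsyncd.conf(5) and the follow-up question about rsync over
ssh, worked through as an added example that is not from either post. The
daemon side is a real chroot: with "use chroot = yes" rsyncd calls chroot(2)
into the module path (which is why it has to start as root) and then drops to
the module's uid/gid, so it is the closest match to /etc/ftpchroot. Stock
OpenSSH of that era has no chroot, so for rsync over ssh with public keys the
usual substitute is a forced command in authorized_keys that pins the key to
one rsync invocation and one directory (rrsync, the helper shipped in rsync's
support/ directory) plus the no-* options so the key can do nothing else.
That is argument checking in a script, not a kernel boundary; if the boundary
must be kernel-enforced, scponly's chroot mode, mentioned elsewhere in this
thread, or a jail is the alternative. Users, paths, the hosts allow network
and the rrsync install location are constructed or assumed.

```shell
#!/bin/sh
# Added example (not from the thread): two ways to confine rsync users.
#  1. rsync daemon modules with "use chroot = yes" (kernel chroot, like ftpchroot).
#  2. rsync over ssh with a forced command (rrsync) in authorized_keys, which
#     limits the key to one rsync invocation against one directory.
# Sample users, paths, the hosts allow network and RRSYNC are constructed/assumed.

RRSYNC=${RRSYNC:-/usr/local/share/rsync/rrsync}   # assumed install path
SECRETS=${SECRETS:-/usr/local/etc/rsyncd.secrets}   # must be mode 600, root-owned

# rsyncd_module NAME PATH USER: one chrooted, read-only, password-protected
# module. The daemon chroots to PATH and then runs as USER:USER, so the client
# can neither see nor name anything outside PATH; "list = no" keeps the module
# out of "rsync host::" listings.
rsyncd_module() {
    name=$1 path=$2 user=$3
    cat <<EOF
[$name]
    path = $path
    use chroot = yes
    uid = $user
    gid = $user
    read only = yes
    list = no
    auth users = $user
    secrets file = $SECRETS
    strict modes = yes
    hosts allow = 192.0.2.0/24
EOF
}

# rsyncd_conf USER:PATH...: global section plus one module per pair; the
# global uid/gid is what any module without its own would run as.
rsyncd_conf() {
    cat <<EOF
uid = nobody
gid = nobody
use chroot = yes
max connections = 20
log file = /var/log/rsyncd.log
EOF
    for pair in "$@"; do
        user=${pair%%:*}; path=${pair#*:}
        echo
        rsyncd_module "$user" "$path" "$user"
    done
}

# forced_key DIR MODE PUBKEY: an authorized_keys line for the ssh case. rrsync
# only accepts a server-side rsync command whose paths stay under DIR (MODE
# "-ro" refuses writes; empty allows them); the no-* options strip shells,
# port forwarding, agent forwarding and X11 from the key.
forced_key() {
    dir=$1 mode=$2 pubkey=$3
    printf 'command="%s %s%s",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty %s\n' \
        "$RRSYNC" "${mode:+$mode }" "$dir" "$pubkey"
}

# Demo on constructed input; redirect to /usr/local/etc/rsyncd.conf and to
# the client's ~/.ssh/authorized_keys once the output looks right.
rsyncd_conf alice:/home/alice/pub bob:/srv/bob
echo
forced_key /home/alice/pub -ro "ssh-rsa AAAAB3NzaC1yc2E...constructed... alice@laptop"
```

The daemon module gives the ftpchroot-style guarantee the original question
asked for; the forced-command line answers the "over ssh with public keys"
follow-up, at the cost of trusting rrsync's argument parsing rather than
chroot(2). rdist has no equivalent helper, so for rdist users the daemon
module or a jail is the realistic option.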


Re: How do I chroot rsync like I chroot ftp ?

2005-10-21 Thread Dan Nelson
In the last episode (Oct 21), user said:
> Generally I chroot ftp users by simply adding their username to
> /etc/ftpchroot.  In older days, I used login.conf, etc.
> 
> The point is, it's easy to take a specific user and set a chroot that
> applies to what they can see when they use ftp.
> 
> What is the equivalent mechanism for rsync ?

See the rsyncd.conf manpage; it explains how to chroot rsyncd.

-- 
Dan Nelson
[EMAIL PROTECTED]


How do I chroot rsync like I chroot ftp ?

2005-10-21 Thread user

Generally I chroot ftp users by simply adding their username to
/etc/ftpchroot.  In older days, I used login.conf, etc.

The point is, it's easy to take a specific user and set a chroot that
applies to what they can see when they use ftp.

What is the equivalent mechanism for rsync ?

thanks.


