[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Setting up a chroot jail via ssh - a few preliminary notes

From: Dan Kegel
Subject: Setting up a chroot jail via ssh - a few preliminary notes
Date: Sun, 22 Jun 2003 21:09:09 -0700
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.4) Gecko/20030529

What follows are some rough notes that I'll fold into my
"testing gcc/glibc cross-compilers with dejagnu" tutorial
once I get it working smoothly.  I'm not asking for help
or comments, just saving the notes in the archive so I
don't forget what I was doing between now and when I get
a chance to polish it up :-)

When testing a new gcc/glibc cross toolchain on an embedded system
already running a different version of glibc and Linux,
you need to set up a chroot environment on the embedded system
containing your new toolchain's shared libraries and a few binaries,
and provide a way to run programs remotely in that chroot environment
(aka jail).  Ideally, manual setup of the target
system would be simply creating a user or two and setting up one
or two scripts; the bulk of the chroot environment setup should
be done automatically, remotely, by your test script.  That lets
you test many different toolchains with no manual intervention.

I'm following the basic idea from
to get a regular account that runs all its commands in a chroot jail,
and am using ssh-keygen to allow remote execution without passwords
(see e.g. );
in the examples below, I'll use ssh's -i flag to point directly to
the private keys copied from the target system.

The recipe requires two pseudousers: foo and foo-jail.
The intent is to allow setting up the jail with remote commands
to user foo, and then run commands inside the jail as user foo-jail.
Users foo and foo-jail are both given sufficient power in /etc/sudoers,
including NOPASSWORD:, so they never get prompted for a password by sudo;
eventually I'll figure how best to trim those powers down to a minimum.

The first step is to set up those users and verify that you can
execute commands remotely without password prompting via e.g.
  ssh -l foo -i foo.id_rsa $target_ip sudo whoami
  ssh -l foo-jail -i foo-jail.id_rsa $target_ip sudo whoami

Once that's working, create the file /bin/chroot-sh containing:

REALUSER=`echo $USER | sed 's/-jail//'`
test "$1" = "-c" && shift
sudo /usr/sbin/chroot ~REALUSER/jail /bin/su - $REALUSER "$@"

Then make that be foo-jail's login shell:

echo /bin/chroot-sh >> /etc/shells
chsh -s /bin/chroot-sh foo-jail

You can't log in as user foo-jail again until the jail is set up.

Prepare chroot environment contents from your new toolchain, e.g.:

test -z "${PREFIX}"           && abort "Please set PREFIX to where the toolchain is 
PREFIX=`cd $PREFIX; pwd`
test -f $PREFIX/lib/ || abort "Couldn't find $PREFIX/lib/, check value 
rm -rf ${PREFIX}/../jail
mkdir ${PREFIX}/../jail
cd ${PREFIX}/../jail
mkdir bin dev etc home lib opt proc sbin tmp usr var
mkdir usr/bin usr/sbin usr/lib
cd ${PREFIX}
ls lib/*.so* | cpio -pmv ../jail
ls sbin/ldconfig bin/ldd bin/catchsegv | cpio -pmv ../jail
cd ..
tar -czvf jail.tar.gz jail.tar.gz

Then send that tarball and the script over to the target system:
  scp -l foo -i foo.rsa_id jail.tar.gz ${target_ip}:
where contains something like the following
(partially tested on both full linux boxes and embedded busybox systems):

umount  $JAIL/proc || /bin/true
rm -rf $JAIL
cd $HOME
tar -xzvf jail.tar.gz
mkdir ${JAIL}${HOME}
cd $JAIL/dev
mknod null   c 1 3
mknod zero   c 1 5
mknod random c 1 8
chmod 666 *
if [ -x /bin/busybox ]; then
        cp /bin/busybox      $JAIL/bin/busybox
        mkdir -p $JAIL/bin
        (cd /bin; cp ln ls rm mv cp su $JAIL/bin)
        cp /bin/ash $JAIL/bin/sh
cp /etc/passwd       $JAIL/etc
test -f /etc/shadow && cp /etc/shadow       $JAIL/etc
cp /etc/group        $JAIL/etc
if [ -d /etc/pam.d ]; then
        cp -r /etc/pam.d      $JAIL/etc
        cp -r /lib/libpam*    $JAIL/lib
        cp -r /lib/security   $JAIL/lib/security
mount -t proc proc  $JAIL/proc
if [ -x /bin/busybox ]; then
        /usr/sbin/chroot $JAIL /bin/busybox --install -s
# maybe run
#  /usr/sbin/chroot $JAIL ldconfig

Run with root privs on the target system, e.g.
   ssh -l foo -i foo.rsa_id $target_ip sudo /bin/sh /home/foo/
At this point, the jail should be fully set up.
Verify this.  The command
   ssh -l foo-jail -i foo-jail.rsa_id $target_ip whoami
should display 'foo'; the command
   ssh -l foo-jail -i foo-jail.rsa_id $target_ip ls -l /lib
should show just the lib files from the toolchain you are trying to test.

- Dan

Dan Kegel

reply via email to

[Prev in Thread] Current Thread [Next in Thread]