|
| From: | Jordi Moles Blanco |
| Subject: | [Jailkit-users] How to fix jailkit problems with /dev/null in FreeBSD |
| Date: | Tue, 29 May 2012 16:33:11 +0200 |
| User-agent: | Mozilla/5.0 (X11; Linux i686; rv:12.0) Gecko/20120424 Thunderbird/12.0 |
|
Hi everyone, I'm running a series of FreeBSD servers, versions 7.x and 8.x and now we want to offer ssh access through Jailkit. If you try to install the FreeBSD port, it works pretty much "out of the box", although once you ssh in, you realize that there are some issues with the /dev/null from within the shell and you can't "ssh out" or "scp out", or use such binaries as svn or git which require ssh protocol. I've been googling for days, reading posts in this and other mailing lists which date back to 2006-2007. As I didn't want to necro-bump, I'm exposing here my workaround for getting the jailkit to work almost completely (I haven't tested everything thoroughly) on Freebsd 7.x and 8.x. The thing is: 1. You follow the jailkit's "official" how-to and run such commands as jk_init and jk_cp to copy all the binaries you want to use inside the shell and set-up a basic environment. 2. You edit the jailkit's own /etc/password and replace the user's shell, from jk_lsh to csh (the one that FreeBSD usually works with). 3. You copy /dev/null in the jail "the FreeBSD way", that is, cp /dev/null /jailkitpath/dev/null 4. you give /dev/null 777 permissions (you may be able to set more restrictions, but what is sure is that it doesn't work with the usual permissions) chmod 777 /jailkitpath/dev/null And that's it!! Now you should be able to run those binaries which require /dev/null. What about svn and git? Well... although this /dev/null thing allows you to run some binaries, it fails when for example you want to use git. The reason is because it needs /dev/urandom and that doesn't exist in FreeBSD. Actually, we do have /dev/urandom but... # ls -la /dev/urandom lrwxr-xr-x 1 root wheel 6 Nov 3 2011 /dev/urandom -> random it's a mere link... which causes problems because /dev/random doesn't work the same way as /dev/urandom in order to fix this... we have to literally copy /dev/random into the jail, again with "cp" and not "jk_cp" cp /dev/random /jailkitpath/dev/urandom cp /dev/random /jailkitpath/dev/random actually, you have to run these commands and then "ctrl+c", that is, cancel the commands, after a second or two. If you don't do that, the "cp" command will continue to create random numbers and store them in the /jailkitpath/dev/random file. obviously, this means that your random numbers won't be as random as one may expect, but you can fix that by regenerating this random files every day with a cron or something similar. random and urandom in the jailkit don't need any special permissions. with this I've been able to use ssh, scp, sftp, svn i git from within the jail to the world. Regards, Jordi. -- Jordi Moles Blanco Sistemes Cdmon.com ___________________________ Tlf: 902 36 41 38 Tlf: 93 567 75 77 mailto: address@hidden http://www.cdmon.com |
| [Prev in Thread] | Current Thread | [Next in Thread] |