From: Todd Herr (todd@angrysunguy.com)
Date: Mon Nov 17 2003 - 14:01:46 EST
Two answers here:
1. su doesn't use login(1). D'oh!
2. login(1) should work; run truss on it. Sure enough, there
proved to be a missing file or three in my chroot'd
environment.
Thanks to all respondents.
On Mon, 17 Nov 2003, at 13:09, Todd Herr wrote:
> Greetings.
>
> Solaris 8, kernel patch rev -23, Sun Blade 150.
>
> I'm fiddling about trying to setup a chroot jail for a generic
> user to run a random application. As far as I know, I've got all
> the relevant executables, libraries, filesystems, and whatnot
> copied to the filesystem subtree where I want the chroot'd jail
> to be. The problem comes when I try to login to or "su -" to the
> generic user.
>
> In /etc/passwd, I have this entry:
>
> foo:x:1003:10::/var/foo/jail:*
>
> In /var/foo/jail/etc/passwd, I have this entry:
>
> foo:x:1003:10:foo:/:/sbin/sh
>
> /var/foo/jail/sbin/sh exists, and is executable.
>
> The problem comes when I try to login as or su - the user foo.
>
> A login session looks like this:
>
> login: foo
> Password:
> Subsystem root: /var/foo/jail
>
> and that's it.
>
> Trying to su - foo yields this:
>
> # su - foo
> su: No shell
>
> I've run truss on the 'su - foo' command, and I can clearly see
> the source of the problem:
>
> truss su - foo
> [snip]
> chdir("/var/foo/jail") = 0
> munmap(0xFF052000, 2091) = 0
> munmap(0xFF040000, 5746) = 0
> munmap(0xFEE54000, 2936) = 0
> munmap(0xFEE40000, 13013) = 0
> munmap(0xFEE32000, 1898) = 0
> munmap(0xFEE20000, 4389) = 0
> munmap(0xFF02C000, 4416) = 0
> munmap(0xFF010000, 47222) = 0
> munmap(0xFF000000, 11552) = 0
> munmap(0xFEFE0000, 130932) = 0
> sigaction(SIGXCPU, 0xFFBEECD8, 0xFFBEED58) = 0
> sigaction(SIGXFSZ, 0xFFBEECD8, 0xFFBEED58) = 0
> execve("*", 0xFFBEED88, 0x000246A0) Err#2 ENOENT <-----
> su: No shell
> write(2, " s u : N o s h e l l".., 13) = 13
> llseek(0, 0, SEEK_CUR) = 207038
> _exit(3)
>
> What I don't understand is *why* it's trying to execve "*" for
> the shell; I had thought that it would pick up passwd entry in
> /var/foo/jail/etc/passwd. At least, that's how I interpreted the
> man page entry for login(1):
>
> If the login-shell field in the password file (see
> passwd(4)) is empty, then the default command interpreter,
> /usr/bin/sh, is used. If this field is * (asterisk), then
> the named directory becomes the root directory. At that
> point, login is re-executed at the new level, which must
> have its own root structure.
>
> Clearly, I've mis-interpreted this. Can someone provide me a
> clue as to how to get the behavior I seek, presuming it's
> possible to do so?
>
> Thanks.
>
>
-- Todd Herr todd@angrysunguy.com _______________________________________________ sunmanagers mailing list sunmanagers@sunmanagers.org http://www.sunmanagers.org/mailman/listinfo/sunmanagers
This archive was generated by hypermail 2.1.7 : Wed Apr 09 2008 - 23:27:30 EDT