Solaris 10 Zones / Chroot / SFTP

From: Miranda, George (George.Miranda@vgames.com)
Date: Fri Mar 02 2007 - 17:03:23 EST


Sun Managers,

I am attempting to set up a chroot'ed SFTP environment within a Solaris
10 Zone. I am able to make chroot'ed SSH & chroot'ed SFTP work just
fine on Solaris 10 outside of a zone. Within a Solaris 10 zone,
chroot'ed SSH works. However, within a Solaris 10 zone, chroot'ed SFTP
fails. To illustrate the problem, snippets of my session are below.

The zone user "sshtest" is configured to chroot.

root@zone1 # ssh -l sshtest zone1
sshtest@zone1's password:
Last login: Wed Feb 28 11:56:09 2007 from localhost
Sun Microsystems Inc. SunOS 5.10 Generic January 2005
$ cd /
$ ls
bin dev home lib usr
$ ls -l /dev
total 0
crw-rw-rw- 1 0 0 13, 2 Feb 28 18:53 null
crw-rw-rw- 1 0 0 13, 12 Feb 28 18:53 zero

Clearly, chroot SSH works. However, when I attempt to SFTP...

root@zone1 # sftp sshtest@zone1
Connecting to zone1...
sshtest@zone1's password:
Connection closed

A manual attempt to start SFTP from within the chroot'ed environment
produces the following clues:

root@zone1 # ssh -l sshtest zone1
sshtest@zone1's password:
Last login: Wed Feb 28 12:10:22 2007 from localhost
Sun Microsystems Inc. SunOS 5.10 Generic January 2005
$ /usr/local/libexec/sftp-server
Couldn't open /dev/null: No such device or address

But as seen in the session above, clearly /dev/null exists in the
chroot'ed environment.

I know that zones require explicit permission to access a raw device.
So I have added access to both the special file "null" within the
chroot/dev/ directory (using the full path to that device file from the
global zone) and to the global zone's own /dev/null (though I believe
this step is redundant).

You can see what I mean from this partial snippet of my zone config.

root@global-zone # zonecfg -z zone1
zonecfg:zone1> info
[...]
device
        match: /zone-exports/zone1/home/sshtest/chroot/dev/null
device
        match: /dev/null

After granting access to these device files, it still doesn't work. Any
push in the right direction would be appreciated.

For reference:

SSH/SFTP software - OpenSSH 4.5p1
                    w/ chroot patch (http://chrootssh.sourceforge.net)

OS: SunOS 5.10 Generic_118833-33 sun4u sparc SUNW,Sun-Fire-V240

The chroot'ed environment was configured based on the how-to posted at
http://chrootssh.sourceforge.net/docs/chrootedsftp.html

Thanks in advance!

_____________________________
George Miranda
Senior Unix Systems Engineer
Vivendi Games, Los Angeles
http://www.vugames.com
_____________________________
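The session above makes a point worth turning into a check: a device node can show up in `ls -l` with the right type and numbers and still be refused on open(2), which is exactly what "No such device or address" (ENXIO) from sftp-server means. The script below is an added example and is not part of George's post or of the chrootssh how-to. It verifies a chroot's /dev entries in three steps (present, a character device with the same major/minor as the host's node, and actually openable) and returns a distinct exit code for each failure mode. It assumes a POSIX sh (on Solaris 10 use /usr/xpg4/bin/sh or ksh rather than /bin/sh) whose `ls -l` prints "major, minor" in fields 5 and 6 for device files; it does not model a zone's device policy itself, so run it inside the zone against the chroot root to see where the open is denied.

```sh
#!/bin/sh
# Added example (not from the original post): check that a device node inside
# a chroot tree is not merely present in an `ls` listing, but is a character
# device with the same major/minor as the host's /dev/NAME and can actually
# be opened. Exit codes distinguish the failure modes so a caller can act.
#
# Assumptions: POSIX sh, and `ls -l` printing "major, minor" in fields 5 and 6
# for device files (true of Solaris and GNU ls). The zone's device policy is
# not modelled here; run the script inside the zone to observe it.

# check_dev ROOT NAME
#   0 ok, 1 missing, 2 not a character device, 3 wrong device numbers,
#   4 present but not openable (the ENXIO case seen from sftp-server)
check_dev() {
    root=$1
    name=$2
    dev="$root/dev/$name"
    ref="/dev/$name"

    if [ ! -e "$dev" ]; then
        echo "$dev: missing"
        return 1
    fi
    if [ ! -c "$dev" ]; then
        echo "$dev: exists but is not a character device"
        return 2
    fi

    # Compare "major,minor" with the reference node outside the chroot.
    # Skipped if the reference node itself is absent on this host.
    want=$(ls -lL "$ref" 2>/dev/null | awk '{ print $5 $6 }')
    have=$(ls -lL "$dev" 2>/dev/null | awk '{ print $5 $6 }')
    if [ -n "$want" ] && [ "$want" != "$have" ]; then
        echo "$dev: device numbers $have, expected $want (as $ref)"
        return 3
    fi

    # The decisive test: try to open the node for reading. A subshell is used
    # so that a failed redirection cannot abort the calling shell.
    if ! ( true < "$dev" ) 2>/dev/null; then
        echo "$dev: present but cannot be opened"
        return 4
    fi

    echo "$dev: ok"
    return 0
}

# check_chroot_devs ROOT
#   Checks the two nodes the post's chroot listing shows (null and zero).
#   Returns the number of nodes that failed any check.
check_chroot_devs() {
    failures=0
    for n in null zero; do
        check_dev "$1" "$n" || failures=$((failures + 1))
    done
    return $failures
}

# Usage: sh check_chroot_dev.sh /home/sshtest/chroot   (path is an example)
if [ $# -eq 1 ]; then
    check_chroot_devs "$1"
fi
```

Run it once from the global zone and once from inside the zone against the same chroot root: if the global zone reports "ok" for a node the zone reports as "present but cannot be opened", the node is fine as a file and the problem lies in what the zone lets that process open.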
_______________________________________________
sunmanagers mailing list
sunmanagers@sunmanagers.org
http://www.sunmanagers.org/mailman/listinfo/sunmanagers



This archive was generated by hypermail 2.1.7 : Wed Apr 09 2008 - 23:41:43 EDT