Old 01-19-2005, 02:42 PM   #1
ldp
Member
 
Registered: Apr 2004
Location: Belgium Antwerpen
Distribution: slackware - knoppix
Posts: 141

Rep: Reputation: 18
chroot getting refused with "sorry."


A question about chroot:

I just followed the procedure described in http://www.tjw.org/chroot-login-HOWTO/ and for some reason, I get kicked out with the message "sorry." and it goes back to the prompt.
This is what I see via "tail -f /var/log/messages" when I try the login:

Jan 19 22:40:23 cthulhu sudo: test : TTY=tty1 ; PWD=/home/test ; USER=root ; COMMAND=/usr/sbin/chroot /home/test /bin/su - test

(it's the same result when I try to logon via a ssh session)

when I do "root@cthulhu:~# chroot /home/test /bin/su - test" I also get:
Sorry.

Anybody have an idea here? I must be overlooking something maybe trivial to experienced users.

thanks,
Lieven
 
Old 01-19-2005, 02:52 PM   #2
ldp
but there is some strange thing to me:

root@cthulhu:~# chroot /home/test
chroot: cannot run command `/bin/sh': No such file or directory

root@cthulhu:/bin# ll | grep sh
-rwxr-xr-x 1 root bin 94560 2002-06-02 21:13 ash
-rwxr-xr-x 1 root bin 628640 2003-06-24 01:15 bash
-rwxr-xr-x 1 root root 380 2005-01-19 21:53 chroot-shell
lrwxrwxrwx 1 root root 4 2004-10-12 23:39 csh -> tcsh
-rwxr-xr-x 1 root bin 865756 2004-02-15 09:58 ksh
lrwxrwxrwx 1 root root 3 2004-10-12 23:40 rksh -> ksh
lrwxrwxrwx 1 root root 4 2004-10-12 23:37 sh -> bash
-rwxr-xr-x 1 root bin 33472 2004-03-16 03:08 shred
-rwxr-xr-x 1 root bin 319292 2004-05-28 07:29 tcsh
-rwxr-xr-x 1 root bin 443260 2004-03-23 06:56 zsh
lrwxrwxrwx 1 root root 3 2004-10-12 23:41 zsh-4.2.0 -> zsh

So I am obliged to give the command /bin/bash when I invoke the chroot?
 
Old 01-19-2005, 02:55 PM   #3
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1985
as this is chroot, it's using a file path relative to /home/test remember, so /bin/sh is looking in the real location of /home/test/bin/sh
 
Old 01-19-2005, 03:01 PM   #4
ldp
Yes, I forgot that it looks for /home/test/bin/sh and not for /home/test/bin/bash which is the shell I use and will also use for jailed users. So I just add a link from sh -> bash and try that.

Last edited by ldp; 01-19-2005 at 03:11 PM.
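The path lookup discussed in posts #2 to #4, as an added example that is not part of any post: a check that resolves a command the way a chrooted process would, with absolute symlink targets re-rooted at the jail. `jail_resolve` and the temporary jail are constructed for illustration.

```shell
#!/bin/sh
# jail_resolve is a hypothetical helper: print the host-side file that PATH
# names for a process chrooted into JAIL, or fail if it is missing there.
# Only a symlink in the final path component is followed (enough for bin/sh).
jail_resolve() {
    jail=${1%/}; path=$2; hops=0
    while [ "$hops" -lt 16 ]; do
        host="$jail$path"
        if [ -L "$host" ]; then
            target=$(readlink "$host")
            case $target in
                /*) path=$target ;;                        # absolute target: re-rooted at the jail
                *)  path="$(dirname "$path")/$target" ;;   # relative target: beside the link
            esac
            hops=$((hops + 1))
        elif [ -e "$host" ]; then
            printf '%s\n' "$host"
            return 0
        else
            printf 'missing inside jail: %s (host path %s)\n' "$path" "$host" >&2
            return 1
        fi
    done
    printf 'too many symlink levels: %s\n' "$2" >&2
    return 1
}

# Constructed jail that mirrors the thread: bin/bash is copied in, bin/sh is not.
demo_jail=$(mktemp -d)
mkdir "$demo_jail/bin"
: > "$demo_jail/bin/bash"
jail_resolve "$demo_jail" /bin/sh || echo "chroot would report: No such file or directory"
ln -s bash "$demo_jail/bin/sh"               # the link added in post #4
jail_resolve "$demo_jail" /bin/sh            # now resolves to .../bin/bash
ln -s /sbin/sulogin "$demo_jail/bin/sulogin" # absolute link, as in the host's /bin listing
jail_resolve "$demo_jail" /bin/sulogin || echo "absolute links need their target inside the jail too"
rm -rf "$demo_jail"
```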
 
Old 01-19-2005, 03:07 PM   #5
ldp
but too bad..
I get the same msg when trying to login.
 
Old 01-19-2005, 03:15 PM   #6
acid_kewpie
ok, what does "ls -laR /home/test/" say?
 
Old 01-19-2005, 03:22 PM   #7
ldp
root@cthulhu:/home/test/bin# ls -laR /home/test
/home/test:
total 44
drwx--x--x 9 test users 4096 2005-01-19 21:47 .
drwxr-xr-x 10 root root 4096 2005-01-11 21:24 ..
-rw------- 1 root root 29 2005-01-12 17:22 .bash_history
-rw-r--r-- 1 root root 3729 2005-01-11 21:24 .screenrc
drwxr-xr-x 2 root root 4096 2005-01-19 23:15 bin
drwxr-xr-x 2 root root 4096 2005-01-13 18:12 dev
drwxr-xr-x 2 root root 4096 2005-01-19 22:34 etc
drwxr-xr-x 4 root root 4096 2005-01-12 15:28 home
drwxr-xr-x 2 root root 4096 2005-01-12 17:00 lib
drwxr-xr-x 2 root root 4096 2005-01-12 15:27 usr
drwxr-xr-x 2 root root 4096 2005-01-12 15:27 var

/home/test/bin:
total 936
drwxr-xr-x 2 root root 4096 2005-01-19 23:15 .
drwx--x--x 9 test users 4096 2005-01-19 21:47 ..
-rwxr-xr-x 1 root bin 628640 2005-01-12 16:11 bash
-rwxr-xr-x 1 root root 47608 2005-01-12 17:24 cp
-rwxr-xr-x 1 root root 22600 2005-01-12 17:26 ln
-rwxr-xr-x 1 root root 72608 2005-01-12 17:24 ls
-rwxr-xr-x 1 root root 20072 2005-01-12 17:25 mkdir
-rwxr-xr-x 1 root root 51824 2005-01-12 17:25 mv
-rwxr-xr-x 1 root root 30896 2005-01-12 17:24 rm
-rwxr-xr-x 1 root root 13368 2005-01-12 17:25 rmdir
lrwxrwxrwx 1 root root 4 2005-01-19 23:15 sh -> bash
-rwx--x--x 1 root root 35780 2005-01-19 22:19 su

/home/test/dev:
total 8
drwxr-xr-x 2 root root 4096 2005-01-13 18:12 .
drwx--x--x 9 test users 4096 2005-01-19 21:47 ..
-rw-r--r-- 1 root root 0 2005-01-13 18:12 foo
crw-rw-rw- 1 root sys 2, 2 2005-01-13 17:45 null
crw-rw-rw- 1 root sys 3, 4 2005-01-13 17:46 zero

/home/test/etc:
total 16
drwxr-xr-x 2 root root 4096 2005-01-19 22:34 .
drwx--x--x 9 test users 4096 2005-01-19 21:47 ..
-rw-r--r-- 1 root root 21 2005-01-19 22:39 group
-rw-r--r-- 1 root root 85 2005-01-19 22:39 passwd

/home/test/home:
total 16
drwxr-xr-x 4 root root 4096 2005-01-12 15:28 .
drwx--x--x 9 test users 4096 2005-01-19 21:47 ..
drwxr-xr-x 2 root root 4096 2005-01-12 15:28 gook
drwxr-xr-x 2 root root 4096 2005-01-12 15:27 test

/home/test/home/gook:
total 8
drwxr-xr-x 2 root root 4096 2005-01-12 15:28 .
drwxr-xr-x 4 root root 4096 2005-01-12 15:28 ..

/home/test/home/test:
total 8
drwxr-xr-x 2 root root 4096 2005-01-12 15:27 .
drwxr-xr-x 4 root root 4096 2005-01-12 15:28 ..

/home/test/lib:
total 1412
drwxr-xr-x 2 root root 4096 2005-01-12 17:00 .
drwx--x--x 9 test users 4096 2005-01-19 21:47 ..
-rwxr-xr-x 1 root root 83268 2005-01-12 16:24 ld-linux.so.2
-rwxr-xr-x 1 root root 1250840 2005-01-12 16:24 libc.so.6
-rwxr-xr-x 1 root root 18992 2005-01-12 16:59 libcrypt.so.1
-rwxr-xr-x 1 root root 8868 2005-01-12 16:17 libdl.so.2
-rwxr-xr-x 1 root root 41912 2005-01-12 17:00 libnss_compat.so.2
-rwxr-xr-x 1 root root 11008 2005-01-12 16:16 libtermcap.so.2

/home/test/usr:
total 8
drwxr-xr-x 2 root root 4096 2005-01-12 15:27 .
drwx--x--x 9 test users 4096 2005-01-19 21:47 ..

/home/test/var:
total 8
drwxr-xr-x 2 root root 4096 2005-01-12 15:27 .
drwx--x--x 9 test users 4096 2005-01-19 21:47 ..

But....
In the tutorial, when they add the user, he's given /tmp as homedirectory.
I used /home/test as homedir in the real passwd file. Maybe that's the problem, I'll fix that too and thinking of it, should I make also a shadow passwd file in /home/test/etc ?

edit := this didn't work either

the sudo file has the following entry:
test cthulhu= NOPASSWD:/usr/sbin/chroot,/home/test,/bin/su - test

Thanks for the help already!

Last edited by ldp; 01-19-2005 at 03:36 PM.
 
Old 01-19-2005, 03:53 PM   #8
acid_kewpie
ok, well i ran through the tutorial myself... and it worked..... :-s well... it's chucking me straight out again, but i think i got past whatever it is that's hanging up on you, i never got a "sorry" at all...

make sure that you're trying to log in correctly. get a real virtual terminal, (not a bad contradiction....) and not just su-ing to the user. I also found that their chroot-shell script had chroot in a different location. I think what got me past those missing /bin/sh errors was setting the /home/test/etc/passwd details, which were possibly causing permissions issues. but i never really saw anything major... maybe just trying again from scratch in a different jailed home will give you better results.
 
Old 01-19-2005, 03:53 PM   #9
acid_kewpie
that includes the chroot entry in sudoers too remember...
 
Old 01-20-2005, 02:36 AM   #10
ldp
yes, I think I'll try the whole thing all over again...

get a real virtual terminal, (not a bad contradiction....) and not just su-ing to the user.
=> There you lost me, what command do I use to get a "real" virtual terminal ? :-)

And about the user properties in the passwd file, I also changed that yesterday but that didn't help.

Another thing I don't understand is the following, when I try to su the user test as root or as another user, I get the following:
root@cthulhu:~# su test
/usr/sbin/chroot: cannot run command `/bin/su': No such file or directory
=> the message looks pretty clear but it's all a lie.... I can find the /bin/su without any trouble.
root@cthulhu:/bin# ll | grep su
-rws--x--x 1 root bin 35780 2004-06-21 21:20 su
lrwxrwxrwx 1 root root 13 2004-10-12 23:39 sulogin -> /sbin/sulogin
And also:
root@cthulhu:/bin# ll /home/test/bin | grep su
-rwx--x--x 1 root root 35780 2005-01-19 22:19 su

=> hmm, maybe I just answered my own question: rwx instead of rws => I forgot to set the superuser bit in the file permissions.


thanks again.

Last edited by ldp; 01-20-2005 at 03:58 AM.
 
Old 01-20-2005, 03:30 AM   #11
acid_kewpie
i mean make sure you're trying to log in in a full login outside of X. i found that if i just su in, i take the wrong usernames with me
 
Old 01-20-2005, 04:01 AM   #12
ldp
Quote:
Originally posted by acid_kewpie
i mean make sure you're trying to log in in a full login outside of X. i found that if i just su in, i take the wrong usernames with me
Thanks, but I don't use X. Only command line... I didn't even install X or gnome or kde on my system when the install (slack10) asked for it :-)
 
Old 01-20-2005, 04:10 AM   #13
ldp
too bad, even setting the suid didn't help.
 
Old 01-20-2005, 06:13 AM   #14
ldp
I think I moved a little bit further in finding a solution here.

Stupid I: I put the following in sudo file:
test ALL= NOPASSWD:/usr/sbin/chroot,/home/test,/bin/su - test => I was looking at this as three different commands and instead, it should be only the command chroot with the nec. parameters.

It should be:
test ALL= NOPASSWD:/usr/sbin/chroot /home/test /bin/su test

I found that when doing: su - test and su test.

However, the problem still remains:
root@cthulhu:~# su test
Sorry, user test is not allowed to execute '/usr/sbin/chroot /home/lieven /bin/su - lieven' as root on cthulhu.
=> yeah, it is idd using my $LOGNAME because of the login script.


maybe I'm close to a solution now, hopefully...

But still, there is something wrong with the following: (I did USER=LOGNAME=test and then export user, export logname)

root@cthulhu:/home/test/etc# echo $USER
test
root@cthulhu:/home/test/etc# echo $LOGNAME
test
root@cthulhu:/home/test/etc# su test
Sorry, user test is not allowed to execute '/usr/sbin/chroot /home/test /bin/su - test' as root on cthulhu.


When I try to logon as test, I see the following line appear:
...
Jan 20 14:31:14 cthulhu sshd[1131]: Accepted password for test from 195.212.29.75 port 65277 ssh2

so the ssh accepts the real password but then, the test user is supposed to execute the /bin/chroot-shell script and there, he stumbles upon the chroot command which he has sudo permission for. At that time, he's still in the real system and after that sudo chroot command, he should be in the jail but according to the /var/log/messages, that command is never executed.

Last edited by ldp; 01-20-2005 at 06:27 AM.
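The two sudoers entries quoted in post #14, run through a simplified model of Cmnd-list matching; this is an added example, not part of any post and not sudo's own code. It assumes no wildcards, aliases or escaped commas, and `squeeze` and `sudoers_allows` are hypothetical helper names. In sudoers a bare path accepts any arguments, while a Cmnd that lists arguments must match the invoked command line exactly.

```shell
#!/bin/sh
# Simplified model of a sudoers Cmnd list (assumption: no wildcards, aliases,
# digests or escaped commas; real sudo implements much more than this).

# Collapse runs of blanks and trim both ends.
squeeze() { printf '%s' "$1" | tr '\t' ' ' | tr -s ' ' | sed 's/^ //; s/ $//'; }

# sudoers_allows "CMND_LIST" "COMMAND LINE" -> 0 if some Cmnd matches, else 1
sudoers_allows() {
    want=$(squeeze "$2")
    want_cmd=${want%% *}
    rest=$1
    while [ -n "$rest" ]; do
        case $rest in
            *,*) item=${rest%%,*}; rest=${rest#*,} ;;   # commas separate Cmnds
            *)   item=$rest; rest= ;;
        esac
        item=$(squeeze "$item")
        case $item in
            '')    ;;                                                  # empty element, skip
            *' '*) if [ "$item" = "$want" ]; then return 0; fi ;;      # arguments listed: exact match
            *)     if [ "$item" = "$want_cmd" ]; then return 0; fi ;;  # bare path: any arguments
        esac
    done
    return 1
}

# Constructed check using the two entries quoted in the thread.
run='/usr/sbin/chroot /home/test /bin/su - test'   # what chroot-shell executes
for list in '/usr/sbin/chroot,/home/test,/bin/su - test' \
            '/usr/sbin/chroot /home/test /bin/su test'; do
    if sudoers_allows "$list" "$run"; then verdict=allowed; else verdict=denied; fi
    printf '%-45s -> %s\n' "$list" "$verdict"
done
```

In this model the comma-separated entry allows the command only because its first element is a bare `/usr/sbin/chroot`, which accepts any arguments at all, and the second entry denies it because `/bin/su test` is not the `/bin/su - test` that the script runs.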
 
Old 01-20-2005, 07:01 AM   #15
ldp
It looks like the login with test works but I don't know why I'm being thrown back out...

I adapted the chroot-shell with some pseudo-debug code:
logger "logging on user without parameters: $USER"
sudo /usr/sbin/chroot /home/$USER /bin/su - $USER
logger "login ok, chroot comply"

and when I do the logon, I see the following in /var/log/messages:
Jan 20 15:00:01 cthulhu sshd[1240]: Accepted password for test from 195.212.29.83 port 34628 ssh2
Jan 20 15:00:01 cthulhu test: logging on user without parameters: test
Jan 20 15:00:01 cthulhu test: login ok, chroot comply

=> But why is the "sudo /usr/sbin/chroot /home/$USER /bin/su - $USER" not appearing in the logs? I know it should! All sudo commands are logged as far as I know.
 
  


All times are GMT -5.