LinuxQuestions.org
Old 01-20-2004, 06:55 AM   #1
proximity
LQ Newbie
 
Registered: Dec 2003
Location: vormedal, norway
Distribution: Mandrake Linux 10.0 Community. kernel 2.6.3
Posts: 20

Rep: Reputation: 0
Chroot jail user can't access internet


I have created a chroot under /home/chroot and installed the basic commands/programs needed (bash, mv, mkdir, ls etc.).

I have created a user under /home/chroot/home who wants to use bitchx, wget and links/lynx. I installed these packages, but he can't access the internet. I have looked all around for an answer, with no luck.

I did everything that is done in the tutorial at:
http://www.linuxorbit.com/modules.ph...page&artid=538
Everything else except connecting to internet works perfectly!

This is an example of one of the errors using: links www.linuxquestions.org
Error loading "URL" - Host not found

BitchX: (irc-server is replaced with irc.whatever)
Connecting to port 6667 of server irc.whatever [refnum 0]
Unable to connect to port 6667 of server irc.whatever: unknown host

Why can't he access internet?
 
Old 01-20-2004, 07:06 AM   #2
neilcpp
Member
 
Registered: Jul 2003
Location: England
Distribution: Debian Wheezy, FreeBSD 10.0 anything *nix to get my fix
Posts: 328

Rep: Reputation: Disabled
I would suggest that you test your basic network connectivity. Can you ping any site on the internet via its name or IP numbers?

e.g. try

'ping -c4 linuxquestions.org.' or
'ping -c4 64.179.4.146'

What do you see on screen after doing this?

If you can't do either, then there is a very basic problem with your network setup. If you can ping IP numbers but not names, the problem is probably associated with DNS configuration. If you give a bit more info after performing these tests, I'm sure someone will be able to identify your problem accurately & advise on how to fix it...
 
Old 01-20-2004, 04:23 PM   #3
proximity
LQ Newbie
 
Registered: Dec 2003
Location: vormedal, norway
Distribution: Mandrake Linux 10.0 Community. kernel 2.6.3
Posts: 20

Original Poster
Rep: Reputation: 0
I couldn't install "ping" in the chroot for some reason...

So, is there no way I can make a chroot and also give users inside it access to the internet?

What are the alternatives? I've heard about rbash, but I want them to be able to cd out of their home and have a look at their chroot root - that is "cd ..'ing" out of /home/chroot/home/user, but no further than /home/chroot (where bin, etc, var and all that is..)

As I said before, every tool I have added works for this user, but when I try to use internet clients like wget I get the error "unknown host"

So let's just assume it's both DNS and the network setup (inside chroot) there's something wrong with... what do I have to do then?

How do the shell companies do it? They have users locked into their home, right?

Edit: This is the package I've been using for creating the chroot jail: http://www.jmcresearch.com/projects/jail/

Last edited by proximity; 01-20-2004 at 04:27 PM.
 
Old 01-21-2004, 02:56 AM   #4
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
Check the chroot jail and see if libresolv.so was properly added to the jail

http://sourceforge.net/mailarchive/f...forum_id=32345

--EDIT--

Try using lynx or wget or whatever to connect to a webserver using its IP address instead of hostname (yahoo is 216.109.118.64). That should give you an idea of whether you have basic connectivity issues or if your ability to resolve hostnames is the only thing that's screwed.

Last edited by Capt_Caveman; 01-21-2004 at 06:53 AM.
 
Old 01-21-2004, 07:38 PM   #5
proximity
LQ Newbie
 
Registered: Dec 2003
Location: vormedal, norway
Distribution: Mandrake Linux 10.0 Community. kernel 2.6.3
Posts: 20

Original Poster
Rep: Reputation: 0
Quote:
Originally posted by Capt_Caveman
Try using lynx or wget or whatever to connect to a webserver using its IP address instead of hostname (yahoo is 216.109.118.64). That should give you an idea of whether you have basic connectivity issues or if your ability to resolve hostnames is the only thing that's screwed.
I found out resolving hostnames was the only thing that's screwed now.. :]

I installed libresolv.so using the command addjailsw, then I tried: links www.bored.com inside the chroot, but I got the same error.. "unknown host"

IPs worked fine, but I still have problems resolving hosts... so what else do I have to do?

I have to thank both of you for getting me this far, btw. Now I know it's DNS related..
 
Old 01-22-2004, 09:54 AM   #6
neilcpp
Member
 
Registered: Jul 2003
Location: England
Distribution: Debian Wheezy, FreeBSD 10.0 anything *nix to get my fix
Posts: 328

Rep: Reputation: Disabled
Chroot DNS configuration

I don't think I can help much more with fixing the DNS setting for your set-up as I don't have any experience of using Chroot.

You may know this already but..

1. You do need to find out the Domain Name Server's IP address for the machine you wish to connect to the internet. This is easy enough to obtain... if you have an account with an ISP. Their DNS should be listed on their website. Normally there are two or three backup DNS addresses & you can choose to use any one.

2. Once you know the DNS that needs to be used to resolve hostnames, you need to figure out where to put this information in your Chroot (configuration scripts??). You will probably need root privileges to do this. Hopefully someone who knows precisely what you should do next will post here soon.

Cheers.
 
Old 01-23-2004, 08:32 AM   #7
proximity
LQ Newbie
 
Registered: Dec 2003
Location: vormedal, norway
Distribution: Mandrake Linux 10.0 Community. kernel 2.6.3
Posts: 20

Original Poster
Rep: Reputation: 0
I had a look, and found a file called resolv.conf in /etc inside chroot. There I found "nameserver 192.168.0.1" on one line. This address is my firewall/router which works as DNS, so I do not understand why it doesn't work..
 
Old 01-23-2004, 10:41 AM   #8
neilcpp
Member
 
Registered: Jul 2003
Location: England
Distribution: Debian Wheezy, FreeBSD 10.0 anything *nix to get my fix
Posts: 328

Rep: Reputation: Disabled
I'm certain that you need proper guidance on setting this up. Like I say, I don't know anything about Chroot, but I have seen that it takes some effort in configuration to get it working properly.

Basically, every individual machine on a LAN needs to 'know' the address for the DNS server. There must be a file / script where this information needs to be entered. Your firewall / router already knows the DNS address for its own purposes.

On my machine, if I take out the setting for DNS I cannot connect to the internet by names - even though my firewall forwards packets & *knows* how to resolve host names. Every machine must have a place where it records the DNS server to be used to resolve hostnames.

I can only suggest that you look for a tutorial on the web about Chroot configuration? Maybe there is a forum devoted specifically to Chroot where you can post the question??

Do not despair as eventually, someone here who has had direct experience of this problem will read your post & try to help. It is just a matter of time.

I'm sorry I can't assist you with this any further, but hope you get it sorted soon!
 
Old 01-23-2004, 10:51 AM   #9
neilcpp
Member
 
Registered: Jul 2003
Location: England
Distribution: Debian Wheezy, FreeBSD 10.0 anything *nix to get my fix
Posts: 328

Rep: Reputation: Disabled
I did a quick search and found this site which has an ongoing discussion about setting up Chroot. If you don't find the answer I would check it out and see if any of these folk can help:

http://forum.plesk.com/showthread.ph...5&pagenumber=2
 
Old 01-23-2004, 11:22 AM   #10
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
Try verifying that all the libs are there, (esp /libresolv.so.2 and libc.so.6) from /lib and /usr/lib. From there, you might want to run an strace to see if you can find out what is going on:

strace links www.bored.com

It will spit out a bunch of stuff while it follows the trace, but you might be able to see an error message that helps pinpoint the root of the problem (or in this case the chroot of the problem, sorry that was really bad)
 
Old 01-26-2004, 12:08 AM   #11
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
I set up a test chroot jail over the weekend and got links to work. I set up the jail according to the instructions here, same as the link in the Security Ref thread.

The main problem is that the default jail doesn't include the libraries and config files necessary to resolve host names and I would assume other net related stuff. In order to get links to work I needed the following added to the initial default config:

Configs
/etc/resolve.conf

Libraries
Links needs these libraries to work:
libgpm.so.1
libgssapi_krb5.so.2
libkrb.5.so.3
libcom_err.so.2
libcrypto.so.4
libdl.so.2
libnss_dns.so.2
libresolv.so.2
libnssl.so.4
libz.so.1
Links needs this library to resolve:
libnss_dns.so.2

Once those files are in place, links can resolve just fine. Also, I noticed that doing: /usr/local/addjailsw to add the libnss_dns.so.2 had the nasty habit of adding libnss_dns.so.1 instead, which didn't work. It also turns out, if you add ssh in the beginning to the chroot jail then it copies all of the necessary config and libraries for you without having to manually add them. Hope that helps (if you haven't gotten it by now)

****
This is on a Fedora Core 1 stock test machine, so the lib versions may differ on other distros.

Last edited by Capt_Caveman; 01-26-2004 at 12:11 AM.
 
Old 06-10-2006, 03:42 AM   #12
k745h
LQ Newbie
 
Registered: Jun 2006
Posts: 1

Rep: Reputation: 0
Fixed same Host Resolving troubles!!!!!!

I read the thread here, and fixed it 5 minutes later.

I did what Capt_Caveman was last talking about and installed all the libraries,
yet it still didn't resolve, guessing because my machine didn't have a few of the same libs. So I got to thinking.....

When you install ssh and scp you do addjailsw /home/chroot -P ssh --version
with the --version
sooooooooooooooooooooooooooo

I simply went back and installed

addjailsw /home/chroot -P ftp --version
addjailsw /home/chroot -P lynx --version
addjailsw /home/chroot -P ssh --version
addjailsw /home/chroot -P scp --version
addjailsw /home/chroot -P cc --version
addjailsw /home/chroot -P c++ --version
addjailsw /home/chroot -P gcc --version
addjailsw /home/chroot -P g++ --version


Logged back into the shell and everything seemed to work.
Hosts now resolve just fine!!

I believe it was just the first 4 software installs that made host resolving start working. The C installs were just for myself in case it made any difference.

Hope that helps you others out there reading the posts.

www.carolinatechsolutions.com

Last edited by k745h; 06-10-2006 at 03:50 AM.
 
Old 06-27-2007, 02:52 PM   #13
lefty.crupps
Member
 
Registered: Apr 2005
Location: Minneap USA
Distribution: Debian, Mepis, Sidux
Posts: 470

Rep: Reputation: 32
Resolver re-solved

I too had this issue on a Debian box; as root I had to copy the /lib/libnss_dns.so.2 file to the jail's //lib directory. Solved it. Thanks for the help LQ'ers!
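
Added example (not part of any post in this thread): a shell check for the pieces the replies above found missing, namely /etc/resolv.conf, libresolv.so.2 and libnss_dns.so.2 inside the jail. The function name, the list of library directories and the nsswitch.conf check are assumptions for a typical glibc system.

```shell
#!/bin/sh
# Added example: report what a chroot jail lacks for hostname resolution.
# Assumptions: glibc layout, and the library directories listed below.

check_jail_dns() {   # prints one line per problem; returns 1 if any
    jail=$1
    bad=0

    # The resolver config must exist and name at least one server.
    conf="$jail/etc/resolv.conf"
    if [ ! -f "$conf" ]; then
        echo "missing: /etc/resolv.conf"; bad=1
    elif ! grep -q '^[[:space:]]*nameserver[[:space:]]' "$conf"; then
        echo "no nameserver line: /etc/resolv.conf"; bad=1
    fi

    # glibc opens NSS modules with dlopen() at lookup time, so ldd on
    # links or wget never lists them; check for them by exact name.
    # A libnss_dns.so.1 does not satisfy the .so.2 lookup.
    for lib in libnss_dns.so.2 libresolv.so.2; do
        found=0
        for dir in lib lib64 usr/lib usr/lib64; do
            # second pattern covers multiarch subdirectories
            for f in "$jail/$dir/$lib" "$jail/$dir"/*/"$lib"; do
                # -e follows symlinks: a dangling link counts as missing
                if [ -e "$f" ]; then found=1; fi
            done
        done
        if [ "$found" -eq 0 ]; then
            echo "missing: $lib"; bad=1
        fi
    done

    # If the jail ships an nsswitch.conf, its hosts line must list dns.
    nss="$jail/etc/nsswitch.conf"
    if [ -f "$nss" ] && ! grep -Eq '^[[:space:]]*hosts:.*dns' "$nss"; then
        echo "hosts line lacks dns: /etc/nsswitch.conf"; bad=1
    fi

    return "$bad"
}

# Run against a jail when a path is given, e.g. /home/chroot
if [ "$#" -gt 0 ]; then check_jail_dns "$1"; fi
```

Run it as root from outside the jail; an empty result with exit status 0 means the files named in this thread are all present.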
 
  

