LinuxQuestions.org


drolic 08-13-2004 08:03 PM

sftp chroot jail, not able to find lib files
 
I'm trying to create a chroot jail for an sftp server. I have the jail set up using this website.
I have created the jail and installed openssh3.8.1 with the patched tarball for the chroot on my RedHat 9 system.

When I log in via the psftp client using root, I get the sftp server up and running like it should, but when I try to log in using my chroot'ed user the sftp-server is not starting. I think this is because it is not able to access the lib files it needs to execute, but they are in the chrooted jail where they should be.

When I chroot to my chroot jail /sftp2/ root and try to start the sftp-server, I get an error like this:
[root@localhost sftp2]# chroot /sftp2/ /bin/sh
sh-2.05b# /usr/local/libexec/sftp-server
/usr/local/libexec/sftp-server: error while loading shared libraries: libgssapi_krb5.so.2: cannot open shared object file: No such file or directory


I am including a cut and paste of the ldd against /usr/local/libexec/sftp-server
and
ls -la /usr/kerberos/lib/libgss*
and
ls -la /sftp2/kerberos/lib/l*

Since the right files seem to be in the right chrooted location, I would think that
it should work.

If anyone else has seen this, please give input.

--------------------------------------------------------------------------------------------------
[root@localhost sftp2]# ls -la /usr/kerberos/lib/libgss*
-rw-r--r-- 1 root root 145482 Mar 6 2003 /usr/kerberos/lib/libgssapi_krb5.a
lrwxrwxrwx 1 root root 21 Oct 4 2003 /usr/kerberos/lib/libgssapi_krb5.so -> libgssapi_krb5.so.2.2
lrwxrwxrwx 1 root root 21 Oct 4 2003 /usr/kerberos/lib/libgssapi_krb5.so.2 -> libgssapi_krb5.so.2.2
-rwxr-xr-x 1 root root 73756 Mar 6 2003 /usr/kerberos/lib/libgssapi_krb5.so.2.2
-rw-r--r-- 1 root root 145518 Mar 6 2003 /usr/kerberos/lib/libgssrpc.a
lrwxrwxrwx 1 root root 16 Oct 4 2003 /usr/kerberos/lib/libgssrpc.so -> libgssrpc.so.3.0
lrwxrwxrwx 1 root root 16 Oct 4 2003 /usr/kerberos/lib/libgssrpc.so.3 -> libgssrpc.so.3.0
-rwxr-xr-x 1 root root 78336 Mar 6 2003 /usr/kerberos/lib/libgssrpc.so.3.0

[root@localhost sftp2]# ls -la /sftp2/usr/kerberos/lib/
total 548
drwxr-xr-x 2 root root 4096 Aug 13 19:25 .
drwxr-xr-x 3 root root 4096 Aug 13 19:25 ..
-rwxr-xr-x 1 root root 5572 Aug 13 19:25 libcom_err.so.3
-rwxr-xr-x 1 root root 73756 Aug 13 19:25 libgssapi_krb5.so.2
-rwxr-xr-x 1 root root 63880 Aug 13 19:25 libk5crypto.so.3
-rwxr-xr-x 1 root root 385220 Aug 13 19:25 libkrb5.so.3

[root@localhost sftp2]# ldd /usr/local/libexec/sftp-server
libresolv.so.2 => /lib/libresolv.so.2 (0x40029000)
libcrypto.so.4 => /lib/libcrypto.so.4 (0x4003b000)
libutil.so.1 => /lib/libutil.so.1 (0x4012c000)
libz.so.1 => /usr/lib/libz.so.1 (0x4012f000)
libnsl.so.1 => /lib/libnsl.so.1 (0x4013d000)
libcrypt.so.1 => /lib/libcrypt.so.1 (0x40152000)
libc.so.6 => /lib/tls/libc.so.6 (0x42000000)
libgssapi_krb5.so.2 => /usr/kerberos/lib/libgssapi_krb5.so.2 (0x40180000)
libkrb5.so.3 => /usr/kerberos/lib/libkrb5.so.3 (0x40193000)
libk5crypto.so.3 => /usr/kerberos/lib/libk5crypto.so.3 (0x401f1000)
libcom_err.so.3 => /usr/kerberos/lib/libcom_err.so.3 (0x40201000)
libdl.so.2 => /lib/libdl.so.2 (0x40203000)
/lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)

[root@localhost sftp2]# chroot /sftp2/ /bin/sh

sh-2.05b# /usr/local/libexec/sftp-server
/usr/local/libexec/sftp-server: error while loading shared libraries: libgssapi_krb5.so.2: cannot open shared object file: No such file or directory

drolic 08-13-2004 08:09 PM

Sorry, forgot to add the link:
http://www.brandonhutchinson.com/chroot_ssh.html
This is the website I referenced while making my chroot jail.
I used the script here to make my jail.

mmorrey 10-18-2005 04:26 AM

This is definitely my first, and probably my last ever (useful?) contribution to a Linux forum, but I have just suffered and got round exactly this problem.

Found a helpful entry which explained the use of the "strace" command to check what dependencies are being loaded at runtime. Turns out "ldd" cannot pick up all the dependencies. You can run "strace" in your normal environment, and in your chrooted environment (if you copy it across), and compare what is happening.

I don't really know what I'm doing, but this is what I did.

$ strace -eopen,stat,stat64,access /usr/libexec/openssh/sftp-server

The output included the line:

open("/etc/ld.so.cache", O_RDONLY) = 3

On a hunch, I copied /etc/ld.so.cache into my chroot jail, and guess what, it worked. I can now give access to my chrooted accounts via sftp and scp.

Someone more knowledgeable can hopefully explain why....

Martin
Intrallect: Learning Object Repository software
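
Why copying /etc/ld.so.cache helped, as an added example that is not part of any post in this thread: the dynamic loader searches only /lib and /usr/lib on its own and locates other directories, such as /usr/kerberos/lib, through /etc/ld.so.cache, so a jail without that file cannot resolve them even when the files are present. The sketch below reads ldd output and a jail path and reports missing files and cache-dependent libraries; the function names and the sample jail are constructed for illustration.

```shell
#!/bin/sh
# Added example. Assumption: the loader's built-in search path is /lib and
# /usr/lib (plus lib64 and the "tls" subdirectory seen in the thread's ldd).

# audit_jail JAIL: reads `ldd` output on stdin and prints one finding per line:
#   MISSING <path>      file is absent from the jail
#   NEEDS_CACHE <path>  directory is outside the built-in search path
#   NO_CACHE            such libraries exist but JAIL/etc/ld.so.cache does not
audit_jail() {
    root=${1%/}
    needs_cache=0
    while read -r name arrow path rest; do
        [ "$arrow" = "=>" ] || continue          # skip lines without a mapping
        case $path in /*) ;; *) continue ;; esac # skip entries with no file path
        [ -e "$root$path" ] || echo "MISSING $path"
        case ${path%/*} in
            /lib|/usr/lib|/lib64|/usr/lib64|/lib/tls|/usr/lib/tls) ;;
            *) echo "NEEDS_CACHE $path"; needs_cache=1 ;;
        esac
    done
    if [ "$needs_cache" -eq 1 ] && [ ! -e "$root/etc/ld.so.cache" ]; then
        echo "NO_CACHE"
    fi
}

# Constructed sample: a subset of the ldd lines posted in the thread.
sample_ldd() {
    cat <<'EOF'
libz.so.1 => /usr/lib/libz.so.1 (0x4012f000)
libc.so.6 => /lib/tls/libc.so.6 (0x42000000)
libgssapi_krb5.so.2 => /usr/kerberos/lib/libgssapi_krb5.so.2 (0x40180000)
/lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)
EOF
}

# Constructed throwaway jail: every listed file except libz, and no cache.
make_sample_jail() {
    j=$(mktemp -d)
    mkdir -p "$j/lib/tls" "$j/usr/lib" "$j/usr/kerberos/lib" "$j/etc"
    : > "$j/lib/tls/libc.so.6"
    : > "$j/lib/ld-linux.so.2"
    : > "$j/usr/kerberos/lib/libgssapi_krb5.so.2"
    echo "$j"
}

demo=$(make_sample_jail)
sample_ldd | audit_jail "$demo"
rm -rf "$demo"
```

On a real system the input would be the host's `ldd` output for the jailed binary. `ldconfig -r` with the jail as its root can build the cache from the jail's own /etc/ld.so.conf instead of copying the host's file.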

zoomzoom 11-23-2005 11:57 AM

That was indeed useful! With this information, I was finally able to spawn a fcgi-process with lighttpd! strace stated I forgot to copy /bin/sh to the chroot jail.

To cut a long story short: Thank you! :)


All times are GMT -5.