
This page last modified: Oct 29 2004
- Add an entry to /etc/security/chroot.conf with the userid and the new root directory.

- Make the new root directory and, under it, all the utility directories
  like /usr, /bin, /lib, /etc and of course some kind of /home. Fill
  them in, for example:

cp /bin/ls ./bin

- Use something like this to copy all the shared libraries. It may be
  necessary to make more subdirectories under /lib, although this
  appears to strip off any subdirectory info.

ldd /bin/ls |  sed -n 's/[[:blank:]][^>]\+>[[:blank:]]\([[:graph:]]\+\).*/\1 lib\/ /p' |xargs -n 2 cp -u

- Add entries to pam.d config files for any required services. su is
  odd in that it has $ISA in the middle of the path:

session    optional     /lib/security/$ISA/pam_chroot.so debug

- The debug option prints all kinds of useful stuff into
  /var/log/secure. There are also some messages in /var/log/messages.

- sshd runs as root and forks a process as the attaching user before
  PAM is called; therefore sshd needs a patch if you want it to run in
  a chroot jail. Tons of ssh related stuff has to be copied into the
  jail, including /dev files. Run the command "file /dev/null" to see
  what the device file params are, then "mknod ./dev/null c 1 3" (for
  example) to make the device files.

- I have never been able to get the login command to work, so my only
  testing has been done with su.

- You can test your chroot as root with a command like:

 /usr/sbin/chroot /home/mst3k_root /bin/bash
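
The population steps above (create the tree, copy a binary, copy its shared libraries) as one script. This is an added example, not part of the original page. Unlike the sed one-liner it keeps each library's subdirectory inside the jail and also copies the dynamic loader when ldd lists it without "=>". The function names and the optional saved-ldd-output argument are assumptions of this example.

```shell
#!/bin/sh
# Added example: populate a chroot jail with a binary and the libraries it needs.
# Function names and the saved-ldd-output argument are assumptions of this example.

# Read ldd output on stdin; print each absolute library path once.
# Handles "libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x...)" and the
# loader line "/lib64/ld-linux-x86-64.so.2 (0x...)"; skips "not found" and
# vdso lines, which name no file on disk.
ldd_paths() {
    awk '$2 == "=>" && $3 ~ /^\// { print $3; next }
         $1 ~ /^\//               { print $1 }' | sort -u
}

# Copy one file into the jail at the same path it has outside, following
# symlinks so the jail gets a real file rather than a dangling link.
jail_put() {  # jail_put JAIL /abs/path
    mkdir -p "$1$(dirname "$2")" && cp -L -p "$2" "$1$2"
}

# Copy a binary plus everything ldd reports for it.
# Optional third argument: a file of saved ldd output to use instead of running ldd.
jail_add_binary() {  # jail_add_binary JAIL /abs/binary [ldd-output-file]
    jail=$1 bin=$2
    jail_put "$jail" "$bin" || return 1
    if [ -n "${3:-}" ]; then cat "$3"; else ldd "$bin"; fi | ldd_paths |
    while read -r lib; do
        jail_put "$jail" "$lib" || echo "missing: $lib" >&2
    done
}

# Usage, as root:
#   mkdir -p /home/mst3k_root/home
#   jail_add_binary /home/mst3k_root /bin/bash
#   jail_add_binary /home/mst3k_root /bin/ls
```

Anything reported as "missing" on stderr is a library the binary will fail to load inside the jail, so check that output before testing with chroot.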