For each binary you want in the chroot'd environment, run:
ldd binary
e.g.
ldd /local/sbin/sshd
libdl.so.1 => /usr/lib/libdl.so.1
libsocket.so.1 => /usr/lib/libsocket.so.1
libnsl.so.1 => /usr/lib/libnsl.so.1
libz.so => /usr/local/lib/libz.so
libpam.so.1 => /usr/lib/libpam.so.1
libcrypto.so.0 => /usr/local/lib/libcrypto.so.0
libc.so.1 => /usr/lib/libc.so.1
libmp.so.2 => /usr/lib/libmp.so.2
Now, I wouldn't put sshd there; it is just an example. In fact the output above
is from OpenSSH...
Anyway, ldd prints out each dynamic library that is needed on the left. On
the right, it prints out the library that would be found in the current
environment, that is, if you ran it from the command line at that point.
This could change if LD_LIBRARY_PATH was changed from one invocation of ldd to
the next. Also, in Solaris 8, changing /var/ld/ld.config with crle from one
invocation to the next will change the output as well.
BTW, if only a path is printed, no left => right, then the full path to the
dynamic object is included in the elf header. Now, ldd exists on Solaris 7 and
8, but I don't know how far back it goes. If ldd does not exist on your
machine, then you can run the following command to get this info from the elf
header:
/usr/ccs/bin/dump -L -v /local/sbin/sshd
which says dump the elf header in symbolic mode. The -L says to get the
dynamic and static link info if available in the header. The output looks like
this:
/local/sbin/sshd:
**** DYNAMIC SECTION INFORMATION ****
.dynamic:
[INDEX] Tag Value
[1] NEEDED libdl.so.1
[2] NEEDED libsocket.so.1
[3] NEEDED libnsl.so.1
[4] NEEDED libz.so
[5] NEEDED libpam.so.1
[6] NEEDED libcrypto.so.0
[7] NEEDED libc.so.1
[8] RPATH /local/lib:/gnu/lib
[9] INIT 0x804ad20
...
The RPATH gives the builtin order for finding dynamic libraries. The search
order used, to find the needed dynamic libraries, is: LD_LIBRARY_PATH, RPATH
from elf header, ld.config in Solaris 8 or /lib in older versions. Thus you can
find the correct libraries by looking in order of dirs in LD_LIBRARY_PATH, etc.
for each NEEDED line from dump above. This is much more cumbersome, but works.
If you have ldd, you can modify the attached script. It is lifted directly from
the ftpd man page under Solaris 8. It is used to create an anonymous ftp
(chroot) area. The only thing needed for this is a user named ftp in passwd and
shadow, mainly to find out where to create the chroot area.
Now, this gets a lot more than the dynamic libraries. It also gets needed
security libs for pam, libs for name services switch (/usr/lib/nss*), etc. It
is worth looking at and/or modifying to create your chroot area.
NOTE: I added /etc/nsswitch.conf to the script, which was left out of the man
page. All fields should probably be set to files after the run, but you need to
decide for yourself. All options should be possible since all of the
/usr/lib/nss_* files were copied by the script.
Good luck,
--Dave
>From: Rincón Díaz Mario <[EMAIL PROTECTED]>
>To: [EMAIL PROTECTED]
>Subject: Chroot in Solaris.
>Date: Fri, 8 Sep 2000 11:04:28 -0500
>
>In SSH-2.2.0 FAQ (Commercial version), in section 2.4, "How do I set up
>chrooted accounts (with restricted shell access, and only file transfer
>access) with sshd2?", there's the following message after the answer:
>
> NOTE: This doesn't work with Solaris. Solaris doesn't support this
> kind of static linking. You have to use the normal binaries and copy
> the needed libraries to the user's environment too. Unfortunately we
> don't have a tool for that (yet).
>
>I don't understand it. What am I supposed to do? How do I know which
>libraries should I copy? Where? I mean... what does this stuff mean?
>
>Thanks in advance.
>
>Cordially,
> Mario Rolando Rincón Díaz
> Unidad de Seguridad Informática
> Banco de la República de Colombia
> Ext. 0504
--
David Knight French
Rotational Dynamics Company (RDC)
Voice: (858)279-4862
Email: [EMAIL PROTECTED]
URL: http://www.rotationaldynamics.com
mk_anon_ftp_area.sh
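As an added example (not Dave's attached mk_anon_ftp_area.sh and not the script from the ftpd man page), here is a POSIX shell script that turns the ldd output described above into a list of library paths and copies each one into the chroot area under the same path it has outside. It also handles the bare-path lines ldd prints when the full path is in the ELF header, ignores the trailing "(0x...)" load address some ldd versions print, and reports "not found" entries on stderr; it assumes ldd prints one of those line forms.

```shell
#!/bin/sh
# Collect the shared objects a binary needs (from ldd output) and copy them
# into a chroot area, preserving their directory layout.
# Assumption: ldd prints either "name => /path" lines or bare "/path" lines
# (the bare-path form is what ldd prints when the full path is recorded in
# the ELF header). Example code, not the script attached to the message.

# ldd_libs: read ldd output on stdin, print one absolute library path per line.
ldd_libs() {
    awk '
        # "libfoo.so.1 => /usr/lib/libfoo.so.1"; any trailing "(0x...)" is $4 and ignored
        $2 == "=>" && $3 ~ /^\// { print $3; next }
        # bare absolute path: the full path lives in the ELF header
        $1 ~ /^\// { print $1; next }
        # "libfoo.so => not found": the loader cannot resolve it here either,
        # so tell the operator to fix LD_LIBRARY_PATH, RPATH or ld.config first
        $2 == "=>" && $3 == "not" { print "missing: " $1 | "cat 1>&2" }
    '
}

# copy_libs_into_chroot CHROOT: for each library path read from stdin, copy
# the file to CHROOT/<same absolute path>, creating directories as needed.
copy_libs_into_chroot() {
    chroot_dir=$1
    while read -r lib; do
        dest="$chroot_dir$lib"
        mkdir -p "$(dirname "$dest")" || return 1
        cp -p "$lib" "$dest" || return 1    # -p keeps mode and timestamps
    done
}

# populate_chroot CHROOT BINARY...: run ldd on every binary that will live in
# the chroot and copy the union of the libraries they need.
populate_chroot() {
    chroot_dir=$1
    shift
    for bin in "$@"; do
        ldd "$bin" | ldd_libs
    done | sort -u | copy_libs_into_chroot "$chroot_dir"
}

# Usage: ./populate_chroot.sh /chroot/area /local/sbin/sshd [more binaries...]
if [ $# -ge 2 ]; then
    populate_chroot "$@"
fi
```

Remember that this only covers the dynamic libraries; as the message notes, the nss_* libraries, nsswitch.conf and PAM modules are not listed by ldd and still have to be copied separately.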