Monday, January 03, 2022

Re: Doku Wiki femail?

Thomas Bohl <openbsd-misc-518596@aloof.de> wrote:

> Hello,
>
> > After several tries, I think the problem is the interpretation, in
> > Universal Language; usually used in OBSD, it could be:
> > Write this ....
> > Do this ....
> > But, in this case, there are no commands!
> > Please, let me ask you, how to add /bin/sh to the chroot?
> > How to add host? resolv.conf? and femail.conf?
> > How to create /var/www/etc/other files?
> > From where do I have to create everything?
>
> That is what I always do for httpd chroot:
>
> # mkdir -p /var/www/usr/local/share/icu/
> # mkdir -p /var/www/etc/ssl/
> # cp -r /usr/local/share/icu/* /var/www/usr/local/share/icu/
> # cp /etc/ssl/openssl.cnf /var/www/etc/ssl/
> # cp /etc/ssl/cert.pem /var/www/etc/ssl/
> # cp /etc/{hosts,resolv.conf,localtime} /var/www/etc/
> # chown -R root:daemon /var/www/etc/ssl
> # chown -R root:daemon /var/www/usr/
>
>
> I haven't had the need for /bin/sh in chroot, so this is untested. But
> judging by
> $ ldd /bin/sh
>
> # mkdir /var/www/bin/
> # cp /bin/sh /var/www/bin/
>
> should be it.

No. Programs don't run in a vacuum. They need various things in
the filesystem.

I do not think we should document what those things are, because
the practice of running binaries inside such chroot spaces is highly
discouraged. It is an old less-secure practice for a less-secure
era and we don't need to help people re-create it. When people
believe they really need to do so, we provide the tools they need to
learn what is required: ktrace & kdump. And I really mean they need
to learn to use those tools. If they don't understand the low-level
system behaviours that happen, then why the HELL do they think they can
use chroot safely?
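The reply points at ktrace and kdump as the way to learn what a binary actually needs. As an added example that is not part of the thread, the POSIX sh below parses a constructed kdump(1) excerpt, pulls the NAMI (pathname lookup) records, and reports which of those paths are absent under a chroot root such as /var/www; the function names, the sample transcript and the paths in it are my own, and only absolute paths are handled.

```shell
# Constructed kdump(1) excerpt (not a real trace): the NAMI records are the
# pathname lookups the traced program made.
sample_kdump() {
cat <<'EOF'
 58342 sh       CALL  open(0x7f7ffffe1234,0x0<O_RDONLY>)
 58342 sh       NAMI  "/etc/resolv.conf"
 58342 sh       RET   open 3
 58342 sh       CALL  open(0x7f7ffffe1250,0x0<O_RDONLY>)
 58342 sh       NAMI  "/etc/hosts"
 58342 sh       RET   open 3
 58342 sh       CALL  open(0x7f7ffffe1260,0x0<O_RDONLY>)
 58342 sh       NAMI  "/etc/ssl/cert.pem"
 58342 sh       RET   open 4
EOF
}

# Read kdump output on stdin; print the unique absolute paths from NAMI records.
kdump_paths() {
    awk '$3 == "NAMI" { p = $4; gsub(/"/, "", p); if (p ~ /^\//) print p }' | sort -u
}

# Read kdump output on stdin; print each looked-up path that does not exist
# under the chroot root given as $1 (e.g. /var/www). Empty output means
# every path the trace touched is present.
chroot_missing() {
    root=$1
    kdump_paths | while IFS= read -r p; do
        [ -e "$root$p" ] || printf '%s\n' "$p"
    done
}

# Real use: trace the program outside the chroot first, then check the chroot:
#   ktrace -i -f /tmp/trace.out /bin/sh -c 'the command you intend to run'
#   kdump -f /tmp/trace.out | chroot_missing /var/www
```

Every path the script lists is one the program looked up that the chroot does not provide; whether it must be copied in, or whether the program should not be run there at all, is the judgement the reply says you need the tools to make.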
