Can't run whoami(id -un) inside chroot jail using openssh native jail support - openssh


Thread: Can't run whoami(id -un) inside chroot jail using openssh native jail support

  1. Can't run whoami(id -un) inside chroot jail using openssh native jail support

    OS: RHEL5.2
    Openssh: 5.0p1 and now 5.1

    I have successfully setup a chroot jail using openssh's new native
    jail support and almost everything appears to be working
    (ls, cd, cat, uname, etc.). However, I can't run any commands that
    identify the user, such as id -un, whoami, logname. They all fail with
    this result:

    #whoami
    whoami: cannot find name for user ID 503
    #id
    uid=503 gid=504 groups=504
    #id -un
    id: cannot find name for user ID 503
    503
    #logname
    503

    I've made sure that /etc/passwd and even /etc/group are in the jail
    with the proper permissions, but still I get the same result. Any
    suggestions?


  2. Re: Can't run whoami(id -un) inside chroot jail using openssh native jail support

    2008/7/23, D M :

    > OS: RHEL5.2
    > Openssh: 5.0p1 and now 5.1
    >
    > I have successfully setup a chroot jail using openssh's new native
    > jail support and almost everything appears to be working
    > (ls, cd, cat, uname, etc.). However, I can't run any commands that
    > identify the user, such as id -un, whoami, logname. They all fail with
    > this result:
    >
    > #whoami
    > whoami: cannot find name for user ID 503
    > #id
    > uid=503 gid=504 groups=504
    > #id -un
    > id: cannot find name for user ID 503
    > 503
    > #logname
    > 503
    >
    > I've made sure that /etc/passwd and even /etc/group are in the jail
    > with the proper permissions, but still I get the same result. Any
    > suggestions?


    I wonder if you are missing NSS (/etc/nsswitch.conf) in your jailed
    system? I would also check it with strace, like:

    strace id -un

    Although that would probably require setting up strace which might be
    too expensive to set up in a jailed system.

    Cheers,

    VL



  3. Re: Can't run whoami(id -un) inside chroot jail using openssh native jail support


    D M wrote:
    > OS: RHEL5.2
    > Openssh: 5.0p1 and now 5.1
    >
    > I have successfully setup a chroot jail using openssh's new native
    > jail support and almost everything appears to be working
    > (ls, cd, cat, uname, etc.). However, I can't run any commands that
    > identify the user, such as id -un, whoami, logname. They all fail with
    > this result:
    >
    > #whoami
    > whoami: cannot find name for user ID 503
    > #id
    > uid=503 gid=504 groups=504
    > #id -un
    > id: cannot find name for user ID 503
    > 503
    > #logname
    > 503


    I don't mean to ask really dumb questions, but can you:
    cat /etc/passwd
    cat /etc/group
    grep -F ':503:' /etc/passwd
    grep -F ':504:' /etc/group

    from within the jail?

    If not, you may have directory ownership/permissions problems. For
    example, in a jail, make sure /etc o:g=root:root & perm=0551.

    I know you said you have checked... but just adding another approach.

    Jon Kibler
    - --
    Jon R. Kibler
    Chief Technical Officer
    Advanced Systems Engineering Technology, Inc.
    Charleston, SC USA
    o: 843-849-8214
    c: 843-224-2494
    s: 843-564-4224

    My PGP Fingerprint is:
    BAA2 1F2C 5543 5D25 4636 A392 515C 5045 CF39 4253





  4. Re: Can't run whoami(id -un) inside chroot jail using openssh native jail support

    Yeah, I thought maybe permissions, but I also adjusted those. This is
    what's really strange; look at the output of this:

    #ls -la /etc
    total 900
    drwxr-xr-x 3 0 0 4096 Jul 24 17:04 .
    drwxr-xr-x 17 0 0 4096 Jul 22 17:00 ..
    -rw-r--r-- 1 0 0 11 Jul 22 17:00 group
    -rwxr-xr-x 1 0 0 245 Jul 22 17:00 hosts
    -rwxr-xr-x 1 0 0 24120 Jul 22 17:00 ld.so.cache
    -rwxr-xr-x 1 0 0 28 Jul 22 17:00 ld.so.conf
    drwxr-xr-x 2 0 0 4096 Jul 22 17:00 ld.so.conf.d
    -rwxr-xr-x 1 0 0 1696 Jul 22 17:00 nsswitch.conf
    -rw-r--r-- 1 0 0 144 Jul 24 17:04 passwd
    -rwxr-xr-x 1 0 0 66 Jul 22 17:00 resolv.conf
    -rw-r--r-- 1 0 0 807103 Jul 22 17:00 termcap

    it doesn't even seem to be able to translate the name/groups in the
    directory listing.






    On Thu, Jul 24, 2008 at 6:14 PM, Jon Kibler wrote:
    > D M wrote:
    >> OS: RHEL5.2
    >> Openssh: 5.0p1 and now 5.1
    >>
    >> I have successfully setup a chroot jail using openssh's new native
    >> jail support and almost everything appears to be working
    >> (ls, cd, cat, uname, etc.). However, I can't run any commands that
    >> identify the user, such as id -un, whoami, logname. They all fail with
    >> this result:
    >>
    >> #whoami
    >> whoami: cannot find name for user ID 503
    >> #id
    >> uid=503 gid=504 groups=504
    >> #id -un
    >> id: cannot find name for user ID 503
    >> 503
    >> #logname
    >> 503

    >
    > I don't mean to ask really dumb questions, but can you:
    > cat /etc/passwd
    > cat /etc/group
    > grep -F ':503:' /etc/passwd
    > grep -F ':504:' /etc/group
    >
    > from within the jail?
    >
    > If not, you may have directory ownership/permissions problems. For
    > example, in a jail, make sure /etc o:g=root:root & perm=0551.
    >
    > I know you said you have checked... but just adding another approach.
    >
    > Jon Kibler
    > - --
    > Jon R. Kibler
    > Chief Technical Officer
    > Advanced Systems Engineering Technology, Inc.
    > Charleston, SC USA
    > o: 843-849-8214
    > c: 843-224-2494
    > s: 843-564-4224
    >
    > My PGP Fingerprint is:
    > BAA2 1F2C 5543 5D25 4636 A392 515C 5045 CF39 4253
    >
    >



  5. Re: Can't run whoami(id -un) inside chroot jail using openssh native jail support

    On Thu, Jul 24, 2008 at 06:24:20PM -0500, D M wrote:
    > Yeah, I thought maybe permissions, but I also adjusted those. This is
    > what's really strange; look at the output of this:
    >
    > #ls -la /etc
    > total 900
    > drwxr-xr-x 3 0 0 4096 Jul 24 17:04 .
    > drwxr-xr-x 17 0 0 4096 Jul 22 17:00 ..
    > -rw-r--r-- 1 0 0 11 Jul 22 17:00 group


    > it doesn't even seem to be able to translate the name/groups in the
    > directory listing.


    ls calls upon getpwuid() to convert the numeric UID and GID into
    human-readable names like "root". getpwuid() and friends are libc
    functions that use OS-specific methods to do the lookups.

    On most modern systems, it will look for /etc/nsswitch.conf first, and
    that will tell it what overall scheme is being used for the mapping
    (NIS, NIS+, regular passwd files, etc.). Based on that, it will consult
    the appropriate scheme's resources (/etc/passwd, or open a connection to
    ypbind, or whatever) to get the actual answers.

    So, as others have already said, you need to ensure that the following
    files exist and are readable WITHIN the chroot jail:

    /etc/nsswitch.conf
    /etc/passwd
    /etc/group

    There may or may not be others, depending on your OS and how you
    configured things. For example, on Linux, you might also need an
    /etc/shadow file. On OpenBSD, you might also need an /etc/master.passwd
    file which is then converted into an /etc/pwd.db file. And so on.


  6. Re: Can't run whoami(id -un) inside chroot jail using openssh native jail support

    here is a listing of my etc directory inside the jail:
    ls -la
    total 916
    drwxr-xr-x 3 0 0 4096 Jul 28 14:31 .
    drwxr-xr-x 18 0 0 4096 Jul 28 14:35 ..
    -rw-r--r-- 1 0 0 11 Jul 22 17:00 group
    -r-------- 1 0 0 555 Jul 28 14:31 gshadow
    -rwxr-xr-x 1 0 0 245 Jul 22 17:00 hosts
    -rwxr-xr-x 1 0 0 24120 Jul 22 17:00 ld.so.cache
    -rwxr-xr-x 1 0 0 28 Jul 22 17:00 ld.so.conf
    drwxr-xr-x 2 0 0 4096 Jul 22 17:00 ld.so.conf.d
    -rw-r--r-- 1 0 0 1696 Jul 22 17:00 nsswitch.conf
    -rw-r--r-- 1 0 0 144 Jul 24 17:04 passwd
    -rwxr-xr-x 1 0 0 66 Jul 22 17:00 resolv.conf
    -r-------- 1 0 0 1607 Jul 28 14:30 shadow
    -rw-r--r-- 1 0 0 807103 Jul 22 17:00 termcap

    As you can see, all required files are there and have proper
    permissions. I've copied over everything from /usr/lib into the jail
    as well. However, it is still not properly doing the translation of uid to
    name or gid to name.

    dm



    On Fri, Jul 25, 2008 at 12:48 PM, Greg Wooledge wrote:
    > On Thu, Jul 24, 2008 at 06:24:20PM -0500, D M wrote:
    >> Yeah, I thought maybe permissions, but I also adjusted those. This is
    >> what's really strange; look at the output of this:
    >>
    >> #ls -la /etc
    >> total 900
    >> drwxr-xr-x 3 0 0 4096 Jul 24 17:04 .
    >> drwxr-xr-x 17 0 0 4096 Jul 22 17:00 ..
    >> -rw-r--r-- 1 0 0 11 Jul 22 17:00 group

    >
    >> it doesn't even seem to be able to translate the name/groups in the
    >> directory listing.

    >
    > ls calls upon getpwuid() to convert the numeric UID and GID into
    > human-readable names like "root". getpwuid() and friends are libc
    > functions that use OS-specific methods to do the lookups.
    >
    > On most modern systems, it will look for /etc/nsswitch.conf first, and
    > that will tell it what overall scheme is being used for the mapping
    > (NIS, NIS+, regular passwd files, etc.). Based on that, it will consult
    > the appropriate scheme's resources (/etc/passwd, or open a connection to
    > ypbind, or whatever) to get the actual answers.
    >
    > So, as others have already said, you need to ensure that the following
    > files exist and are readable WITHIN the chroot jail:
    >
    > /etc/nsswitch.conf
    > /etc/passwd
    > /etc/group
    >
    > There may or may not be others, depending on your OS and how you
    > configured things. For example, on Linux, you might also need an
    > /etc/shadow file. On OpenBSD, you might also need an /etc/master.passwd
    > file which is then converted into an /etc/pwd.db file. And so on.
    >



  7. Re: Can't run whoami(id -un) inside chroot jail using openssh native jail support

    2008/7/28, D M :

    > here is a listing of my etc directory inside the jail:
    > ls -la
    > total 916
    > drwxr-xr-x 3 0 0 4096 Jul 28 14:31 .
    > drwxr-xr-x 18 0 0 4096 Jul 28 14:35 ..
    >
    > -rw-r--r-- 1 0 0 11 Jul 22 17:00 group
    >
    > -r-------- 1 0 0 555 Jul 28 14:31 gshadow
    >
    > -rwxr-xr-x 1 0 0 245 Jul 22 17:00 hosts
    > -rwxr-xr-x 1 0 0 24120 Jul 22 17:00 ld.so.cache
    > -rwxr-xr-x 1 0 0 28 Jul 22 17:00 ld.so.conf
    >
    > drwxr-xr-x 2 0 0 4096 Jul 22 17:00 ld.so.conf.d
    > -rw-r--r-- 1 0 0 1696 Jul 22 17:00 nsswitch.conf
    >
    > -rw-r--r-- 1 0 0 144 Jul 24 17:04 passwd
    > -rwxr-xr-x 1 0 0 66 Jul 22 17:00 resolv.conf
    >
    > -r-------- 1 0 0 1607 Jul 28 14:30 shadow
    >
    > -rw-r--r-- 1 0 0 807103 Jul 22 17:00 termcap
    >
    >
    > As you can see, all required files are there and have proper
    > permissions. I've copied over everything from /usr/lib into the jail
    > as well. However, it is still not properly doing the translation of uid to
    > name or gid to name.


    What is the passwd section set to in nsswitch.conf? On my Debian testing
    system it's "compat":

    $ grep passwd /etc/nsswitch.conf
    passwd: compat

    Make sure you have the NSS libraries available for the passwd entries.
    When I strace the command, I see it checking for the following libs:

    $ strace id -un 2>&1 | grep libnss
    open("/lib/i686/cmov/libnss_compat.so.2", O_RDONLY) = 3
    open("/lib/i686/cmov/libnss_nis.so.2", O_RDONLY) = 3
    open("/lib/i686/cmov/libnss_files.so.2", O_RDONLY) = 3

    Cheers,

    VL
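    As an added example (not from this thread or from OpenSSH), the following shell check applies Greg's explanation of the getpwuid()/nsswitch.conf lookup path together with Vladimir's strace observation: it reads the services on the passwd: and group: lines of the jail's nsswitch.conf and verifies that a libnss_<service>.so.2 exists under the jail's library directories, which is exactly what was missing here. The function name check_jail_nss and the list of library directories it searches are assumptions.

```shell
#!/bin/sh
# check_jail_nss JAIL [UID] [GID]  (added example; names and search dirs are assumptions)
# Verifies the pieces getpwuid()/getgrgid() need inside a chroot tree:
#   - /etc/nsswitch.conf, /etc/passwd, /etc/group present and readable
#   - a libnss_<service>.so.2 for every service on the passwd: and group: lines,
#     in the library directories glibc's loader would search inside the jail
#   - optionally, that the given numeric uid/gid actually have entries there
# Exit status 0 means all checks passed; every problem is printed on stdout.
check_jail_nss() {
    jail=$1; want_uid=${2:-}; want_gid=${3:-}; rc=0
    for f in etc/nsswitch.conf etc/passwd etc/group; do
        if [ ! -r "$jail/$f" ]; then
            echo "MISSING or unreadable: $jail/$f"; rc=1
        fi
    done
    [ -r "$jail/etc/nsswitch.conf" ] || return "$rc"
    # Collect service names (files, compat, nis, ...) from the passwd: and group:
    # lines; comments and [NOTFOUND=return]-style actions are skipped.
    services=$(sed -e 's/#.*//' "$jail/etc/nsswitch.conf" | awk '
        $1 == "passwd:" || $1 == "group:" {
            for (i = 2; i <= NF; i++) if ($i !~ /^\[/) print $i
        }' | sort -u)
    for svc in $services; do
        found=0
        # Assumed search list: the lib dirs a RHEL/Debian glibc would look in.
        for dir in lib lib64 usr/lib usr/lib64 lib/i686/cmov; do
            if [ -e "$jail/$dir/libnss_$svc.so.2" ]; then found=1; fi
        done
        if [ "$found" -eq 0 ]; then
            echo "MISSING: libnss_$svc.so.2 (needed for nsswitch service '$svc')"
            rc=1
        fi
    done
    if [ -n "$want_uid" ] && \
       ! awk -F: -v u="$want_uid" '$3 == u { ok = 1 } END { exit !ok }' "$jail/etc/passwd"; then
        echo "MISSING: no entry for uid $want_uid in $jail/etc/passwd"; rc=1
    fi
    if [ -n "$want_gid" ] && \
       ! awk -F: -v g="$want_gid" '$3 == g { ok = 1 } END { exit !ok }' "$jail/etc/group"; then
        echo "MISSING: no entry for gid $want_gid in $jail/etc/group"; rc=1
    fi
    return "$rc"
}

# Run against a jail root when invoked directly, e.g.: ./check_jail_nss.sh /var/chroot 503 504
if [ $# -gt 0 ]; then check_jail_nss "$@"; fi
```

    Run it from outside the jail against the ChrootDirectory path; a passing result means the name lookups that whoami, id -un and ls -l perform have everything they need without having to strace inside the jail.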


  8. Re: Can't run whoami(id -un) inside chroot jail using openssh native jail support

    Thank you very much... The problem was I didn't have /lib in the
    jail, only /usr/lib.

    thanks
    dm

    On Tue, Jul 29, 2008 at 3:12 AM, Vladimir Levijev
    wrote:
    > 2008/7/28, D M :
    >
    >> here is a listing of my etc directory inside the jail:
    >> ls -la
    >> total 916
    >> drwxr-xr-x 3 0 0 4096 Jul 28 14:31 .
    >> drwxr-xr-x 18 0 0 4096 Jul 28 14:35 ..
    >>
    >> -rw-r--r-- 1 0 0 11 Jul 22 17:00 group
    >>
    >> -r-------- 1 0 0 555 Jul 28 14:31 gshadow
    >>
    >> -rwxr-xr-x 1 0 0 245 Jul 22 17:00 hosts
    >> -rwxr-xr-x 1 0 0 24120 Jul 22 17:00 ld.so.cache
    >> -rwxr-xr-x 1 0 0 28 Jul 22 17:00 ld.so.conf
    >>
    >> drwxr-xr-x 2 0 0 4096 Jul 22 17:00 ld.so.conf.d
    >> -rw-r--r-- 1 0 0 1696 Jul 22 17:00 nsswitch.conf
    >>
    >> -rw-r--r-- 1 0 0 144 Jul 24 17:04 passwd
    >> -rwxr-xr-x 1 0 0 66 Jul 22 17:00 resolv.conf
    >>
    >> -r-------- 1 0 0 1607 Jul 28 14:30 shadow
    >>
    >> -rw-r--r-- 1 0 0 807103 Jul 22 17:00 termcap
    >>
    >>
    >> As you can see, all required files are there and have proper
    >> permissions. I've copied over everything from /usr/lib into the jail
    >> as well. However, it is still not properly doing the translation of uid to
    >> name or gid to name.

    >
    > What is the passwd section set to in nsswitch.conf? On my Debian testing
    > system it's "compat":
    >
    > $ grep passwd /etc/nsswitch.conf
    > passwd: compat
    >
    > Make sure you have the NSS libraries available for the passwd entries.
    > When I strace the command, I see it checking for the following libs:
    >
    > $ strace id -un 2>&1 | grep libnss
    > open("/lib/i686/cmov/libnss_compat.so.2", O_RDONLY) = 3
    > open("/lib/i686/cmov/libnss_nis.so.2", O_RDONLY) = 3
    > open("/lib/i686/cmov/libnss_files.so.2", O_RDONLY) = 3
    >
    > Cheers,
    >
    > VL
    >


