Loco
07-24-2002, 10:38 PM
Taken from the original FAQ.
2.20 - After the chroot(), calls to socket() are failing. Why?
From Andrew Gierth (andrew@erlenstar.demon.co.uk):
On systems where sockets are implemented on top of Streams (e.g. all SysV-based systems, presumably including Solaris), the socket() function will actually be opening certain special files in /dev. You will need to create a /dev directory under your fake root and populate it with the required device nodes (only).
Your system documentation may or may not specify exactly which device nodes are required; I can't help you there (sorry). (Editor's note: Adrian Hall (adrian@hottub.org) suggested checking the man page for ftpd, which should list the files you need to copy and devices you need to create in the chroot'd environment.)
A less-obvious issue with chroot() is if you call syslog(), as many daemons do; syslog() opens (depending on the system) either a UDP socket, a FIFO or a Unix-domain socket. So if you use it after a chroot() call, make sure that you call openlog() *before* the chroot.
From: Stanislav Shalunov
On Solaris you need /dev/tcp (and/or /dev/udp) in order for programs linked with -lsocket -lnsl to work. The libraries will also use /etc/netconfig which may or may not need to be copied to chroot jail depending on versions. (In Solaris, /dev/tcp will be a symlink to ../devices/pseudo/...; you need to notice the major and minor numbers of the file /dev/tcp points to and recreate that. The partition must not be mounted nosuid because in Solaris nosuid implies nodev. Ouch, or use BSD.)
From: Stanislav Shalunov
In most versions of libc, openlog() itself will not be sufficient to cause the library to actually open the connection. You would have to actually syslog() something. Alternatively, a system-dependent FIFO (like /dev/log) might be moved to the chroot jail and a symlink be put in the original location. This will obviously work only if you have a single chroot'ed daemon. Wietse Venema's Postfix MTA has scripts that set up chroot jail for various Unices.
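The ordering the two replies above describe (open the log connection, force it open with a real message, only then chroot(), chdir("/") and drop root), written out as an added C example; it is not code from the FAQ or from any of the quoted authors, and the function name enter_jail and its arguments are my own.

```c
#include <errno.h>
#include <string.h>
#include <syslog.h>
#include <unistd.h>
#include <sys/types.h>

/* Enter a chroot jail in an order that keeps syslog() working afterwards.
 * 1. openlog() with LOG_NDELAY, then send one real message: some libcs defer
 *    opening the socket/FIFO to the logger until the first syslog() call, so
 *    the message guarantees the descriptor exists while /dev/log is reachable.
 *    That open descriptor survives the chroot(); the path is never reopened.
 * 2. chroot(jail), then chdir("/") so the working directory is inside the jail.
 * 3. Drop root last, group first; chroot() itself needs privilege.
 * Returns 0 on success, -1 on failure with errno preserved from the failing call.
 */
int enter_jail(const char *ident, const char *jail, uid_t uid, gid_t gid)
{
    int saved;

    openlog(ident, LOG_PID | LOG_NDELAY, LOG_DAEMON);
    syslog(LOG_INFO, "entering chroot jail %s", jail);   /* forces the open */

    if (chroot(jail) != 0) {
        saved = errno;                /* syslog() may clobber errno, keep it */
        syslog(LOG_ERR, "chroot(%s) failed: %s", jail, strerror(saved));
        errno = saved;
        return -1;
    }
    if (chdir("/") != 0) {            /* never leave cwd outside the new root */
        saved = errno;
        syslog(LOG_ERR, "chdir(/) failed: %s", strerror(saved));
        errno = saved;
        return -1;
    }
    if (setgid(gid) != 0 || setuid(uid) != 0) {
        saved = errno;
        syslog(LOG_ERR, "dropping privileges failed: %s", strerror(saved));
        errno = saved;
        return -1;
    }
    /* Still works: the logger connection was opened before the chroot. */
    syslog(LOG_INFO, "running as uid %ld inside %s", (long)uid, jail);
    return 0;
}
```

On a system that builds sockets on Streams, the jail must additionally contain the device nodes (and, on Solaris, /etc/netconfig) the FAQ lists, or later socket() calls from inside the jail will fail regardless of this ordering.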