Servidor SFTP no RHEL6 desconecta ao executar ls


Eu segui os passos descritos aqui para criar um ambiente sftp chroot. Tudo funciona muito bem, EXCETO o comando ls. Quando executo um ls, com qualquer uma das opções (flags), sou desconectado imediatamente.

Quando faço um strace no PID, obtenho isto (não consegui formatar melhor do que isso):

Alguma ideia? Já não sei mais o que fazer.

'Process 7071 attached - interrupt to quit
 select(5, [3], [], NULL, NULL)          = 1 (in [3])
 read(3, "%pre%%pre%%pre%\n\v%pre%%pre%%pre%%pre%%pre%%pre%/", 16384) = 14
 open("/", O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC) = 5
 select(5, [3], [4], NULL, NULL)         = 1 (out [4])
 write(4, "%pre%%pre%%pre%\rf%pre%%pre%%pre%%pre%%pre%%pre%%pre%%pre%%pre%%pre%", 17) = 17
 select(5, [3], [], NULL, NULL)          = 1 (in [3])
 read(3, "%pre%%pre%%pre%\r\f%pre%%pre%%pre%%pre%%pre%%pre%%pre%%pre%%pre%%pre%", 16384) = 17
 getdents(5, /* 3 entries */, 32768)     = 80
 lstat("/.", {st_mode=S_IFDIR|0750, st_size=4096, ...}) = 0
 stat("/etc/localtime", 0x7fff44193d90)  = -1 ENOENT (No such file or directory)
 open("/etc/localtime", O_RDONLY)        = -1 ENOENT (No such file or directory)
 open("/etc/passwd", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
 close(4)                                = 0
 socket(PF_FILE, SOCK_STREAM, 0)         = 4
 fcntl(4, F_SETFD, FD_CLOEXEC)           = 0
 fcntl(4, F_GETFL)                       = 0x2 (flags O_RDWR)
 fcntl(4, F_SETFL, O_RDWR)               = 0
 connect(4, {sa_family=AF_FILE, path="/var/lib/pbis/.lsassd"}, 110) = -1 ENOENT (No such file or directory)
 close(4)                                = 0
 open("/etc/group", O_RDONLY|O_CLOEXEC)  = -1 ENOENT (No such file or directory)
 socket(PF_FILE, SOCK_STREAM, 0)         = 4
 fcntl(4, F_SETFD, FD_CLOEXEC)           = 0
 fcntl(4, F_GETFL)                       = 0x2 (flags O_RDWR)
 fcntl(4, F_SETFL, O_RDWR)               = 0
 connect(4, {sa_family=AF_FILE, path="/var/lib/pbis/.lsassd"}, 110) = -1 ENOENT (No such file or directory)
 close(4)                                = 0
 lstat("/..", {st_mode=S_IFDIR|0750, st_size=4096, ...}) = 0
 open("/etc/localtime", O_RDONLY)        = -1 ENOENT (No such file or directory)
 open("/etc/passwd", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
 socket(PF_FILE, SOCK_STREAM, 0)         = 4
 fcntl(4, F_SETFD, FD_CLOEXEC)           = 0
 fcntl(4, F_GETFL)                       = 0x2 (flags O_RDWR)
 fcntl(4, F_SETFL, O_RDWR)               = 0
 connect(4, {sa_family=AF_FILE, path="/var/lib/pbis/.lsassd"}, 110) = -1 ENOENT (No such file or directory)
 close(4)                                = 0
 open("/etc/group", O_RDONLY|O_CLOEXEC)  = -1 ENOENT (No such file or directory)
 socket(PF_FILE, SOCK_STREAM, 0)         = 4
 fcntl(4, F_SETFD, FD_CLOEXEC)           = 0
 fcntl(4, F_GETFL)                       = 0x2 (flags O_RDWR)
 fcntl(4, F_SETFL, O_RDWR)               = 0
 connect(4, {sa_family=AF_FILE, path="/var/lib/pbis/.lsassd"}, 110) = -1 ENOENT (No such file or directory)
 close(4)                                = 0
 lstat("/attreport", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
 open("/etc/localtime", O_RDONLY)        = -1 ENOENT (No such file or directory)
 open("/etc/passwd", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
 socket(PF_FILE, SOCK_STREAM, 0)         = 4
 fcntl(4, F_SETFD, FD_CLOEXEC)           = 0
 fcntl(4, F_GETFL)                       = 0x2 (flags O_RDWR)
 fcntl(4, F_SETFL, O_RDWR)               = 0
 connect(4, {sa_family=AF_FILE, path="/var/lib/pbis/.lsassd"}, 110) = -1 ENOENT (No such file or directory)
 close(4)                                = 0
 open("/etc/group", O_RDONLY|O_CLOEXEC)  = -1 ENOENT (No such file or directory)
 socket(PF_FILE, SOCK_STREAM, 0)         = 4
 fcntl(4, F_SETFD, FD_CLOEXEC)           = 0
 fcntl(4, F_GETFL)                       = 0x2 (flags O_RDWR)
 fcntl(4, F_SETFL, O_RDWR)               = 0
 connect(4, {sa_family=AF_FILE, path="/var/lib/pbis/.lsassd"}, 110) = -1 ENOENT (No such file or directory)
 close(4)                                = 0
 getdents(5, /* 0 entries */, 32768)     = 0
 select(5, [3], [4], NULL, NULL)         = -1 EBADF (Bad file descriptor)
 sendto(7, "<83>Feb 27 22:02:23 sshd[7071]: "..., 66, MSG_NOSIGNAL, NULL, 0) = -1 EBADF (Bad file descriptor)
 close(7)                                = -1 EBADF (Bad file descriptor)
 socket(PF_FILE, SOCK_DGRAM|SOCK_CLOEXEC, 0) = 4
 connect(4, {sa_family=AF_FILE, path="/dev/log"}, 110) = -1 ENOENT (No such file or directory)
 close(4)                                = 0
 exit_group(2)                           = ?
 Process 7071 detached

'

    
por Greg Cain 27.02.2012 / 23:19

4 respostas


Isso acabou sendo um problema com o Likewise Open. O "ls" foi o único comando que tentou resolver o UID/GID e, ao fazê-lo, recorreu também ao lsass para a resolução; assim que o fez, caiu.

O /etc/nsswitch.conf foi configurado para usar os arquivos primeiro:

passwd:     files lsass
shadow:     files
group:      files lsass

mas, por alguma razão, a consulta ainda assim ia para o lsass. A solução foi adicionar o grupo correto a "RequireMembershipOf", que no RHEL6 estava em /opt/likewise/bin/lwconfig.txt

    
por 07.03.2012 / 18:44

Tive o mesmo problema, mas em execução no RHEL 5.5.
OpenSSH server 5.x usando o chroot interno com a diretiva Match e a integração do PBIS com AD. Encontrei duas soluções alternativas:

  1. Altere as linhas passwd e group em /etc/nsswitch.conf de:

    passwd:     files lsass
    

    para se parecer com:

    passwd:     files [UNAVAILABLE=return] lsass
    
  2. Crie os arquivos /etc/passwd e /etc/group na raiz do ambiente chroot. Os arquivos só precisam conter o mínimo de registros, correspondentes aos proprietários dos arquivos e diretórios subjacentes.

por 31.05.2012 / 10:57

Se você só executa sftp, pode configurar seu sshd para usar o internal-sftp. Esse sftp tem todos os comandos embutidos em uma versão mínima - o chroot só precisa de /dev/null, zero, random e urandom para funcionar. O ls também será um comando interno.

Você não precisa mais se preocupar em manter atualizados os binários e as bibliotecas dentro do chroot...

    
por 07.03.2012 / 21:59

No meu caso, um erro semelhante (o ls do sftp falhando no chroot enquanto o get funcionava) foi resolvido copiando /etc/group e /etc/passwd para o meu chroot. Nenhum arquivo de /dev parece ser necessário. Nenhuma mudança em /etc/nsswitch.conf parece ser necessária, embora eu faça chroot para montagens CIFS remotas.

    
por 23.10.2014 / 15:40
