Solaris 10 Zones / Chroot / SFTP

Miranda, George George.Miranda at vgames.com
Fri Mar 2 17:03:23 EST 2007


Sun Managers,

I am attempting to set up a chroot'ed SFTP environment within a Solaris
10 Zone.  I am able to make chroot'ed SSH & chroot'ed SFTP work just
fine on Solaris 10 outside of a zone.  Within a Solaris 10 zone,
chroot'ed SSH works.  However, within a Solaris 10 zone, chroot'ed SFTP
fails.  To illustrate the problem, snippets of my session are below.

The zone user "sshtest" is configured to chroot.


root at zone1 # ssh -l sshtest zone1
sshtest at zone1's password:
Last login: Wed Feb 28 11:56:09 2007 from localhost
Sun Microsystems Inc.   SunOS 5.10      Generic January 2005
$ cd /
$ ls
bin   dev   home  lib   usr
$ ls -l /dev
total 0
crw-rw-rw-   1 0        0         13,  2 Feb 28 18:53 null
crw-rw-rw-   1 0        0         13, 12 Feb 28 18:53 zero


Clearly, chroot SSH works.  However, when I attempt to SFTP...

root at zone1 # sftp sshtest at zone1
Connecting to zone1...
sshtest at zone1's password:
Connection closed

A manual attempt to start SFTP from within the chroot'ed environment
produces the following clues:

root at zone1 # ssh -l sshtest zone1
sshtest at zone1's password:
Last login: Wed Feb 28 12:10:22 2007 from localhost
Sun Microsystems Inc.   SunOS 5.10      Generic January 2005
$ /usr/local/libexec/sftp-server
Couldn't open /dev/null: No such device or address


But as seen in the session above, clearly /dev/null exists in the
chroot'ed environment.

I know that zones require explicit permission to access a raw device.
So I have added access to both the special file "null" within the
chroot/dev/ directory (using the full path to that device file from the
global zone) and to the global zone's own /dev/null (though I believe
this step is redundant).

You can see what I mean from this partial snippet of my zone config.

root at global-zone # zonecfg -z zone1
zonecfg:zone1> info
[...]
device
        match: /zone-exports/zone1/home/sshtest/chroot/dev/null
device
        match: /dev/null


After granting access to these device files, it still doesn't work.  Any
push in the right direction would be appreciated.

For reference:

SSH/SFTP software - OpenSSH 4.5p1
                    w/ chroot patch (http://chrootssh.sourceforge.net)

OS: SunOS 5.10 Generic_118833-33 sun4u sparc SUNW,Sun-Fire-V240

The chroot'ed environment was configured based on the how-to posted at
http://chrootssh.sourceforge.net/docs/chrootedsftp.html


Thanks in advance!

_____________________________
George Miranda
Senior Unix Systems Engineer
Vivendi Games, Los Angeles
http://www.vugames.com
_____________________________
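The failure above hinges on a distinction that `ls -l` alone cannot show: the device node is present in the chroot's dev directory, yet `open()` on it fails with ENXIO ("No such device or address"). The following POSIX shell function is an added diagnostic, not part of the original post or of the chrootssh project: pointed at a chroot root, it checks for each node sftp-server needs that the node exists, is a character device, has the same major/minor numbers as the corresponding node in the system's own `/dev`, and can actually be opened for reading and writing. The node list (`null`, `zero`) and the output labels are this example's own assumptions.

```sh
#!/bin/sh
# check_chroot_dev ROOT
# Verify that the device nodes a chroot'ed sftp-server needs are not only
# present under ROOT/dev but openable from this context.  Prints one line
# per node and returns 0 only if every node passes.  (Added example; the
# node list below is an assumption, not taken from the original post.)

# devnum PATH: print "major,minor" as shown by ls -l (fields 5 and 6).
devnum() {
    ls -lL "$1" 2>/dev/null | awk '{print $5 $6}'
}

check_chroot_dev() {
    root=${1%/}          # strip a trailing slash so ROOT=/ yields /dev/...
    status=0
    for node in null zero; do
        path="$root/dev/$node"
        if [ ! -e "$path" ]; then
            echo "MISSING  $path"
            status=1
            continue
        fi
        if [ ! -c "$path" ]; then
            echo "NOTCHAR  $path is not a character device"
            status=1
            continue
        fi
        # The chroot node must carry the same device numbers as the real one;
        # a node copied from the wrong host or zone will look right but not be.
        want=$(devnum "/dev/$node")
        have=$(devnum "$path")
        if [ -n "$want" ] && [ "$want" != "$have" ]; then
            echo "MISMATCH $path has $have, /dev/$node has $want"
            status=1
            continue
        fi
        # Existence is not enough: the kernel may still refuse to attach the
        # driver (ENXIO, "No such device or address"), which is exactly the
        # symptom the post describes.  Try a real open for write and for read.
        if : >"$path" 2>/dev/null && : <"$path" 2>/dev/null; then
            echo "OK       $path ($have)"
        else
            echo "NOOPEN   $path exists but cannot be opened"
            status=1
        fi
    done
    return $status
}

# Usage: check_chroot_dev /zone-exports/zone1/home/sshtest/chroot
```

Run it once inside the zone against the chroot tree and once against `/` in the same zone: an `OK` for `/dev/null` next to a `NOOPEN` for the chroot's copy tells you the problem is device access policy rather than a missing or mis-numbered node, which is the case the post is reporting.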


