Linode Forum
Linode Community Forums
PostPosted: Fri Feb 14, 2014 9:50 am 
I think my SSH chrooted user couldn't get a tty. Is this a common problem, and is there a fix?

When logged in via `ssh mylinode` (this is a chrooted user) and running `tty`, I got "not a tty". I think this is the root problem behind not being able to start tmux or screen.

I didn't mount /proc but I have /dev/pts mounted.

I have glibc-2.17 on Gentoo hardened with grsecurity; according to this http://rpmfind.net/linux/RPM/centos/6.5 ... 86_64.html, not mounting /proc should be sufficient.

Quote:
The ttyname and ttyname_r functions on Linux now fall back to searching for the tty file descriptor in /dev/pts or /dev if /proc is not available. This allows creation of chroots without the procfs mounted on /proc. (#851470)


I am unsure, but I think I had problems compiling glibc because /dev/pts was owned by group "adm"; as noted here http://forums.gentoo.org/viewtopic-p-7452100.html it should be owned by group "tty". I forgot where that was; I think it was when using Xen on my laptop.

What I did was lazily unmount /dev/pts, then mount devpts with group "tty"; that way I could continue installing glibc.

This setup worked on my laptop: I can `ssh mylinodedev` and then run `tmux`. `tty` returned "/dev/pts/0".

I can start `tmux` if I mount /proc into the chrooted environment on Linode, but I think this is a poor security setup.

I plan on renting my Linode node to users, hehe; chroot is a way to not let different users see each other's files.
I've just started using grsecurity; maybe I could use grsecurity to provide the same functionality, but I haven't learnt it that deeply.

Edit1:

This is the script that mounts devpts for each chrooted user:
Code:
#!/bin/bash
# Mount a devpts instance into each per-user chroot under /home.
homes=(/home/*)
for home in "${homes[@]}"
do
    # Clear the chroot's /tmp; the glob must sit outside the quotes to expand.
    rm -rf "$home"/tmp/*

    if [[ -d "$home/dev/pts" ]]
    then
        mount -t devpts -o gid=tty,mode=620 none "$home/dev/pts"
    fi
done


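Added example, not from the thread or either poster: a bash audit that parses lines in the format of /proc/mounts and reports, for a given chroot home, whether devpts is mounted there with the tty group and mode 620 that the script above asks for, and whether procfs is also mounted inside the chroot. The mount lines are a constructed sample; the numeric id of the tty group is assumed to be 5 (the usual default) and is passed as a parameter, since /proc/mounts shows the gid numerically.

```shell
#!/bin/bash
# Added example: audit per-user chroots for the devpts/procfs state discussed
# in the thread, by parsing lines in the format of /proc/mounts.

# Constructed sample of /proc/mounts lines (not captured from a real host).
# alice: devpts mounted as the script intends; bob: wrong mode and no gid;
# carol: devpts OK but procfs is also mounted inside the chroot.
SAMPLE_MOUNTS='none /home/alice/dev/pts devpts rw,relatime,gid=5,mode=620,ptmxmode=000 0 0
none /home/bob/dev/pts devpts rw,relatime,mode=600,ptmxmode=000 0 0
proc /home/carol/proc proc rw,nosuid,nodev,noexec,relatime 0 0
none /home/carol/dev/pts devpts rw,relatime,gid=5,mode=620,ptmxmode=000 0 0'

# mount_opts MOUNTS MOUNTPOINT FSTYPE -> prints the option field of the matching
# mount line, or nothing if that filesystem type is not mounted there.
mount_opts() {
    printf '%s\n' "$1" | awk -v mp="$2" -v fs="$3" '$2 == mp && $3 == fs { print $4; exit }'
}

# check_devpts MOUNTS HOME [TTYGID] -> 0 if HOME/dev/pts has devpts mounted with
# gid=TTYGID (assumed 5, the usual tty group) and mode=620, otherwise 1.
check_devpts() {
    local mounts=$1 home=$2 ttygid=${3:-5} opts
    opts=$(mount_opts "$mounts" "$home/dev/pts" devpts)
    if [ -z "$opts" ]; then
        echo "$home: devpts not mounted; ssh sessions will report 'not a tty'"
        return 1
    fi
    case ",$opts," in
        *",gid=$ttygid,"*) ;;
        *) echo "$home: devpts lacks gid=$ttygid (tty group)"; return 1 ;;
    esac
    case ",$opts," in
        *",mode=620,"*) ;;
        *) echo "$home: devpts mode is not 620"; return 1 ;;
    esac
    echo "$home: devpts OK"
}

# has_proc MOUNTS HOME -> 0 if procfs is mounted at HOME/proc, 1 otherwise.
has_proc() {
    [ -n "$(mount_opts "$1" "$2/proc" proc)" ]
}

# audit_chroot MOUNTS HOME [TTYGID] -> runs both checks; the return code reflects
# the devpts check only, since exposing /proc inside the chroot is a policy choice.
audit_chroot() {
    local rc=0
    check_devpts "$1" "$2" "${3:-5}" || rc=1
    if has_proc "$1" "$2"; then
        echo "$2: note: procfs is mounted inside the chroot"
    fi
    return $rc
}

# Demonstration over the constructed sample. On a real host, replace
# "$SAMPLE_MOUNTS" with "$(cat /proc/mounts)" and loop over /home/*.
for home in /home/alice /home/bob /home/carol; do
    audit_chroot "$SAMPLE_MOUNTS" "$home" || :
done
```

Run against a live /proc/mounts this lists, per chroot, the missing devpts mount that produces "not a tty" (and so a failing tmux or screen), a devpts mounted without the tty group or with a different mode, and which chroots have procfs mounted at all. Mount points containing spaces appear escaped as `\040` in /proc/mounts and would need decoding before comparison.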
PostPosted: Fri Feb 14, 2014 7:06 pm 
Website: http://www.unixtastic.com
Location: Europe
It should be fine to mount /proc in each chroot; it's not like normal users can write to anything in there anyway. Lots of tools need data from /proc; normal users may want stuff like ps and top.

If you really care about security, and really distrust your users, maybe you want to look into Linux containers? They could be a lot more effort to set up, though.


PostPosted: Fri Feb 21, 2014 7:59 am 
Found the problem: my rsync from laptop to Linode, haha, for the binary files removed this file `/lib/modules/pv-grub_x86_64-5/modules.dep`. I just need to exclude this one on the next upload, or reboot the Linode when I did :/

/proc is like a pond of unknown entities that I fear giving the user access to, and I can't invest the time to understand it.

Will look into Linux containers, thanks.

