Solaris 10 Zones / Chroot / SFTP



Sun Managers,

I am attempting to set up a chroot'ed SFTP environment within a Solaris
10 Zone. I am able to make chroot'ed SSH & chroot'ed SFTP work just
fine on Solaris 10 outside of a zone. Within a Solaris 10 zone,
chroot'ed SSH works. However, within a Solaris 10 zone, chroot'ed SFTP
fails. To illustrate the problem, snippets of my session are below.

The zone user "sshtest" is configured to chroot.


root@zone1 # ssh -l sshtest zone1
sshtest@zone1's password:
Last login: Wed Feb 28 11:56:09 2007 from localhost
Sun Microsystems Inc. SunOS 5.10 Generic January 2005
$ cd /
$ ls
bin dev home lib usr
$ ls -l /dev
total 0
crw-rw-rw- 1 0 0 13, 2 Feb 28 18:53 null
crw-rw-rw- 1 0 0 13, 12 Feb 28 18:53 zero


Clearly, chroot SSH works. However, when I attempt to SFTP...

root@zone1 # sftp sshtest@zone1
Connecting to zone1...
sshtest@zone1's password:
Connection closed

A manual attempt to start SFTP from within the chroot'ed environment
produces the following clues:

root@zone1 # ssh -l sshtest zone1
sshtest@zone1's password:
Last login: Wed Feb 28 12:10:22 2007 from localhost
Sun Microsystems Inc. SunOS 5.10 Generic January 2005
$ /usr/local/libexec/sftp-server
Couldn't open /dev/null: No such device or address


But as seen in the session above, clearly /dev/null exists in the
chroot'ed environment.

I know that zones require explicit permission to access a raw device.
So I have added access to both the special file "null" within the
chroot/dev/ directory (using the full path to that device file from the
global zone) and to the global zone's own /dev/null (though I believe
this step is redundant).

You can see what I mean from this partial snippet of my zone config.

root@global-zone # zonecfg -z zone1
zonecfg:zone1> info
[...]
device
match: /zone-exports/zone1/home/sshtest/chroot/dev/null
device
match: /dev/null


After granting access to these device files, it still doesn't work. Any
push in the right direction would be appreciated.

For reference:

SSH/SFTP software - OpenSSH 4.5p1
w/ chroot patch (http://chrootssh.sourceforge.net)

OS: SunOS 5.10 Generic_118833-33 sun4u sparc SUNW,Sun-Fire-V240

The chroot'ed environment was configured based on the how-to posted at
http://chrootssh.sourceforge.net/docs/chrootedsftp.html


Thanks in advance!

_____________________________
George Miranda
Senior Unix Systems Engineer
Vivendi Games, Los Angeles
http://www.vugames.com
_____________________________
_______________________________________________
sunmanagers mailing list
sunmanagers@xxxxxxxxxxxxxxx
http://www.sunmanagers.org/mailman/listinfo/sunmanagers
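The post's symptom is a device node that `ls` shows inside the jail but that sftp-server cannot open. The following script is an added diagnostic, not part of the original message or of the chrootssh project, that separates the three cases a listing alone cannot: the node is missing, the node exists but is not a character device with the same major/minor numbers as the real `/dev` entry, or the node is correct yet cannot be opened. The jail path `/home/sshtest/chroot` in the usage comment is an assumed example; substitute the real jail root as seen from inside the zone.

```shell
#!/bin/sh
# Added diagnostic (not from the original post): verify that device nodes
# inside a chroot jail are usable, not merely listed.
# Usage (jail root is an assumed example path):
#   sh check_chroot_dev.sh /home/sshtest/chroot null zero

# Print "major,minor" for a device node by parsing `ls -lnL` (fields 5 and 6),
# which has the same column layout on Solaris 10 and on GNU coreutils.
dev_numbers() {
    ls -lnL "$1" 2>/dev/null | awk '{ print $5 $6 }'
}

# Check one node in the jail against its counterpart in the real /dev.
# Returns 0 when the jail node is a character device with the same
# major/minor numbers that can actually be opened for reading and writing;
# otherwise prints the first failing condition and returns 1.
check_chroot_dev() {
    jail=$1
    name=$2
    node="$jail/dev/$name"
    ref="/dev/$name"

    if [ ! -e "$node" ]; then
        echo "$node: missing"
        return 1
    fi
    if [ ! -c "$node" ]; then
        echo "$node: not a character device"
        return 1
    fi
    if [ -c "$ref" ] && [ "$(dev_numbers "$node")" != "$(dev_numbers "$ref")" ]; then
        echo "$node: major/minor $(dev_numbers "$node") differs from $ref $(dev_numbers "$ref")"
        return 1
    fi
    # The decisive test: open the node the way a program would. A node that is
    # listed but cannot be opened is exactly the symptom in the post
    # ("Couldn't open /dev/null: No such device or address"). The subshell
    # keeps a redirection error from aborting this shell.
    if ! ( true < "$node" ) 2>/dev/null; then
        echo "$node: cannot be opened for reading"
        return 1
    fi
    if ! ( true > "$node" ) 2>/dev/null; then
        echo "$node: cannot be opened for writing"
        return 1
    fi
    echo "$node: ok"
    return 0
}

# Driver: run only when invoked with a jail root and one or more device names,
# so the functions can also be sourced and called individually.
if [ $# -ge 2 ]; then
    jail_root=$1
    shift
    status=0
    for d in "$@"; do
        check_chroot_dev "$jail_root" "$d" || status=1
    done
    exit $status
fi
```

The message in the post, "No such device or address", is ENXIO, the error an open of a device node returns on Solaris when the filesystem holding the node was mounted with the `nodevices` option. So if the script reports a node whose numbers match the global entry but which still cannot be opened, the next thing to inspect is the mount options of the filesystem that holds the jail (`mount -v` on Solaris 10), because zonecfg's `add device` entries populate only the zone's own `/dev`, not device nodes elsewhere in the zone's filesystems.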


