SCPonly chroot with Ubuntu Hardy 8.04

March 3, 2009, 8:41 p.m.

This is a quick howto for installing SCPonly on Ubuntu Hardy 64-bit.

  1. Firstly, install scponly through apt.

    sudo aptitude install scponly

    Then, use dpkg-reconfigure to enable the chrooted version, “scponlyc”. Answer yes to the rather ominous-sounding security message.

    sudo dpkg-reconfigure -plow scponly

    Then extract the script that sets up the chroot and make it executable.

    cd /usr/share/doc/scponly/setup_chroot
    sudo gunzip setup_chroot.sh.gz
    sudo chmod +x setup_chroot.sh

    This script is fine for 32-bit users, but broken for us 64-bit types, so you’ll need to change it slightly. Open it up in your text editor, find the line starting with LDSO_LIST and modify it as follows.

    sudo vim /usr/share/doc/scponly/setup_chroot/setup_chroot.sh
    LDSO_LIST="/lib/ld.so /libexec/ld-elf.so /libexec/ld-elf.so.1
    /usr/libexec/ld.so /lib/ld-linux.so.2 /usr/libexec/ld-elf.so.1"

    Add “/lib/ld-2.7.so”, which should result in

    LDSO_LIST="/lib/ld-2.7.so /lib/ld.so /libexec/ld-elf.so /libexec/ld-elf.so.1
    /usr/libexec/ld.so /lib/ld-linux.so.2 /usr/libexec/ld-elf.so.1"

    The script should now run fine. Enter details relevant to you (the defaults are sensible) and make the script non-executable again when you’ve finished.

    sudo ./setup_chroot.sh
    sudo chmod -x setup_chroot.sh

    There used to be a bug to do with the chrooted /dev/null. I didn’t find this to be a problem, but just in case, you might need to run the following (this assumes you installed your chroot in the default location).

    sudo mknod -m 666 /home/scponly/dev/null c 1 3

    If you’re using a 32-bit system, skip to step 3.

  2. On a 64-bit system, a couple of fixes need to be made.

    The problem is that some library files needed for a chroot on a 64-bit system aren’t included by the setup_chroot.sh script and you’ll get errors in /var/log/auth.log like “failed: /usr/lib/sftp-server with error No such file or directory”.

    You’ll need to copy the following files to remedy this. (This assumes you’re still in your scponly chroot directory!)

    sudo cp -p /lib/libncurses.so.5 lib/
    sudo cp -p /lib/libdl.so.2 lib/
    sudo cp -p /lib/libc.so.6 lib/
    sudo mkdir lib64
    sudo cp -p /lib64/ld-linux-x86-64.so.2 lib64/

    Just for the sake of security, edit /etc/shells and remove the line “/usr/bin/scponly”, which allows un-chrooted scponly users. Your chroot should now have everything it needs to run correctly. Next, you need to modify or set up scponly users.

  3. Add a user and make their home dir in the chroot.

    sudo useradd -d /home/scponly//exampleuser -m -s /usr/sbin/scponlyc exampleuser

    Note: The double forward slash is meant to be there! scponlyc chroots to the path before the “//” and then changes into the directory after it.

    Then get the user’s line from /etc/passwd and add it to the chroot passwd file.

    tail -n 1 /etc/passwd
    sudo vim /home/scponly/etc/passwd

    Paste the line in and you should be all set!
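
The missing-library problem from step 2 can be checked before a user ever logs in. The script below is an added example, not part of the original howto or of scponly: it reads `ldd` output and prints every library or loader path that does not exist inside the chroot. The function names and the sample `ldd` output are constructed for illustration.

```shell
#!/bin/sh
# Added example: list shared objects a binary needs that are absent from a chroot.
# Function names are hypothetical; they are not part of scponly.

# Read `ldd` output on stdin; print each absolute library/loader path
# that does not exist under the chroot directory given as $1.
missing_in_chroot() {
    chroot_dir=$1
    while read -r first second third rest; do
        case "$second" in
            "=>") lib=$third ;;   # "libc.so.6 => /lib/libc.so.6 (0x...)"
            *)    lib=$first ;;   # "/lib64/ld-linux-x86-64.so.2 (0x...)"
        esac
        # Only absolute paths are checked; linux-vdso and "not found"
        # entries have no file to copy and are skipped.
        case "$lib" in
            /*) [ -e "$chroot_dir$lib" ] || printf '%s\n' "$lib" ;;
        esac
    done
}

# Run ldd on a host binary ($2) and compare against the chroot ($1).
check_chroot_binary() {
    ldd "$2" | missing_in_chroot "$1"
}

# Constructed sample shaped like ldd output on a 64-bit system.
SAMPLE_LDD='    linux-vdso.so.1 =>  (0x00007fff0000)
    libncurses.so.5 => /lib/libncurses.so.5 (0x00007f010000)
    libdl.so.2 => /lib/libdl.so.2 (0x00007f020000)
    libc.so.6 => /lib/libc.so.6 (0x00007f030000)
    /lib64/ld-linux-x86-64.so.2 (0x00007f040000)'

# Usage: sh check.sh /home/scponly /usr/lib/sftp-server
if [ "$#" -eq 2 ]; then
    check_chroot_binary "$1" "$2"
fi
```

Each path it prints is a file to copy into the chroot with `cp -p`, as in step 2; empty output means every dependency `ldd` reported is present.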
