Bare minimum of NSS in a chroot/jail
Some applications use getpwent(3) to determine the username of the current uid. To make getpwent work, the group and passwd files have to be available inside the chroot; however, there are different types of group and passwd files under FreeBSD today.
We went to the source to find out the options and internal behaviour of the getpwent(3) call.
It turns out that the /etc/passwd file itself is not used. Instead, /etc/pwd.db or /etc/spwd.db (if the uid is root) is used, regardless of whether files or compat is selected in /etc/nsswitch.conf.
The (s)pwd.db files are in binary format and are generated by pwd_mkdb(8) (source code) from a plain-text file named master.passwd(5).
The following is the bare minimum for a correct configuration:
- /etc/nsswitch.conf
- /etc/resolv.conf
- /etc/group
- /etc/pwd.db
- /etc/spwd.db (only needed if a chroot user will have uid=0)
Contents of nsswitch.conf:
group: compat
hosts: files dns
passwd: compat
One will probably place master.passwd there as well and run pwd_mkdb in the chroot itself.
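An added example, not from the original post: a shell function that audits a chroot directory for the file set and nsswitch.conf lines listed above. The name check_chroot_nss, its arguments, and the choice to flag an spwd.db that is present without a declared uid=0 user are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit a chroot for the minimum NSS file set listed above.
# check_chroot_nss and its arguments are hypothetical names, not FreeBSD tools.
# usage: check_chroot_nss <chroot-dir> [yes]
#   second argument "yes": a process in the chroot will run with uid=0

check_chroot_nss() {
    root=$1
    uid0=${2:-no}
    rc=0

    # Files every chroot needs for getpwent(3) and host lookups.
    for f in etc/nsswitch.conf etc/resolv.conf etc/group etc/pwd.db; do
        if [ ! -r "$root/$f" ]; then
            echo "MISSING  $f"
            rc=1
        fi
    done

    # spwd.db holds the password hashes; require it only for uid=0,
    # and flag it when it is present without need.
    if [ "$uid0" = yes ]; then
        [ -r "$root/etc/spwd.db" ] || { echo "MISSING  etc/spwd.db"; rc=1; }
    elif [ -e "$root/etc/spwd.db" ]; then
        echo "UNNEEDED etc/spwd.db (no uid=0 user declared)"
        rc=1
    fi

    # nsswitch.conf must carry the three database lines from the post.
    conf=$root/etc/nsswitch.conf
    if [ -r "$conf" ]; then
        for want in "group: compat" "hosts: files dns" "passwd: compat"; do
            # Drop comments and normalise whitespace before comparing.
            if ! sed -e 's/#.*//' -e 's/[[:space:]][[:space:]]*/ /g' \
                     -e 's/ *$//' -e 's/^ //' "$conf" | grep -qxF "$want"; then
                echo "NSSWITCH lacks '$want'"
                rc=1
            fi
        done
    fi
    return $rc
}
```

The function returns 0 only when every required file is readable and all three nsswitch.conf lines are present, so it can gate a jail start script.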
As an unrelated issue, cat will stat/open stdin even if you explicitly pass a filename argument. Make sure the user has access to the file (tty) pointed to by STDIN_FILENO.
Posted 2009/11/15 18:37 by alex
