[FreeNX-kNX] chroot nxserver

Mon Mar 17 05:49:22 UTC 2008

I am now crossposting to both the freenx list and the
jailkit list.

--- Olivier Sessink <olivier at bluefish.openoffice.nl>
wrote:

> Hi wrote:
> > I have jk_cp -f -v -j just about everything to do
> with
> > NX server over to the jail but I can't seem to get
> > this daemon running for my users.  I have followed
> the
> > directions given here
> >
>
http://www.nomachine.com/ar/view.php?ar_id=AR09D00419
> 
> that manual seems a little outdated. I think they
> need to use the 
> 'paths_w_owner' option.
> 

Yes the paths are all wrong as to what is currently in
the jail for executables.  That was a given I missed. 
Adjusting the paths to the correct version off the GPL
nxserver I am using (still working on that).  What is
the paths_w_owner option?

> > I do not have an entry for /dev/none though.  I'll
> try
> > changing that via jk_ini file and running init
> again.
> > 
> > Has anyone been able to establish a NX connection
> with
> > chrooted users?
> 
> yes, I know places where they do this. They put both
> user nx and the 

So your saying I should jk_jailuser -j /home/jail nx

> users that need some application in the same jail.

So then after appending proper paths to the jk_ini
files I should also add...
[nx]
comment = NX jail for the nx daemon
user = nx, nobdy  
group = nx, nogroup
executables = #With the proper paths for the software
versions I am running)
directories = /usr/NX (Proper Directories as well)
includesections = uidbasics, netbasics, logbasics,
ssh, basicshell,extendedshell, chown, mount, umount,
xauth, xterm, xclock, which,xfonts, expr, tee, xset,
dirname, hostname, basename
devices = /dev/null (can I add /dev/none here?)

> 
>  >  Here is where it fails:
> > 
> > NX> 105 /usr/libexec/nx/nxserver: line 1190:  7911
> > Terminated              sleep
> $AGENT_STARTUP_TIMEOUT
> > NX> 596 Session startup failed.
> > NX> 1004 Error: NX Agent exited with exit status
> 1.
> > Can't open
> >
>
/var/lib/nxserver/db/running/sessionId{C176A113844A82721597B787BAD39C72}:
> > No such file or directory.
> 
> is there a /var/lib/nxserver/db/running/ inside the
> jail and does it 
> have the proper user/group and permissions?
> 

Well I know it is running outside the jail for sure. 
I copied the folders over using jk_cp and they are in
the directory structure.  So if I set the proper
permissions it may write the new sessionID to the
directory.  When trying to stop and start it I realize
I don't know how to do that to the nxserver because it
is only called as a the user nx though ssh.  I just
now copied the same permission structure to the
/var/lib/nxserver/db/running list and it still
produces the same errors. The file sesssionID{FILE} is
nx:nx and the rest of the directories are owned by
nx:root

> > mv: NX> 1006 Session status: closed
> > cannot stat
> >
>
`/var/lib/nxserver/db/running/sessionId{C176A113844A82721597B787BAD39C72}':
> > No such file or directory
> > NX> 1001 Bye.
> > Killed by signal 15.
> 
> I think there are several files that need to have
> user 'nx' that become 
> user 'root' if you follow their manual.
> 
> try to compare permissions and ownership of the nx
> files in the jail, 
> and see if they differ.
> 
> regards,
> 	Olivier
> 
> 
> _______________________________________________
> Jailkit-users mailing list
> Jailkit-users at nongnu.org
>
http://lists.nongnu.org/mailman/listinfo/jailkit-users
> 
Yes using jk_cp makes the permissions different.  I
have changed them to match what is outside the jail.  
Someone on the freenx list must have done this by now.
 I have scanned all two years worth of the
unsearchable list for chroot with 0 occurances.  A
guide should be made.  For one thing I'm not using no
machine directory structure.
[root at expansion nx]# ./nxserver --Version
NX> 100 NXSERVER - Version 1.5.0-60 OS (GPL)
NX> 500 Error: Function --Version not implemented yet.
NX> 999 Bye

which does work just fine.

      ____________________________________________________________________________________
Be a better friend, newshound, and 
know-it-all with Yahoo! Mobile.  Try it now.  http://mobile.yahoo.com/;_ylt=Ahu06i62sR8HDtDypao8Wcj9tAcJ 