[FreeNX-kNX] [Jailkit-users] chroot nxserver

Hi albert682 at yahoo.com
Mon Mar 17 11:52:21 UTC 2008


--- Olivier Sessink <olivier at bluefish.openoffice.nl> wrote:

> Hi wrote:
> > I am now crossposting to both the freenx list and the
> > jailkit list.
> 
> I can probably only answer on the jailkit list. We'll see.
> 
> > Yes the paths are all wrong as to what is currently in
> > the jail for executables.  That was a given I missed.
> > Adjusting the paths to the correct version off the GPL
> > nxserver I am using (still working on that).  What is
> > the paths_w_owner option?
> 
> see `man jk_init`
> those files/directories are copied while retaining their ownership. All
> files/directories that are in 'paths' become owned by root:root
> 
> > So you're saying I should jk_jailuser -j /home/jail nx
> 
> yup.
> 
[root at expansion nx]# jk_jailuser -j /home/jail nx
home directory /var/lib/nxserver/home is not within
/home/jail, move the directory contents?
[Y]/[n]
aborted..
[root at expansion nx]#

I'll answer Y after I clean up the paths and
pathswiths below.

> > So then after appending proper paths to the jk_ini
> > files I should also add...
> > [nx]
> > comment = NX jail for the nx daemon
> > user = nx, nobody
> > group = nx, nogroup
> > executables = #With the proper paths for the software
> > versions I am running)
> > directories = /usr/NX (Proper Directories as well)
> > includesections = uidbasics, netbasics, logbasics,
> > ssh, basicshell,extendedshell, chown, mount, umount,
> > xauth, xterm, xclock, which,xfonts, expr, tee, xset,
> > dirname, hostname, basename
> > devices = /dev/null (can I add /dev/none here?)
> 
> `executables` and `directories` are deprecated options, see the jk_init
> manual. You need `paths` and `paths_w_owner`
> 
These are all the directory and executable listings
for the freenx --Version I am running placed in
jk_init format to be added at the end of the
distributed jk_init.ini file.
[nx]
comment = NX
paths_w_owner = /usr/NX/bin/nxclient,
    /usr/NX/bin/nxesd, /usr/NX/bin/nxkill,
    /usr/NX/bin/nxprint, /usr/NX/bin/nxservice,
    /usr/NX/bin/nxssh, /usr/libexec/nx/nxagent,
    /usr/libexec/nx/client, /usr/libexec/nx/nxdesktop,
    /usr/libexec/nx/nxkeygen,
    /usr/libexec/nx/nxloadconfig, /usr/libexec/nx/nxnode,
    /usr/libexec/nx/nxnode-login, /usr/libexec/nx/nxprint,
    /usr/libexec/nx/nxproxy, /usr/libexec/nx/nxserver,
    /usr/libexec/nx/nxserver-helper,
    /usr/libexec/nx/nxviewer, /var/lib/nxserver,
    /var/lib/nxserver/db, /var/lib/nxserver/db/closed,
    /var/lib/nxserver/db/failed,
    /var/lib/nxserver/db/running, /var/lib/nxserver/home,
    /var/lib/nxserver/home/.ssh, /etc/nxserver,
    /usr/libexec/nx, /usr/NX/bin, /usr/NX/lib,
    /usr/NX/share, /usr/NX/share/applink,
    /usr/NX/share/cups, /usr/NX/share/documents,
    /usr/NX/share/icons, /usr/NX/share/images,
    /usr/NX/share/keys
includesections = uidbasics, netbasics, logbasics,
    ssh, basicshell, extendedshell, chown, mount, umount,
    xauth, xterm, xclock, which, xfonts, expr, tee, xset,
    dirname, hostname, basename
devices = /dev/null

> > Well I know it is running outside the jail for sure.
> 
> I'm pretty sure that both user nx and the final user must be in the same
> jail because they share some files. Correct me if I'm wrong.

[Pretty tough to say I'm only used to looking at the
files with permissions of nx:root;  I'll go ahead and
change what was specified and get back.]
> 
> > Yes using jk_cp makes the permissions different.
> 
> see `man jk_cp`. use option -o or --owner to retain the ownership
Thanks for the clarification.  I'll bet I didn't use
-o at all when I copied things over.
Now I think I need to use jk_cp because I don't see
the var directory in the jail
[root at expansion nx]# jk_jailuser -j /home/jail nx
home directory /var/lib/nxserver/home is not within
/home/jail, move the directory contents?
[Y]/[n]y
ERROR: copying directory and permissions
/var/lib/nxserver/home to
/home/jail/./var/lib/nxserver/home: File exists
Not everything was copied to
/home/jail/./var/lib/nxserver/home, keeping the old
directory /var/lib/nxserver/home

# At which point I physically removed the directory
recursively with Midnight Commander
[root at expansion nx]# jk_jailuser -j /home/jail nx
[root at expansion nx]# jk_jailuser -m -j /home/jail nx
home directory /home/jail/./var/lib/nxserver/home is
already inside the jail
[root at expansion home]# cd jail
[root at expansion jail]# ls
bin  dev  etc  home  lib  proc  tmp  usr

> 
> > I have changed them to match what is outside the jail.
> > Someone on the freenx list must have done this by now.
> > I have scanned all two years worth of the
> > unsearchable list for chroot with 0 occurrences.  A
> > guide should be made.  For one thing I'm not using no
> > machine directory structure.
> > [root at expansion nx]# ./nxserver --Version
> > NX> 100 NXSERVER - Version 1.5.0-60 OS (GPL)
> > NX> 500 Error: Function --Version not implemented yet.
> > NX> 999 Bye
> > 
> > which does work just fine.
> 
> now try `chroot <yourjail>` as root and give the same command. Does it
> still work as expected?
>
I'm still working on where my missing var directory
got to and now I don't get as far in the login with a
client.  I've botched the jk_jailuser -j /home/jail
nx command.  I was expecting to see the var directory.
[root at expansion nx]# jk_jailuser -m -j /home/jail nx
home directory /home/jail/./var/lib/nxserver/home is
already inside the jail
[root at expansion jail]# chroot /home/jail
bash-3.1# ls
bin  dev  etc  home  lib  proc  tmp  usr

So where did it go and how can I remove nx user from
jail to try again?


> regards,
> 	Olivier
> 
> 
> _______________________________________________
> Jailkit-users mailing list
> Jailkit-users at nongnu.org
> http://lists.nongnu.org/mailman/listinfo/jailkit-users
> 
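
Added example, not part of the original message and not jailkit code: a Python check for the two problems discussed in this thread, a path from `paths_w_owner` that never reached the jail (the missing var directory) and a jail copy whose ownership differs from the host (jk_cp without -o). The shortened sample section, the function names and the /home/jail path in the demo call are assumptions made for the illustration.

```python
import configparser
import os

# Constructed sample: a shortened [nx] section in jk_init.ini form.
SAMPLE_INI = """\
[nx]
comment = NX
paths_w_owner = /usr/libexec/nx/nxserver,
    /var/lib/nxserver/home,
    /var/lib/nxserver/home/.ssh
devices = /dev/null
"""

def section_paths(ini_text, section, option="paths_w_owner"):
    """Return the comma-separated path list of one option in a section."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(ini_text)
    raw = cp.get(section, option, fallback="")
    return [p.strip() for p in raw.split(",") if p.strip()]

def audit_jail(jail, paths, host_root="/", stat=os.lstat):
    """Compare each host path with its copy inside the jail.

    Returns {path: status}, where status is "ok", "missing-in-jail",
    "missing-on-host" (e.g. a home directory already moved into the
    jail), or "owner host=UID:GID jail=UID:GID".
    """
    report = {}
    for path in paths:
        rel = path.lstrip("/")
        try:
            h = stat(os.path.join(host_root, rel))
        except (FileNotFoundError, NotADirectoryError):
            report[path] = "missing-on-host"
            continue
        try:
            j = stat(os.path.join(jail, rel))
        except (FileNotFoundError, NotADirectoryError):
            report[path] = "missing-in-jail"
            continue
        if (h.st_uid, h.st_gid) == (j.st_uid, j.st_gid):
            report[path] = "ok"
        else:
            report[path] = f"owner host={h.st_uid}:{h.st_gid} jail={j.st_uid}:{j.st_gid}"
    return report

if __name__ == "__main__":
    for path, status in audit_jail("/home/jail", section_paths(SAMPLE_INI, "nx")).items():
        print(f"{status:20} {path}")
```

Run it as root against the real jk_init.ini section text before and after jk_init or jk_cp, so that ownership differences on the nx-owned files show up before a client login fails.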


