Unix Technical Forum

Fun with chroot

#1
01-16-2008, 07:37 AM
Limpbar

Fun with chroot

I have SunPCi II set up on a Solaris 8 system, with a dedicated restricted
user called "pc" that can be used to launch a SunPCi instance. The user
is assigned the restricted Korn shell and has access only to the "ls" and
"sunpci" commands (via symbolic links in the user home directory).
Additionally, most of the user's files are owned by root with permission
600, and ACLs permit the user to read and/or write to them. The result
is a user environment that is accessible only to root and user "pc", but
wherein "pc" is severely restricted.

Problem: When the SunPCi instance is launched, an F: drive permits the
user to browse the file system at will. The restrictions imposed by rksh
are lifted.

Proposed solution: Arrange things so that when the "pc" user runs his
SunPCi instance, it executes in a chroot jail with the user's home
directory as the filesystem root. The chroot jail will contain only the
files that SunPCi II requires to execute properly.

Progress so far: Copied SUNWspci2 from /opt to /home/pc. Created
/home/pc/dev and /home/pc/devices and used mknod to create the same
devices and symlinks that are created when the package is installed.
Created /home/pc/etc and created passwd and shadow files (containing
entries for just root and pc) and a group file and a shells file (with
just /usr/bin/rksh). Created /home/pc/usr/bin with rksh in it. Used ldd
to find all the libraries needed by rksh, and copied them to a mirror
image file structure under /home/pc.

....And it still doesn't work. I get "chroot: No such file or directory"
when I try to start a jailed SunPCi instance. Anybody got any
suggestions?
#2
01-16-2008, 07:38 AM
stremler@rohan.sdsu.edu

Re: Fun with chroot

In comp.sys.sun.admin Limpbar <soft@bar.of.clay> wrote:
[snip]
> ...And it still doesn't work. I get "chroot: No such file or directory"
> when I try to start a jailed SunPCi instance. Anybody got any
> suggestions?


Can you chroot from a shell to poke around the new chroot jail?

I duplicated your error by running "chroot `pwd` /sbin/sh" in an
empty directory. Making an sbin and copying in /sbin/sh resolved
the problem.

Perhaps you need sh installed as well?

--
Stewart Stremler stremler@rohan.sdsu.edu
------------------------------------------------------------------------------
"I don't have much understanding" - Charles Herbig, 1995
#3
01-16-2008, 07:38 AM
Limpbar

Re: Fun with chroot

In article <cdmg0c$4ic$1@gondor.sdsu.edu>, stremler@rohan.sdsu.edu
says...
> In comp.sys.sun.admin Limpbar <soft@bar.of.clay> wrote:
> [snip]
> > ...And it still doesn't work. I get "chroot: No such file or directory"
> > when I try to start a jailed SunPCi instance. Anybody got any
> > suggestions?

>
> Can you chroot from a shell to poke around the new chroot jail?
>
> I duplicated your error by running "chroot `pwd` /sbin/sh" in an
> empty directory. Making an sbin and copying in /sbin/sh resolved
> the problem.
>
> Perhaps you need sh installed as well?


Ah, yes. I was missing that and (as it turns out) a fairly large number
of other necessary files.

I had to go through all the SUNWspci2 scripts and find all the
binary files that they referenced, plus all the libraries and devices.
Then I had to find all the libraries for the SUNWspci2 binaries. Then I
had to truss a SunPCi instance and scan the output for all the config
files, device files, and any libraries that ldd didn't tell me about.
(Yes, ldd misses a few.) It took me about three hours to find and
re-create everything in the chroot directory. What a pain in the butt! No
wonder chroot isn't used all that often.

But the "pc" user running a SunPCi instance is now 'owned' as they say.
So much for browsing the whole system with the R: drive. (I mistakenly
said it was the F: drive, yesterday. The F: drive is the SUNWspci2
installation directory; the R: drive is the system root directory.)
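Added example, not code from the thread: the procedure Limpbar describes in post #3 (ldd for the libraries, a truss trace for the files ldd misses, a mirror-image copy under the jail root, and a check for gaps before running chroot) as POSIX sh helpers. It assumes a cp that accepts -L; the sunpci launcher path is not given in the thread and is left as a placeholder.

```shell
#!/bin/sh
# Helpers for populating and checking a chroot jail: ldd for libraries,
# a truss trace for what ldd misses, mirror-image copies under the jail.

# Read ldd(1) output on stdin and print every absolute path it names.
# Handles Solaris ("libc.so.1 => /usr/lib/libc.so.1") and Linux
# ("libc.so.6 => /lib/libc.so.6 (0x...)" plus the bare loader line).
# "libx.so.1 => (file not found)" prints nothing; jail_missing will not
# see it either, so unresolved libraries must be fixed on the host first.
libs_from_ldd() {
    awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) print $i }'
}

# Read a truss(1) trace on stdin (e.g. 'open("/etc/passwd", O_RDONLY) = 3',
# optionally prefixed by a pid/lwp from truss -f) and print each path that
# was opened, stat'ed or access'ed successfully; calls that failed with
# "Err#2 ENOENT" never existed on the host either and are skipped.
files_from_truss() {
    grep -E '^([0-9]+(/[0-9]+)?:)?[[:space:]]*(open|open64|stat|stat64|access)\("/' |
        grep -v 'Err#' |
        sed -e 's/^[^"]*"//' -e 's/".*$//' |
        sort -u
}

# jail_copy JAIL PATH: copy PATH into JAIL at the same absolute path,
# creating parent directories. -L dereferences symlinks so the loader
# finds a real file at the path it asks for inside the jail.
jail_copy() {
    mkdir -p "$1$(dirname "$2")"
    cp -RpL "$2" "$1$2"
}

# jail_missing JAIL: read required paths on stdin and print those absent
# from the jail. Any hit is a "No such file or directory" waiting to
# happen once the process is chrooted.
jail_missing() {
    while IFS= read -r p; do
        [ -e "$1$p" ] || printf '%s\n' "$p"
    done
}

# Typical run as root on the Solaris host (paths from the thread):
#   JAIL=/home/pc
#   for bin in /sbin/sh /usr/bin/rksh; do
#       jail_copy "$JAIL" "$bin"
#       ldd "$bin" | libs_from_ldd | while IFS= read -r l; do jail_copy "$JAIL" "$l"; done
#   done
#   truss -f -t open,stat,access -o /tmp/sunpci.truss "$SUNPCI_CMD"  # launcher path: placeholder
#   files_from_truss < /tmp/sunpci.truss | jail_missing "$JAIL"
```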