I am trying to set up an ssh chroot jail on one of my NAS servers. The system runs on NAS4Free (which is based on nanobsd). The user should be able to run only one command, which is a bash script that opens ssh to another server and executes one command there.

To set up the chroot I have this in my sshd config:

    Match User op
    ChrootDirectory %h
    X11Forwarding no
    AllowTcpForwarding no

The script has this line in it:

    ssh -i /.ssh/id_rsa backup@$externalresource -t "/mnt/storage/backup/run_project.sh '$1' '$2'"

I can log in to that chroot using ssh, but when I run the script it gives the following error when trying to execute the ssh command in it:

    Couldn't open /dev/null: Operation not supported

The same happens when I try to run ssh plain within the chroot:

    [I have no name!@nas /]$ ssh
    Couldn't open /dev/null: Operation not supported

/dev/null looks like this:

    $ ls -la dev/
    total 8
    drwx--x--x 2 root staff 512 Nov 29 18:16 .
    drwxr-xr-x 8 root staff 512 Nov 29 18:06 ..
    crw-rw-rw- 1 root staff 0x18 Nov 29 18:16 null

Without the 666 permissions I get a /dev/null permission denied error, of course.

I created dev/null using

    mknod dev/null c 2 2

I have tried to find an explanation why /dev/null returns operation not permitted but have not found anything that helps.

Could someone please explain how to fix this?
Best Answer
Your knowledge is outdated. Things do not work this way any more, now that NAS4Free is based on the likes of FreeBSD 10 and 11. (Nor are those the device numbers for the null device anyway.) Read the mknod manual. You can still run mknod to create device nodes in an actual disc or RAM filesystem, but the nodes that you create will be pretty much entirely useless. As you can see, the kernel does not let you open devices with them.

This is why in jails — actual jails, the ones that come with the operating system, not simple chrooted environments that one can set up with sshd_config — one obtains the device files by mounting a devfs instance within the jail. It is also why jails have knobs to control whether devfs can be mounted and what devfs ruleset applies to it.

If you want a /dev/null in your changed root environment, you'll have to use mount_nullfs to make the actual /dev tree visible within the changed root. If you use a bona fide jail, just configure it to mount a devfs on /dev.

If you do use a bona fide jail, you of course set it up to run sshd inside the jail, listening on the jail's IP address and enabled as a service in the jail's /etc/rc.conf in the normal way.

Further reading

mknod. FreeBSD 11.0 Manual.
devfs. FreeBSD 11.0 Manual.
devfs.rules. FreeBSD 11.0 Manual.
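The following script is an added example, not code from the question or the answer above. It shows the devfs route the answer describes for jails, applied to a plain sshd ChrootDirectory on FreeBSD 10/11: instead of nullfs-mounting the whole host /dev into the chroot, it mounts a separate devfs instance on the chroot's dev directory and applies the stock devfsrules_jail ruleset (ruleset 4 from /etc/defaults/devfs.rules), so only null, zero, random, the tty/pts nodes and a few others are visible to the chrooted user. It assumes the chroot is /home/op (ChrootDirectory %h for user op) and that ruleset 4 is the untouched default; both are assumptions, not values from the page. The check function reproduces the failure mode in the question: a mknod-created node passes the character-device test but cannot be opened.

```shell
#!/bin/sh
# Added example (not from the question or answer): give an sshd chroot on
# FreeBSD a working, minimal /dev by mounting a devfs instance there.
# Assumptions: chroot at /home/op, ruleset 4 = devfsrules_jail (defaults).

CHROOT="${CHROOT:-/home/op}"   # assumed chroot directory
RULESET="${RULESET:-4}"        # assumed: devfsrules_jail from /etc/defaults/devfs.rules

# Return 0 when $1/dev/null is a character device that can really be opened,
# 1 when it is not a character device, 2 when it exists but open() fails
# (the "Operation not supported" case for nodes created with mknod).
chroot_devnull_usable() {
    dir="$1"
    [ -c "$dir/dev/null" ] || return 1
    : > "$dir/dev/null" 2>/dev/null || return 2
    return 0
}

# Produce the fstab line that makes the devfs mount persistent; the ruleset
# mount option selects the rules applied to this instance only.
devfs_fstab_line() {
    printf 'devfs\t%s/dev\tdevfs\trw,ruleset=%s\t0\t0\n' "$1" "$2"
}

# Mount a devfs on $1/dev (if not already mounted) and apply ruleset $2 to it.
# The host /dev is untouched: each devfs mount carries its own rule state.
mount_chroot_devfs() {
    dir="$1"; rs="$2"
    mkdir -p "$dir/dev"
    if mount | grep -q " on $dir/dev "; then
        echo "devfs already mounted on $dir/dev"
    else
        mount -t devfs devfs "$dir/dev" || return 1
    fi
    devfs -m "$dir/dev" rule -s "$rs" applyset
}

# Usage (as root on the NAS): sh chroot-devfs.sh apply
if [ "${1:-}" = "apply" ]; then
    mount_chroot_devfs "$CHROOT" "$RULESET" || exit 1
    if chroot_devnull_usable "$CHROOT"; then
        echo "$CHROOT/dev/null is usable; visible nodes:"
        ls "$CHROOT/dev"
    else
        echo "$CHROOT/dev/null is still not usable" >&2
        exit 1
    fi
    echo "fstab entry for persistence:"
    devfs_fstab_line "$CHROOT" "$RULESET"
fi
```

The ruleset matters for least privilege: a bare devfs mount (or a nullfs mount of the host /dev) exposes every device node on the system, including disks, to the chrooted account, whereas devfsrules_jail hides everything except the handful of nodes a login session needs. On NAS4Free, which regenerates parts of the filesystem at boot, the fstab line or an equivalent boot-time hook is what keeps the mount across reboots; the ChrootDirectory itself must still be root-owned and not group- or world-writable for sshd to accept it.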