FreeBSD – Fix SSH in Chrooted Jail Due to /dev/null Operation Not Supported

Tags: chroot, devices, freebsd, jails

I am trying to set up an ssh chroot jail on one of my NAS servers. The system runs on NAS4Free (which is based on nanobsd). The user should be able to run only one command, which is a bash script that opens ssh to another server and executes one command there.

To set up the chroot, I have this in my sshd config:

Match User op
    ChrootDirectory %h
    X11Forwarding no
    AllowTcpForwarding no

The script has this line in it:

ssh -i /.ssh/id_rsa backup@$externalresource -t "/mnt/storage/backup/run_project.sh '$1' '$2'"

I can log in to that chroot using ssh, but when I run the script it gives the following error when it tries to execute the ssh command in it:

Couldn't open /dev/null: Operation not supported

The same happens when I try to run plain ssh within the chroot:

[I have no name!@nas /]$ ssh
Couldn't open /dev/null: Operation not supported

/dev/null looks like this:

$ ls -la dev/
total 8
drwx--x--x  2 root  staff    512 Nov 29 18:16 .
drwxr-xr-x  8 root  staff    512 Nov 29 18:06 ..
crw-rw-rw-  1 root  staff   0x18 Nov 29 18:16 null

Without the 666 permissions I get a /dev/null permission denied error, of course.

I created dev/null using:

mknod dev/null c 2 2

I have tried to find an explanation why /dev/null returns operation not permitted, but have not found anything that helps.

Could someone please explain how to fix this?

Best Answer

I created dev/null using

mknod dev/null c 2 2

Your knowledge is outdated. Things do not work this way any more, now that NAS4Free is based on the likes of FreeBSD 10 and 11. (Nor are those the device numbers for the null device anyway.) Read the mknod manual. You can still run mknod to create device nodes in an actual disc or RAM filesystem, but the nodes that you create will be pretty much entirely useless. As you can see, the kernel does not let you open devices with them.

This is why in jails — actual jails, the ones that come with the operating system, not simple chrooted environments that one can set up with sshd_config — one obtains the device files by mounting a devfs instance within the jail. It is also why jails have knobs to control whether devfs can be mounted and what devfs ruleset applies to it.

If you want a /dev/null in your changed root environment, you'll have to use mount_nullfs to make the actual /dev tree visible within the changed root. If you use a bona fide jail, just configure it to mount a devfs on /dev.

If you do use a bona fide jail, you of course set it up to run sshd inside the jail, listening on the jail's IP address and enabled as a service in the jail's /etc/rc.conf in the normal way.
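The devfs route the answer describes for jails also works for a plain sshd ChrootDirectory, and it lets you expose far less than a nullfs mount of the whole host /dev would: mount a devfs instance on the chroot's dev directory, hide everything, and unhide only the handful of nodes a client like ssh(1) needs. The script below is an added example, not code from the question, the answer or NAS4Free; the chroot path /home/op (sshd's %h for the "op" user), the ruleset number 100 and the presence of /bin/sh inside the chroot are assumptions.

```shell
#!/bin/sh
# Added example: give an sshd ChrootDirectory a working /dev on FreeBSD by
# mounting devfs on it and restricting it with a devfs ruleset. Paths and the
# ruleset number are assumptions, not values from the original question.
set -eu

CHROOT=${1:-/home/op}      # assumed: home of the "op" user, i.e. sshd's %h
RULESET=${RULESET:-100}    # assumed: a ruleset number unused in /etc/defaults/devfs.rules

# Nodes left visible. ssh(1) needs /dev/null; zero and the random devices are
# included for tools that still read them instead of calling getentropy(3).
devfs_nodes() {
    echo "null zero random urandom"
}

# The /etc/fstab line that remounts devfs on the chroot's /dev at boot.
fstab_line() {
    echo "devfs $1/dev devfs rw 0 0"
}

setup_chroot_dev() {
    root=$1
    dev="$root/dev"

    # Nodes created with mknod(8) are inert on a devfs-based system; an empty
    # directory is all devfs needs as a mount point.
    mkdir -p "$dev"
    if ! mount | grep -q " on $dev (devfs"; then
        mount -t devfs devfs "$dev"
    fi

    # Build the ruleset: hide everything, unhide only the listed nodes, then
    # apply it to this mount only. The host's own /dev is not affected.
    devfs -m "$dev" rule -s "$RULESET" delset   # harmless if the set is still empty
    devfs -m "$dev" rule -s "$RULESET" add hide
    for n in $(devfs_nodes); do
        devfs -m "$dev" rule -s "$RULESET" add path "$n" unhide
    done
    devfs -m "$dev" rule -s "$RULESET" applyset

    # Verify from inside the chroot: these are the open(2) calls that failed
    # with "Operation not supported" against the mknod-created node.
    # Assumes /bin/sh exists in the chroot, as the asker's script already needs a shell.
    chroot "$root" /bin/sh -c ': >/dev/null && : </dev/null'
    ls -l "$dev"

    echo "persist with this /etc/fstab line:"
    fstab_line "$root"
}

# Only touch the system when actually root on FreeBSD; otherwise print the plan.
if [ "$(uname -s)" = FreeBSD ] && [ "$(id -u)" -eq 0 ]; then
    setup_chroot_dev "$CHROOT"
else
    echo "dry run: would mount devfs on $CHROOT/dev exposing: $(devfs_nodes)"
    fstab_line "$CHROOT"
fi
```

Run it once as root (`sh setup_chroot_dev.sh /home/op`), add the printed fstab line, and re-apply the ruleset from an rc script after boot, since fstab mounts devfs without the rules. Two checks worth doing afterwards: the asker's `ls -la dev/` should now show the nodes with a devfs-style major/minor rather than the `0x18` of the hand-made node, and the chroot directory itself must stay root-owned and not group- or world-writable, or sshd refuses the ChrootDirectory outright.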

Further reading