Bare minimum of NSS in a chroot/jail

Some applications use getpwent (3) to determine the username of the current uid. In order to make getpwent work, one has to make the group and passwd files available inside the chroot; however, there are several different kinds of group and passwd files under FreeBSD today.

We went to the source to find out the options and internal behaviour of the getpwent (3) call.

It turns out that the /etc/passwd file itself is not used: /etc/pwd.db, or /etc/spwd.db if the uid is root, is read regardless of whether files or compat is selected in /etc/nsswitch.conf.

The (s)pwd.db files are in binary format and are generated from the plain-text master.passwd (5) file by pwd_mkdb (8).

The following is the bare minimum for a correct configuration:

Contents of nsswitch.conf:
group: compat
hosts: files dns
passwd: compat

One will probably place master.passwd there as well and run pwd_mkdb inside the chroot itself.
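The procedure above, scripted as an added example that is not part of the original post. It assumes a FreeBSD host with pwd_mkdb(8) and takes the jail directory, the source master.passwd and group files, and the user names to keep as arguments; only those entries (plus root) are copied into the chroot before the databases are built.

```shell
#!/bin/sh
# Added example: assemble the minimal NSS files getpwent(3)/getpwuid(3) need in a
# chroot, then build pwd.db and spwd.db there with pwd_mkdb(8). Assumes FreeBSD;
# the jail path and user names are caller-supplied placeholders.
set -eu

# Print only the master.passwd(5) lines for the given user names. root is always
# kept so that lookups of uid 0 (which read spwd.db) still resolve.
minimal_master_passwd() {
    src=$1; shift
    awk -F: -v want="root $*" '
        BEGIN { n = split(want, a, " "); for (i = 1; i <= n; i++) keep[a[i]] = 1 }
        ($1 in keep)' "$src"
}

# Print the group(5) lines whose gid is among the selected passwd entries.
minimal_group() {
    src=$1; gids=$2
    awk -F: -v want="$gids" '
        BEGIN { n = split(want, a, " "); for (i = 1; i <= n; i++) keep[a[i]] = 1 }
        ($3 in keep)' "$src"
}

# nsswitch.conf exactly as the post gives it; files and compat both end up in pwd.db.
write_nsswitch() {
    printf 'group: compat\nhosts: files dns\npasswd: compat\n' > "$1"
}

# build_chroot_nss JAIL MASTER_PASSWD GROUP USER...
build_chroot_nss() {
    jail=$1; master=$2; group=$3; shift 3
    mkdir -p "$jail/etc"
    minimal_master_passwd "$master" "$@" > "$jail/etc/master.passwd"
    chmod 0600 "$jail/etc/master.passwd"     # carries password hashes, like the real one
    gids=$(awk -F: '{ print $4 }' "$jail/etc/master.passwd" | tr '\n' ' ')
    minimal_group "$group" "$gids" > "$jail/etc/group"
    write_nsswitch "$jail/etc/nsswitch.conf"
    # -d stores pwd.db/spwd.db under $jail/etc instead of /etc; -p also emits passwd(5).
    if command -v pwd_mkdb >/dev/null 2>&1; then
        pwd_mkdb -p -d "$jail/etc" "$jail/etc/master.passwd"
    else
        echo "pwd_mkdb(8) not found: run it in the chroot to create pwd.db and spwd.db" >&2
    fi
}

if [ "$#" -ge 4 ]; then
    build_chroot_nss "$@"
fi
```

Run as `sh build-nss.sh /jail /etc/master.passwd /etc/group svcuser`; the chroot then needs nothing from /etc/passwd itself.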

As an unrelated issue, cat will stat/open stdin even if you explicitly pass a filename argument. Make sure the user has access to the file (tty) pointed to by STDIN_FILENO.

Posted 2009/11/15 18:37 by alex