[Avcheck] FreeBSD $chroot/dev/null

Michael Kubecka mkubecka@swansystems.com
Tue, 20 Nov 2001 12:48:42 -0800


>>
Your FreeBSD instructions don't include the creation of devices 
$chroot/dev/null and $chroot/dev/console.
<<

I did include that.  I indicated:

# cd <into your chroot'd AVP directory>
  . . .
# cp -pR /dev/null /dev/console dev/

Although mknod would work as well.

You can then confirm that the device that you created with the cp -pR
worked by doing ls -lo on /dev/{null, console} and comparing it against
the ones in your $chroot/dev.

>>
It would be great if you two could get together on the instructions, so 
Kub's instructions follow Kop's instructions exactly, except where 
divergence for FreeBSD is required, eg, the chroot dir and case:

Kub:

/var/chroot/AVP

Kop:

/var/spool/avp

This would avoid us lamers from having to cross-check Kub's against Kop's 
to make sure all is done and "correctly".
<<

I viewed it as a stylistic issue.  I choose to put chrooted applications
in an obvious, custom-created place -- /var/chroot -- since I am
sometimes absent-minded.

The directions could probably be changed to set a shell variable
$chroot at the beginning of the document to, say, /var/chroot/AVP or
/var/spool/avp and thereafter refer to paths using the $chroot variable.

Also, Ralf and Michael Tokarev aren't trying to cater to a FreeBSD
audience necessarily, and I was.

On the FreeBSD side, you have to do a pkg_add to install AVP, and 
the pkg_add wants to install it in a directory with "AVP" in the path,
so that already conflicts with the Linux installation's use of
/var/spool/avp, hence another reason why I decided in favor of
my own path.

>>
It is interesting
to see what files it has opened (using e.g. lsof or maybe even strace).
I thought about yet another device file that *may* be needed too --
this is /dev/zero.  At least on Solaris, dynamic linker uses /dev/zero
to mmap dynamic libraries to an anonymous space (or was that malloc?).
<<

Could be.  Although I've been running AVP chrooted on FreeBSD and
Postfix for a few weeks now with only dev/console and dev/null.
I haven't noticed any problems, and I've detected 3 viruses so far.

I'm also running AVP chrooted on another FreeBSD box with qmail
(though I haven't gotten it to integrate with qmail yet), and no
problems so far.  When I manually feed it test files, it
detects viruses when present.

Incidentally, on FreeBSD, /dev/null and /dev/console look like this:

$ ls -lo /dev/console /dev/null
crw-------  1 root  wheel  -   0,   0 Nov 20 08:21 /dev/console
crw-rw-rw-  1 root  wheel  -   2,   2 Nov 20 12:00 /dev/null

>>
Are the device numbers consistent [in FreeBSD]
from system to system?  Or are they assigned dynamically (like devfs)?
<<

They are consistent.

>>
Now, looking on how you created your dev/null, I suspect it is again
not what we want.  Try

 ls -al /dev | fgrep ' 13,' | fgrep ' 2 '

to find what real device you created instead of dev/null.
<<

On my system, 13, 2 are all raw devices, which would jive with
the problem Len has been having.

>>
Folks, how to set up chroot jail on (Free)BSD properly?  And why it
is only Len who actually has troubles with this?  How this was done
by others?
<<

I think cp -pR /dev/null /dev/console dev/ is safer and more portable
than explicitly using mknod, especially if the device numbers change
in some later version of FreeBSD.

The use of cp is also what Ralf's and/or Michael Tokarev's
instructions indicate (although the argument to cp is different in 
Linux than for BSD.  -pR is what you want for BSD).
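
The comparison described in this message (listing /dev/null and /dev/console and checking them against the copies in $chroot/dev) can be scripted. The following is an added example, not part of the original post or of the Avcheck instructions; the function names are hypothetical, and it assumes `ls -ln` prints device numbers as "major, minor", as in the listing above.

```shell
#!/bin/sh
# Added example: check that device nodes copied into a chroot match the host's.
# Assumption: `ls -ln` prints devices as "major, minor", as in the listing above.

# Print "<type> <major>,<minor>" for a device node; fail for anything else
# (missing path, symlink, or the regular file left by a cp without -R).
dev_id() {
    ls -lnd "$1" 2>/dev/null | awk '
        { t = substr($1, 1, 1) }
        (t == "c" || t == "b") && $5 ~ /,$/ {
            sub(/,$/, "", $5); print t, $5 "," $6; ok = 1
        }
        END { exit !ok }'
}

# Compare two paths. 0 = same device, 1 = different device, 2 = not a device.
same_dev() {
    a=$(dev_id "$1") || { echo "$1: not a device node" >&2; return 2; }
    b=$(dev_id "$2") || { echo "$2: not a device node" >&2; return 2; }
    if [ "$a" = "$b" ]; then
        echo "$2: ok ($b)"
    else
        echo "$2: MISMATCH, $1 is ($a) but copy is ($b)" >&2
        return 1
    fi
}

# check_chroot_devs <chroot dir> <name>...   e.g. /var/chroot/AVP null console
check_chroot_devs() {
    root=$1; shift
    status=0
    for name in "$@"; do
        same_dev "/dev/$name" "$root/dev/$name" || status=1
    done
    return $status
}

# Run only when arguments are given, so the file can also be sourced.
if [ $# -gt 0 ]; then
    check_chroot_devs "$@"
fi
```

A non-zero exit means at least one node under the chroot is missing, is not a device, or carries different major/minor numbers than the host's node.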