I'm trying to build a chroot jail for ssh for a user (called update), using /usr/sbin/compartment.

The /etc/passwd entry for user "update" looks like this:

    update:x:5000:65534:Update User:/home/update:/bin/compart.jail

/bin/compart.jail reads:

    #!/bin/bash
    strace -v -s 250 -ff -F -qix -o problem /usr/sbin/compartment --chroot /home/update.jail /bin/bash

(That strace call is just there for debugging, of course...)

* `su update` (the user) fails with the error "Error chrooting to /home/update.jail"
* Any non-root user running `/usr/sbin/compartment --chroot /home/update.jail /bin/bash` fails with the same error.
* Root _can_ run this file, and ends up in jail.

Looking at the file "problem" that strace creates tells me that:

    <snip>
    [400e10cd] chroot("/home/update.jail") = -1 EPERM (Operation not permitted)
    [400e0702] brk(0x804f000) = 0x804f000
    [400dae34] write(2, "Error chrooting to /home/update.jail\n", 37) = 37
    [400e0702] brk(0x8052000) = 0x8052000
    [400ace5d] time([1074677991]) = 1074677991
    <snip>

(The rest of the file can be given, of course.)

Okay, now if the user tries to simply `chroot /home/update.jail`, he gets the error:

    chroot: cannot change root directory to /home/update.jail: Operation not permitted

The permissions on the directory /home/update.jail look like this:

      0 drwxrwxrwx 7 update nogroup    224 2004-01-21 09:38 .
      0 drwxr-xr-x 9 root   root       216 2004-01-20 16:19 ..
      4 -rw------- 1 update nogroup     45 2004-01-21 09:39 .bash_history
      0 drwxr-xr-x 2 update nogroup    240 2004-01-21 08:54 bin
      0 drwxr-xr-x 2 update nogroup     96 2004-01-20 16:00 dev
      0 drwxr-xr-x 2 update nogroup    128 2004-01-21 09:08 etc
      1 drwxr-xr-x 3 update nogroup    568 2004-01-21 09:20 lib
    112 -rw-r--r-- 1 update nogroup 113188 2004-01-21 09:39 problem
      0 drwxr-xr-x 4 update nogroup     96 2004-01-20 15:02 usr

I don't think the update user's home directory of /home/update makes a difference; I've changed it without any effect.
I think I could probably use sudo to give update the ability to use chroot, but then I have a chroot user with slightly higher privs than is ideal.

Any ideas on how to solve this?

Tom.

---------------
Tom Knight
System Administration Officer
Arts & Humanities Data Service
Web: http://www.ahds.ac.uk
Email: tom.knight@ahds.ac.uk
Tel: (0)20 7928 7371
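The strace output above shows the underlying rule: on Linux, chroot(2) is refused with EPERM for any process that lacks CAP_SYS_CHROOT, which in practice means any process that is not running as root. A login shell started as uid 5000 can therefore never enter the jail on its own, no matter how the jail directory is chmod'ed. The usual way a jailing helper gets round this is to run with the set-user-ID-root bit and give root away again inside the jail. The following C program is an added illustration of that pattern; it is not part of Tom's mail and is not the source of /usr/sbin/compartment. Its name (jailwrap), the helper enter_jail() and explain_errno(), and the constructed paths in its comments are all assumptions made for the example.

```c
/* jailwrap.c: added example of a minimal set-user-ID chroot wrapper.
 * Not the code of /usr/sbin/compartment; names and paths are assumptions.
 * Order matters: chroot, chdir("/"), drop supplementary groups, drop gid,
 * drop uid, verify root cannot be regained, and only then exec.
 * Install (as root) with: chown root jailwrap && chmod 4711 jailwrap */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Human-readable reason for a failed enter_jail(), given a positive errno. */
const char *explain_errno(int err)
{
    switch (err) {
    case EPERM:   return "caller lacks the needed capability";   /* no CAP_SYS_CHROOT, as in the strace above */
    case ENOENT:  return "jail directory does not exist";
    case ENOTDIR: return "jail path is not a directory";
    case EACCES:  return "caller lacks search (x) permission on the jail path";
    case EINVAL:  return "refusing to keep uid 0 inside the jail";
    default:      return strerror(err);
    }
}

/* Enter `jail` and give up root for good, becoming uid/gid.
 * Returns 0 on success or a negative errno on failure. On failure nothing
 * has been exec'd, so the caller can report the error and exit.
 * Never returns 0 while still root or while the cwd is outside the jail. */
int enter_jail(const char *jail, uid_t uid, gid_t gid)
{
    if (uid == 0)                   /* a jail that keeps root is not a jail */
        return -EINVAL;
    if (chroot(jail) != 0)          /* EPERM here for an unprivileged caller */
        return -errno;
    if (chdir("/") != 0)            /* otherwise the cwd still points outside the jail */
        return -errno;
    if (setgroups(0, NULL) != 0)    /* shed root's supplementary groups */
        return -errno;
    if (setgid(gid) != 0)           /* gid first: after setuid we could not */
        return -errno;
    if (setuid(uid) != 0)
        return -errno;
    /* Verify the drop: if root can be regained, the saved uid was left at 0. */
    if (setuid(0) == 0 || getuid() != uid || geteuid() != uid)
        return -EPERM;
    return 0;
}

int main(int argc, char **argv)
{
    if (argc < 3) {
        fprintf(stderr, "usage: %s <jaildir> <command> [args...]\n", argv[0]);
        return 2;
    }
    /* The real ids identify the invoking user even when the set-user-ID
     * bit has made the effective uid root; those are the ids to drop to. */
    int rc = enter_jail(argv[1], getuid(), getgid());
    if (rc != 0) {
        fprintf(stderr, "Error chrooting to %s: %s\n", argv[1], explain_errno(-rc));
        return 1;
    }
    execv(argv[2], argv + 2);       /* path is resolved inside the jail, e.g. /bin/bash */
    perror("execv");
    return 1;
}
```

Run without the set-user-ID bit as the update user, `./jailwrap /home/update.jail /bin/bash` fails at the chroot call with the same EPERM the strace shows, which is the check to make when a jail shell "does not work": look at the effective uid of the helper, not at the directory permissions. With the bit set, the helper enters the jail as root and exits it as uid 5000 / gid 65534 before /bin/bash ever runs; the refusal of uid 0 and the setuid(0) re-check are deliberate so that a misconfigured install cannot hand the jailed user a root shell.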