
I'm trying to eradicate FTP from our web publishing routines and have installed Mercurial on our server. I've been pushing to the live repositories for some time to various user accounts on the server, but I would like to also lock the individual server user accounts to a chrooted environment.

The problem is, when I lock an account down using chroot, the account no longer has access to the hg binary and can't perform updates.

I've copied the hg binary and various python files to directories within the chroot by referring to this article: https://www.mercurial-scm.org/wiki/OpenBsdWebDirSetup

but that's not specific to CentOS and some of the layout is a little different. I was able to fix a python error by adding a line to the user's .profile as found in this answer: Python executable not finding libpython shared library

and now at least I'm getting a response from hg, but that response is this:

Could not find platform independent libraries <prefix>
Could not find platform dependent libraries <exec_prefix>
Consider setting $PYTHONHOME to <prefix>[:<exec_prefix>]
'import site' failed; use -v for traceback
Traceback (most recent call last):
  File "/bin/hg", line 10, in <module>
    import os
ImportError: No module named os

If the libraries are in the wrong place is there anything I can put in .profile to correct it or do I have to move the files?

All the files I've got in /lib and /lib64 were created by Plesk when I switched the account to chrooted status, but I checked that all the files from the above tutorial were all present and matched my output from ldd.

ThisLeeNoble

1 Answer


Here's a tutorial for building chroots from yum: http://geek.co.il/2010/03/14/how-to-build-a-chroot-jail-environment-for-centos. Install everything you need, including a new python, into the chroot using yum, move to the chroot and then use easy_install/pip/distribute to pull in extra python modules. It's a lot easier than trying to guess which files should be copied where.

Make a copy of the chroot (e.g., zip or tar) before using it so that you always have a clean copy you can unpack and use later.

tdelaney
  • Thanks, I'll take a closer look at this over the weekend or something. But for now I seem to have solved my issue by copying the lib64 directory from root/usr/ to chroot/usr and chowning all the files in chroot/usr. I hadn't realised there was another lib64 directory there as well as at the root level. I'm not certain that's solved everything as I haven't played with mercurial properly now it's working under the chroot account. Now I need to remember what I've done and add it to the chroot skeleton so I never have to do it again! – ThisLeeNoble May 10 '13 at 16:26
  • Sadly the URL above seems broken as of Feb 2015, but I found a possible replica at http://zhaoqiang.blog.com/2011/11/15/how-to-build-a-chroot-jail-environment-for-centos/ – David Ramirez Feb 17 '15 at 23:58
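
A quick way to check a chroot for the two things this thread ran into, the shared libraries reported by ldd and the Python standard library that sits under /usr/lib64 on 64-bit CentOS, is sketched below as an added example that is not part of the original posts. The function names, the script arguments and the search paths are assumptions.

```shell
#!/bin/sh
# Added example: audit a chroot for files the Python interpreter behind hg needs.
# Function names and arguments are hypothetical, not from any tool on this page.

# missing_in_chroot CHROOT
# Reads `ldd` output on stdin and prints every absolute library path
# that does not exist under CHROOT.
missing_in_chroot() {
    chroot_dir=$1
    # ldd lines look like "libc.so.6 => /lib64/libc.so.6 (0x...)" or
    # "/lib64/ld-linux-x86-64.so.2 (0x...)"; take the first absolute path.
    awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) { print $i; break } }' |
    while read -r lib; do
        [ -e "$chroot_dir$lib" ] || printf '%s\n' "$lib"
    done
}

# find_stdlib CHROOT
# Prints (relative to CHROOT) each pythonX.Y directory that contains the
# os module. No output means `import os` will fail inside the chroot.
# Assumption: the stdlib is under usr/lib64 or usr/lib.
find_stdlib() {
    chroot_dir=$1
    for d in "$chroot_dir"/usr/lib64/python* "$chroot_dir"/usr/lib/python*; do
        if [ -f "$d/os.py" ] || [ -f "$d/os.pyc" ]; then
            printf '%s\n' "${d#"$chroot_dir"}"
        fi
    done
}

# Usage: sh check_chroot.sh /path/to/chroot /usr/bin/python
# Run ldd on the interpreter, since hg itself is a Python script.
if [ "$#" -ge 2 ]; then
    echo "Libraries missing from $1:"
    ldd "$2" | missing_in_chroot "$1"
    echo "Python stdlib directories found in $1:"
    find_stdlib "$1"
fi
```
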