Knowledge Base
All KB
Documents DT Documents
Articles & FAQs AR Articles
Trouble Reports TR Trouble Reports
Software Updates SU Software Updates
Searching in : Article
ID: AR03N00881
Applies to: NoMachine Software
Added on: 2016-03-04
Last Update: 2016-03-04

How to run NoMachine 4 or later in a a basic chroot environment

The following instructions apply to NoMachine 4 or later to run a NoMachine session in a chroot environment.

Example below has been set-up on CentOS 6 using the Jailkit set of utilities, built from source.

This example can be adapted to make NoMachine run in Jail on any other distributions or use the Jailkit precompiled binaries.

IMPORTANT

i) Before proceeding with the creation of the chroot environment you need to install the NoMachine server.

ii) Ensure that xterm is installed on the system. To install it on CentOS run from a console:

# yum install -y xterm
 

Download, compile and install Jailkit

'Jailkit is a set of utilities to limit user accounts to specific files using chroot() and or specific commands'.
(http://olivier.sessink.nl/jailkit/)

1) Download the Jailkit source code at:

http://olivier.sessink.nl/jailkit/
  

2) Compile Jailkit:

# tar zxvf jailkit-2.19.tar.gz
# ./configure
# make
# make install

3) Add the following entries at the end of the /etc/jailkit/jk_init.ini file:

[nx]
comment = NX
executables = /usr/NX/bin/nxserver, /usr/NX/bin/nxclient, /usr/NX/bin/nxesd, /usr/NX/bin/nxprint, /usr/NX/bin/nxssh, /usr/NX/bin/nxagent, /usr/NX/bin/nxnode, /usr/NX/bin/nxspool directories = /usr/NX
includesections = uidbasics, netbasics, logbasics, ssh, basicshell, extendedshell, chown, mount, umount, xauth, xterm, xclock, which, xfonts, expr, tee, xset, dirname, hostname, basename
devices = /dev/null

[chown]
comment = chown
executables = /bin/chown

[mount]
comment = mount
executables = /bin/mount

[umount]
comment = umount
executables = /bin/umount

[expr]
comment = expr
executables = /usr/bin/expr

[tee]
comment = tee
executables = /usr/bin/tee

[xauth]
comment = getting X authentication to work
executables = /usr/bin/xauth
regularfiles = /usr/share/X11/rgb.txt, /etc/ld.so.conf

[xset]
comment = xset
executables = /usr/bin/xset

[hostname]
comment = hostname
executables = /bin/hostname

[basename]
comment = basename
executables = /bin/basename

[dirname]
comment = dirname
executables = /usr/bin/dirname

[xterm]
comment = xterm
executables = /usr/bin/xterm
directories = /usr/share/terminfo
devices = /dev/ptmx
regularfiles = /etc/termcap

[which]
comment = which
executables = /usr/bin/which

[xfonts]
comment = xfonts
directories = /usr/share/X11/fonts

4) Prepare the chroot environment

Run:
# jk_init -v /home/chrootusers nx
 
Add a user to /etc/passwd, for example 'john':
john:x:1002:100::/home/chrootusers/./home/john:/bin/bash

Add the user to '/etc/shadow':
john:*:13405:0:99999:7:::

Set password for the user:
passwd john

Add the user to '/home/chrootusers/etc/passwd':
john:x:1002:100::/home/john:/bin/bash

Add the 'users' group to '/home/chrootusers/etc/group':
users:x:100:

Create the home directory for the user:
# mkdir /home/chrootusers/home/john
# chown john:users /home/chrootusers/home/john

Create a bash init file to overdrive SHELL variable:
# echo "SHELL=/bin/bash" >> /home/chrootusers/home/john/.bashrc
# chown john:users /home/chrootusers/home/john/.bashrc

Change environment to your new chroot environment:
# chroot /home/chrootusers

Create the tmp directory:
# mkdir /tmp
# chmod ugo+rwx /tmp/

Mount the proc filesystem:
# mkdir /proc
# mount -t proc none /proc

Mount the devpts filesystem:
# mkdir /dev/pts/
# mount -t devpts none /dev/pts

Make the nxnode process run as user process able to run chroot by executing:
# setcap cap_sys_chroot+ep /usr/sbin/chroot

5) Create the script to run NoMachine sessions in the chroot environment. Script is named chroot_script.sh.

Place this script for example in the /usr/NX/scripts/ directory or in any other directory accessible by the chrooted user (john in our example).
 
#!/bin/bash

#
# Administrators should set CHROOTDIR and APPLICATION to specify
# path to chrooted directory and which application should be run
#

 CHROOTDIR="/home/chrootusers/"
 APPLICATION="/usr/bin/xterm"

 exec >> /usr/NX/var/log/nxserver.log 2>&1

 CATPATH=`which cat`
 SEDPATH=`which sed`
 CPPATH=`which cp`
 CHROOTPATH=`which chroot`
 GREPPATH=`which grep`

 USERCHROOTHOME=`$CATPATH $CHROOTDIR/etc/passwd | $GREPPATH $USER | $SEDPATH 's@[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:\([^:]*\).*@\1@'`

 if [ ! $XAUTHORITY -ef $CHROOTDIR/$USERCHROOTHOME/.Xauthority ]
 then
   $CPPATH $XAUTHORITY $CHROOTDIR/$USERCHROOTHOME/.Xauthority
 fi
 
 export XAUTHORITY=$USERCHROOTHOME/.Xauthority

 echo "$CHROOTPATH $CHROOTDIR $APPLICATION"

 $CHROOTPATH $CHROOTDIR $APPLICATION

 exit 0

6) Edit the node configuration file (/usr/NX/etc/node.cfg) and set path to the chroot script (see 5.) in the DefaultDesktopCommand key.

For example:

DefaultDesktopCommand  "/usr/NX/scripts/chroot_script.sh"

NOTES:
the chroot_script.sh is suitable for both these configurations:
i) the chrooted user (John in the example above), has the same home directory on both the system and the chroot environment.
ii) the chrooted user has two different home directories, one for the system and one for the chroot environment.