Old 01-19-2003, 02:15 AM   #1
Agento-
LQ Newbie
 
Registered: Jan 2003
Location: Montana
Distribution: Redhat 7.3
Posts: 10

Rep: Reputation: 0
Execute bash through a symlink?


Hey, I'm trying to set up a chrooted environment. I am using "Jail Chroot Project 1.9". I made a basic chroot environment that I have added software to (including bash).

When I add a new user, I create a new /home/username directory and also add that as a new chroot environment.

What I want to do is to link my main environment's folders like bin, lib, usr, var to each user's home directory, so one change will be effective for all chrooted users. I have tried to do this by making hardlinks and I get permission denied (main environment and individual environments are on the same partition). If I do it with symlinks it appears to work fine, but when I go to log in as a user, it says "Jail: can't canonize path "/bin/bash". Bad path?"

Yet if I cd to /home/test/bin, the bash executable is in the listing.

Anyone have any ideas?

Agento-
 
Old 01-19-2003, 03:08 AM   #2
jdc2048
Member
 
Registered: Jul 2002
Location: Ohio, USA
Distribution: Redhat, Gentoo, Solaris, HP-UX, etc...
Posts: 391

Rep: Reputation: 30
I believe that would be correct. If you could still access the main executables under "/bin" then it wouldn't be a true "jail". It would be more like one of those minimum security prisons where they have spas and personal chefs.

You will need to make a script that copies the necessary executables/libraries to the user's directory structure.
 
Old 01-19-2003, 03:30 AM   #3
Agento-
LQ Newbie
 
Registered: Jan 2003
Location: Montana
Distribution: Redhat 7.3
Posts: 10

Original Poster
Rep: Reputation: 0
Ok, I'm not sure if I made clear what I did or not... I made a base jailed environment that had a very minimal set of binaries in it, along with required libraries and such. I wanted to link this up so that it appeared that every user on the system that is "jailed" has the same folders (bin, var, usr, lib), so if I need to add an application/library or something I would only have to do so in one place.

Does that make sense?

I have it all working, but the only way I could figure out to do it is with a single mount for each user.

I had to mount --bind /var/jail /home/username/.jail

Then I was able to symlink bin -> .jail/bin and so on.

I tried to symlink straight to /var/jail/bin and so on... but it said that it could not canonize /bin/bash or something. I don't know if you have to symlink from the same level in the directory structure or something like that to get it to work. But doing this seems to fix the problem.

I also tried to hardlink from /home/jail/whatever to the user's home but that didn't work; it said operation not permitted.



So doing this with a single mount per user is fine, I guess... but my only concern is that there are going to be tons of mounts active. Is this a problem aside from having to put them in a system init file to mount on startup?

Thanks for your help in figuring this out!

Agento-
 
Old 01-19-2003, 07:14 AM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,165
Blog Entries: 54

Rep: Reputation: 2807
(...) Does that make sense?
No. You will have to think again what your goal is to provide a chrooted jail for every user. If you still want every user to be chrooted you'll have to bear the consequences. To make it easier, there are shells out there like Ash and Sash that are static binaries, and there is BusyBox which can provide you with a static binary that will do the work of the GNU "usual suspects". Remember to remove the chroot, mknod, mount and other symlinks.

If you *have* to mount stuff mount it "-o ro" and make sure you're covered using the Grsecurity patches. This will break some stuff if you don't RTF(ine)M, but makes chroots more secure. IIRC jail doesn't provide you to mount /proc automatically and unless you've got everything covered, this is fine. Also make sure you audit which binaries you're going to provide, permissions, setuid etc, etc.

If you want to know more about chrooting, search/post in the security forum, we've got some good threads w info there.
 
Old 01-19-2003, 02:09 PM   #5
Agento-
LQ Newbie
 
Registered: Jan 2003
Location: Montana
Distribution: Redhat 7.3
Posts: 10

Original Poster
Rep: Reputation: 0
Thanks man. Yeah, I have it set up and running with a single mount (which is -o ro). It seems to be working fine. I am giving them a VERY restricted set of binaries and libraries. No worries there. The main thing I am worrying about is the number of mounts that will be required. I have only one per user but this could add up quickly. Is this going to cause a problem?

One other problem I ran into is with bash in the chroot. When I log in with a chrooted user, it doesn't load the bash_profile or bashrc. Both dot files are there... any reason this would happen? They are both 644.

Thanks for your help

Agento-
 
Old 01-19-2003, 02:23 PM   #6
Agento-
LQ Newbie
 
Registered: Jan 2003
Location: Montana
Distribution: Redhat 7.3
Posts: 10

Original Poster
Rep: Reputation: 0
Sorry, I forgot to include this in the last post. I do have this system set up and running like I specified. I have also set it up with everyone having their own chroot environment and copying the binaries/libraries to their directory.

I'm just not sure which one to stick with. I am trying to set up this system as a shared webhosting server, and I want to be able to offer as much as possible to the users while still restricting them. Does this seem like I should go with sharing a defined set of binaries/libraries for each user, or should I just say screw them and just give them the BARE minimums (bash, and navigational and file editing binaries, along with their required libraries)?

Any suggestions would be much appreciated.

Thanks everyone!

Agento-
 
Old 12-06-2003, 03:02 AM   #7
twantrd
Senior Member
 
Registered: Nov 2002
Location: CA
Distribution: redhat 7.3
Posts: 1,438

Rep: Reputation: 52
Hi,

I have the same problem as you Agento-. I would like to chroot a user that logs in via ssh. I have read the tutorial on http://www.linuxorbit.com/modules.ph...age&artid=538. Whenever I try to switch to that user (named the user 'jail') it spits out this error.

twantrd@localhost:~$ su - jail
Password:
jail: can't canonize path "/bin/bash". Bad path?

I can't quite follow what you did with all the symlinks to resolve this error. Could you please show me step by step how you solved this problem? The user has the name 'jail' while the directory of his jail is '/var/chroot/home/jail'. Thank you..

-twantrd
 
Old 12-18-2003, 11:50 PM   #8
Agento-
LQ Newbie
 
Registered: Jan 2003
Location: Montana
Distribution: Redhat 7.3
Posts: 10

Original Poster
Rep: Reputation: 0
Sorry for the slow reply. This account was signed up under my hotmail email (which gets checked about once a month).

Here's the lowdown. What I wanted to do was create a jailed environment for all hosting users on the server. For the jail chroot project to work correctly you need to:

1. Create a jail environment
2. Add required software to the chroot environment
i.e. bash, ls, cp, mv, ... (and the required shared libraries)
3. Add users to this jail

If you are not worried about locking the chrooted users out of each other's areas then this is easy. You just create one environment and add everyone to it.

Well, on my system I wanted to completely lock users out of system stuff, limit what they could see and do, and also kill all possibility of them seeing, viewing, or messing with each other's stuff.

The most straightforward way of doing this would be to create a jail environment and add the software/libraries to it for each user. However, I was aiming to provide an extensive set of command line tools to the users, so this would have amounted to around 500mb-1gb per user. That was too much disk space... and imagine maintaining that.

What I did to solve this problem was as follows:

1. Set up one jailed environment (/var/jail)
2. Added all required software to the environment (addjailsw I think... but sometimes this failed and I was forced to manually copy executables and required libraries to the appropriate locations)

Now here's where it got tricky...
3. Create a jail environment for each user on the system
4. Hard linked the jailed environment to a hidden folder in each of the users' home directories ("/home/joeschmoe/.jail") with mount -ro (read only)
5. Created a file called rc.jails that contains these mounts
6. Call this file from rc.local so it will load and remount everything on boot

Now we have the basic structure set up... let's give them transparent access to these files.

7. Symlink all folders to their proper filesystem names for each user, like /home/joeschmoe/var --> /home/joeschmoe/.jail/var and so on for each of the required file system folders (/var, /usr, /local, /lib,...)

Now, assuming that you have all the required libraries in place and a copy of bash at /bin/bash for each user (/home/joeschmoe/.jail/bin/bash and the /bin symlink), you should be able to log in without a problem.

That's the gist of it. Hopefully that works for you.

If you have any questions, post a reply and I'll remember to check my hotmail.




Agento-
 
Old 02-09-2004, 01:30 AM   #9
snocked
Member
 
Registered: Dec 2002
Location: St. Louis, MO
Distribution: Slackware 9.1
Posts: 482

Rep: Reputation: 30
Quote:
Originally posted by twantrd
Hi,

I have the same problem as you Agento-. I would like to chroot a user that logs in via ssh. I have read the tutorial on http://www.linuxorbit.com/modules.ph...age&artid=538. Whenever I try to switch to that user (named the user 'jail') it spits out this error.

twantrd@localhost:~$ su - jail
Password:
jail: can't canonize path "/bin/bash". Bad path?

I can't quite follow what you did with all the symlinks to resolve this error. Could you please show me step by step how you solved this problem? The user has the name 'jail' while the directory of his jail is '/var/chroot/home/jail'. Thank you..

-twantrd
Same error here. So I copied /bin/bash to chroot environment so the shell for the chroot environment for the user was /bin/bash to eliminate the error. I didn't get the error when I tried sshing now, instead the connection just closes and no error message.

I then tried just using the bourne shell in the chrooted /etc/passwd for my user because it was installed during addjailsw. I can't even login because my password is wrong now. So I removed the home and shell sources from the real /etc/passwd so my users could get in.

Last edited by snocked; 02-09-2004 at 01:59 AM.
 
Old 04-17-2005, 10:41 PM   #10
metobln
LQ Newbie
 
Registered: Apr 2005
Location: Berlin, Germany
Distribution: Debian 2.6.10
Posts: 6

Rep: Reputation: 0
Hello,
have to dig out this old thread.

I think I followed Agento's guide exactly, but I still get that "can't canonize path" error.

Here is what I have done: (it's a script so $1 is the username)
Code:
#create user
adduser "$1"

#set shell to jail
usermod -s /usr/local/bin/jail "$1"

#make homedir to jail environment
/usr/local/bin/mkjailenv "/home/$1"

#add new user to the jail
/usr/local/bin/addjailuser "/home/$1" "/home/$1" /bin/bash "$1"

#create mountpoint
mkdir "/home/$1/.jb"

#mount the jail_base
mount -o ro --bind /var/jail_base/ "/home/$1/.jb"

#create all symlinks for the new user
ln -s "/home/$1/.jb/bin" "/home/$1/bin"
ln -s "/home/$1/.jb/lib" "/home/$1/lib"
ln -s "/home/$1/.jb/root" "/home/$1/root"
ln -s "/home/$1/.jb/tmp" "/home/$1/tmp"
ln -s "/home/$1/.jb/usr" "/home/$1/usr"
ln -s "/home/$1/.jb/var" "/home/$1/var"
Before calling this script I created the jail_base:
Code:
/usr/local/bin/mkjailenv /var/jail_base
/usr/local/bin/addjailsw /var/jail_base
/usr/local/bin/addjailsw /var/jail_base -P awk
/usr/local/bin/addjailsw /var/jail_base -P ssh --version
/usr/local/bin/addjailsw /var/jail_base -P scp --version
/usr/local/bin/addjailsw /var/jail_base -P bash
Is there something I did wrong or is it just not working on my system with this trick? I'm using an old Debian 2.4.21-rc1.

Any help would be greatly appreciated. Many Thanks in advance!

Regards,
Daniel
 
Old 04-18-2005, 01:51 PM   #11
metobln
LQ Newbie
 
Registered: Apr 2005
Location: Berlin, Germany
Distribution: Debian 2.6.10
Posts: 6

Rep: Reputation: 0
I solved the problem. I just have been blind in the last morning.

The symlinks have been wrong. Inside the chrooted shell they had no target because they had an absolute reference.

They all should look like this:

ln -s /.jb/bin /home/$1/bin

Thanks to you, Agento-, for that great idea!

Daniel
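
The fix in the post above generalizes: after chroot(), an absolute symlink target is looked up from the jail's root, not the host's. The following is an added example, not part of the original thread and not code from the Jail Chroot Project; it checks a jail's top-level symlinks that way without entering the jail. The function names and the temporary directory tree are constructed for illustration.

```sh
#!/bin/sh
# Added example: check jail symlinks as they will resolve after chroot(),
# without root privileges and without entering the jail.

# link_resolves_in_jail JAIL LINK
# Exit 0 if LINK's target exists once JAIL becomes "/", 1 if it dangles,
# 2 if LINK is not a symlink. Follows one level of link, as in the thread.
link_resolves_in_jail() {
    _root=${1%/}
    _target=$(readlink "$2") || return 2
    case $_target in
        /*) _resolved="$_root$_target" ;;            # absolute: re-rooted at the jail
        *)  _resolved="$(dirname "$2")/$_target" ;;  # relative: from the link's directory
    esac
    [ -e "$_resolved" ]
}

# audit_jail JAIL
# Report every top-level symlink in JAIL; exit 1 if any would dangle inside it.
audit_jail() {
    _rc=0
    for _l in "$1"/*; do
        [ -L "$_l" ] || continue
        if link_resolves_in_jail "$1" "$_l"; then
            echo "ok      ${_l##*/} -> $(readlink "$_l")"
        else
            echo "BROKEN  ${_l##*/} -> $(readlink "$_l")"
            _rc=1
        fi
    done
    return $_rc
}

# Constructed sample tree: one link in the failing form, one in the fixed form.
demo() {
    _tmp=$(mktemp -d)
    _jail="$_tmp/home/joe"
    mkdir -p "$_jail/.jb/bin" "$_jail/.jb/lib"
    ln -s "$_jail/.jb/bin" "$_jail/bin"   # host-absolute target: dangles in the jail
    ln -s /.jb/lib "$_jail/lib"           # jail-absolute target: the corrected form
    audit_jail "$_jail" || echo "audit: fix the BROKEN links above"
    rm -rf "$_tmp"
}
demo
```

The corrected link looks dangling when listed from the host, since /.jb does not exist there; that is expected.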
 
  

