LinuxQuestions.org
Download your favorite Linux distribution at LQ ISO.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie
User Name
Password
Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!

Notices

Reply
 
Search this Thread
Old 04-18-2011, 08:02 AM   #1
Soji Antony
Member
 
Registered: Jul 2010
Posts: 54

Rep: Reputation: 1
chroot error "cannot change root directory to /jail: Operation not permitted"


Hi

I am trying to create a jailed shell for a user Don($UID '500') using my own method(I don't want to use any ready-made "jailkit"). The user don should get a home directory /jail/don instead of /home/don when he login via SSH (So that he will not able to see any other files/directories on the system)

This is what I have done.

Quote:
1. Created a directory /jail & copied don's home,/lib & /bash directoris to /jail.
After doing this I am able to chroot to /jail as a root user.
ie: #chroot /jail

2. Modified /etc/profile file, & added following entries at the bottom of the file.

Code:
if [ $UID -eq 500 ]
then 
cd /jail/$USER
fi
It works without any issue ....Home directory changes to /jail/don when I ssh to the system as user don.
ie: #ssh don@192.168.0.66
Then I added a chroot command to this code.
Code:
if [ $UID -eq 500 ]
then 
cd /jail/$USER
chroot /jail/$USER
fi
Unfortunately , now I am getting an error message saying that "chroot: cannot change root directory to /jail: Operation not permitted" .. I am not sure how to rectify this error ...Please help ... Is my approach correct to get a jailed shell using /etc/profile file ?

Last edited by Soji Antony; 04-18-2011 at 09:34 AM.
 
Old 04-18-2011, 08:20 AM   #2
stevenz
LQ Newbie
 
Registered: Feb 2011
Posts: 5

Rep: Reputation: 0
Only superuser can "chroot".
Why did you want to add "chroot /jail" to a user profile, what do you intend to do with that command?
 
Old 04-18-2011, 08:26 AM   #3
shawley
LQ Newbie
 
Registered: Oct 2009
Posts: 12

Rep: Reputation: 0
chroot only works if you are root. When you log in as don he is now the user and the chroot will fail. I would sugest you look at rssh (restricted shell).
Off the top of my head, but there are probably better ways. Depending on how resticted you need him to be and what you want him to be able to do, and how good of a linux person he is. You could remove all the paths from PATH and alias only the command you want him to use. Example grep" would be alias to /usr/bin/grep or something like that. That might be what you want? I don't really like this idea and it requires a lot of maintanence on your part. But, too each their own. I still recommend you look into rsh. Just some thougts....
 
Old 04-18-2011, 08:41 AM   #4
Soji Antony
Member
 
Registered: Jul 2010
Posts: 54

Original Poster
Rep: Reputation: 1
Hi stevenz,

I have added that command in /etc/profile file so that it will executed each time he login & will get a jailed shell.

Hi shawley

Quote:
You could remove all the paths from PATH and alias only the command you want him to use.
Is it possible to set a special path for a particular user, without affecting any other user?. I thought, it will affect all users in the system ...

Thanks ...
 
Old 04-19-2011, 06:53 AM   #5
shawley
LQ Newbie
 
Registered: Oct 2009
Posts: 12

Rep: Reputation: 0
Yes, change the PATH in the users .bash_profile in their home directory only, not in /etc.
This give control for a user to modify their own environment. However if you change the path and such they will not be able to get to it to change it back effectively locking them into whatever environment you set up.
 
Old 04-19-2011, 10:56 AM   #6
Soji Antony
Member
 
Registered: Jul 2010
Posts: 54

Original Poster
Rep: Reputation: 1
Hi

I have one more doubt regarding /etc/profile file.

Code:
#getfacl /etc/profile
 getfacl: Removing leading '/' from absolute path names
 # file: etc/profile
 # owner: root
 # group: root
 user::rw-
 group::r--
 other::r--
The above results shows that root is the owner & he has the permission to execute /etc/profile file commands. So, when a user logs in and access the command line, does /etc/profile file commands gets executed as root or as the user????

Plz help ....
 
Old 05-20-2011, 09:25 PM   #7
Soji Antony
Member
 
Registered: Jul 2010
Posts: 54

Original Poster
Rep: Reputation: 1
Thank you all for posting ......

Finally it worked ... I wrote a bash script to execute chroot command & called that from a c program( With SUID bit set ).
Code:
#tail -5 /etc/profile
if [ $UID -eq 500 ]
then
/tmp/call-script
fi
#cat call-script.c
Code:
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

int main()
{
   setuid( 0 );
   system( "/root/chrt.sh" );

   return 0;
}
Code:
make call-script call-script.c
chmod +x call-script
chmod u+s call-script
cat chrt.sh
Code:
#!/bin/bash
chroot /jail/don

Last edited by Soji Antony; 05-20-2011 at 09:40 PM.
 
Old 05-21-2011, 12:26 AM   #8
vkvs
LQ Newbie
 
Registered: May 2011
Posts: 23

Rep: Reputation: 2
I fail to see how it would work, since my own replication had "Permission denied".

If this works for you, it means the user got a root access within jail. He can now easily "escape" jail, and get to the real files.
 
Old 05-23-2011, 08:29 PM   #9
Soji Antony
Member
 
Registered: Jul 2010
Posts: 54

Original Poster
Rep: Reputation: 1
Hi

It should work. You need to give execute permission to /root/chrt.sh
Code:
chmod +x /root/chrt.sh
I forgot to add that step in my last post. Also you need to copy /lib & /bash directoris to /jail/don before executing chroot command [depending on the command you want him to use].

>If this works for you, it means the user got a root access within jail. >He can now easily "escape" jail, and get to the real files.

As far as I know the user will get root permission only when he execute chroot command.

Last edited by Soji Antony; 05-23-2011 at 08:31 PM.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
[SOLVED] insmod error "operation not permitted" as root Philmac Linux - Software 10 10-11-2010 10:36 PM
Logged in as "root"/Fedora 8 but get "Operation not permitted" when using "chmod etc gosunlee Linux - Newbie 7 02-10-2008 05:56 AM
bash# "chvt N" as non-root says 'Operation not permitted' GrapefruiTgirl Linux - Desktop 4 09-16-2007 04:44 PM
"capset: Operation not permitted" error when I run valgrind. rsravi74 Linux - Newbie 1 09-02-2007 05:30 PM
"Operation not permitted" error logging in to Ubuntu Dapper Drake paulBottomley Linux - Newbie 7 08-10-2006 11:13 AM


All times are GMT -5. The time now is 08:56 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration