LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Security (http://www.linuxquestions.org/questions/linux-security-4/)
-   -   chroot jail etc. (http://www.linuxquestions.org/questions/linux-security-4/chroot-jail-etc-105320/)

f1uke 10-17-2003 06:05 PM

chroot jail etc.
 
I found the chrootjail project off sourceforge and began playing with it, Ive created a jail, and it works to well I might say. The users in the jail were unable to change their own passwords and were unable to make any sort of connection out side the box ie unable to use BitchX etc. With th passwd command not working I ldd'd it and added the needed libs that it read back to me. But when the user logged in and tried to use it they got a error like this,

-jail-2.05b$ passwd
passwd: Cannot determine your user name.
-jail-2.05b$

I was told that the problem more likely applied to the passwd, and shadow files. but they seemed to check out fine? Please help
-jason

f1uke 10-17-2003 06:06 PM

I also had another question, I currently have chrootkit and aid installed on the box. Are there any other recommended programs for detection?

unSpawn 10-19-2003 06:14 PM

passwd: Cannot determine your user name.
Stupid question, but is the user in the chrooted passwd file?
Did you add *all* the necessary PAM configs and libraries?
What are the permissions on the passwd/shadow/group files?
If perms are OK, could you run a strace on passwd in the jail?
(Please keep the strace output as reference and post only errors)

BTW, I'd like to point out that running any setuid root application in a chroot should be avoided as much as possible, and that running a Grsecurity-patched kernel has additional security benefits to curb risks, auditing and logging.

f1uke 10-19-2003 11:52 PM

Yea the passwd entry's them selves appear correct in side the jail. As far as adding all necessary pam configs and libs, Im not to sure. I cp -R the whole /etc dir and /lib hoping that that would ensure i didnt miss anything. Permissions for passwd etc are
-rw-r--r-- 1 root root 1140 Oct 19 18:00 passwd
-rw-r----- 1 root root 689 Oct 18 14:03 shadow
-rw-r--r-- 1 root root 481 Oct 18 14:03 group

ran a strace on passwd, and came up with alot of unreadable data to me, didnt seem to find any out standing error msg's.

unSpawn 10-20-2003 08:13 AM

ran a strace on passwd, and came up with alot of unreadable data to me, didnt seem to find any out standing error msg's.
grep <strace.log> -e "=.-1", stuff like EACCESS and any ENO.*

obituary 08-24-2005 03:12 AM

Re: chroot jail etc.
 
Quote:

Originally posted by f1uke
The users in the jail were unable to change their own passwords and were unable to make any sort of connection out side the box ie unable to use BitchX etc. With th passwd command not working I ldd'd it and added the needed libs that it read back to me.
check out Jailkit, it has many handy tools to setup a chroot shell, and also to test it if it is safe (not unimportant!). It has a utility that automatically copies all the required libraries to a chroot jail, and also a utility that can for example copy all files required for basic networking.

It overlaps quite a bit with the chrootjail project (it has comparable utilities), but IMHO jailkit ismuch nicer.


All times are GMT -5. The time now is 07:36 AM.