Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
Hey,
I would like to jail my users and found this(seemingly) great tutorial: http://www.technicalarticles.org/ind..._a_Chroot_Jail
I created a test server to install and get it down so I can do it quickly on my production server. The server is a minimum install from a CentOS 4.4 ServerCD. I have followed the following commands:
Code:
tar -xvf openssh-4.2p1-chroot.tar.gz
cd openssh-4.2p1-chroot
./configure --without-zlib-version-check
yum install gcc
./configure --without-zlib-version-check
cd /root
wget http://www.zlib.net/zlib-1.2.3.tar.gz
tar xvfz zlib-1.2.3.tar.gz
cd zlib-1.2.3
./configure
make test
make install
cd /root/openssh-4.2p1-chroot
./configure --without-zlib-version-check
rpm -Uhv http://apt.sw.be/packages/rpmforge-release/rpmforge-release-0.3.6-1.el4.rf.i386.rpm
yum update openssl
each time I try to configure I get more and more dependencies I'm missing. First GCC then zlib and now libcrypto. I have the newest version of openssl and I have the following files in /lib: libcrypt.so.1
libcrypt-2.3.4.so
libcrypto.so.0.9.7a
libcrypto.so.4(link file to ... nowhere?)
I cant find a way to install this file and I'm sure that even if i can get it installed that there will be more that I will have problems with. Is there a better tutorial that I just cant seem to find? Is there a better way to install the openssh chroot(rpm dl or in a repo somewhere?)?
I don't need anything fancy because I only have a few users, but I'de just like to be able to jail these few users to their home dir and still allow them to login through sftp(i have them all using winSCP)
Thanks,
Adam
p.s. Ive tried jailkit and had a lot of problems with it. I couldnt find any centos/rhel specific install instructions and their website seems outdated with what the commands actually do.
I had exactly the same problem you are encountering, so I devised a method that doesn't require libraries and all that. Users are jailed, and can only use SFTP:
It seems promising to me. I am in a drama production and currently we are in the portion called "hell week"( the week before the show) and I'm running sound board so I am very busy but sometime this week or next, I will post with my results.
Thanks!
I got it to work perfectly. The tutorial you gave was a great help, but still not quite enough. I eventually found solutions to all of my problems. Seeing how hard it was for me, I will write a small article on my website with what I did. Basically it will be a tutorial based off of all the tutorials I followed.
I will post a link here for any that have my same problems.
Well this version is using a SFTP only shell which does not allow for an interactive login or command line access.
I just tested this...
First of all you have to use a program that supports SFTP. Login is denied to anything but the SFTP protocol. So in winscp, I created a bash file(tired perl too) and then tried to execute it. (the user doesn't have the ability to run the c compiler). After trying to execute it(right click ->Custom commands->Execute) I got the following error
"Server send command exit status 2" with the description of "Error skipping startup message. Your shell is probably incompatible with the application (BASH is recommended)."
As it turns out, you get this error when trying to execute any file(including html files and text files). You get to this error before it even checks if the file is of an executable type.
At the beginning of the page you sent it listed many commands the user would need access to. Using these tutorials, the user doesn't need access to anything other then the sftp shell
It seems to me that it cannot be broken using this method. I'm no expert though.
It seems to me that it cannot be broken using this method. I'm no expert though.
-Adam
I would tend to agree with Adam on this - the 'sftpsh' shell *should* prevent use of anything other than legitimate SFTP commands. If somebody does find a way to break out of the chroot'd SFTP system I put together, I'd very much like to hear about it so I can find a way to prevent it!
Your tutorial has helped me immensely but I have a few questions for you... You set the usershell to /bin/false. Why is this or can I use another shell?
Also, I seem to be getting the error:
"fatal: bad ownership or modes for chroot directory component "/""
You chown directories to root:root but that is not possible on my system (Mac OS 10.4.11). The best I can do is root:admin.
Your tutorial has helped me immensely but I have a few questions for you... You set the usershell to /bin/false. Why is this or can I use another shell?
Also, I seem to be getting the error:
"fatal: bad ownership or modes for chroot directory component "/""
You chown directories to root:root but that is not possible on my system (Mac OS 10.4.11). The best I can do is root:admin.
Shell can be anything, really, as the user shouldn't be able to gain a shell, but /bin/false means they can't do anything if they manage to. As for the directory ownership, root:admin should do the job - it's the root ownership that's most important.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.