LinuxQuestions.org
Register a domain and help support LQ
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 01-17-2006, 04:54 PM   #1
rob_xx17
Member
 
Registered: Jan 2004
Location: USA
Distribution: SuSE
Posts: 54

Rep: Reputation: 15
chroot jail with rssh / restricting users to individual directories


I'm running SuSE 9.3. I have successfully set up chrooted jail (/jail) for 'sftp' using 'rssh' shell. The jail works great. But every user logging in to the account bound to the jail, even tough cannot go outside of the jail, can freely roam around the jail filesystem(say, /jail/bin, or /jail/lib/ or /jail/etc). I need the user, within the jail, to be bound ONLY to his home directory (/jail/user01) and nothing else. I tried to modify the 'rssh.conf' file for individual users but, when I do something like 'user = user01:011:00010:/jail/user01' then I get the 'connection closed' message. I think it's because all the chrooted files need to be within that directory (/jail/user01).

Does anybody have an idea of any solution? I tried to set the 'scponly' shell but I get an error message when I'm running the 'make' command. Thanks for any help.
 
Old 01-20-2006, 06:53 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,561
Blog Entries: 54

Rep: Reputation: 2927Reputation: 2927Reputation: 2927Reputation: 2927Reputation: 2927Reputation: 2927Reputation: 2927Reputation: 2927Reputation: 2927Reputation: 2927Reputation: 2927
I need the user, within the jail, to be bound ONLY to his home directory (/jail/user01) and nothing else.
I don't know if those dirs can be made invisible to the user since they contain files they need access to for the chroot to function. If your filesystem uses extended attributes then you could chattr =i -R those dirs. Then at least they would not be able to modify them. Any particular security-enhancing reason why you need this?


I tried to set the 'scponly' shell but I get an error message when I'm running the 'make' command.
Posting the actual errors could help.
 
Old 01-20-2006, 08:29 AM   #3
rob_xx17
Member
 
Registered: Jan 2004
Location: USA
Distribution: SuSE
Posts: 54

Original Poster
Rep: Reputation: 15
Thanks for your reply. I looked around alot and it seems that not only all the files required by binaries need to be in the jail but also all of them are accessible to the user (as the user logs in using, say, sftp client, all the files need to be accessible to the client, say sftp, so the user will have access to them). The reason for wanting users to be bound ONLY to their home directories is that my users are freelancers/contractors and I don't want them to know about each other. It's a company policy thing. What I ended up doing is building separate jails for every user. I know it's a waste of resources but I have no other alternative. The other solution I'm looking into is to have the ssh restrict the 'cd' command. If you have any suggestions I'd greatly appreciate them.

As for the 'chattr', it's a great idea. Thanks. I'm going to make all the files immutable.

The following is the error message that I receive when I'm trying to 'make' scponly. Also, I need the root privileges when I'm configuring scponly. It's a little odd, I guess. Sorry for not posting this earlier.

linux:/home/tei/Desktop/xxx/temp/scponly-4.3 # make
gcc -g -O2 -I. -I. -DHAVE_CONFIG_H -DDEBUGFILE='"/usr/local/etc/scponly/debuglevel"' -o scponly scponly.o helper.o
helper.o(.text+0x8e5): In function `check_dangerous_args':
/home/tei/Desktop/xxx/temp/scponly-4.3/helper.c:163: undefined reference to `optreset'
collect2: ld returned 1 exit status
make: *** [scponly] Error 1
 
Old 01-23-2006, 04:28 AM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,561
Blog Entries: 54

Rep: Reputation: 2927Reputation: 2927Reputation: 2927Reputation: 2927Reputation: 2927Reputation: 2927Reputation: 2927Reputation: 2927Reputation: 2927Reputation: 2927Reputation: 2927
What I ended up doing is building separate jails for every user. I know it's a waste of resources but I have no other alternative. The other solution I'm looking into is to have the ssh restrict the 'cd' command.
If you're wasting resources on /bin binaries have a look at Busybox. While it doesn't handle esoteric flags it's good for daily use. For restrictions (haven't tried it myself) either Grsecurity's RBAC or something in the LSM should be able to restrict access: after all it's just a dir listing. Another (lame) way could be to hand out accountnames which can't be traced back to a name (date|sha1sum|cut -c 1-12|tr [a-z] [A-Z])?.


Also, I need the root privileges when I'm configuring scponly.
Hmm. Haven't noticed anything odd, and I build my packages as unprivved user.


scponly-4.3/helper.c:163: undefined reference to `optreset'
Getopt. See http://bugs.gentoo.org/show_bug.cgi?id=116526 for a patch.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
rssh/sftp chroot problem julz_51 Linux - Security 1 11-01-2005 04:50 PM
chroot jail etc. f1uke Linux - Security 5 08-24-2005 04:12 AM
restricting individual user download speed bishal Linux - Software 0 07-17-2004 07:47 AM
setting up VSFTP for individual users and directories filch Linux - Software 0 05-13-2004 12:35 AM
chroot jail sftp users f1uke Linux - Security 1 07-28-2003 11:29 AM


All times are GMT -5. The time now is 11:41 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration