chroot jail with rssh / restricting users to individual directories
I'm running SuSE 9.3. I have successfully set up a chrooted jail (/jail) for 'sftp' using the 'rssh' shell. The jail works great. But every user logging in to the account bound to the jail, even though he cannot go outside of the jail, can freely roam around the jail filesystem (say, /jail/bin, or /jail/lib/ or /jail/etc). I need the user, within the jail, to be bound ONLY to his home directory (/jail/user01) and nothing else. I tried to modify the 'rssh.conf' file for individual users but, when I do something like 'user = user01:011:00010:/jail/user01' then I get the 'connection closed' message. I think it's because all the chrooted files need to be within that directory (/jail/user01).
Does anybody have an idea of any solution? I tried to set the 'scponly' shell but I get an error message when I'm running the 'make' command. Thanks for any help.
I need the user, within the jail, to be bound ONLY to his home directory (/jail/user01) and nothing else.
I don't know if those dirs can be made invisible to the user since they contain files they need access to for the chroot to function. If your filesystem uses extended attributes then you could chattr =i -R those dirs. Then at least they would not be able to modify them. Any particular security-enhancing reason why you need this?
I tried to set the 'scponly' shell but I get an error message when I'm running the 'make' command.
Posting the actual errors could help.
Thanks for your reply. I looked around a lot and it seems that not only do all the files required by binaries need to be in the jail but also all of them are accessible to the user (as the user logs in using, say, an sftp client, all the files need to be accessible to the client, say sftp, so the user will have access to them). The reason for wanting users to be bound ONLY to their home directories is that my users are freelancers/contractors and I don't want them to know about each other. It's a company policy thing. What I ended up doing is building separate jails for every user. I know it's a waste of resources but I have no other alternative. The other solution I'm looking into is to have the ssh restrict the 'cd' command. If you have any suggestions I'd greatly appreciate them.
As for the 'chattr', it's a great idea. Thanks. I'm going to make all the files immutable.
The following is the error message that I receive when I'm trying to 'make' scponly. Also, I need the root privileges when I'm configuring scponly. It's a little odd, I guess. Sorry for not posting this earlier.
linux:/home/tei/Desktop/xxx/temp/scponly-4.3 # make
gcc -g -O2 -I. -I. -DHAVE_CONFIG_H -DDEBUGFILE='"/usr/local/etc/scponly/debuglevel"' -o scponly scponly.o helper.o
helper.o(.text+0x8e5): In function `check_dangerous_args':
/home/tei/Desktop/xxx/temp/scponly-4.3/helper.c:163: undefined reference to `optreset'
collect2: ld returned 1 exit status
make: *** [scponly] Error 1
What I ended up doing is building separate jails for every user. I know it's a waste of resources but I have no other alternative. The other solution I'm looking into is to have the ssh restrict the 'cd' command.
If you're wasting resources on /bin binaries have a look at Busybox. While it doesn't handle esoteric flags it's good for daily use. For restrictions (haven't tried it myself) either Grsecurity's RBAC or something in the LSM should be able to restrict access: after all it's just a dir listing. Another (lame) way could be to hand out account names which can't be traced back to a name (date|sha1sum|cut -c 1-12|tr [a-z] [A-Z])?.
Also, I need the root privileges when I'm configuring scponly.
Hmm. Haven't noticed anything odd, and I build my packages as unprivved user.
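For a shared jail laid out like the /jail in this thread, the following added example (not posted by anyone in the thread) audits two things the discussion turns on: whether one jailed account can list or enter another's home directory, and whether anything under the jail's system directories is world-writable. The function names, the SYSTEM_DIRS list and the sample jail are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit a shared chroot jail such as /jail from the thread.
# SYSTEM_DIRS is an assumption about which top-level entries are jail plumbing;
# every other top-level directory is treated as a user's home.
SYSTEM_DIRS="bin lib lib64 etc usr dev"

# Print one finding per line:
#   WORLD_WRITABLE <path>  file or directory under a system dir anyone can modify
#   HOME_EXPOSED   <path>  home dir with any group/other permission bit set
# Mode 0700 homes stop other accounts reading contents; the directory names
# in the jail root stay visible as long as the root itself is listable.
list_findings() {
    jail=$1
    for dir in "$jail"/*/; do
        [ -d "$dir" ] || continue
        dir=${dir%/}
        name=${dir##*/}
        case " $SYSTEM_DIRS " in
            *" $name "*)
                find "$dir" ! -type l -perm -002 -exec echo WORLD_WRITABLE {} \; ;;
            *)
                find "$dir" -prune \( -perm -040 -o -perm -020 -o -perm -010 \
                    -o -perm -004 -o -perm -002 -o -perm -001 \) \
                    -exec echo HOME_EXPOSED {} \; ;;
        esac
    done
}

# Print the findings and return 1 if there are any, 0 for a clean jail.
audit_jail() {
    report=$(list_findings "$1")
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# Constructed sample jail: user01 is private, user02 and etc/passwd are not.
make_sample_jail() {
    j=$(mktemp -d)
    mkdir "$j/bin" "$j/lib" "$j/etc" "$j/user01" "$j/user02"
    touch "$j/etc/passwd"
    chmod 755 "$j/bin" "$j/lib" "$j/etc" "$j/user02"
    chmod 700 "$j/user01"
    chmod 666 "$j/etc/passwd"
    echo "$j"
}

sample=$(make_sample_jail)
audit_jail "$sample" || echo "jail needs tightening"
rm -rf "$sample"
```

Run `audit_jail /jail` against a real jail after any change to it; a clean result prints nothing and returns 0.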