LinuxQuestions.org - jail user to /home/user directory

- Linux - Security (https://www.linuxquestions.org/questions/linux-security-4/)

- - jail user to /home/user directory (https://www.linuxquestions.org/questions/linux-security-4/jail-user-to-home-user-directory-415231/)

jail user to /home/user directory

i have an ssh user that i dont want to be able to navigate outside of his home directory - dont want him snooping around in /etc and so on.

Does anyone know how i can stop him doing this?

much appreciated
condused_user

I just read this the other day. I haven't tested it yet.

http://www.howtoforge.com/book/print/929

thanks for your replies guys.

after days of strugling with chroot ssh jails i have abandoned it and moved onto ssl instead - which is extremely simple to set up and just as secure.

if you want my adivce - unless you are the author of the ssh protocol, do not attempt to use chroot with sshd, its almost impossible to set up as the documentation available is pathetic.

many thanks for your help.

confused user.

It is not very documented but I haven't came across special problems. I'll post my method , I have not tested the security (although the jail shows) and not tried with PAM , so call it introduction to chroot sshd. Some parts are specific to debian, refer to your distro for these.

(Everything has to be done as root)

Get the sshd server:

Code:

apt-get source openssh-server

Patch it, in my case I have 4.2p1:

Code:

wget http://chrootssh.sourceforge.net/download/osshChroot-4.2p1.diff

Apply patch:

Code:

patch -p1 osshChroot-4.2p1.diff

See the result:

Code:

debian:~/chroot_ssh# more openssh-4.2p1/version.h

/* $OpenBSD: version.h,v 1.45 2005/08/31 09:28:42 markus Exp $ */



#define SSH_VERSION    "OpenSSH_4.2-chrootssh"

Compile/Build:

Code:

apt-get build-dep openssh-server

cd openssh-4.2p1

CFLAGS="-O4 -march=i686" debian/rules binary-openssh-server

Install:

Code:

cd ..

dpkg -i openssh-server_4.2p1-6_i386.deb

Now set up the jail for new user bush, be sure to put the leading . (to tell openssh to put bush in jail)

Code:

adduser bush -d /home/bush/./

Set the comfortable jail:

Code:

mkdir /home/bush/bin

mkdir /home/bush/etc

mkdir /home/bush/lib

Copy bash to the jail

Code:

cp /bin/bash /home/bush/bin

Look at dependencies of bash

Code:

ldd /home/bush/bin/bash

Gives me this:

Quote:

linux-gate.so.1 => (0xffffe000)
libncurses.so.5 => /lib/libncurses.so.5 (0xb7e94000)
libdl.so.2 => /lib/tls/libdl.so.2 (0xb7e90000)
libc.so.6 => /lib/tls/libc.so.6 (0xb7d58000)
/lib/ld-linux.so.2 (0xb7eef000)

Copy them in the jail

Code:

cd /lib

cp ld-linux.so.2 libc.so.6 libdl.so.2 libncurses.so.5 /home/bush/lib

Transfer /etc/passwd line for new user to the jail

Code:

grep bush /etc/passwd > /home/bush/etc/passwd

Try!!

Code:

/etc/init/ssh restart

ssh bush@localhost

Quote:

Last login: Wed Feb 22 13:50:27 2006 from localhost.localdomain
-bash-3.1$pwd
/
-bash-3.1$

well thats more like it, i'll follow your notes and let you know how i get on, but for anyone else lookign to do this in the meantime, vsftpd has ssl support built in now and is its like a 10 minute job to set it up.

thanks for the help!

Yes, try it, at least for fun. I'm sure it won't take you longer than 10minutes :) This post is for ssh, for sftp (part of ssh) there are a few other things to do I think, I could post it if I try it.
Cheers

yes i will try it and post my results - i havnt had a chance yet...

i should probably restate my aims.

i have a client that is insisting on a secure file tranfer solution. Being a lazy person i opted for somthing that i thought would be easiest - sshd - being present on almost every standard linux distro.

i had originally wanted to use RSSH to limit what the ssh user could do, ie: not issue commands like "useradd" "chown" "chmod" and thigns like that. I only want him to be able to do a "get" "put" "mkdir" "rm" and "ls".

This is all pretty easy to do. So when it came to hardening the server i realised that i was able to navigate to the true root of the file system and was able to browse (read only) to /etc and everywhere else. In theory it would be possible to look at the shadow hashes and brute force them among other things.

so i want to put the user in a chroot jail in his home directory (or somwhere else). so the problem is moving the bin's like "ls" and "get" into his chroot jail and their associated libs.

your notes above have helped me understand how to go about doing this - i didnt know about the ldd command :)

if you have an SFTP version of the above notes i would love to read them!!

a thousand thanks
Confused_user

Then better use the chroot configuration of vfstpd rather than hacking into the code of ssh , even if it is possible but maybe less tested.

can you more explain to me, or have you some link who's can help me

You want to chroot ssh? What don't you understand?

The first thing is to get the ssh server source. You need this because you have to recompile it because the standard one, as far as I know doesn't have this feature.

Then you patch it.

Did you do this first?

no, i havn't do just download the last version and set up it, i think that's all what i had do.
have you some guide.
if you can firstly explain me how to set up the jail on local machine, where some user chrooted to jile.
thank you

The only guide I have is this one :)

There are some on the net. I have just looked on google (keywords: chroot ssh) they are all a little bit more complex.

For setting up the jail you need to look after step:
"Now set up the jail for new user bush"

To set up a jail in his home, you need to put everything needed by his shell(bash) in his home, as if /home/bush was /

By doing ldd I ask what bash depends on.
/lib ,..
so you have to create first the place for bash:
mkdir /home/bush/bin
cp /bin/bash /home/bush/bin

then the libs
mkdir /home/bush/lib
cp <all the libs> /home/bush/lib

then the file passwd is needed so
mkdir /home/bush/etc

and so on..