|
Jailed Home Dir
What would be the proper way to configure a user to be "jailed" in his home directory without having access to any other area of the filesystem? If anyone can point me in the direction of an article or simply explain the process i'd appreciate it, THANKS!
|
Once a user logs in, he is in his home directory. Change permissions to the /home directory according to the ones you need. I don't know if taking away the read and execute rights on the /home directory would still allow a user to be in his home directory. It would not allow him to go out of his directory for certain. So some other oppinions are welcome here.
|
If the user has shell access, ie logs in locally or remotely using SSH and etc, then you'd have to set a miniture environment for them inside the jail, complete with every program that you want them to have access to. That includes everything from the basic linux utilities like "ls" on up, as well as the shell (/bin/bash and etc) itself. Afterall, if they can not access /usr/bin and etc, then they can not possibly run a program that's within it. And a shell that provides nothing to the user is of no use that I can see. There are alot of projects around that simplify this for you, here's a couple:
http://www.jmcresearch.com/projects/jail/ http://olivier.sessink.nl/jailkit/ Also changing the permissions on their home directory will not accomplish this. They still have access to / and everything else where the permissions permit them access. Anyway, at the end of the day you should ask yourself 1 simple question. Do I trust this person with shell access to my box? If the answer is no, then the best policy is to not give them access in the first place. :) That said, so long as you take measures to secure the box, taking into account that other people will have access to it, and you monitor their activity on it, then giving a freind access is not that big of deal in my opinion. For instance, my ISP still gives every single customer of theirs, from dialup customers on up, shell access on a high speed Red Hat machine. |
I created a script to create chroot jails for a user which i have used on many redhat systems, maybe you can use it:
#!/bin/bash USER="$2" JAILDIRS="dev etc etc/pam.d bin home sbin usr usr/bin" APPS="/bin/bash /bin/cp /bin/ls /bin/mkdir /bin/mv /bin/rm /bin/rmdir /bin/sh /bin/su /usr/bin/id /bin/cat /usr/bin/mysql /bin/chmod /bin/vi /usr/bin/less /usr/bin/scp" createjail(){ # make common jail for everybody if inexistent if [ ! -d "/home/$USER" ] then mkdir -p "/home/$USER" echo "Creating /home/$USER" else echo -e "Creating jail failed!\n/home/$USER already exists" sleep 1 exit 1 fi cd /home/$USER # Create /bin/chroot-shell (Shell for jailed accounts) if [ ! -x "/bin/chroot-$USER" ] then echo "Creating /bin/chroot-$USER" ################################ echo -e "#!/bin/sh if [ \"\$1\" = \"-c\" ] then sudo `which chroot` /home/\$USER /bin/su - \$USER -c /bin/bash \"\$@\" else sudo `which chroot` /home/\$USER /bin/su - \$USER fi exit 0" > /bin/chroot-$USER ################################ chmod 755 /bin/chroot-$USER fi # Create Directories in jail that do not exist yet for directory in $JAILDIRS ; do if [ ! -d "/home/$USER/$directory" ] ; then mkdir "/home/$USER/$directory" echo "Creating /home/$USER/$directory" fi done # Copy the apps and the related libs echo "Copying necessary library-files to jail (may take some time)" for app in $APPS do cp -a $app .$app # get list of necessary libraries ldd $app > /dev/null if [ "$?" = 0 ] ; then LIBS=`ldd $app | awk '{ print $3 }'` for lib in $LIBS do mkdir -p .`dirname $lib` > /dev/null 2>&1 cp $lib .$lib done fi done # xterm is needed for the "less" command mkdir -p /home/$USER/usr/share/terminfo/x cp /usr/share/terminfo/x/xterm /home/$USER/usr/share/terminfo/x cp -r /etc/pam.d/* ./etc/pam.d/ cp /lib/libnss_compat.so.2 /lib/libnsl.so.1 /lib/libnss_files.so.2 ./lib/ cp -r /lib/security ./lib echo "" > /home/$USER/usr/bin/clear chmod 555 /home/$USER/usr/bin/clear mknod /home/$USER/dev/urandom c 1 9 mknod /home/$USER/dev/tty c 5 0 mknod /home/$USER/dev/zero c 1 5 mknod /home/$USER/dev/null c 1 3 #needed for traceroute cp /etc/protocols /home/$USER/etc/ cp /etc/services /home/$USER/etc/ } addjailuser(){ cd /home/$USER # Get accountname to create HOMEDIR="/home/$USER/home/$USER" echo if [ ! -d "/home/$USER" ] then echo -e "Adding new user failed!\n/home/$USER does not exists" exit 1 fi # Exit if User exists id $USER > /dev/null 2>&1 && { echo "User already exists."; sleep 1; exit 1; } echo "Modifying /etc/sudoers" echo "$USER ALL=NOPASSWD: /usr/sbin/chroot, /bin/su - $USER" >> /etc/sudoers echo "Adding User \"$USER\" to system" useradd -d "$HOMEDIR" -s "/bin/chroot-$USER" $USER chmod 700 "$HOMEDIR" # Enter password for new account passwd $USER # Create /usr/bin/groups in the jail if [ ! -x "usr/bin/groups" ] then echo "#!/bin/bash" > usr/bin/groups echo "id -Gn" >> usr/bin/groups chmod 755 usr/bin/groups fi # Add users to etc/passwd # # check if file exists (ie we are not called for the first time) # if yes skip root's entry and do not overwrite the file if [ ! -f etc/passwd ] then grep /etc/passwd -e "^root" > etc/passwd fi if [ ! -f etc/group ] then grep /etc/group -e "^root" > etc/group fi # grep the Username, which was given to us, from /etc/passwd and add it # to ./etc/passwd replacing the $HOME with the directory as it will then # appear in the jail echo "Adding User $USER to jail" grep /etc/passwd -e "^$USER" | \ sed -e s/\\/home\\/$USER\\/home\\//\\/home\\// \ -e s/\\/bin\\/chroot-$USER/\\/bin\\/bash/ >> etc/passwd # if the systems uses the one account/one group system we write the # account`s group to etc/group grep /etc/group -e "^$USER:" >> etc/group # write the User's line from /etc/shadow to /home/jail/etc/shadow grep /etc/shadow -e "^$USER:" >> etc/shadow chmod 400 /home/$USER/etc/shadow } addprogram(){ cd /home/$USER if [ ! -d "/home/$USER" ] then echo -e "Adding new program failed!\n/home/$USER does not exists" exit 1 fi if [ -e ".$app" ] then echo -e "Program already exists in /home/$USER$app" sleep 1 exit 1 fi echo "Copying necessary library-files to jail (may take some time)" mkdir -p .`dirname $app` cp -a $app .$app # get list of necessary libraries ldd $app > /dev/null if [ "$?" = 0 ] then LIBS=`ldd $app | awk '{ print $3 }'` for lib in $LIBS do if [ -e "/home/$USER$lib" ] then echo "/home/$USER$lib already exists" else echo "Copying $lib" mkdir -p .`dirname $lib` > /dev/null 2>&1 cp $lib .$lib fi done fi } case "$1" in -[uU]) createjail addjailuser ;; -[pP]) app="$3" addprogram ;; *) echo "Error: Parameter missing" echo echo " Creating new chrooted account:" echo " Usage: $0 -u username" echo echo " Copy program to jail environment" echo " Usage: $0 -p username /full/path/to/program" echo echo " To uninstall: # userdel \$USER" echo " # rm -rf /home/jail" echo " delete the User's line from /etc/sudoers" ;; esac exit 0 #p |
i used your script, no errors while it ran, but when i do su test i get:
/usr/sbin/chroot: cannot run command `/bin/su': No such file or directory /home/test/bin: -rwsr-xr-x 1 root root 52770 Oct 5 17:50 su /etc/passwd: test:x:502:502::/home/test/home/test:/bin/chroot-test /home/test/etc/passwd: test:x:502:502::/home/test:/bin/bash |
I think your "su" is not in the /bin directory.
Type "which su", if su is in a different directory then you will have to adjust /bin/chroot-test |
[root@server map]# which su
/bin/su [root@server map]# :/ |
Does su work with other users? What is the output of "ls -al /bin/su"?
And can you try to login as root with "/bin/su - test" |
[root@server ~]# ls -al /bin/su
-rwsr-xr-x 1 root root 52770 Oct 5 17:50 /bin/su [root@server ~]# /bin/su - test /usr/sbin/chroot: cannot run command `/bin/su': No such file or directory |
The command says:
Code:
chroot-shell |
frenchn00b, please don't resurrect dead threads.
Help us keep LQSEC as zombie-free as possible. Thread closed. |
| All times are GMT -5. The time now is 07:10 PM. |