LinuxQuestions.org
Review your favorite Linux distribution.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Closed Thread
 
Search this Thread
Old 02-02-2005, 01:27 AM   #1
tdkratboy
LQ Newbie
 
Registered: Feb 2005
Distribution: RedHat 9
Posts: 2

Rep: Reputation: 0
Exclamation Jailed Home Dir


What would be the proper way to configure a user to be "jailed" in his home directory without having access to any other area of the filesystem? If anyone can point me in the direction of an article or simply explain the process i'd appreciate it, THANKS!
 
Old 02-02-2005, 03:21 AM   #2
marghorp
Senior Member
 
Registered: Jan 2004
Location: Slovenia
Distribution: Slackware 10.1, SLAX to the MAX :)
Posts: 1,040

Rep: Reputation: 45
Once a user logs in, he is in his home directory. Change permissions to the /home directory according to the ones you need. I don't know if taking away the read and execute rights on the /home directory would still allow a user to be in his home directory. It would not allow him to go out of his directory for certain. So some other oppinions are welcome here.
 
Old 02-03-2005, 01:05 AM   #3
DaHammer
Member
 
Registered: Oct 2003
Location: Planet Earth
Distribution: Slackware, LFS
Posts: 561

Rep: Reputation: 30
If the user has shell access, ie logs in locally or remotely using SSH and etc, then you'd have to set a miniture environment for them inside the jail, complete with every program that you want them to have access to. That includes everything from the basic linux utilities like "ls" on up, as well as the shell (/bin/bash and etc) itself. Afterall, if they can not access /usr/bin and etc, then they can not possibly run a program that's within it. And a shell that provides nothing to the user is of no use that I can see. There are alot of projects around that simplify this for you, here's a couple:
http://www.jmcresearch.com/projects/jail/
http://olivier.sessink.nl/jailkit/

Also changing the permissions on their home directory will not accomplish this. They still have access to / and everything else where the permissions permit them access.

Anyway, at the end of the day you should ask yourself 1 simple question. Do I trust this person with shell access to my box? If the answer is no, then the best policy is to not give them access in the first place. That said, so long as you take measures to secure the box, taking into account that other people will have access to it, and you monitor their activity on it, then giving a freind access is not that big of deal in my opinion. For instance, my ISP still gives every single customer of theirs, from dialup customers on up, shell access on a high speed Red Hat machine.
 
Old 02-04-2005, 09:28 AM   #4
pk21
Member
 
Registered: Jun 2002
Location: Netherlands - Amsterdam
Distribution: RedHat 9
Posts: 549

Rep: Reputation: 30
I created a script to create chroot jails for a user which i have used on many redhat systems, maybe you can use it:



#!/bin/bash

USER="$2"

JAILDIRS="dev etc etc/pam.d bin home sbin usr usr/bin"
APPS="/bin/bash /bin/cp /bin/ls /bin/mkdir /bin/mv /bin/rm /bin/rmdir /bin/sh /bin/su /usr/bin/id /bin/cat /usr/bin/mysql /bin/chmod /bin/vi /usr/bin/less /usr/bin/scp"



createjail(){
# make common jail for everybody if inexistent
if [ ! -d "/home/$USER" ]
then
mkdir -p "/home/$USER"
echo "Creating /home/$USER"
else
echo -e "Creating jail failed!\n/home/$USER already exists"
sleep 1
exit 1
fi

cd /home/$USER

# Create /bin/chroot-shell (Shell for jailed accounts)
if [ ! -x "/bin/chroot-$USER" ]
then
echo "Creating /bin/chroot-$USER"
################################
echo -e "#!/bin/sh

if [ \"\$1\" = \"-c\" ]
then
sudo `which chroot` /home/\$USER /bin/su - \$USER -c /bin/bash \"\$@\"
else
sudo `which chroot` /home/\$USER /bin/su - \$USER
fi

exit 0" > /bin/chroot-$USER
################################
chmod 755 /bin/chroot-$USER
fi

# Create Directories in jail that do not exist yet
for directory in $JAILDIRS ; do
if [ ! -d "/home/$USER/$directory" ] ; then
mkdir "/home/$USER/$directory"
echo "Creating /home/$USER/$directory"
fi
done

# Copy the apps and the related libs
echo "Copying necessary library-files to jail (may take some time)"
for app in $APPS
do
cp -a $app .$app

# get list of necessary libraries
ldd $app > /dev/null
if [ "$?" = 0 ] ; then
LIBS=`ldd $app | awk '{ print $3 }'`
for lib in $LIBS
do
mkdir -p .`dirname $lib` > /dev/null 2>&1
cp $lib .$lib
done
fi
done

# xterm is needed for the "less" command
mkdir -p /home/$USER/usr/share/terminfo/x
cp /usr/share/terminfo/x/xterm /home/$USER/usr/share/terminfo/x

cp -r /etc/pam.d/* ./etc/pam.d/
cp /lib/libnss_compat.so.2 /lib/libnsl.so.1 /lib/libnss_files.so.2 ./lib/
cp -r /lib/security ./lib
echo "" > /home/$USER/usr/bin/clear
chmod 555 /home/$USER/usr/bin/clear

mknod /home/$USER/dev/urandom c 1 9
mknod /home/$USER/dev/tty c 5 0
mknod /home/$USER/dev/zero c 1 5
mknod /home/$USER/dev/null c 1 3

#needed for traceroute
cp /etc/protocols /home/$USER/etc/
cp /etc/services /home/$USER/etc/
}

addjailuser(){
cd /home/$USER
# Get accountname to create
HOMEDIR="/home/$USER/home/$USER"

echo

if [ ! -d "/home/$USER" ]
then
echo -e "Adding new user failed!\n/home/$USER does not exists"
exit 1
fi

# Exit if User exists
id $USER > /dev/null 2>&1 && { echo "User already exists."; sleep 1; exit 1; }

echo "Modifying /etc/sudoers"
echo "$USER ALL=NOPASSWD: /usr/sbin/chroot, /bin/su - $USER" >> /etc/sudoers


echo "Adding User \"$USER\" to system"
useradd -d "$HOMEDIR" -s "/bin/chroot-$USER" $USER
chmod 700 "$HOMEDIR"

# Enter password for new account
passwd $USER

# Create /usr/bin/groups in the jail
if [ ! -x "usr/bin/groups" ]
then
echo "#!/bin/bash" > usr/bin/groups
echo "id -Gn" >> usr/bin/groups
chmod 755 usr/bin/groups
fi

# Add users to etc/passwd
#
# check if file exists (ie we are not called for the first time)
# if yes skip root's entry and do not overwrite the file
if [ ! -f etc/passwd ]
then
grep /etc/passwd -e "^root" > etc/passwd
fi
if [ ! -f etc/group ]
then
grep /etc/group -e "^root" > etc/group
fi


# grep the Username, which was given to us, from /etc/passwd and add it
# to ./etc/passwd replacing the $HOME with the directory as it will then # appear in the jail
echo "Adding User $USER to jail"
grep /etc/passwd -e "^$USER" | \
sed -e s/\\/home\\/$USER\\/home\\//\\/home\\// \
-e s/\\/bin\\/chroot-$USER/\\/bin\\/bash/ >> etc/passwd

# if the systems uses the one account/one group system we write the
# account`s group to etc/group
grep /etc/group -e "^$USER:" >> etc/group

# write the User's line from /etc/shadow to /home/jail/etc/shadow
grep /etc/shadow -e "^$USER:" >> etc/shadow
chmod 400 /home/$USER/etc/shadow
}


addprogram(){
cd /home/$USER

if [ ! -d "/home/$USER" ]
then
echo -e "Adding new program failed!\n/home/$USER does not exists"
exit 1
fi

if [ -e ".$app" ]
then
echo -e "Program already exists in /home/$USER$app"
sleep 1
exit 1
fi

echo "Copying necessary library-files to jail (may take some time)"
mkdir -p .`dirname $app`
cp -a $app .$app

# get list of necessary libraries
ldd $app > /dev/null
if [ "$?" = 0 ]
then
LIBS=`ldd $app | awk '{ print $3 }'`
for lib in $LIBS
do
if [ -e "/home/$USER$lib" ]
then
echo "/home/$USER$lib already exists"
else
echo "Copying $lib"
mkdir -p .`dirname $lib` > /dev/null 2>&1
cp $lib .$lib
fi
done
fi
}


case "$1" in
-[uU])
createjail
addjailuser
;;
-[pP])
app="$3"
addprogram
;;
*)
echo "Error: Parameter missing"
echo
echo " Creating new chrooted account:"
echo " Usage: $0 -u username"
echo
echo " Copy program to jail environment"
echo " Usage: $0 -p username /full/path/to/program"
echo
echo " To uninstall: # userdel \$USER"
echo " # rm -rf /home/jail"
echo " delete the User's line from /etc/sudoers"
;;
esac


exit 0

#p
 
Old 02-13-2005, 07:26 PM   #5
Gregster
LQ Newbie
 
Registered: Jan 2005
Location: Belgium
Posts: 5

Rep: Reputation: 0
i used your script, no errors while it ran, but when i do su test i get:

/usr/sbin/chroot: cannot run command `/bin/su': No such file or directory

/home/test/bin:
-rwsr-xr-x 1 root root 52770 Oct 5 17:50 su

/etc/passwd:
test:x:502:502::/home/test/home/test:/bin/chroot-test

/home/test/etc/passwd:
test:x:502:502::/home/test:/bin/bash
 
Old 02-14-2005, 07:13 AM   #6
pk21
Member
 
Registered: Jun 2002
Location: Netherlands - Amsterdam
Distribution: RedHat 9
Posts: 549

Rep: Reputation: 30
I think your "su" is not in the /bin directory.
Type "which su", if su is in a different directory then you will have to adjust /bin/chroot-test
 
Old 02-14-2005, 08:26 AM   #7
Gregster
LQ Newbie
 
Registered: Jan 2005
Location: Belgium
Posts: 5

Rep: Reputation: 0
[root@server map]# which su
/bin/su
[root@server map]#

:/
 
Old 02-14-2005, 09:34 AM   #8
pk21
Member
 
Registered: Jun 2002
Location: Netherlands - Amsterdam
Distribution: RedHat 9
Posts: 549

Rep: Reputation: 30
Does su work with other users? What is the output of "ls -al /bin/su"?
And can you try to login as root with "/bin/su - test"
 
Old 02-14-2005, 09:47 AM   #9
Gregster
LQ Newbie
 
Registered: Jan 2005
Location: Belgium
Posts: 5

Rep: Reputation: 0
[root@server ~]# ls -al /bin/su
-rwsr-xr-x 1 root root 52770 Oct 5 17:50 /bin/su

[root@server ~]# /bin/su - test
/usr/sbin/chroot: cannot run command `/bin/su': No such file or directory
 
Old 06-19-2010, 07:34 AM   #10
frenchn00b
Senior Member
 
Registered: Jun 2007
Location: E.U., Mountains :-)
Distribution: Debian, Etch, the greatest
Posts: 2,546

Rep: Reputation: 51
The command says:

Code:
chroot-shell 
/usr/sbin/chroot: failed to run command `/bin/su': No such file or directory
 
Old 06-19-2010, 08:51 AM   #11
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371Reputation: 371Reputation: 371Reputation: 371
frenchn00b, please don't resurrect dead threads.

Help us keep LQSEC as zombie-free as possible. Thread closed.
 
  


Closed Thread


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Can't write to home dir. Mirari Linux - General 5 05-22-2005 03:42 PM
Can't write to my home dir Seiken Linux - Newbie 5 02-16-2005 09:42 AM
howto make a dir shared that is not in my home dir Schmurff Linux - Newbie 2 06-19-2004 08:54 PM
Apache Home Dir Nige General 1 02-24-2004 05:10 PM
home dir vsftpd ilengna Linux - Networking 7 10-14-2003 08:58 PM


All times are GMT -5. The time now is 01:52 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration