LinuxQuestions.org

Linux - Software > Chroot jail (http://www.linuxquestions.org/questions/linux-software-2/chroot-jail-38272/)

Gimpy 12-13-2002 04:36 PM

Chroot jail
 
Hi there!

I'm trying to set up a shell server to host eggdrop. I want it to be secure for me :P so that nobody can access all the files on my computer. I found out that I could do this with a "chroot jail" but I can't manage to create one :( Here's what I did and the error it gave me:

bash-> chroot /home/test/

chroot: cannot execute /bin/bash: No such file or directory

Can someone here help me? I tried the two programs JailTool (http://www.westfalen.de/~gb/) and the Jail Chroot Project (http://www.gsyc.inf.uc3m.es/~assman/jail/).

Thanks

dazk 12-13-2002 05:00 PM

do you have an executable file at that location?

/home/test/bin/bash

Gimpy 12-13-2002 10:24 PM

Well I have the executable in my real /bin/bash

I tried to make a "ln -s /bin" in /home/test/; it didn't work, it says:

chroot: cannot execute /bin/bash:: Too many levels of symbolic links

I then tried to "cp /bin/bash /home/test/bin"; that didn't work either :(
chroot: cannot execute /bin/bash: No such file or directory

markus1982 12-14-2002 02:50 AM

Well what about the libraries for /bin/bash? Did you copy them also? To find out what libraries you need:

ldd /bin/bash

dazk 12-14-2002 03:48 AM

Links will never work if they point outside the chroot jail.

If you chroot to /home/test and /home/test/bin is a symlink to /bin in the real filesystem you'll end up having a loop since within the chroot /bin is /home/test/bin in your fs. The point of chroot is to set / at a different level, in your case /home/test. The point is to not be able to reach out of /home/test, being / in the chroot, at all.
So below /home/test you have to have all the binaries you want to execute and all the libraries they need to do so. Additionally you need the config files for the apps you want to use there.

As Markus said, ldd is your friend to figure out which libraries are needed.

Gimpy 12-14-2002 11:47 AM

What you said worked perfectly, I can now set up a chroot jail.

The thing is, I'd like to be able to use the chroot jail when someone logs in to my ssh server.

I tried this http://tjw.org/chroot-login-HOWTO/ but it doesn't work... it gives me an error when I log in with the user that uses the chrooted jail (in this case the user peon).

It runs the sudo .... command but the result is a simple:

Sorry

Thanks for helping me out here

Gimpy 12-15-2002 05:52 PM

I can't get the chrooted environment to work when I ssh to my server :(

I also tried this http://chrootssh.sourceforge.net/ but still no result

Does someone have an idea?

hunter3740 05-03-2010 10:59 AM

copy files so as to mirror essential files inside chroot (and avoid outside links)
 
Better late than never (because I was searching for help on this and I like this forum; i.e. I want to share knowledge because I'm looking for it too). I would agree with dazk about the symbolic links: *copy* essential files over so as to mirror where they would relatively be; for lenny, a simple start would be:

sudo apt-get install libpam-chroot
sudo pico /etc/security/chroot.conf
(then add a line like "username /home/chroot", ctrl "x", "y", enter)
sudo pico /etc/pam.d/common-session
(then add "session required pam_chroot.so")
sudo mkdir /home/chroot
sudo mkdir /home/chroot/{home,bin,dev,lib}
sudo cp /bin/bash /home/chroot/bin/
sudo cp -a /bin/sh /home/chroot/bin/
sudo mknod -m 660 /home/chroot/dev/zero c 1 5
sudo mknod -m 660 /home/chroot/dev/null c 1 3
sudo cp -a /lib/{libncurses.so.5,libdl.so.2,libc.so.6,ld-linux.so.2} /home/chroot/lib/
sudo cp /lib/{libncurses.so.5.7,libdl-2.7.so,libc-2.7.so,ld-2.7.so} /home/chroot/lib/

note: if you want more commands, use "ldd command" (e.g. ldd /bin/bash) to know which libraries to copy over, and of course, if anything is updated, you'll need to update the chroot copies. Also, use "ls -la" to see if the command you want is a link (i.e. use "cp -a" so as to preserve that relative link and not have it link back to the original file; and of course, copy the file it links to), and also note if it has special permissions (e.g. the /dev nodes are 660).
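dazk's and markus1982's advice (copy the binary, run ldd, copy every library, never link out of the jail) and hunter3740's copy list above, put into one script. This is an added example, not code from the thread or from libpam-chroot; it assumes a GNU/Linux host with ldd, readlink and mknod, and a jail root such as /home/test.

```shell
#!/bin/sh
# Populate a chroot jail with a program and everything it needs, mirroring the
# host paths so that /bin/bash on the host becomes $JAIL/bin/bash in the jail.
# Nothing is symlinked to the host: links are copied as links (cp -a) and each
# link target is copied too, so no path resolves outside the jail.
set -eu

# jail_file JAIL PATH: copy one file, following a symlink chain link by link
# (e.g. /lib/libc.so.6 -> libc-2.7.so) so both the link and its target land
# at their own mirrored locations inside the jail.
jail_file() {
    jail=$1; f=$2
    while :; do
        mkdir -p "$jail$(dirname "$f")"
        # skip files already present; re-run after host upgrades to refresh
        if ! [ -e "$jail$f" ] && ! [ -L "$jail$f" ]; then
            cp -a "$f" "$jail$f"
        fi
        [ -L "$f" ] || break
        t=$(readlink "$f")
        case $t in /*) f=$t ;; *) f=$(dirname "$f")/$t ;; esac
    done
}

# jail_libs BIN: print the shared libraries ldd reports for BIN, one per line
# (absolute paths only, so the vdso pseudo-library is skipped automatically).
jail_libs() {
    ldd "$1" 2>/dev/null | awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) print $i }'
}

# jail_copy JAIL BIN: copy BIN and every library it needs into JAIL.
jail_copy() {
    jail=$1; bin=$2
    jail_file "$jail" "$bin"
    for lib in $(jail_libs "$bin"); do
        jail_file "$jail" "$lib"
    done
}

# jail_devnodes JAIL: create the /dev/null and /dev/zero nodes a jailed shell
# needs (same major/minor numbers as in the thread); requires root.
jail_devnodes() {
    mkdir -p "$1/dev"
    [ -e "$1/dev/null" ] || mknod -m 666 "$1/dev/null" c 1 3
    [ -e "$1/dev/zero" ] || mknod -m 666 "$1/dev/zero" c 1 5
}

# usage (as root): jail_copy /home/test /bin/bash; jail_devnodes /home/test
```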

hunter3740 05-03-2010 11:37 AM

chroot ssh
 
Quote (originally posted by Gimpy, Post 185139):
> I can't get the chrooted environment to work when I ssh to my server

right: mine works for local login, but not ssh. I'm reading /usr/share/doc/libpam-chroot/README.Debian.gz...

...for sure, I had to supplement the above:
sudo mkdir /home/chroot/dev/pts
sudo mkdir /home/chroot/proc
sudo pico /etc/fstab
(add "none /home/chroot/dev/pts devpts defaults 0 0")
(add "proc /home/chroot/proc proc defaults 0 0")
sudo mount -a
sudo mknod -m 666 /home/chroot/dev/ptmx c 5 2

but then I just get kicked out after logging in. So, I'm with you Gimpy on hoping someone will post a clue for chroot and ssh (and not just some link to a script)...

vikas027 05-03-2010 03:55 PM

To jail users, I used these links.

https://sourceforge.net/projects/lshell/files/
http://michael-prokop.at/chroot/

See if these links help you out.

hunter3740 05-07-2010 02:30 PM

chrootdirectory in /etc/ssh/sshd_config
 
OK, so I totally undid all my chroot (i.e. reverted everything to before my chroot adventure began), and simply did the following (as newer OpenSSH has the config file directives "chrootdirectory directory" and "forcecommand internal-sftp" built in, and my people will never log in locally via the console):

sudo pico /etc/ssh/sshd_config
(replace "Subsystem sftp /usr/lib/openssh/sftp-server" with "subsystem sftp internal-sftp"; also, add the following (to the very bottom)):
match group groupname
chrootdirectory %u
forcecommand internal-sftp)
sudo /etc/init.d/ssh restart
sudo groupadd groupname
sudo usermod -aG groupname -d /home/ username
sudo chown root.root /home/username

Yet I'm no better off than before: when I connect to the machine (with a member of groupname), I just get "connection to [my.host] closed". At least someone can read this and know that you don't have to do all that chroot stuff (anymore) if all your people are going to do is sftp…


RESULTS (just the tail, not the full output):
ssh -v username@my.host:
...
debug1: Entering interactive session.
debug1: channel 0: free: client-session, nchannels 1
Read from remote host my.host: Connection reset by peer
Connection to my.host closed.
Transferred: sent 1632, received 1800 bytes, in 0.0 seconds
Bytes per second: sent 331161.3, received 365251.4
debug1: Exit status -1

sftp -v username@my.host:
...
debug1: Entering interactive session.
debug1: channel 0: free: client-session, nchannels 1
debug1: fd 0 clearing O_NONBLOCK
Read from remote host db1.neurobio.pitt.edu: Connection reset by peer
Transferred: sent 1632, received 1800 bytes, in 0.0 seconds
Bytes per second: sent 261283.5, received 288180.3
debug1: Exit status -1
Connection closed

