LinuxQuestions.org
Old 12-13-2002, 03:36 PM   #1
Gimpy
LQ Newbie
 
Registered: Oct 2002
Location: Montreal, Quebec, Canada
Distribution: Slackware 8.1
Posts: 8

Rep: Reputation: 0
Question Chroot jail


Hi there!

I'm trying to set up a shell server to host eggdrop. I want it to be secure for me :P so that nobody can access all the files in my computer. I found out that I could do this with "chroot jail" but I can't manage to create one. Here's what I did and the error it gave me:

bash-> chroot /home/test/

chroot: cannot execute /bin/bash: No such file or directory

Can someone here help me...I tried the 2 progs JailTool (http://www.westfalen.de/~gb/) and Jail Chroot Project (http://www.gsyc.inf.uc3m.es/~assman/jail/)

Thanks
 
Old 12-13-2002, 04:00 PM   #2
dazk
Member
 
Registered: Dec 2002
Location: Germany
Distribution: Gentoo Linux 1.4
Posts: 43

Rep: Reputation: 15
Do you have an executable file at that location?

/home/test/bin/bash
 
Old 12-13-2002, 09:24 PM   #3
Gimpy
LQ Newbie
 
Registered: Oct 2002
Location: Montreal, Quebec, Canada
Distribution: Slackware 8.1
Posts: 8

Original Poster
Rep: Reputation: 0
Well I have the executable in my real /bin/bash

I tried to make a "ln -s /bin" in /home/test/, but it didn't work. It says:

chroot: cannot execute /bin/bash:: Too many levels of symbolic links

I then tried to "cp /bin/bash /home/test/bin", but that didn't work either:
chroot: cannot execute /bin/bash: No such file or directory
 
Old 12-14-2002, 01:50 AM   #4
markus1982
Senior Member
 
Registered: Aug 2002
Location: Stuttgart (Germany)
Distribution: Debian/GNU Linux
Posts: 1,467

Rep: Reputation: 46
Well what about the libraries for /bin/bash? Did you copy them also? To find out what libraries you need:

ldd /bin/bash
 
Old 12-14-2002, 02:48 AM   #5
dazk
Member
 
Registered: Dec 2002
Location: Germany
Distribution: Gentoo Linux 1.4
Posts: 43

Rep: Reputation: 15
Links will never work if they point outside the chroot jail.

If you chroot to /home/test and /home/test/bin is a symlink to /bin in the real filesystem you'll end up having a loop since within the chroot /bin is /home/test/bin in your fs. The point of chroot is to set / at a different level, in your case /home/test. The point is to not be able to reach out of /home/test, being / in the chroot, at all.
So below /home/test you have to have all the binaries you want to execute and all the libraries they need to do so. Additionally you need the configfiles for the apps you want to use there.

As Markus said, ldd is your friend to figure out which libraries are needed.
 
Old 12-14-2002, 10:47 AM   #6
Gimpy
LQ Newbie
 
Registered: Oct 2002
Location: Montreal, Quebec, Canada
Distribution: Slackware 8.1
Posts: 8

Original Poster
Rep: Reputation: 0
What you said worked perfectly. I can now set up a chroot jail.

The thing is, I'd like to be able to use the chroot jail when someone logs in to my ssh server.

I tried this http://tjw.org/chroot-login-HOWTO/ but it doesn't work...it gives me an error when I login with the user that uses the chrooted jail (in this case the user peon)

It does the command sudo .... but the result is a simple:

Sorry

Thanks for helping me out here
 
Old 12-15-2002, 04:52 PM   #7
Gimpy
LQ Newbie
 
Registered: Oct 2002
Location: Montreal, Quebec, Canada
Distribution: Slackware 8.1
Posts: 8

Original Poster
Rep: Reputation: 0
I can't get the chrooted environment to work when I ssh to my server

I also tried this http://chrootssh.sourceforge.net/ but still no result

Does someone have an idea?
 
Old 05-03-2010, 09:59 AM   #8
hunter3740
LQ Newbie
 
Registered: Mar 2010
Location: Pittsburgh
Distribution: Debian 6
Posts: 27

Rep: Reputation: 16
copy files so as to mirror essential files inside chroot (and avoid outside links)

Better late than never (because I was searching for help on this and I like this forum; i.e. want to share knowledge because I'm looking for it too). I would agree with dazk about the symbolic links: *copy* essential files over so as to mirror where they would relatively be, like for lenny, a simple start would be:

sudo apt-get install libpam-chroot
sudo pico /etc/security/chroot.conf
(then add a line like "username /home/chroot", ctrl "x", "y", enter)
sudo pico /etc/pam.d/common-session
(then add "session required pam_chroot.so")
sudo mkdir /home/chroot
sudo mkdir /home/chroot/{home,bin,dev,lib}
sudo cp /bin/bash /home/chroot/bin/
sudo cp -a /bin/sh /home/chroot/bin/
sudo mknod -m 660 /home/chroot/dev/zero c 1 5
sudo mknod -m 660 /home/chroot/dev/null c 1 3
sudo cp -a /lib/{libncurses.so.5,libdl.so.2,libc.so.6,ld-linux.so.2} /home/chroot/lib/
sudo cp /lib/{libncurses.so.5.7,libdl-2.7.so,libc-2.7.so,ld-2.7.so} /home/chroot/lib/

note: if you want more commands, use "ldd command" (e.g. ldd /bin/bash) to know which libraries to copy over, and of course, if anything is updated, you'll need to update the chroot copies. Also, use "ls -la" to see if the command you want is a link (i.e. use "cp -a" so as to preserve that relative link and not have it link back to the original file; and of course, copy the file it links to), and also note if it has special permissions (e.g. /dev are 660).

Last edited by hunter3740; 05-05-2010 at 12:52 PM.
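
Added example, not part of any post in this thread: a small shell helper for the "ldd, then copy" step described above, which copies a binary and every library ldd reports into the jail at the same relative paths. It uses cp -L (dereference) instead of the cp -a approach in the post, so no symlink in the jail can point back outside it; the function names and the sample ldd output are constructed for illustration.

```shell
#!/bin/sh
# Added example: populate a chroot jail with a binary and its shared libraries.

# Read `ldd` output on stdin and print one absolute library path per line.
# Handles "name => /path (addr)" and the bare loader line "/lib/ld-linux.so.2 (addr)".
# Entries with no file on disk (linux-gate / linux-vdso) and "not found" are skipped.
ldd_paths() {
    awk '
        $2 == "=>" && $3 ~ /^\// { print $3; next }
        $1 ~ /^\//               { print $1 }
    ' | sort -u
}

# Copy one file into the jail at the same relative location.
# cp -L follows symlinks, so the jail gets a real file rather than a link.
copy_into_jail() {
    src=$1 jail=$2
    mkdir -p "$jail$(dirname "$src")" && cp -L "$src" "$jail$src"
}

# Copy a binary and everything ldd lists for it. A missing dynamic loader is
# what produces "cannot execute ...: No such file or directory" inside a chroot.
populate_jail() {
    bin=$1 jail=$2
    copy_into_jail "$bin" "$jail" || return 1
    ldd "$bin" | ldd_paths | while read -r lib; do
        copy_into_jail "$lib" "$jail" || exit 1
    done
}

# Constructed sample of ldd output (not captured from the machines in this thread).
SAMPLE_LDD='	linux-gate.so.1 =>  (0xb7f0a000)
	libncurses.so.5 => /lib/libncurses.so.5 (0xb7ec0000)
	libdl.so.2 => /lib/libdl.so.2 (0xb7ebc000)
	libc.so.6 => /lib/libc.so.6 (0xb7d61000)
	/lib/ld-linux.so.2 (0xb7f0b000)'

# Usage (as root): populate_jail /bin/bash /home/chroot
```

Re-run populate_jail after every package update that touches the binary or its libraries, since the jail holds copies.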
 
Old 05-03-2010, 10:37 AM   #9
hunter3740
LQ Newbie
 
Registered: Mar 2010
Location: Pittsburgh
Distribution: Debian 6
Posts: 27

Rep: Reputation: 16
chroot ssh

Quote:
Originally Posted by Gimpy View Post
I can't get the chrooted environment to work when I ssh to my server
Right: mine works for local login, but not ssh. I'm reading /usr/share/doc/libpam-chroot/README.Debian.gz...

...for sure, had to supplement the above:
sudo mkdir /home/chroot/dev/pts
sudo mkdir /home/chroot/proc
sudo pico /etc/fstab
(add "none /home/chroot/dev/pts devpts defaults 0 0")
(add "proc /home/chroot/proc proc defaults 0 0")
sudo mount -a
sudo mknod -m 666 /home/chroot/dev/ptmx c 5 2

but then I just get kicked out after logging in. So, I'm with you Gimpy on hoping someone will post a clue for chroot and ssh (and not just some link to a script)...

Last edited by hunter3740; 05-05-2010 at 12:38 PM.
 
Old 05-03-2010, 02:55 PM   #10
vikas027
Senior Member
 
Registered: May 2007
Location: Sydney
Distribution: RHEL, CentOS, Debian, OS X
Posts: 1,267

Rep: Reputation: 99
Thumbs up

To jail users, I used these links.

https://sourceforge.net/projects/lshell/files/
http://michael-prokop.at/chroot/

See if these links help you out.
 
Old 05-07-2010, 01:30 PM   #11
hunter3740
LQ Newbie
 
Registered: Mar 2010
Location: Pittsburgh
Distribution: Debian 6
Posts: 27

Rep: Reputation: 16
chrootdirectory in /etc/ssh/sshd_config

OK, so totally undid all my chroot (i.e. reverted everything to before my chroot adventure began), and simply did the following (as newer openSSH has conf file directives "chrootdirectory directory" and "forcecommand internal-sftp" built-in, and my people will never log in locally via the console):

sudo pico /etc/ssh/sshd_config
(replace "Subsystem sftp /usr/lib/openssh/sftp-server" with "subsystem sftp internal-sftp"; also, add the following (to the very bottom)):
match group groupname
chrootdirectory %u
forcecommand internal-sftp)
sudo /etc/init.d/ssh restart
sudo groupadd groupname
sudo usermod -aG groupname -d /home/ username
sudo chown root.root /home/username

Yet I'm no better off than before: when I connect to the machine (with a member of groupname), I just get "connection to [my.host] closed". At least someone can read this and know that you don't have to do all that chroot stuff (anymore) if all your people are going to do is sftp…


RESULTS (just tail/not full output):
ssh -v username@my.host:
...
debug1: Entering interactive session.
debug1: channel 0: free: client-session, nchannels 1
Read from remote host my.host: Connection reset by peer
Connection to my.host closed.
Transferred: sent 1632, received 1800 bytes, in 0.0 seconds
Bytes per second: sent 331161.3, received 365251.4
debug1: Exit status -1

sftp -v username@my.host:
...
debug1: Entering interactive session.
debug1: channel 0: free: client-session, nchannels 1
debug1: fd 0 clearing O_NONBLOCK
Read from remote host db1.neurobio.pitt.edu: Connection reset by peer
Transferred: sent 1632, received 1800 bytes, in 0.0 seconds
Bytes per second: sent 261283.5, received 288180.3
debug1: Exit status -1
Connection closed

Last edited by hunter3740; 05-07-2010 at 01:47 PM.
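
Added example, not part of any post in this thread: sshd_config(5) documents that every component of the ChrootDirectory pathname must be a root-owned directory that is not writable by group or others, and sshd refuses the session otherwise. The shell check below walks a candidate directory up to / and reports each component that breaks that rule; the function names are hypothetical, it needs an absolute path, and it assumes GNU stat.

```shell
#!/bin/sh
# Added example: check a directory against the ownership and permission rule
# that sshd_config(5) documents for ChrootDirectory.

# A component passes when it is owned by uid 0 and has no group/other write bit.
# $2 is the octal mode as printed by stat (for example 755 or 1777).
component_ok() {
    uid=$1 mode=$2
    [ "$uid" -eq 0 ] && [ $(( 0$mode & 022 )) -eq 0 ]
}

# Walk from the given absolute path up to / and report every failing component.
# Returns 0 if all components pass, 1 if any fails, 2 if the path is not absolute.
check_chroot_path() {
    dir=$1 rc=0
    case $dir in
        /*) ;;
        *)  echo "not an absolute path: $dir" >&2; return 2 ;;
    esac
    while :; do
        if [ ! -d "$dir" ]; then
            echo "FAIL $dir (not a directory)"; rc=1
        else
            # GNU stat: %u = owner uid, %a = octal mode
            set -- $(stat -c '%u %a' "$dir")
            component_ok "$1" "$2" || { echo "FAIL $dir uid=$1 mode=$2"; rc=1; }
        fi
        [ "$dir" = / ] && break
        dir=$(dirname "$dir")
    done
    return $rc
}

# Usage: check_chroot_path /home/username && echo "usable as ChrootDirectory"
```

Running sshd in debug mode or reading the server's auth log shows the server-side reason for a dropped session, which the client-side -v output does not.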
 
  


All times are GMT -5.