LinuxQuestions.org


Agento- 01-19-2003 02:15 AM

Execute bash through a symlink?
 
Hey, I'm trying to set up a chrooted environment. I am using "Jail Chroot Project 1.9". I made a basic chroot environment that I have added software to (including bash).

When I add a new user, I create a new /home/username directory and also add that as a new chroot environment.

What I want to do is to link my main environment's folders like bin, lib, usr, var to each user's home directory, so one change will be effective for all chrooted users. I have tried to do this by making hardlinks and I get permission denied (main environment and individual environments are on the same partition). If I do it with symlinks it appears to work fine, but when I go to log in as a user, it says "Jail: can't canonize path "/bin/bash". Bad path?"

Yet if I cd to /home/test/bin, the bash executable is in the listing.

Anyone have any ideas?

Agento-

jdc2048 01-19-2003 03:08 AM

I believe that would be correct. If you could still access the main executables under "/bin" then it wouldn't be a true "jail". It would be more like one of those minimum security prisons where they have spas and personal chefs.

You will need to make a script that copies the necessary executables/libraries to the users directory structure.

Agento- 01-19-2003 03:30 AM

Ok, I'm not sure if I made clear what I did or not... I made a base jailed environment that had a very minimal set of binaries in it, along with required libraries and such. I wanted to link this up so that it appeared that every user on the system that is "jailed" has the same folders (bin, var, usr, lib), so if I need to add an application/library or something I would only have to do so in one place.

Does that make sense?

I have it all working but the only way I could figure out to do it is with a single mount for each user.

I had to mount --bind /var/jail /home/username/.jail

then I was able to symlink bin -> .jail/bin and so on.

I tried to symlink straight to /var/jail/bin and so on... but it said that it could not canonize /bin/bash or something. I don't know if you have to symlink from the same level in the directory structure or something like that to get it to work. But doing this seems to fix the problem.

I also tried to hardlink from /home/jail/whatever to the user's home but that didn't work, said operation not permitted.

So doing this with a single mount per user is fine I guess... but my only concern is that there are going to be tons of mounts active. Is this a problem aside from having to put them in a system init file to mount on startup?

Thanks for your help in figuring this out!

Agento-

unSpawn 01-19-2003 07:14 AM

(...) Does that make sense?
No. You will have to think again what your goal is to provide a chrooted jail for every user. If you still want every user to be chrooted you'll have to bear the consequences. To make it easier, there are shells out there like Ash and Sash that are static binaries, and there is BusyBox which can provide you with a static binary that will do the work of the GNU "usual suspects". Remember to remove the chroot, mknod, mount and other symlinks.

If you *have* to mount stuff mount it "-o ro" and make sure you're covered using the Grsecurity patches. This will break some stuff if you don't RTF(ine)M, but makes chroots more secure. IIRC jail doesn't provide you to mount /proc automatically and unless you've got everything covered, this is fine. Also make sure you audit which binaries you're going to provide, permissions, setuid etc, etc.

If you want to know more about chrooting, search/post in the security forum, we've got some good threads with info there.

Agento- 01-19-2003 02:09 PM

Thanks man. Yeah, I have it set up and running with a single mount (which is -o ro). It seems to be working fine. I am giving them a VERY restricted set of binaries and libraries. No worries there. The main thing I am worrying about is the number of mounts that will be required. I have only one per user but this could add up quickly. Is this going to cause a problem?

One other problem I ran into is with bash in the chroot. When I log in with a chrooted user... it doesn't load the bash_profile or bashrc. Both dot files are there... any reason this would happen? They are both 644.

Thanks for your help

Agento-

Agento- 01-19-2003 02:23 PM

Sorry, I forgot to include this in the last post. I do have this system set up and running like I specified. I have also set it up with everyone having their own chroot environment and copying the binaries/libraries to their directory.

I'm just not sure which one to stick with. I am trying to set up this system as a shared webhosting server. And I want to be able to offer as much as possible to the users while still restricting them. Does this seem like I should go with sharing a defined set of binaries/libraries for each user, or should I just say screw them and just give them the BARE minimums (bash, and navigational and file editing binaries, along with their required libraries)...

Any suggestions would be much appreciated.

Thanks everyone!

Agento-

twantrd 12-06-2003 03:02 AM

Hi,

I have the same problem as you Agento-. I would like to chroot a user that logs in via ssh. I have read the tutorial on http://www.linuxorbit.com/modules.ph...age&artid=538. Whenever I try to switch to that user (named the user 'jail') it spits out this error.

twantrd@localhost:~$ su - jail
Password:
jail: can't canonize path "/bin/bash". Bad path?

I can't quite follow what you did with all the symlinks to resolve this error. Could you please show me step by step how you solved this problem? The user has the name 'jail' while the directory of his jail is '/var/chroot/home/jail'. Thank you..

-twantrd

Agento- 12-18-2003 11:50 PM

Sorry for the slow reply. This account was signed up under my hotmail email (which gets checked about once a month).

Here's the lowdown. What I wanted to do was create a jailed environment for all hosting users on the server. For the jail chroot project to work correctly you need to:

1. create a jail environment
2. add required software to the chroot environment
i.e. bash, ls, cp, mv, ... (and the required shared libraries)
3. Add users to this jail

If you are not worried about locking the chrooted users out of each other's areas then this is easy. You just create one environment and add everyone to it.

Well, on my system I wanted to completely lock users out of system stuff, limit what they could see and do, and also kill all possibility of them seeing, viewing, messing with each other's stuff.

The most straightforward way of doing this would be to create a jail environment and add the software/libraries to it for each user. However, I was aiming to provide an extensive set of command line tools to the users, so this would have amounted to around 500mb-1gb per user. That was too much disk space... and imagine maintaining that.

What I did to solve this problem was as follows:

1. Set up one jailed environment (/var/jail)
2. Added all required software to the environment (addjailsw I think... but sometimes this failed and I was forced to manually copy executables and required libraries to the appropriate locations)

Now here's where it got tricky...
3. Create a jail environment for each user on the system
4. hard linked the jailed environment to a hidden folder in each of the users' home directories ("/home/joeschmoe/.jail") with mount -ro (read only)
5. created a file called rc.jails that contains these mounts
6. call this file from rc.local so it will load and remount everything on boot

Now we have the basic structure set up... let's give them transparent access to these files.

7. symlink all folders to their proper filesystem names for each user, like /home/joeschmoe/var --> /home/joeschmoe/.jail/var and so on for each of the required file system folders (/var, /usr, /local, /lib,...)

Now, assuming that you have all the required libraries in place and a copy of bash at /bin/bash for each user (/home/joeschmoe/.jail/bin/bash and the /bin symlink) you should be able to log in without a problem.

That's the gist of it. Hopefully that works for you.

If you have any questions post a reply and i'll remember to check my hotmail

:)


Agento-

snocked 02-09-2004 01:30 AM

Quote:

Originally posted by twantrd
Hi,

I have the same problem as you Agento-. I would like to chroot a user that logs in via ssh. I have read the tutorial on http://www.linuxorbit.com/modules.ph...age&artid=538. Whenever I try to switch to that user (named the user 'jail') it spits out this error.

twantrd@localhost:~$ su - jail
Password:
jail: can't canonize path "/bin/bash". Bad path?

I can't quite follow what you did with all the symlinks to resolve this error. Could you please show me step by step how you solved this problem? The user has the name 'jail' while the directory of his jail is '/var/chroot/home/jail'. Thank you..

-twantrd

Same error here. So I copied /bin/bash to chroot environment so the shell for the chroot environment for the user was /bin/bash to eliminate the error. I didn't get the error when I tried sshing now, instead the connection just closes and no error message. :confused:

I then tried just using the bourne shell in the chrooted /etc/passwd for my user because it was installed during addjailsw. I can't even login because my password is wrong now. So I removed the home and shell sources from the real /etc/passwd so my users could get in.

metobln 04-17-2005 10:41 PM

Hello,
have to dig out this old thread. ;)

I think I followed Agento's guide exactly, but I still get that "can't canonize path" error.

Here is what I have done: (it's a script so $1 is the username)
Code:

#create user
adduser "$1"

#set shell to jail
usermod -s /usr/local/bin/jail "$1"

#make homedir to jail environment
/usr/local/bin/mkjailenv "/home/$1"

#add new user to the jail
/usr/local/bin/addjailuser "/home/$1" "/home/$1" /bin/bash "$1"

#create mountpoint
mkdir "/home/$1/.jb"

#mount the jail_base
mount -o ro --bind /var/jail_base/ "/home/$1/.jb"

#create all symlinks for the new user
ln -s "/home/$1/.jb/bin" "/home/$1/bin"
ln -s "/home/$1/.jb/lib" "/home/$1/lib"
ln -s "/home/$1/.jb/root" "/home/$1/root"
ln -s "/home/$1/.jb/tmp" "/home/$1/tmp"
ln -s "/home/$1/.jb/usr" "/home/$1/usr"
ln -s "/home/$1/.jb/var" "/home/$1/var"

Before calling this script I created the jail_base:
Code:

/usr/local/bin/mkjailenv /var/jail_base
/usr/local/bin/addjailsw /var/jail_base
/usr/local/bin/addjailsw /var/jail_base -P awk
/usr/local/bin/addjailsw /var/jail_base -P ssh --version
/usr/local/bin/addjailsw /var/jail_base -P scp --version
/usr/local/bin/addjailsw /var/jail_base -P bash

Is there something I did wrong or is it just not working on my system with this trick? I'm using an old Debian 2.4.21-rc1.

Any help would be greatly appreciated. Many Thanks in advance!

Regards,
Daniel

metobln 04-18-2005 01:51 PM

I solved the problem. I just have been blind in the last morning.

The symlinks have been wrong. Inside the chrooted shell they had no target because they had an absolute reference.

They all should look like this:

ln -s /.jb/bin /home/$1/bin

Thanks to you, Agento-, for that great idea! :)

Daniel
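
The symlink problem found in the post above, as an added example that is not part of the original thread: a small audit that re-roots each top-level symlink target at the jail directory, the way a chrooted process sees it, and reports which links dangle. The function names and the demo tree are assumptions made up for illustration; only one level of link resolution is checked.

```shell
#!/usr/bin/env bash
# Added example: report how each top-level symlink in a jail resolves once
# the jail directory becomes "/" (the view of the chrooted process).

# check_link JAIL LINK: prints "ok" or "dangling"; returns 0, 1, or 2 (not a link).
# One level only: the target is assumed not to be a further symlink.
check_link() {
    local jail="${1%/}" link="$2" target
    target=$(readlink "$link") || return 2
    case $target in
        /*) target="$jail$target" ;;                # absolute: re-rooted at the jail
        *)  target="$(dirname "$link")/$target" ;;  # relative: from the link's directory
    esac
    if [ -e "$target" ]; then echo ok; else echo dangling; return 1; fi
}

# audit_jail JAIL: one line per symlink directly under JAIL; returns 1 if any dangle.
audit_jail() {
    local jail="${1%/}" link status rc=0
    for link in "$jail"/*; do
        [ -L "$link" ] || continue
        status=$(check_link "$jail" "$link") || rc=1
        printf '%-9s %s -> %s\n' "$status" "${link#"$jail"}" "$(readlink "$link")"
    done
    return $rc
}

# Constructed demo tree (assumption: stands in for /home/<user> with the shared
# base mounted on .jb; a plain directory is enough to show path resolution).
demo() {
    local jail
    jail=$(mktemp -d)/home/alice
    mkdir -p "$jail/.jb/bin" "$jail/.jb/lib"
    : > "$jail/.jb/bin/bash"
    ln -s "$jail/.jb/bin" "$jail/bin"   # host-absolute target, as in the first script
    ln -s /.jb/lib "$jail/lib"          # jail-absolute target, as in the fix
    audit_jail "$jail"
}

demo || true   # a non-zero status only means a dangling link was found
```

Running `audit_jail /home/username` before a user's first login flags any link whose target only exists from the host's point of view.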

