04-18-2011, 08:02 AM
#1
Member
Registered: Jul 2010
Posts: 54
chroot error "cannot change root directory to /jail: Operation not permitted"
Hi
I am trying to create a jailed shell for a user Don ($UID '500') using my own method (I don't want to use any ready-made "jailkit"). The user don should get a home directory /jail/don instead of /home/don when he logs in via SSH (so that he will not be able to see any other files/directories on the system).
This is what I have done.
Quote:
1. Created a directory /jail & copied don's home, /lib & /bash directories to /jail.
After doing this I am able to chroot to /jail as the root user.
ie: #chroot /jail
2. Modified the /etc/profile file & added the following entries at the bottom of the file.
Code:
if [ $UID -eq 500 ]
then
    cd /jail/$USER
fi
It works without any issue .... The home directory changes to /jail/don when I ssh to the system as user don.
ie: #ssh don@192.168.0.66
Then I added a chroot command to this code.
Code:
if [ $UID -eq 500 ]
then
    cd /jail/$USER
    chroot /jail/$USER
fi
Unfortunately, now I am getting an error message saying "chroot: cannot change root directory to /jail: Operation not permitted". I am not sure how to rectify this error ... Please help ... Is my approach correct to get a jailed shell using the /etc/profile file?
Last edited by Soji Antony; 04-18-2011 at 09:34 AM.

04-18-2011, 08:20 AM
#2
LQ Newbie
Registered: Feb 2011
Posts: 5
Only superuser can "chroot".
Why did you want to add "chroot /jail" to a user profile, what do you intend to do with that command?

04-18-2011, 08:26 AM
#3
LQ Newbie
Registered: Oct 2009
Posts: 12
chroot only works if you are root. When you log in as don he is now the user and the chroot will fail. I would suggest you look at rssh (restricted shell).
This is off the top of my head, and there are probably better ways, depending on how restricted you need him to be, what you want him to be able to do, and how good of a Linux person he is. You could remove all the paths from PATH and alias only the command you want him to use. For example, "grep" would be aliased to /usr/bin/grep or something like that. That might be what you want? I don't really like this idea and it requires a lot of maintenance on your part. But, to each their own. I still recommend you look into rssh. Just some thoughts....

04-18-2011, 08:41 AM
#4
Member
Registered: Jul 2010
Posts: 54
Original Poster
Hi stevenz,
I have added that command to the /etc/profile file so that it will be executed each time he logs in & he will get a jailed shell.
Hi shawley
Quote:
> You could remove all the paths from PATH and alias only the command you want him to use.
Is it possible to set a special path for a particular user, without affecting any other user? I thought it would affect all users in the system ...
Thanks ...

04-19-2011, 06:53 AM
#5
LQ Newbie
Registered: Oct 2009
Posts: 12
Yes, change the PATH in the user's .bash_profile in their home directory only, not in /etc.
This gives control for a user to modify their own environment. However, if you change the path and such, they will not be able to get to it to change it back, effectively locking them into whatever environment you set up.

04-19-2011, 10:56 AM
#6
Member
Registered: Jul 2010
Posts: 54
Original Poster
Hi
I have one more doubt regarding /etc/profile file.
Code:
#getfacl /etc/profile
getfacl: Removing leading '/' from absolute path names
# file: etc/profile
# owner: root
# group: root
user::rw-
group::r--
other::r--
The above result shows that root is the owner & he has the permission to execute the /etc/profile file commands. So, when a user logs in and accesses the command line, do the /etc/profile file commands get executed as root or as the user?
Please help ....

05-20-2011, 09:25 PM
#7
Member
Registered: Jul 2010
Posts: 54
Original Poster
Thank you all for posting ......
Finally it worked ... I wrote a bash script to execute the chroot command & called that from a C program (with the SUID bit set).
Code:
#tail -5 /etc/profile
if [ $UID -eq 500 ]
then
    /tmp/call-script
fi
#cat call-script.c
Code:
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

int main(void)
{
    /* The binary is SUID root, so this makes the real UID root as well. */
    setuid(0);
    /* Run the chroot script through the shell, as root. */
    system("/root/chrt.sh");
    return 0;
}
Code:
make call-script call-script.c
chmod +x call-script
chmod u+s call-script
cat chrt.sh
Code:
#!/bin/bash
# Start a shell with /jail/don as its root directory.
chroot /jail/don
Last edited by Soji Antony; 05-20-2011 at 09:40 PM.

05-21-2011, 12:26 AM
#8
LQ Newbie
Registered: May 2011
Posts: 23
I fail to see how it would work, since my own replication had "Permission denied".
If this works for you, it means the user got a root access within jail. He can now easily "escape" jail, and get to the real files.

05-23-2011, 08:29 PM
#9
Member
Registered: Jul 2010
Posts: 54
Original Poster
Hi
It should work. You need to give execute permission to /root/chrt.sh
Code:
chmod +x /root/chrt.sh
I forgot to add that step in my last post. Also you need to copy the /lib & /bash directories to /jail/don before executing the chroot command [depending on the command you want him to use].
> If this works for you, it means the user got a root access within jail.
> He can now easily "escape" jail, and get to the real files.
As far as I know the user will get root permission only when he executes the chroot command.
Last edited by Soji Antony; 05-23-2011 at 08:31 PM.
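
On the concern raised in reply #8, as an added example that is not part of the thread: the wrapper in post #7 calls setuid(0) and never gives root back, so the shell started inside the jail runs as root. This C wrapper keeps the SUID-root approach but chroots and then permanently drops to the invoking user's uid/gid before any shell starts; the function names, the /jail/don path and /bin/bash inside the jail are assumptions.

```c
#define _DEFAULT_SOURCE 1   /* chroot() and setgroups() on glibc */
#include <grp.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Jail root must be a root-owned directory that group/others cannot write
 * (the rule sshd applies to ChrootDirectory paths), so the jailed user
 * cannot replace files such as /lib or /etc inside it. */
int jail_dir_is_safe(const struct stat *st)
{
    return S_ISDIR(st->st_mode) && st->st_uid == 0 &&
           (st->st_mode & (S_IWGRP | S_IWOTH)) == 0;
}

/* Enter the jail, then give up root for good. Returns 0 on success and -1
 * on any failure; the caller must not exec anything after a failure. */
int enter_jail_and_drop(const char *jail, uid_t uid, gid_t gid)
{
    struct stat st;

    if (uid == 0) return -1;                     /* never hand out a root shell */
    if (stat(jail, &st) != 0 || !jail_dir_is_safe(&st)) return -1;
    if (chroot(jail) != 0 || chdir("/") != 0) return -1;
    if (setgroups(0, NULL) != 0) return -1;      /* clear supplementary groups */
    if (setgid(gid) != 0 || setuid(uid) != 0) return -1;  /* group first */
    if (setuid(0) == 0) return -1;               /* the drop must be irreversible */
    return 0;
}

int main(void)
{
    /* Installed SUID root: getuid()/getgid() are still the caller's (don). */
    if (enter_jail_and_drop("/jail/don", getuid(), getgid()) != 0) {
        fputs("jail: setup failed, refusing to start a shell\n", stderr);
        return 1;
    }
    execl("/bin/bash", "bash", (char *)NULL);    /* resolved inside the jail */
    perror("execl");
    return 1;
}
```

Calling chdir("/") right after chroot() matters: without it the working directory can still point outside the new root.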