LinuxQuestions.org - Sending a user to jail!

- Linux - Newbie (https://www.linuxquestions.org/questions/linux-newbie-8/)

- - Sending a user to jail! (https://www.linuxquestions.org/questions/linux-newbie-8/sending-a-user-to-jail-4175611374/)

Sending a user to jail!

I would like to allow someone to access my server via ssh and directly access the MySQL command line, but limit other access. Using jailkit on Centos7, it mostly works, but I have a few questions. Below are the steps I have taken (maybe a couple were done in slightly different order):

1a. Compile the software

Code:

yum group install "Development Tools"

wget http://olivier.sessink.nl/jailkit/jailkit-2.19.tar.gz

tar xvfz jailkit-2.19.tar.gz

cd jailkit-2.19

./configure

make

sudo make install

cd ..

rm -rf jailkit-2.19*

2a. The jailkit configuration file is set up for some applications, but not MariaDB, so I used rpm -ql MariaDB-client to identify the the required paths to be added to /etc/jailkit/jk_init.ini.
Do I really need to add all those paths?

Code:

cat <<EOF | sudo tee /etc/jailkit/jk_init.ini

[mariadb]

comment = MariaDB-client bla bla bla

paths = /etc/my.cnf.d,/etc/my.cnf.d/mysql-clients.cnf,/usr/bin/msql2mysql,/usr/bin/mysql,/usr/bin/mysql_embedded,/usr/bin/mysql_find_rows,/usr/bin/mysql_plugin,/usr/bin/mysql_waitpid,/usr/bin/mysqlaccess,/usr/bin/mysqladmin,/usr/bin/mysqlbinlog,/usr/bin/mysqlcheck,/usr/bin/mysqldump,/usr/bin/mysqlimport,/usr/bin/mysqlshow,/usr/bin/mysqlslap,/usr/share/man/man1/msql2mysql.1.gz,/usr/share/man/man1/mysql.1.gz,/usr/share/man/man1/mysql_find_rows.1.gz,/usr/share/man/man1/mysql_plugin.1.gz,/usr/share/man/man1/mysql_waitpid.1.gz,/usr/share/man/man1/mysqlaccess.1.gz,/usr/share/man/man1/mysqladmin.1.gz,/usr/share/man/man1/mysqlbinlog.1.gz,/usr/share/man/man1/mysqlcheck.1.gz,/usr/share/man/man1/mysqldump.1.gz,/usr/share/man/man1/mysqlimport.1.gz,/usr/share/man/man1/mysqlshow.1.gz,/usr/share/man/man1/mysqlslap.1.gz

EOF

2b. Allow programs to run in jail. Is the use of hard links (-k) a good idea? Originally, I didn't include jk_lsh below and received errors and adding jk_lsh "fixed it", but I don't know why. Why is jk_lsh used?

Code:

sudo jk_init -v -k -j /home/jail basicshell editors extendedshell netutils ssh sftp scp jk_lsh mariadb

2c. Allow all users to have access to tmp as described by https://olivier.sessink.nl/jailkit/h...oot_shell.html. Doesn't seem that jailed user has access to tmp. Why?

Code:

sudo mkdir /home/jail/tmp

sudo chmod a+rwx /home/jail/tmp

2d. Copy files including permissions and libraries into a jail. What is this doing?

Code:

jk_cp -v -f /home/jail /bin/bash

3a. Create user and add to jail

Code:

sudo useradd testuser

sudo passwd testuser

sudo jk_jailuser -m -j /home/jail testuser

3b. Edit /home/jail/etc/passwd

Code:

root:x:0:0:root:/root:/bin/bash

#testuser:x:1003:1003::/home/testuser:/usr/sbin/jk_lsh

testuser:x:1003:1003::/home/testuser:/bin/bash

So, now I log ssh as the jailed user, but get the following:

Code:

bash: /usr/bin/id: No such file or directory

In testuser's root directory, .bashrc includes:

Code:

if [ -f /etc/bashrc ]; then

        . /etc/bashrc

fi

Then in /home/jail/etc/bashrc:

Code:

    # By default, we want umask to get set. This sets it for non-login shell.

    # Current threshold for system reserved uid/gids is 200

    # You could check uidgid reservation validity in

    # /usr/share/doc/setup-*/uidgid file

    if [ $UID -gt 199 ] && [ "`/usr/bin/id -gn`" = "`/usr/bin/id -un`" ]; then

      umask 002

    else

      umask 022

    fi

Looks like this is the issue, but now sure how to deal with it.

Also, I also tried the following, but get the following errors. What is causing them.

Code:

jk_update -j /home/jail -d

ERROR:  while scannign dir /home/jail/lib/: No such file or directory

ERROR:  while scannign dir /home/jail/opt/: No such file or directory

Lastly, can I just delete the users and /home/jail, and then start over?

Here are the rpms for centos 7. I'd use one of those: http://dries.eu/rpms/jailkit/jailkit

Thanks but would like to figure why I am getting the /usr/bin/id warning. I've since started over and did again in the exact order I showed, and everything works great but i still get the warning.

The /usr/bin/id warning is because the id program is not in the relative jail path. This can probably be avoided by installing from a centos specific rmp, as the install script is customized for centos.

The install script for a source package must work for any distro, and therefore might require much more manual customization.

Maybe not warranted, but I try to limit the source I get software from. Also nice to get latest revs sometimes. Is it possible to tell from the rpms how it was compiled?

Thanks chrism01. Looks like the rpm needs to be installed before checking OPTFLAGS.

AwesomeMachine's recommended link also has a build spec. Is this like a shell script to compile? It uses 2.15 where I used 2.19. There is also some logs. https://jenkins.driesrpms.eu/job/jai...-x86_64%20el7/.

Code:

[michael@devserver ~]$  rpm -q --queryformat="%{NAME}: %{OPTFLAGS}\n" jailkit-2.15-1.el7.rf.x86_64.rpm

package jailkit-2.15-1.el7.rf.x86_64.rpm is not installed

[michael@devserver ~]$

Code:

# $Id$

# Authority: dag



Summary: Utilities to limit user accounts to specific files using chroot()

Name: jailkit

Version: 2.15

Release: 1%{?dist}

License: Open Source

Group: System Environment/Base

URL: http://olivier.sessink.nl/jailkit/



Source: http://olivier.sessink.nl/jailkit/jailkit-%{version}.tar.bz2

BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root

BuildRequires: binutils, gcc, make

BuildRequires: glibc-devel

BuildRequires: python



%description

Jailkit is a set of utilities to limit user accounts to specific files

using chroot() and or specific commands. Setting up a chroot shell,

a shell limited to some specific command, or a daemon inside a chroot

jail is a lot easier using these utilities.



Jailkit has been in use for a while on CVS servers (in a chroot and

limited to cvs), sftp/scp servers (both in a chroot and limited to

sftp/scp as well as not in a chroot but only limited to sftp/scp),

and also on general servers with accounts where the shell accounts

are in a chroot.



%prep

%setup



# apparently not needed anymore

### Disable broken Makefile :(

#%{__perl} -pi.orig -e 's|>>||g' Makefile.in



%build

export LIBS="-pthread"

%configure

%{__make} %{?_smp_mflags}



%install

%{__rm} -rf %{buildroot}

%{__make} install DESTDIR="%{buildroot}"



%{__install} -Dp -m0755 extra/jailkit %{buildroot}%{_initrddir}/jailkit



#%post

#cat /etc/shells | grep -v jk_chrootsh >/etc/shells

#echo "/usr/bin/jk_chrootsh" >> /etc/shells

#/sbin/chkconfig --add jailkit



#%postun

#cat /etc/shells | grep -v jk_chrootsh >/etc/shells



%clean

%{__rm} -rf %{buildroot}



%files

%defattr(-, root, root, 0755)

%doc %{_mandir}/man?/*

%config(noreplace) %{_sysconfdir}/jailkit/

%config %{_initrddir}/jailkit

%{_sbindir}/jk_*

%{_bindir}/jk_uchroot

%{_datadir}/jailkit/



%changelog

* Wed Apr 17 2013 David Hrbáč <david@hrbac.cz> - 2.15-1

- new upstream release



* Wed Jun 02 2010 Steve Huff <shuff@vecna.org> - 2.11-1

- Updated to release 2.11.



* Thu May 15 2008 Dries Verachtert <dries@ulyssis.org> - 2.5-1

- Updated to release 2.5.



* Tue Sep 12 2006 Dag Wieers <dag@wieers.com> - 2.1-1

- Updated to release 2.1.



* Sun Mar 19 2006 Dag Wieers <dag@wieers.com> - 2.0-1

- Updated to release 2.0.



* Fri May 20 2005 Dag Wieers <dag@wieers.com> - 1.3-1

- Initial package. (using DAR)