Sending a user to jail!

NotionCommotion · 08-05-2017, 12:09 PM

I would like to allow someone to access my server via ssh and directly access the MySQL command line, but limit other access. Using jailkit on Centos7, it mostly works, but I have a few questions. Below are the steps I have taken (maybe a couple were done in slightly different order):

1a. Compile the software

Code:

yum group install "Development Tools"
wget http://olivier.sessink.nl/jailkit/jailkit-2.19.tar.gz
tar xvfz jailkit-2.19.tar.gz
cd jailkit-2.19
./configure
make
sudo make install
cd ..
rm -rf jailkit-2.19*

2a. The jailkit configuration file is set up for some applications, but not MariaDB, so I used rpm -ql MariaDB-client to identify the the required paths to be added to /etc/jailkit/jk_init.ini.
Do I really need to add all those paths?

Code:

cat <<EOF | sudo tee /etc/jailkit/jk_init.ini
[mariadb]
comment = MariaDB-client bla bla bla
paths = /etc/my.cnf.d,/etc/my.cnf.d/mysql-clients.cnf,/usr/bin/msql2mysql,/usr/bin/mysql,/usr/bin/mysql_embedded,/usr/bin/mysql_find_rows,/usr/bin/mysql_plugin,/usr/bin/mysql_waitpid,/usr/bin/mysqlaccess,/usr/bin/mysqladmin,/usr/bin/mysqlbinlog,/usr/bin/mysqlcheck,/usr/bin/mysqldump,/usr/bin/mysqlimport,/usr/bin/mysqlshow,/usr/bin/mysqlslap,/usr/share/man/man1/msql2mysql.1.gz,/usr/share/man/man1/mysql.1.gz,/usr/share/man/man1/mysql_find_rows.1.gz,/usr/share/man/man1/mysql_plugin.1.gz,/usr/share/man/man1/mysql_waitpid.1.gz,/usr/share/man/man1/mysqlaccess.1.gz,/usr/share/man/man1/mysqladmin.1.gz,/usr/share/man/man1/mysqlbinlog.1.gz,/usr/share/man/man1/mysqlcheck.1.gz,/usr/share/man/man1/mysqldump.1.gz,/usr/share/man/man1/mysqlimport.1.gz,/usr/share/man/man1/mysqlshow.1.gz,/usr/share/man/man1/mysqlslap.1.gz
EOF

2b. Allow programs to run in jail. Is the use of hard links (-k) a good idea? Originally, I didn't include jk_lsh below and received errors and adding jk_lsh "fixed it", but I don't know why. Why is jk_lsh used?

Code:

sudo jk_init -v -k -j /home/jail basicshell editors extendedshell netutils ssh sftp scp jk_lsh mariadb

2c. Allow all users to have access to tmp as described by https://olivier.sessink.nl/jailkit/h...oot_shell.html. Doesn't seem that jailed user has access to tmp. Why?

Code:

sudo mkdir /home/jail/tmp
sudo chmod a+rwx /home/jail/tmp

2d. Copy files including permissions and libraries into a jail. What is this doing?

Code:

jk_cp -v -f /home/jail /bin/bash

3a. Create user and add to jail

Code:

sudo useradd testuser
sudo passwd testuser
sudo jk_jailuser -m -j /home/jail testuser

3b. Edit /home/jail/etc/passwd

Code:

root:x:0:0:root:/root:/bin/bash
#testuser:x:1003:1003::/home/testuser:/usr/sbin/jk_lsh
testuser:x:1003:1003::/home/testuser:/bin/bash

So, now I log ssh as the jailed user, but get the following:

Code:

bash: /usr/bin/id: No such file or directory

In testuser's root directory, .bashrc includes:

Code:

if [ -f /etc/bashrc ]; then
        . /etc/bashrc
fi

Then in /home/jail/etc/bashrc:

Code:

    # By default, we want umask to get set. This sets it for non-login shell.
    # Current threshold for system reserved uid/gids is 200
    # You could check uidgid reservation validity in
    # /usr/share/doc/setup-*/uidgid file
    if [ $UID -gt 199 ] && [ "`/usr/bin/id -gn`" = "`/usr/bin/id -un`" ]; then
       umask 002
    else
       umask 022
    fi

Looks like this is the issue, but now sure how to deal with it.

Also, I also tried the following, but get the following errors. What is causing them.

Code:

jk_update -j /home/jail -d
ERROR:  while scannign dir /home/jail/lib/: No such file or directory
ERROR:  while scannign dir /home/jail/opt/: No such file or directory

Lastly, can I just delete the users and /home/jail, and then start over?

AwesomeMachine · 08-05-2017, 04:39 PM

Here are the rpms for centos 7. I'd use one of those: http://dries.eu/rpms/jailkit/jailkit

NotionCommotion · 08-07-2017, 07:10 PM

Thanks but would like to figure why I am getting the /usr/bin/id warning. I've since started over and did again in the exact order I showed, and everything works great but i still get the warning.

AwesomeMachine · 08-07-2017, 09:02 PM

The /usr/bin/id warning is because the id program is not in the relative jail path. This can probably be avoided by installing from a centos specific rmp, as the install script is customized for centos.

The install script for a source package must work for any distro, and therefore might require much more manual customization.

NotionCommotion · 08-07-2017, 10:33 PM

Maybe not warranted, but I try to limit the source I get software from. Also nice to get latest revs sometimes. Is it possible to tell from the rpms how it was compiled?

chrism01 · 08-08-2017, 01:56 AM

Try OPTFLAGS example here https://unix.stackexchange.com/quest...-is-built-with

NotionCommotion · 08-08-2017, 11:46 AM

Thanks chrism01. Looks like the rpm needs to be installed before checking OPTFLAGS.

AwesomeMachine's recommended link also has a build spec. Is this like a shell script to compile? It uses 2.15 where I used 2.19. There is also some logs. https://jenkins.driesrpms.eu/job/jai...-x86_64%20el7/.

Code:

[michael@devserver ~]$  rpm -q --queryformat="%{NAME}: %{OPTFLAGS}\n" jailkit-2.15-1.el7.rf.x86_64.rpm
package jailkit-2.15-1.el7.rf.x86_64.rpm is not installed
[michael@devserver ~]$

Code:

# $Id$
# Authority: dag

Summary: Utilities to limit user accounts to specific files using chroot()
Name: jailkit
Version: 2.15
Release: 1%{?dist}
License: Open Source
Group: System Environment/Base
URL: http://olivier.sessink.nl/jailkit/

Source: http://olivier.sessink.nl/jailkit/jailkit-%{version}.tar.bz2
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
BuildRequires: binutils, gcc, make
BuildRequires: glibc-devel
BuildRequires: python

%description
Jailkit is a set of utilities to limit user accounts to specific files
using chroot() and or specific commands. Setting up a chroot shell,
a shell limited to some specific command, or a daemon inside a chroot
jail is a lot easier using these utilities.

Jailkit has been in use for a while on CVS servers (in a chroot and
limited to cvs), sftp/scp servers (both in a chroot and limited to
sftp/scp as well as not in a chroot but only limited to sftp/scp),
and also on general servers with accounts where the shell accounts
are in a chroot.

%prep
%setup

# apparently not needed anymore
### Disable broken Makefile :(
#%{__perl} -pi.orig -e 's|>>||g' Makefile.in

%build
export LIBS="-pthread"
%configure
%{__make} %{?_smp_mflags}

%install
%{__rm} -rf %{buildroot}
%{__make} install DESTDIR="%{buildroot}"

%{__install} -Dp -m0755 extra/jailkit %{buildroot}%{_initrddir}/jailkit

#%post
#cat /etc/shells | grep -v jk_chrootsh >/etc/shells
#echo "/usr/bin/jk_chrootsh" >> /etc/shells
#/sbin/chkconfig --add jailkit

#%postun
#cat /etc/shells | grep -v jk_chrootsh >/etc/shells

%clean
%{__rm} -rf %{buildroot}

%files
%defattr(-, root, root, 0755)
%doc %{_mandir}/man?/*
%config(noreplace) %{_sysconfdir}/jailkit/
%config %{_initrddir}/jailkit
%{_sbindir}/jk_*
%{_bindir}/jk_uchroot
%{_datadir}/jailkit/

%changelog
* Wed Apr 17 2013 David Hrbáč <david@hrbac.cz> - 2.15-1
- new upstream release

* Wed Jun 02 2010 Steve Huff <shuff@vecna.org> - 2.11-1
- Updated to release 2.11.

* Thu May 15 2008 Dries Verachtert <dries@ulyssis.org> - 2.5-1
- Updated to release 2.5.

* Tue Sep 12 2006 Dag Wieers <dag@wieers.com> - 2.1-1
- Updated to release 2.1.

* Sun Mar 19 2006 Dag Wieers <dag@wieers.com> - 2.0-1
- Updated to release 2.0.

* Fri May 20 2005 Dag Wieers <dag@wieers.com> - 1.3-1
- Initial package. (using DAR)