LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie
08-05-2017, 11:09 AM   #1
NotionCommotion
Sending a user to jail!


I would like to allow someone to access my server via ssh and directly access the MySQL command line, but limit other access. Using jailkit on CentOS 7, it mostly works, but I have a few questions. Below are the steps I have taken (maybe a couple were done in a slightly different order):

1a. Compile the software
Code:
yum group install "Development Tools"
wget http://olivier.sessink.nl/jailkit/jailkit-2.19.tar.gz
tar xvfz jailkit-2.19.tar.gz
cd jailkit-2.19
./configure
make
sudo make install
cd ..
rm -rf jailkit-2.19*
2a. The jailkit configuration file is set up for some applications, but not MariaDB, so I used rpm -ql MariaDB-client to identify the required paths to be added to /etc/jailkit/jk_init.ini.
Do I really need to add all those paths?
Code:
# Append with -a: a plain "tee" would overwrite the stock [basicshell], [editors], ... sections that jk_init needs in step 2b.
cat <<EOF | sudo tee -a /etc/jailkit/jk_init.ini
[mariadb]
comment = MariaDB-client bla bla bla
paths = /etc/my.cnf.d,/etc/my.cnf.d/mysql-clients.cnf,/usr/bin/msql2mysql,/usr/bin/mysql,/usr/bin/mysql_embedded,/usr/bin/mysql_find_rows,/usr/bin/mysql_plugin,/usr/bin/mysql_waitpid,/usr/bin/mysqlaccess,/usr/bin/mysqladmin,/usr/bin/mysqlbinlog,/usr/bin/mysqlcheck,/usr/bin/mysqldump,/usr/bin/mysqlimport,/usr/bin/mysqlshow,/usr/bin/mysqlslap,/usr/share/man/man1/msql2mysql.1.gz,/usr/share/man/man1/mysql.1.gz,/usr/share/man/man1/mysql_find_rows.1.gz,/usr/share/man/man1/mysql_plugin.1.gz,/usr/share/man/man1/mysql_waitpid.1.gz,/usr/share/man/man1/mysqlaccess.1.gz,/usr/share/man/man1/mysqladmin.1.gz,/usr/share/man/man1/mysqlbinlog.1.gz,/usr/share/man/man1/mysqlcheck.1.gz,/usr/share/man/man1/mysqldump.1.gz,/usr/share/man/man1/mysqlimport.1.gz,/usr/share/man/man1/mysqlshow.1.gz,/usr/share/man/man1/mysqlslap.1.gz
EOF
2b. Allow programs to run in the jail. Is the use of hard links (-k) a good idea? Originally, I didn't include jk_lsh below and received errors, and adding jk_lsh "fixed it", but I don't know why. Why is jk_lsh used?
Code:
sudo jk_init -v -k -j /home/jail basicshell editors extendedshell netutils ssh sftp scp jk_lsh mariadb
2c. Allow all users to have access to tmp as described by https://olivier.sessink.nl/jailkit/h...oot_shell.html. It doesn't seem that the jailed user has access to tmp. Why?
Code:
sudo mkdir /home/jail/tmp
sudo chmod a+rwx /home/jail/tmp
2d. Copy files including permissions and libraries into a jail. What is this doing?
Code:
# Needs root like the other steps: /home/jail is owned by root.
sudo jk_cp -v -f /home/jail /bin/bash
3a. Create user and add to jail
Code:
sudo useradd testuser
sudo passwd testuser
sudo jk_jailuser -m -j /home/jail testuser
3b. Edit /home/jail/etc/passwd
Code:
root:x:0:0:root:/root:/bin/bash
#testuser:x:1003:1003::/home/testuser:/usr/sbin/jk_lsh
testuser:x:1003:1003::/home/testuser:/bin/bash
So, now I log in via ssh as the jailed user, but get the following:

Code:
bash: /usr/bin/id: No such file or directory

In testuser's root directory, .bashrc includes:
Code:
if [ -f /etc/bashrc ]; then
        . /etc/bashrc
fi
Then in /home/jail/etc/bashrc:
Code:
    # By default, we want umask to get set. This sets it for non-login shell.
    # Current threshold for system reserved uid/gids is 200
    # You could check uidgid reservation validity in
    # /usr/share/doc/setup-*/uidgid file
    if [ $UID -gt 199 ] && [ "`/usr/bin/id -gn`" = "`/usr/bin/id -un`" ]; then
       umask 002
    else
       umask 022
    fi
Looks like this is the issue, but I'm not sure how to deal with it.


I also tried the following, but get these errors. What is causing them?
Code:
jk_update -j /home/jail -d
ERROR:  while scannign dir /home/jail/lib/: No such file or directory
ERROR:  while scannign dir /home/jail/opt/: No such file or directory

Lastly, can I just delete the users and /home/jail, and then start over?
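An added example, not part of the original post and not jailkit's own code: the post's stated goal (give the user the mysql client over ssh and nothing else) is what jk_lsh exists for. jk_jailuser already set the jailed user's shell to /usr/sbin/jk_lsh (the line commented out in step 3b); keeping that shell and whitelisting only /usr/bin/mysql in the jail's jk_lsh.ini means `ssh -t testuser@host mysql -p` works while any other command is refused. jk_lsh executes only the command ssh passes with `-c`, so an interactive login without a command is refused as well. The jail path and user name are the thread's; the [DEFAULT]/[user] keys (paths, executables, allow_word_expansion, umask) follow the jk_lsh.ini layout jailkit documents, and the helper functions are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread or from jailkit). Keeps jk_lsh as the
# jailed user's login shell and allows only the mysql client through it.
# JAIL and the user name are assumptions matching the thread.

JAIL=${JAIL:-/home/jail}
LSH=/usr/sbin/jk_lsh

# 0 if USER's login shell in JAIL/etc/passwd is jk_lsh, 1 otherwise
# (step 3b's edit to /bin/bash makes this fail).
jail_shell_is_lsh() {
    jail=$1 user=$2
    shell=$(awk -F: -v u="$user" '$1 == u { print $7 }' "$jail/etc/passwd")
    [ "$shell" = "$LSH" ]
}

# Point USER's shell field in the jail's passwd back at jk_lsh.
set_jail_shell_lsh() {
    jail=$1 user=$2
    awk -F: -v OFS=: -v u="$user" -v s="$LSH" '$1 == u { $7 = s } { print }' \
        "$jail/etc/passwd" > "$jail/etc/passwd.tmp" &&
        mv "$jail/etc/passwd.tmp" "$jail/etc/passwd"
}

# Write JAIL/etc/jailkit/jk_lsh.ini (jk_lsh reads it from inside the chroot)
# so that USER may execute only the mysql client.
write_lsh_ini() {
    jail=$1 user=$2
    mkdir -p "$jail/etc/jailkit"
    cat > "$jail/etc/jailkit/jk_lsh.ini" <<EOF
[DEFAULT]
paths = /usr/bin
executables = /usr/bin/mysql
allow_word_expansion = 0
umask = 022

[$user]
paths = /usr/bin
executables = /usr/bin/mysql
EOF
}

# 0 if EXE appears in the "executables" list of the [USER] section.
lsh_allows() {
    jail=$1 user=$2 exe=$3
    awk -v sec="[$user]" -v exe="$exe" '
        /^\[/ { insec = ($0 == sec) }
        insec && /^executables[ \t]*=/ {
            sub(/^[^=]*=/, "")
            n = split($0, a, /[ \t,]+/)
            for (i = 1; i <= n; i++) if (a[i] == exe) found = 1
        }
        END { exit (found ? 0 : 1) }' "$jail/etc/jailkit/jk_lsh.ini"
}

# Typical use as root, after "jk_init -j $JAIL ... jk_lsh mariadb" and
# "jk_jailuser -m -j $JAIL testuser":
#   set_jail_shell_lsh "$JAIL" testuser && write_lsh_ini "$JAIL" testuser
```

With this in place the jail does not need a full /bin/bash login for the user at all; the extendedshell, editors and netutils groups from step 2b only widen what a jailed user can reach and can be dropped from jk_init for this use case.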
 
08-05-2017, 03:39 PM   #2
AwesomeMachine
Here are the rpms for centos 7. I'd use one of those: http://dries.eu/rpms/jailkit/jailkit
 
08-07-2017, 06:10 PM   #3
NotionCommotion (Original Poster)
Thanks, but I would like to figure out why I am getting the /usr/bin/id warning. I've since started over and did it again in the exact order I showed, and everything works great, but I still get the warning.
 
08-07-2017, 08:02 PM   #4
AwesomeMachine
The /usr/bin/id warning is because the id program is not in the relative jail path. This can probably be avoided by installing from a CentOS-specific rpm, as the install script is customized for CentOS.

The install script for a source package must work for any distro, and therefore might require much more manual customization.
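An added example, not from the thread and not jailkit's own code, to turn the diagnosis above into a check: the jail's /etc/bashrc runs /usr/bin/id, and nothing in the jk_init groups used in step 2b copied coreutils' id into /home/jail, hence `bash: /usr/bin/id: No such file or directory`. The script below scans the start-up files inside a jail for absolute program paths and reports the ones that do not exist inside the jail; the list of start-up files and the path regex are assumptions about a CentOS-style layout, and jk_cp's -j option is taken from the jailkit manual.

```shell
#!/bin/sh
# Added example (not from the thread or from jailkit): report programs that a
# jail's shell start-up files reference but that are missing inside the jail.
# Start-up file list and path pattern are assumptions for a CentOS-style jail.

# Print, sorted and unique, every /bin, /sbin, /usr/bin, /usr/sbin (and
# /usr/local/...) path referenced in JAIL's start-up files that is not an
# executable inside JAIL.
jail_missing_refs() {
    jail=$1
    for f in "$jail"/etc/profile "$jail"/etc/bashrc "$jail"/etc/profile.d/*.sh \
             "$jail"/home/*/.bashrc "$jail"/home/*/.bash_profile \
             "$jail"/home/*/.profile; do
        [ -f "$f" ] || continue
        # grep exits 1 when a file has no match; "|| :" keeps set -e callers alive
        grep -oE '/(usr/)?(local/)?s?bin/[A-Za-z0-9_.+-]+' "$f" || :
    done | sort -u | while IFS= read -r p; do
        [ -x "$jail$p" ] || printf '%s\n' "$p"
    done
}

# Copy each missing program, with its shared libraries, into the jail using
# jailkit's jk_cp (run as root). -j names the jail, per the jailkit manual.
jail_copy_missing() {
    jail=$1
    jail_missing_refs "$jail" | while IFS= read -r p; do
        jk_cp -j "$jail" "$p"
    done
}

# Example: jail_missing_refs /home/jail
# For the /etc/bashrc quoted in the thread this prints /usr/bin/id; fix with
# "jk_cp -j /home/jail /usr/bin/id" (or jail_copy_missing /home/jail).
```

Running the check after every jk_init/jk_cp round is a cheap way to catch this class of breakage before a user logs in; it also shows that the problem is the jail's contents, not which package the jailkit tools came from.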
 
08-07-2017, 09:33 PM   #5
NotionCommotion (Original Poster)
Maybe not warranted, but I try to limit the source I get software from. Also nice to get latest revs sometimes. Is it possible to tell from the rpms how it was compiled?
 
08-08-2017, 12:56 AM   #6
chrism01
Try the OPTFLAGS example here: https://unix.stackexchange.com/quest...-is-built-with
 
08-08-2017, 10:46 AM   #7
NotionCommotion (Original Poster)
Thanks chrism01. Looks like the rpm needs to be installed before checking OPTFLAGS.

AwesomeMachine's recommended link also has a build spec. Is this like a shell script to compile? It uses 2.15 where I used 2.19. There are also some logs: https://jenkins.driesrpms.eu/job/jai...-x86_64%20el7/.

Code:
[michael@devserver ~]$  rpm -q --queryformat="%{NAME}: %{OPTFLAGS}\n" jailkit-2.15-1.el7.rf.x86_64.rpm
package jailkit-2.15-1.el7.rf.x86_64.rpm is not installed
[michael@devserver ~]$


Code:
# $Id$
# Authority: dag

Summary: Utilities to limit user accounts to specific files using chroot()
Name: jailkit
Version: 2.15
Release: 1%{?dist}
License: Open Source
Group: System Environment/Base
URL: http://olivier.sessink.nl/jailkit/

Source: http://olivier.sessink.nl/jailkit/jailkit-%{version}.tar.bz2
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
BuildRequires: binutils, gcc, make
BuildRequires: glibc-devel
BuildRequires: python

%description
Jailkit is a set of utilities to limit user accounts to specific files
using chroot() and or specific commands. Setting up a chroot shell,
a shell limited to some specific command, or a daemon inside a chroot
jail is a lot easier using these utilities.

Jailkit has been in use for a while on CVS servers (in a chroot and
limited to cvs), sftp/scp servers (both in a chroot and limited to
sftp/scp as well as not in a chroot but only limited to sftp/scp),
and also on general servers with accounts where the shell accounts
are in a chroot.

%prep
%setup

# apparently not needed anymore
### Disable broken Makefile :(
#%{__perl} -pi.orig -e 's|>>||g' Makefile.in

%build
export LIBS="-pthread"
%configure
%{__make} %{?_smp_mflags}

%install
%{__rm} -rf %{buildroot}
%{__make} install DESTDIR="%{buildroot}"

%{__install} -Dp -m0755 extra/jailkit %{buildroot}%{_initrddir}/jailkit

#%post
#cat /etc/shells | grep -v jk_chrootsh >/etc/shells
#echo "/usr/bin/jk_chrootsh" >> /etc/shells
#/sbin/chkconfig --add jailkit

#%postun
#cat /etc/shells | grep -v jk_chrootsh >/etc/shells

%clean
%{__rm} -rf %{buildroot}

%files
%defattr(-, root, root, 0755)
%doc %{_mandir}/man?/*
%config(noreplace) %{_sysconfdir}/jailkit/
%config %{_initrddir}/jailkit
%{_sbindir}/jk_*
%{_bindir}/jk_uchroot
%{_datadir}/jailkit/

%changelog
* Wed Apr 17 2013 David Hrbáč <david@hrbac.cz> - 2.15-1
- new upstream release

* Wed Jun 02 2010 Steve Huff <shuff@vecna.org> - 2.11-1
- Updated to release 2.11.

* Thu May 15 2008 Dries Verachtert <dries@ulyssis.org> - 2.5-1
- Updated to release 2.5.

* Tue Sep 12 2006 Dag Wieers <dag@wieers.com> - 2.1-1
- Updated to release 2.1.

* Sun Mar 19 2006 Dag Wieers <dag@wieers.com> - 2.0-1
- Updated to release 2.0.

* Fri May 20 2005 Dag Wieers <dag@wieers.com> - 1.3-1
- Initial package. (using DAR)
 
  

