chroot jail with rssh / restricting users to individual directories
 

I'm running SuSE 9.3. I have successfully set up chrooted jail (/jail) for 'sftp' using 'rssh' shell. The jail works great. But every user logging in to the account bound to the jail, even tough cannot go outside of the jail, can freely roam around the jail filesystem(say, /jail/bin, or /jail/lib/ or /jail/etc). I need the user, within the jail, to be bound ONLY to his home directory (/jail/user01) and nothing else. I tried to modify the 'rssh.conf' file for individual users but, when I do something like 'user = user01:011:00010:/jail/user01' then I get the 'connection closed' message. I think it's because all the chrooted files need to be within that directory (/jail/user01).

Does anybody have an idea of any solution? I tried to set the 'scponly' shell but I get an error message when I'm running the 'make' command. Thanks for any help.

I need the user, within the jail, to be bound ONLY to his home directory (/jail/user01) and nothing else.
I don't know if those dirs can be made invisible to the user since they contain files they need access to for the chroot to function. If your filesystem uses extended attributes then you could chattr =i -R those dirs. Then at least they would not be able to modify them. Any particular security-enhancing reason why you need this?


I tried to set the 'scponly' shell but I get an error message when I'm running the 'make' command.
Posting the actual errors could help.

Thanks for your reply. I looked around alot and it seems that not only all the files required by binaries need to be in the jail but also all of them are accessible to the user (as the user logs in using, say, sftp client, all the files need to be accessible to the client, say sftp, so the user will have access to them). The reason for wanting users to be bound ONLY to their home directories is that my users are freelancers/contractors and I don't want them to know about each other. It's a company policy thing. What I ended up doing is building separate jails for every user. I know it's a waste of resources but I have no other alternative. The other solution I'm looking into is to have the ssh restrict the 'cd' command. If you have any suggestions I'd greatly appreciate them.

As for the 'chattr', it's a great idea. Thanks. I'm going to make all the files immutable.

The following is the error message that I receive when I'm trying to 'make' scponly. Also, I need the root privileges when I'm configuring scponly. It's a little odd, I guess. Sorry for not posting this earlier.

linux:/home/tei/Desktop/xxx/temp/scponly-4.3 # make
gcc -g -O2 -I. -I. -DHAVE_CONFIG_H -DDEBUGFILE='"/usr/local/etc/scponly/debuglevel"' -o scponly scponly.o helper.o
helper.o(.text+0x8e5): In function `check_dangerous_args':
/home/tei/Desktop/xxx/temp/scponly-4.3/helper.c:163: undefined reference to `optreset'
collect2: ld returned 1 exit status
make: *** [scponly] Error 1

What I ended up doing is building separate jails for every user. I know it's a waste of resources but I have no other alternative. The other solution I'm looking into is to have the ssh restrict the 'cd' command.
If you're wasting resources on /bin binaries have a look at Busybox. While it doesn't handle esoteric flags it's good for daily use. For restrictions (haven't tried it myself) either Grsecurity's RBAC or something in the LSM should be able to restrict access: after all it's just a dir listing. Another (lame) way could be to hand out accountnames which can't be traced back to a name (date|sha1sum|cut -c 1-12|tr [a-z] [A-Z])?.


Also, I need the root privileges when I'm configuring scponly.
Hmm. Haven't noticed anything odd, and I build my packages as unprivved user.


scponly-4.3/helper.c:163: undefined reference to `optreset'
Getopt. See http://bugs.gentoo.org/show_bug.cgi?id=116526 for a patch.