Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here. |
Notices |
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
Are you new to LinuxQuestions.org? Visit the following links:
Site Howto |
Site FAQ |
Sitemap |
Register Now
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
|
|
02-02-2005, 12:27 AM
|
#1
|
LQ Newbie
Registered: Feb 2005
Distribution: RedHat 9
Posts: 2
Rep:
|
Jailed Home Dir
What would be the proper way to configure a user to be "jailed" in his home directory without having access to any other area of the filesystem? If anyone can point me in the direction of an article or simply explain the process i'd appreciate it, THANKS!
|
|
|
02-02-2005, 02:21 AM
|
#2
|
Senior Member
Registered: Jan 2004
Location: Slovenia
Distribution: Slackware 10.1, SLAX to the MAX :)
Posts: 1,040
Rep:
|
Once a user logs in, he is in his home directory. Change permissions to the /home directory according to the ones you need. I don't know if taking away the read and execute rights on the /home directory would still allow a user to be in his home directory. It would not allow him to go out of his directory for certain. So some other oppinions are welcome here.
|
|
|
02-03-2005, 12:05 AM
|
#3
|
Member
Registered: Oct 2003
Location: Planet Earth
Distribution: Slackware, LFS
Posts: 561
Rep:
|
If the user has shell access, ie logs in locally or remotely using SSH and etc, then you'd have to set a miniture environment for them inside the jail, complete with every program that you want them to have access to. That includes everything from the basic linux utilities like "ls" on up, as well as the shell (/bin/bash and etc) itself. Afterall, if they can not access /usr/bin and etc, then they can not possibly run a program that's within it. And a shell that provides nothing to the user is of no use that I can see. There are alot of projects around that simplify this for you, here's a couple:
http://www.jmcresearch.com/projects/jail/
http://olivier.sessink.nl/jailkit/
Also changing the permissions on their home directory will not accomplish this. They still have access to / and everything else where the permissions permit them access.
Anyway, at the end of the day you should ask yourself 1 simple question. Do I trust this person with shell access to my box? If the answer is no, then the best policy is to not give them access in the first place. That said, so long as you take measures to secure the box, taking into account that other people will have access to it, and you monitor their activity on it, then giving a freind access is not that big of deal in my opinion. For instance, my ISP still gives every single customer of theirs, from dialup customers on up, shell access on a high speed Red Hat machine.
|
|
|
02-04-2005, 08:28 AM
|
#4
|
Member
Registered: Jun 2002
Location: Netherlands - Amsterdam
Distribution: RedHat 9
Posts: 549
Rep:
|
I created a script to create chroot jails for a user which i have used on many redhat systems, maybe you can use it:
#!/bin/bash
USER="$2"
JAILDIRS="dev etc etc/pam.d bin home sbin usr usr/bin"
APPS="/bin/bash /bin/cp /bin/ls /bin/mkdir /bin/mv /bin/rm /bin/rmdir /bin/sh /bin/su /usr/bin/id /bin/cat /usr/bin/mysql /bin/chmod /bin/vi /usr/bin/less /usr/bin/scp"
createjail(){
# make common jail for everybody if inexistent
if [ ! -d "/home/$USER" ]
then
mkdir -p "/home/$USER"
echo "Creating /home/$USER"
else
echo -e "Creating jail failed!\n/home/$USER already exists"
sleep 1
exit 1
fi
cd /home/$USER
# Create /bin/chroot-shell (Shell for jailed accounts)
if [ ! -x "/bin/chroot-$USER" ]
then
echo "Creating /bin/chroot-$USER"
################################
echo -e "#!/bin/sh
if [ \"\$1\" = \"-c\" ]
then
sudo `which chroot` /home/\$USER /bin/su - \$USER -c /bin/bash \"\$@\"
else
sudo `which chroot` /home/\$USER /bin/su - \$USER
fi
exit 0" > /bin/chroot-$USER
################################
chmod 755 /bin/chroot-$USER
fi
# Create Directories in jail that do not exist yet
for directory in $JAILDIRS ; do
if [ ! -d "/home/$USER/$directory" ] ; then
mkdir "/home/$USER/$directory"
echo "Creating /home/$USER/$directory"
fi
done
# Copy the apps and the related libs
echo "Copying necessary library-files to jail (may take some time)"
for app in $APPS
do
cp -a $app .$app
# get list of necessary libraries
ldd $app > /dev/null
if [ "$?" = 0 ] ; then
LIBS=`ldd $app | awk '{ print $3 }'`
for lib in $LIBS
do
mkdir -p .`dirname $lib` > /dev/null 2>&1
cp $lib .$lib
done
fi
done
# xterm is needed for the "less" command
mkdir -p /home/$USER/usr/share/terminfo/x
cp /usr/share/terminfo/x/xterm /home/$USER/usr/share/terminfo/x
cp -r /etc/pam.d/* ./etc/pam.d/
cp /lib/libnss_compat.so.2 /lib/libnsl.so.1 /lib/libnss_files.so.2 ./lib/
cp -r /lib/security ./lib
echo "" > /home/$USER/usr/bin/clear
chmod 555 /home/$USER/usr/bin/clear
mknod /home/$USER/dev/urandom c 1 9
mknod /home/$USER/dev/tty c 5 0
mknod /home/$USER/dev/zero c 1 5
mknod /home/$USER/dev/null c 1 3
#needed for traceroute
cp /etc/protocols /home/$USER/etc/
cp /etc/services /home/$USER/etc/
}
addjailuser(){
cd /home/$USER
# Get accountname to create
HOMEDIR="/home/$USER/home/$USER"
echo
if [ ! -d "/home/$USER" ]
then
echo -e "Adding new user failed!\n/home/$USER does not exists"
exit 1
fi
# Exit if User exists
id $USER > /dev/null 2>&1 && { echo "User already exists."; sleep 1; exit 1; }
echo "Modifying /etc/sudoers"
echo "$USER ALL=NOPASSWD: /usr/sbin/chroot, /bin/su - $USER" >> /etc/sudoers
echo "Adding User \"$USER\" to system"
useradd -d "$HOMEDIR" -s "/bin/chroot-$USER" $USER
chmod 700 "$HOMEDIR"
# Enter password for new account
passwd $USER
# Create /usr/bin/groups in the jail
if [ ! -x "usr/bin/groups" ]
then
echo "#!/bin/bash" > usr/bin/groups
echo "id -Gn" >> usr/bin/groups
chmod 755 usr/bin/groups
fi
# Add users to etc/passwd
#
# check if file exists (ie we are not called for the first time)
# if yes skip root's entry and do not overwrite the file
if [ ! -f etc/passwd ]
then
grep /etc/passwd -e "^root" > etc/passwd
fi
if [ ! -f etc/group ]
then
grep /etc/group -e "^root" > etc/group
fi
# grep the Username, which was given to us, from /etc/passwd and add it
# to ./etc/passwd replacing the $HOME with the directory as it will then # appear in the jail
echo "Adding User $USER to jail"
grep /etc/passwd -e "^$USER" | \
sed -e s/\\/home\\/$USER\\/home\\//\\/home\\// \
-e s/\\/bin\\/chroot-$USER/\\/bin\\/bash/ >> etc/passwd
# if the systems uses the one account/one group system we write the
# account`s group to etc/group
grep /etc/group -e "^$USER:" >> etc/group
# write the User's line from /etc/shadow to /home/jail/etc/shadow
grep /etc/shadow -e "^$USER:" >> etc/shadow
chmod 400 /home/$USER/etc/shadow
}
addprogram(){
cd /home/$USER
if [ ! -d "/home/$USER" ]
then
echo -e "Adding new program failed!\n/home/$USER does not exists"
exit 1
fi
if [ -e ".$app" ]
then
echo -e "Program already exists in /home/$USER$app"
sleep 1
exit 1
fi
echo "Copying necessary library-files to jail (may take some time)"
mkdir -p .`dirname $app`
cp -a $app .$app
# get list of necessary libraries
ldd $app > /dev/null
if [ "$?" = 0 ]
then
LIBS=`ldd $app | awk '{ print $3 }'`
for lib in $LIBS
do
if [ -e "/home/$USER$lib" ]
then
echo "/home/$USER$lib already exists"
else
echo "Copying $lib"
mkdir -p .`dirname $lib` > /dev/null 2>&1
cp $lib .$lib
fi
done
fi
}
case "$1" in
-[uU])
createjail
addjailuser
;;
-[pP])
app="$3"
addprogram
;;
*)
echo "Error: Parameter missing"
echo
echo " Creating new chrooted account:"
echo " Usage: $0 -u username"
echo
echo " Copy program to jail environment"
echo " Usage: $0 -p username /full/path/to/program"
echo
echo " To uninstall: # userdel \$USER"
echo " # rm -rf /home/jail"
echo " delete the User's line from /etc/sudoers"
;;
esac
exit 0
#p
|
|
|
02-13-2005, 06:26 PM
|
#5
|
LQ Newbie
Registered: Jan 2005
Location: Belgium
Posts: 5
Rep:
|
i used your script, no errors while it ran, but when i do su test i get:
/usr/sbin/chroot: cannot run command `/bin/su': No such file or directory
/home/test/bin:
-rwsr-xr-x 1 root root 52770 Oct 5 17:50 su
/etc/passwd:
test:x:502:502::/home/test/home/test:/bin/chroot-test
/home/test/etc/passwd:
test:x:502:502::/home/test:/bin/bash
|
|
|
02-14-2005, 06:13 AM
|
#6
|
Member
Registered: Jun 2002
Location: Netherlands - Amsterdam
Distribution: RedHat 9
Posts: 549
Rep:
|
I think your "su" is not in the /bin directory.
Type "which su", if su is in a different directory then you will have to adjust /bin/chroot-test
|
|
|
02-14-2005, 07:26 AM
|
#7
|
LQ Newbie
Registered: Jan 2005
Location: Belgium
Posts: 5
Rep:
|
[root@server map]# which su
/bin/su
[root@server map]#
:/
|
|
|
02-14-2005, 08:34 AM
|
#8
|
Member
Registered: Jun 2002
Location: Netherlands - Amsterdam
Distribution: RedHat 9
Posts: 549
Rep:
|
Does su work with other users? What is the output of "ls -al /bin/su"?
And can you try to login as root with "/bin/su - test"
|
|
|
02-14-2005, 08:47 AM
|
#9
|
LQ Newbie
Registered: Jan 2005
Location: Belgium
Posts: 5
Rep:
|
[root@server ~]# ls -al /bin/su
-rwsr-xr-x 1 root root 52770 Oct 5 17:50 /bin/su
[root@server ~]# /bin/su - test
/usr/sbin/chroot: cannot run command `/bin/su': No such file or directory
|
|
|
06-19-2010, 06:34 AM
|
#10
|
Senior Member
Registered: Jun 2007
Location: E.U., Mountains :-)
Distribution: Debian, Etch, the greatest
Posts: 2,561
Rep:
|
The command says:
Code:
chroot-shell
/usr/sbin/chroot: failed to run command `/bin/su': No such file or directory
|
|
|
06-19-2010, 07:51 AM
|
#11
|
LQ Guru
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870
|
frenchn00b, please don't resurrect dead threads.
Help us keep LQSEC as zombie-free as possible. Thread closed.
|
|
|
All times are GMT -5. The time now is 11:27 PM.
|
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
|
Latest Threads
LQ News
|
|