What would be the proper way to configure a user to be "jailed" in his home directory without having access to any other area of the filesystem? If anyone can point me in the direction of an article or simply explain the process i'd appreciate it, THANKS!

Once a user logs in, he is in his home directory. Change permissions to the /home directory according to the ones you need. I don't know if taking away the read and execute rights on the /home directory would still allow a user to be in his home directory. It would not allow him to go out of his directory for certain. So some other oppinions are welcome here.

If the user has shell access, ie logs in locally or remotely using SSH and etc, then you'd have to set a miniture environment for them inside the jail, complete with every program that you want them to have access to. That includes everything from the basic linux utilities like "ls" on up, as well as the shell (/bin/bash and etc) itself. Afterall, if they can not access /usr/bin and etc, then they can not possibly run a program that's within it. And a shell that provides nothing to the user is of no use that I can see. There are alot of projects around that simplify this for you, here's a couple:
http://www.jmcresearch.com/projects/jail/
http://olivier.sessink.nl/jailkit/

Also changing the permissions on their home directory will not accomplish this. They still have access to / and everything else where the permissions permit them access.

Anyway, at the end of the day you should ask yourself 1 simple question. Do I trust this person with shell access to my box? If the answer is no, then the best policy is to not give them access in the first place. That said, so long as you take measures to secure the box, taking into account that other people will have access to it, and you monitor their activity on it, then giving a freind access is not that big of deal in my opinion. For instance, my ISP still gives every single customer of theirs, from dialup customers on up, shell access on a high speed Red Hat machine.

I created a script to create chroot jails for a user which i have used on many redhat systems, maybe you can use it:



#!/bin/bash

USER="$2"

JAILDIRS="dev etc etc/pam.d bin home sbin usr usr/bin"
APPS="/bin/bash /bin/cp /bin/ls /bin/mkdir /bin/mv /bin/rm /bin/rmdir /bin/sh /bin/su /usr/bin/id /bin/cat /usr/bin/mysql /bin/chmod /bin/vi /usr/bin/less /usr/bin/scp"



createjail(){
# make common jail for everybody if inexistent
if [ ! -d "/home/$USER" ]
then
mkdir -p "/home/$USER"
echo "Creating /home/$USER"
else
echo -e "Creating jail failed!\n/home/$USER already exists"
sleep 1
exit 1
fi

cd /home/$USER

# Create /bin/chroot-shell (Shell for jailed accounts)
if [ ! -x "/bin/chroot-$USER" ]
then
echo "Creating /bin/chroot-$USER"
################################
echo -e "#!/bin/sh

if [ \"\$1\" = \"-c\" ]
then
sudo `which chroot` /home/\$USER /bin/su - \$USER -c /bin/bash \"\$@\"
else
sudo `which chroot` /home/\$USER /bin/su - \$USER
fi

exit 0" > /bin/chroot-$USER
################################
chmod 755 /bin/chroot-$USER
fi

# Create Directories in jail that do not exist yet
for directory in $JAILDIRS ; do
if [ ! -d "/home/$USER/$directory" ] ; then
mkdir "/home/$USER/$directory"
echo "Creating /home/$USER/$directory"
fi
done

# Copy the apps and the related libs
echo "Copying necessary library-files to jail (may take some time)"
for app in $APPS
do
cp -a $app .$app

# get list of necessary libraries
ldd $app > /dev/null
if [ "$?" = 0 ] ; then
LIBS=`ldd $app | awk '{ print $3 }'`
for lib in $LIBS
do
mkdir -p .`dirname $lib` > /dev/null 2>&1
cp $lib .$lib
done
fi
done

# xterm is needed for the "less" command
mkdir -p /home/$USER/usr/share/terminfo/x
cp /usr/share/terminfo/x/xterm /home/$USER/usr/share/terminfo/x

cp -r /etc/pam.d/* ./etc/pam.d/
cp /lib/libnss_compat.so.2 /lib/libnsl.so.1 /lib/libnss_files.so.2 ./lib/
cp -r /lib/security ./lib
echo "" > /home/$USER/usr/bin/clear
chmod 555 /home/$USER/usr/bin/clear

mknod /home/$USER/dev/urandom c 1 9
mknod /home/$USER/dev/tty c 5 0
mknod /home/$USER/dev/zero c 1 5
mknod /home/$USER/dev/null c 1 3

#needed for traceroute
cp /etc/protocols /home/$USER/etc/
cp /etc/services /home/$USER/etc/
}

addjailuser(){
cd /home/$USER
# Get accountname to create
HOMEDIR="/home/$USER/home/$USER"

echo

if [ ! -d "/home/$USER" ]
then
echo -e "Adding new user failed!\n/home/$USER does not exists"
exit 1
fi

# Exit if User exists
id $USER > /dev/null 2>&1 && { echo "User already exists."; sleep 1; exit 1; }

echo "Modifying /etc/sudoers"
echo "$USER ALL=NOPASSWD: /usr/sbin/chroot, /bin/su - $USER" >> /etc/sudoers


echo "Adding User \"$USER\" to system"
useradd -d "$HOMEDIR" -s "/bin/chroot-$USER" $USER
chmod 700 "$HOMEDIR"

# Enter password for new account
passwd $USER

# Create /usr/bin/groups in the jail
if [ ! -x "usr/bin/groups" ]
then
echo "#!/bin/bash" > usr/bin/groups
echo "id -Gn" >> usr/bin/groups
chmod 755 usr/bin/groups
fi

# Add users to etc/passwd
#
# check if file exists (ie we are not called for the first time)
# if yes skip root's entry and do not overwrite the file
if [ ! -f etc/passwd ]
then
grep /etc/passwd -e "^root" > etc/passwd
fi
if [ ! -f etc/group ]
then
grep /etc/group -e "^root" > etc/group
fi


# grep the Username, which was given to us, from /etc/passwd and add it
# to ./etc/passwd replacing the $HOME with the directory as it will then # appear in the jail
echo "Adding User $USER to jail"
grep /etc/passwd -e "^$USER" | \
sed -e s/\\/home\\/$USER\\/home\\//\\/home\\// \
-e s/\\/bin\\/chroot-$USER/\\/bin\\/bash/ >> etc/passwd

# if the systems uses the one account/one group system we write the
# account`s group to etc/group
grep /etc/group -e "^$USER:" >> etc/group

# write the User's line from /etc/shadow to /home/jail/etc/shadow
grep /etc/shadow -e "^$USER:" >> etc/shadow
chmod 400 /home/$USER/etc/shadow
}


addprogram(){
cd /home/$USER

if [ ! -d "/home/$USER" ]
then
echo -e "Adding new program failed!\n/home/$USER does not exists"
exit 1
fi

if [ -e ".$app" ]
then
echo -e "Program already exists in /home/$USER$app"
sleep 1
exit 1
fi

echo "Copying necessary library-files to jail (may take some time)"
mkdir -p .`dirname $app`
cp -a $app .$app

# get list of necessary libraries
ldd $app > /dev/null
if [ "$?" = 0 ]
then
LIBS=`ldd $app | awk '{ print $3 }'`
for lib in $LIBS
do
if [ -e "/home/$USER$lib" ]
then
echo "/home/$USER$lib already exists"
else
echo "Copying $lib"
mkdir -p .`dirname $lib` > /dev/null 2>&1
cp $lib .$lib
fi
done
fi
}


case "$1" in
-[uU])
createjail
addjailuser
;;
-[pP])
app="$3"
addprogram
;;
*)
echo "Error: Parameter missing"
echo
echo " Creating new chrooted account:"
echo " Usage: $0 -u username"
echo
echo " Copy program to jail environment"
echo " Usage: $0 -p username /full/path/to/program"
echo
echo " To uninstall: # userdel \$USER"
echo " # rm -rf /home/jail"
echo " delete the User's line from /etc/sudoers"
;;
esac


exit 0

#p

i used your script, no errors while it ran, but when i do su test i get:

/usr/sbin/chroot: cannot run command `/bin/su': No such file or directory

/home/test/bin:
-rwsr-xr-x 1 root root 52770 Oct 5 17:50 su

/etc/passwd:
test:x:502:502::/home/test/home/test:/bin/chroot-test

/home/test/etc/passwd:
test:x:502:502::/home/test:/bin/bash

I think your "su" is not in the /bin directory.
Type "which su", if su is in a different directory then you will have to adjust /bin/chroot-test

[root@server map]# which su
/bin/su
[root@server map]#

:/

Does su work with other users? What is the output of "ls -al /bin/su"?
And can you try to login as root with "/bin/su - test"

[root@server ~]# ls -al /bin/su
-rwsr-xr-x 1 root root 52770 Oct 5 17:50 /bin/su

[root@server ~]# /bin/su - test
/usr/sbin/chroot: cannot run command `/bin/su': No such file or directory

The command says:

frenchn00b, please don't resurrect dead threads.

Help us keep LQSEC as zombie-free as possible. Thread closed.