What would be the proper way to configure a user to be "jailed" in his home directory without having access to any other area of the filesystem? If anyone can point me in the direction of an article or simply explain the process I'd appreciate it, THANKS!
Once a user logs in, he is in his home directory. Change permissions to the /home directory according to the ones you need. I don't know if taking away the read and execute rights on the /home directory would still allow a user to be in his home directory. It would not allow him to go out of his directory for certain. So some other opinions are welcome here.
If the user has shell access, i.e. logs in locally or remotely using SSH etc., then you'd have to set up a miniature environment for them inside the jail, complete with every program that you want them to have access to. That includes everything from the basic Linux utilities like "ls" on up, as well as the shell (/bin/bash etc.) itself. After all, if they cannot access /usr/bin etc., then they cannot possibly run a program that's within it. And a shell that provides nothing to the user is of no use that I can see. There are a lot of projects around that simplify this for you, here's a couple: http://www.jmcresearch.com/projects/jail/ http://olivier.sessink.nl/jailkit/
Also changing the permissions on their home directory will not accomplish this. They still have access to / and everything else where the permissions permit them access.
Anyway, at the end of the day you should ask yourself 1 simple question. Do I trust this person with shell access to my box? If the answer is no, then the best policy is to not give them access in the first place. That said, so long as you take measures to secure the box, taking into account that other people will have access to it, and you monitor their activity on it, then giving a friend access is not that big of a deal in my opinion. For instance, my ISP still gives every single customer of theirs, from dialup customers on up, shell access on a high speed Red Hat machine.
createjail(){
    # make common jail for everybody if it does not exist yet
    if [ ! -d "/home/$USER" ]
    then
        mkdir -p "/home/$USER"
        echo "Creating /home/$USER"
    else
        echo -e "Creating jail failed!\n/home/$USER already exists"
        sleep 1
        exit 1
    fi
    cd /home/$USER

    # Create /bin/chroot-$USER (login shell for the jailed account)
    if [ ! -x "/bin/chroot-$USER" ]
    then
        echo "Creating /bin/chroot-$USER"
        ################################
        # `which chroot` is expanded now; \$USER and \$@ are expanded at login
        echo -e "#!/bin/sh
if [ \"\$1\" = \"-c\" ]
then
sudo `which chroot` /home/\$USER /bin/su - \$USER -c /bin/bash \"\$@\"
else
sudo `which chroot` /home/\$USER /bin/su - \$USER
fi
exit 0" > /bin/chroot-$USER
        ################################
        chmod 755 /bin/chroot-$USER
    fi

    # Create directories in jail that do not exist yet
    for directory in $JAILDIRS ; do
        if [ ! -d "/home/$USER/$directory" ] ; then
            mkdir "/home/$USER/$directory"
            echo "Creating /home/$USER/$directory"
        fi
    done

    # Copy the apps and the related libs
    echo "Copying necessary library-files to jail (may take some time)"
    for app in $APPS
    do
        cp -a $app .$app
        # get list of necessary libraries
        ldd $app > /dev/null
        if [ "$?" = 0 ] ; then
            LIBS=`ldd $app | awk '{ print $3 }'`
            for lib in $LIBS
            do
                mkdir -p .`dirname $lib` > /dev/null 2>&1
                cp $lib .$lib
            done
        fi
    done

    # the xterm terminfo entry is needed for the "less" command
    mkdir -p /home/$USER/usr/share/terminfo/x
    cp /usr/share/terminfo/x/xterm /home/$USER/usr/share/terminfo/x

    echo "Adding User \"$USER\" to system"
    useradd -d "$HOMEDIR" -s "/bin/chroot-$USER" $USER
    chmod 700 "$HOMEDIR"
    # Enter password for new account
    passwd $USER

    # Create /usr/bin/groups in the jail
    if [ ! -x "usr/bin/groups" ]
    then
        echo "#!/bin/bash" > usr/bin/groups
        echo "id -Gn" >> usr/bin/groups
        chmod 755 usr/bin/groups
    fi

    # Add users to etc/passwd
    #
    # check if file exists (ie we are not called for the first time)
    # if yes skip root's entry and do not overwrite the file
    if [ ! -f etc/passwd ]
    then
        grep /etc/passwd -e "^root" > etc/passwd
    fi
    if [ ! -f etc/group ]
    then
        grep /etc/group -e "^root" > etc/group
    fi

    # grep the Username, which was given to us, from /etc/passwd and add it
    # to ./etc/passwd replacing the $HOME with the directory as it will then
    # appear in the jail
    echo "Adding User $USER to jail"
    # anchor on "name:" so accounts that merely start with $USER are not copied
    grep /etc/passwd -e "^$USER:" | \
        sed -e s/\\/home\\/$USER\\/home\\//\\/home\\// \
            -e s/\\/bin\\/chroot-$USER/\\/bin\\/bash/ >> etc/passwd

    # if the systems uses the one account/one group system we write the
    # account's group to etc/group
    grep /etc/group -e "^$USER:" >> etc/group

    # write the User's line from /etc/shadow to /home/jail/etc/shadow
    grep /etc/shadow -e "^$USER:" >> etc/shadow
    chmod 400 /home/$USER/etc/shadow
}
addprogram(){
    # make sure the jail exists before changing into it
    if [ ! -d "/home/$USER" ]
    then
        echo -e "Adding new program failed!\n/home/$USER does not exist"
        exit 1
    fi
    cd /home/$USER
    if [ -e ".$app" ]
    then
        echo -e "Program already exists in /home/$USER$app"
        sleep 1
        exit 1
    fi
    echo "Copying necessary library-files to jail (may take some time)"
    mkdir -p .`dirname $app`
    cp -a $app .$app
    # get list of necessary libraries
    ldd $app > /dev/null
    if [ "$?" = 0 ]
    then
        LIBS=`ldd $app | awk '{ print $3 }'`
        for lib in $LIBS
        do
            if [ -e "/home/$USER$lib" ]
            then
                echo "/home/$USER$lib already exists"
            else
                echo "Copying $lib"
                mkdir -p .`dirname $lib` > /dev/null 2>&1
                cp $lib .$lib
            fi
        done
    fi
}
case "$1" in
    -[uU])
        createjail
        addjailuser
        ;;
    -[pP])
        app="$3"
        addprogram
        ;;
    *)
        echo "Error: Parameter missing"
        echo
        echo " Creating new chrooted account:"
        echo " Usage: $0 -u username"
        echo
        echo " Copy program to jail environment"
        echo " Usage: $0 -p username /full/path/to/program"
        echo
        echo " To uninstall: # userdel \$USER"
        echo " # rm -rf /home/jail"
        echo " delete the User's line from /etc/sudoers"
        ;;
esac
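
An added example, not part of the original post: the script above takes field 3 of every `ldd` line, which skips the dynamic loader (listed with its path in field 1) and picks up non-paths from the vdso and "not found" lines, so jailed binaries can fail to start. The function names, the `copy_libs_to_jail` helper and the sample `ldd` output are constructed for illustration.

```shell
#!/bin/sh
# ldd prints four line shapes:
#   libc.so.6 => /lib/.../libc.so.6 (0x...)   path is field 3
#   /lib64/ld-linux-x86-64.so.2 (0x...)       path is field 1 (the loader)
#   linux-vdso.so.1 (0x...)                   kernel-provided, no file to copy
#   libfoo.so.1 => not found                  unresolved dependency

jail_libs() {
    # Reads ldd output on stdin, prints each absolute library path once.
    awk '
        $2 == "=>" && $3 ~ /^\// { print $3; next }   # resolved library
        $1 ~ /^\//               { print $1; next }   # dynamic loader
    ' | LC_ALL=C sort -u
}

missing_libs() {
    # Prints the names ldd could not resolve, so the caller can stop early.
    awk '$2 == "=>" && $3 == "not" { print $1 }'
}

copy_libs_to_jail() {
    # $1 = program path, $2 = jail root (hypothetical helper, run as root)
    ldd "$1" | jail_libs | while read -r lib; do
        mkdir -p "$2$(dirname "$lib")"
        cp -L "$lib" "$2$lib"      # -L copies the file a symlink points to
    done
}

# Constructed sample of ldd output for a dynamically linked shell
SAMPLE_LDD='	linux-vdso.so.1 (0x00007ffd1a5f2000)
	libtinfo.so.6 => /lib/x86_64-linux-gnu/libtinfo.so.6 (0x00007f1c2a400000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f1c2a200000)
	libexample.so.1 => not found
	/lib64/ld-linux-x86-64.so.2 (0x00007f1c2a600000)'

# Demo on the constructed sample: prints the three paths a jail would need
printf '%s\n' "$SAMPLE_LDD" | jail_libs
```
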