LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 07-15-2003, 05:39 AM   #1
demonicbnewbie
LQ Newbie
 
Registered: May 2003
Distribution: Mandrake
Posts: 10

psyBNC and chroot


Hi..

I used jailroot to create a chroot that I could allow users to connect to using SSH. I included on their home space, the psybnc tar.gz and an unzipped version.

Problem is I want the users to be able to 'make' the psybnc once they have made changes, atm I only get error messages when I try to make it..

Does anyone know what libs and progs I need to install to allow make to run correctly in the chroot? Bear in mind that I want as little as possible in the chroot, as I feel they only need to make the bnc and launch it..

Any help or suggestions would be greatly appreciated.

Thanks
 
Old 07-15-2003, 07:25 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

First of all, using an app to perform chroot is in itself useful, but does not give you full coverage of the security issues. Patching your kernel with grsecurity(.org)'s *will* make a difference. You'll get extra protection measures, intensive logging of whatever happens within a chroot and auditing capabilities. You'll need that if you allow remotes to "play" in your chrooted areas.

You'll also have to remind yourself what a chroot actually is for and how it can be broken. Providing a compiler and development packages IS NOT a good thing to do unless you want to provide people with opportunities to compile ANYTHING: you can't control that.
Since we're talking shell accounts here you will also want to set up strict user limits (/etc/security/limits.conf) to guard against resource hogging and run a background process daemon.
If you still want to allow them compiling anything, and you trust them, ask yourself WHY are you chrooting them in the first place?..

You could make a workaround that would involve having a separate chroot account where you install the compiler and development libs and add an obscure PAM module called PAM_make (or something like that) or a script that will only compile psy. Let them scp the tarball in, verify the source against a known-good one, compile, notify/scp to a holding area for retrieval.

Another workaround would be to provide them with a (SSL) web interface where people can submit their values which gets sanitized and sedded into a generic psy source you control and verified clean of malicious code, compiled and scp'ed to a holding area for retrieval.

Main thing to notice wrt security is that with any workaround you'll be weakening your boxen's security posture and you should ask yourself if it is really necessary and what the implications could be.
Luckily you're in the right forum for that.
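As an added illustration of the /etc/security/limits.conf point above (this is not part of unSpawn's post, and the group name @shellusers is a made-up example), a set of hard limits for chrooted shell users might look like this:

```text
# /etc/security/limits.conf (constructed example)
# <domain>     <type>  <item>      <value>
# max processes per user: blunts fork bombs
@shellusers    hard    nproc       20
# max file size in KB: stops disk filling
@shellusers    hard    fsize       51200
# no core dumps in the chroot
@shellusers    hard    core        0
# concurrent logins per user
@shellusers    hard    maxlogins   2
# CPU time per process, in minutes
@shellusers    hard    cpu         30
# address space per process, in KB
@shellusers    hard    as          65536
```

These only take effect for sessions whose PAM stack includes pam_limits.so (a `session required pam_limits.so` line for sshd), so check the sshd PAM config after editing the file, and test by logging in as a member of the group and running `ulimit -a`.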
 
Old 07-15-2003, 07:47 AM   #3
demonicbnewbie
LQ Newbie
 
Registered: May 2003
Distribution: Mandrake
Posts: 10

Original Poster
Firstly, thanks for the in-depth answer. One of my favourite things about linux is/are the communities.

Quote:
You'll also have to remind you what a chroot actually is for and how it can be broken. Providing a compiler and development packages IS NOT a good thing to do unless you want to provide people with opportunities to compile ANYTHING: you can't control that.
Okay you've made a very valid point, one which I hadn't considered well enough. Could I not restrict access to web browsers and ftp and only supply them the psybnc.tar.gz... that way they'd only be able to compile the psybnc and nothing more?

Would that help?

The reason for the tight security is to try and deter the idiots who decide that attacking my box would be amusing. I understand that there's no way you can stop a determined hacker, but you can at least put the n00bies off using security measures.

Also thanks for giving me a nudge in the right direction concerning resource hogging etc as I will have to approach that as soon as I am finished with the shell access.

Quote:
You could make a workaround that would involve having a separate chroot account where you install the compiler and development libs and add an obscure PAM module called PAM_make (or something like that) or a script that will only compile psy. Let them scp the tarball in, verify the source against a known-good one, compile, notify/scp to a holding area for retrieval.
I'm not entirely with you on this comment (forgive me I am still very new to all this). So I could setup a chroot account which is designed only to compile the psybnc code? How would I create the script that would only compile psybnc? When you say a 'holding area' what do you mean?

The other option of creating a ssl web interface is beyond my skills and I wouldn't know where to start.

Thanks for your help and yes I do understand what you're saying about workarounds weakening the system. It's a stand off between what people want and what you can risk to give..

ps. I'm using rc.firewall - 2.0rc9 and avast 4.0 (daemon).. are these any good?

Last edited by demonicbnewbie; 07-15-2003 at 07:48 AM.
 
Old 07-15-2003, 12:36 PM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Quote:
Firstly, thanks for the in-depth answer. One of my favourite things about linux is/are the communities.
If you like LQ, please vote for us at JL.


Quote:
Could I not restrict access to web browsers and ftp and only supply them the psybnc.tar.gz... that way they'd only be able to compile the psybnc and nothing more?
Yes, you're right: you could not :-]
I thought I read you're talking on the subject of shell accounts? How would you restrict them from downloading (read links,lynx,wget,HTTP PUT,ftp, scp,sftp) another tarball, compiling and running it? And I'm not even talking about exploiting conditions, like have ftp put something somewhere on the filesystem if you're not using Vsftp with chrooted users.

Quote:
The reason for the tight security is to try and deter the idiots who decide that attacking my box would be amusing. I understand that there's no way you can stop a determined hacker, but you can at least put the n00bies off using security measures.
Where do I sign up for an account? :-]
Seriously, how would you be able to define what a newbie's capabilities are, and that at a time when you're not even done securing the base system? First take care of that I'd say.
I know, it seems a "daunting task" to do, and there's lotsa things under the sun you'll not be looking at, but take for instance simple measures you can provide like GRsecurity's TPE (trusted path execution). If I put a binary in /tmp (and it's mounted ro,noexec,nodev,nosuid) ld-linux.so might let you execute it. With TPE it just won't...


Quote:
Also thanks for giving me a nudge in the right direction concerning resource hogging etc as I will have to approach that as soon as I am finished with the shell access.
Please don't make the mistake of prioritizing things in reverse.
First harden, secure the system itself, then secure the system users and daemons, the wetware comes after that.
Next to the first sticky thread, which may seem a bit overkill at a first glance, this thread touches on the basics, like many other threads here in Linux - Security, just browse a few pages back and read.


Quote:
So I could setup a chroot account which is designed only to compile the psybnc code? How would I create the script that would only compile psybnc? When you say a 'holding area' what do you mean?
I'd envision it goes something like this.
Make a regular chroot. Put in the gcc development packages.
Let user have a passphrase-less SSH account, and make it not execute login, but a script, run from a static shell. Busybox provides a good compact one, including most "std" tools.
Chattr +iu everything outside /home/user. In /home/user make a dir where the psy source will live and chattr +iu. Make a compilation dir and link in the source tree from the psy source dir except the files where people are allowed to make modifications for.

Now the fun part should go like this. User logs in, script gets executed asking for changes. If ok, save changes and logout user.
Validate input, sed, awk, copy changed files to compilation dir, do the compile limbo, tarball it up, including stuff they would want like the salt etc etc., and move to a place where they can download it, like your ftp server, IOW a holding area.

The *real* fun part should be making the input validation script, because there'll be a few who will try to see if they can sneak in commands or other stuff you don't want. If you find that is the case, stop parsing, suspend and remove their account. Simple.
Making the script shouldn't be hard, depending on what exactly needs changing. If you're willing to make a little project out of it and document it in a way other people at LQ can reuse it later on, I'm willing to help you write the script parts. Well, I'd be willing to help anyway, but a well-documented solution (doesn't need to be more than 2 pages) should earn your work a spot on linuxanswers.org as well if that counts as an incentive...


Quote:
The other option of creating a ssl web interface is beyond my skills and I wouldn't know where to start.
Apache-SSL and a Perl script (by a Perl pro) most likely.


Quote:
It's a stand off between what people want and what you can risk to give..
It'll only be a standoff if you take care of the system first, and then the users. Else it'll be an onslaught, a carnage, killing fields where the only Wailing and Gnashing of Teeth will be yours, or at least it'll be like leaving home w/o your pants or djebellah on (provided you're part of a society that supports, and is committed to, the general idea of clothing and you are accustomed to wearing any).

Good indications to look at for the project heading that way are phrases like "I'll look into it", "I'll do that after <excuse>", "but I first need to get <excuse> done NOW", "that's too much hassle", "that won't happen" and "but I've got (a firewall|portsentry|distro X)".

---
Vote for LQ at Linuxjournal.com!
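The "user logs in, script gets executed asking for changes, validate input, sed, copy to compilation dir" flow unSpawn sketches above, as an added example that is not code from the thread or from the psyBNC project. It is the script sshd would run instead of a login shell for the restricted account. The function names (validate_token, validate_port, render_config, ask_and_render), the @NICK@/@PORT@ placeholders and the template keys are all constructed for illustration; the template is not verified psybnc.conf syntax, it stands in for whatever admin-controlled file the user values get sedded into. The compile-and-tarball step that follows is left out because it depends entirely on the local layout.

```shell
#!/bin/sh
# Forced-command script for a restricted SSH account (constructed example).
# The user never gets a shell: this script asks for a few values, checks each
# one against a strict whitelist, and renders them into a template the admin
# controls. Whitelisting (what IS allowed) rather than blacklisting (what is
# forbidden) is what makes the later sed substitution safe to run.

# Admin-controlled template. Only the placeholders are ever replaced.
# (Constructed keys; check the real config format before reusing.)
TEMPLATE='PSYBNC.SYSTEM.PORT1=@PORT@
PSYBNC.SYSTEM.HOST1=*
USER1.USER.LOGIN=@NICK@
USER1.USER.NICK=@NICK@'

# A token is 1..32 characters from [A-Za-z0-9_-]. Everything else
# (spaces, ; $ ` / & \ and so on) is rejected outright.
validate_token() {
    case "$1" in
        '' | *[!A-Za-z0-9_-]*) return 1 ;;
    esac
    [ "${#1}" -le 32 ]
}

# A port is digits only and in the unprivileged range 1024..65535.
# The length check runs first so an absurdly long digit string never
# reaches the arithmetic comparison.
validate_port() {
    case "$1" in
        '' | *[!0-9]*) return 1 ;;
    esac
    [ "${#1}" -le 5 ] && [ "$1" -ge 1024 ] && [ "$1" -le 65535 ]
}

# render_config NICK PORT: print the rendered template on success, or print
# nothing and return 1 if either value fails validation. Because the values
# are whitelisted they cannot contain the sed delimiter, & or a backslash,
# so the substitution cannot be hijacked.
render_config() {
    nick=$1
    port=$2
    validate_token "$nick" || return 1
    validate_port "$port" || return 1
    printf '%s\n' "$TEMPLATE" | sed -e "s/@NICK@/$nick/g" -e "s/@PORT@/$port/g"
}

# Interactive front end run by sshd: read two lines from the session and
# either emit the rendered config or reject. On rejection it logs to stderr
# and returns 2; the "stop parsing, suspend the account" policy from the
# thread would hook in at that point.
ask_and_render() {
    printf 'Nick: ' >&2
    read -r nick || return 2
    printf 'Port: ' >&2
    read -r port || return 2
    if ! render_config "$nick" "$port"; then
        echo "rejected: input failed whitelist check" >&2
        return 2
    fi
}
```

Wire it up with a `command="/path/to/this-script"` option on the account's authorized_keys entry (or as the account's login shell) so the user cannot bypass it, and send the rendered output to the compilation directory rather than to the user. The key design choice is that every value is validated before any of it touches sed; adding a new field means adding one more validate_* function with its own whitelist, never loosening an existing one.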
 
Old 07-17-2003, 04:07 PM   #5
demonicbnewbie
LQ Newbie
 
Registered: May 2003
Distribution: Mandrake
Posts: 10

Original Poster
Okay thanks for the reply and information. Sorry I haven't responded earlier, don't have the time I used to have when I was a student.

Quote:
thought I read you're talking on the subject of shell accounts? How would you restrict them from downloading (read links,lynx,wget,HTTP PUT,ftp, scp,sftp) another tarball, compiling and running it? And I'm not even talking about exploiting conditions, like have ftp put something somewhere on the filesystem if you're not using Vsftp with chrooted users.
Regarding the above. I think I was being a bit naive, thinking I could remove the ftp, lynx programs from the chroot as they could just as easily use a program like WINSCP2 which allows you to transfer files easily using SSH ports.

So I accept its not a wise idea to allow the users access to download and make their own programs. In fact it would be disastrous as they could exploit it.


Quote:
I know, it seems a "daunting task" to do, and there's lotsa things under the sun you'll not be looking at, but take for instance simple measures you can provide like GRsecurity's TPE (trusted path execution). If I put a binary in /tmp (and it's mounted ro,noexec,nodev,nosuid) ld-linux.so might let you execute it. With TPE it just won't...
I'll get onto this straight away and get it installed asap.. Thanks for the recommendation.


Quote:
Let user have a passphrase-less SSH account, and make it not execute login, but a script, run from a static shell. Busybox provide a good compact one, including most "std" tools.
K just checking, but I think what you're saying is I create a generic logon and chroot just to update the psybnc. They logon to it and it runs a script asking for their new details (there's a make menuconfig prog already with the bnc, could I use that) and then re-compiles the new bnc, compresses it and places it in a public place. I assume they download it and re-upload it to their space and then untar it and they have their new bnc settings...

Now I've never done any scripting in linux so I'll have to read about it, and will probably have problems, so if you don't mind I might have to 'bug' you if I get too stuck...

If anything that I said, you feel is incorrect let me know...

Thanks
James
 