Chroot jail
Hi there!
I'm trying to set up a shell server to host eggdrop. I want it to be secure for me :P so that nobody can access all the files on my computer. I found out that I could do this with a "chroot jail" but I can't manage to create one :( Here's what I did and the error it gave me:

    bash-> chroot /home/test/
    chroot: cannot execute /bin/bash: No such file or directory

:confused: Can someone here help me... I tried the 2 progs JailTool (http://www.westfalen.de/~gb/) and Jail Chroot Project (http://www.gsyc.inf.uc3m.es/~assman/jail/)
Thanks
do you have an executable file at that location?
    /home/test/bin/bash
Well I have the executable in my real /bin/bash
I tried to make a "ln -s /bin" in /home/test/, didn't work, it says:

    chroot: cannot execute /bin/bash:: Too many levels of symbolic links

I then tried to "cp /bin/bash /home/test/bin", didn't work :(

    chroot: cannot execute /bin/bash: No such file or directory
Well what about the libraries for /bin/bash? Did you copy them also? To find out what libraries you need:
    ldd /bin/bash
Links will never work if they point outside the chroot jail.
If you chroot to /home/test and /home/test/bin is a symlink to /bin in the real filesystem you'll end up having a loop, since within the chroot /bin is /home/test/bin in your fs. The point of chroot is to set / at a different level, in your case /home/test. The point is to not be able to reach out of /home/test, being / in the chroot, at all. So below /home/test you have to have all the binaries you want to execute and all the libraries they need to do so. Additionally you need the config files for the apps you want to use there. As Markus said, ldd is your friend to figure out which libraries are needed.
What you said worked perfectly I can now set up chroot jail
The thing is I'd like to be able to use the chroot jail when someone logs in to my ssh server. I tried this http://tjw.org/chroot-login-HOWTO/ but it doesn't work... it gives me an error when I log in with the user that uses the chrooted jail (in this case the user peon). It runs the sudo .... command but the result is simply:

    Sorry

Thanks for helping me out here
I can't get the chrooted environment to work when I ssh to my server :(
I also tried this http://chrootssh.sourceforge.net/ but still no result. Does someone have an idea?
copy files so as to mirror essential files inside chroot (and avoid outside links)
Better late than never (because I was searching for help on this and I like this forum; i.e. want to share knowledge because I'm looking for it too). I would agree with dazk about the symbolic links: *copy* essential files over so as to mirror where they would relatively be, like for lenny, a simple start would be:
    sudo apt-get install libpam-chroot
    sudo pico /etc/security/chroot.conf
        (then add a line like "username /home/chroot", ctrl "x", "y", enter)
    sudo pico /etc/pam.d/common-session
        (then add "session required pam_chroot.so")
    sudo mkdir /home/chroot
    sudo mkdir /home/chroot/{home,bin,dev,lib}
    sudo cp /bin/bash /home/chroot/bin/
    sudo cp -a /bin/sh /home/chroot/bin/
    sudo mknod -m 660 /home/chroot/dev/zero c 1 5
    sudo mknod -m 660 /home/chroot/dev/null c 1 3
    sudo cp -a /lib/{libncurses.so.5,libdl.so.2,libc.so.6,ld-linux.so.2} /home/chroot/lib/
    sudo cp /lib/{libncurses.so.5.7,libdl-2.7.so,libc-2.7.so,ld-2.7.so} /home/chroot/lib/

note: if you want more commands, use "ldd command" (e.g. ldd /bin/bash) to know which libraries to copy over, and of course, if anything is updated, you'll need to update the chroot copies. Also, use "ls -la" to see if the command you want is a link (i.e. use "cp -a" so as to preserve that relative link and not have it link back to the original file; and of course, copy the file it links to), and also note if it has special permissions (e.g. /dev are 660).
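Markus's ldd hint and the copy list above are the same procedure done by hand. The following is an added example, not posted by anyone in this thread, that automates it as a POSIX sh function: it copies one binary and every shared library ldd reports for it into a jail directory, mirroring the host paths (host /lib/libc.so.6 becomes JAIL/lib/libc.so.6) and copying real files rather than linking, which is what dazk's point about links pointing outside the jail comes down to. The jail path and binary are arguments; it does not create the /dev nodes or config files the other posts cover, and it only needs root when the jail lives where your user cannot write.

```shell
#!/bin/sh
# Added example for this thread (not from any poster): populate a chroot with a
# binary and the shared libraries ldd reports for it. Real files are copied
# instead of linked, since a link whose target lies outside the jail resolves
# to nothing (or loops) once / has moved. Every path is mirrored under $JAIL.

# _jail_install JAIL PATH [SOURCE]: copy SOURCE (default PATH) to JAIL/PATH.
_jail_install() {
    dest="$1$2"
    src=${3:-$2}
    mkdir -p "$(dirname "$dest")"
    cp "$src" "$dest"
}

# jail_copy JAIL BINARY: copy BINARY and its libraries under JAIL.
# Returns 1 if BINARY does not exist; a statically linked binary is fine
# (ldd then reports nothing to copy).
jail_copy() {
    jail=$1
    bin=$2
    # Follow host symlinks (e.g. /bin/sh -> dash) so the jail gets the real file.
    real=$(readlink -f "$bin") || return 1
    [ -f "$real" ] || { echo "jail_copy: no such file: $bin" >&2; return 1; }

    # Install the binary under its real path, and again under the requested
    # path when that differs, so both /bin/sh and /bin/dash work inside.
    _jail_install "$jail" "$real"
    [ "$bin" = "$real" ] || _jail_install "$jail" "$bin" "$real"

    # ldd prints one shared object per line. Pick out every absolute path it
    # mentions: the "=> /lib/..." targets and the bare dynamic-loader line.
    # Paths containing spaces are not expected in a libdir.
    ldd "$real" 2>/dev/null | grep -o '/[^ ]*' | while read -r lib; do
        libreal=$(readlink -f "$lib") || continue
        [ -f "$libreal" ] || continue
        _jail_install "$jail" "$libreal"
        # Also provide the soname path the loader asks for when it is a
        # symlink on the host (e.g. libc.so.6 -> libc-2.7.so).
        [ "$lib" = "$libreal" ] || _jail_install "$jail" "$lib" "$libreal"
    done
}

# Stand-alone use: JAIL is an assumed path; run once per binary you want inside.
# JAIL=/home/chroot
# jail_copy "$JAIL" /bin/bash
# jail_copy "$JAIL" /bin/sh
```

Re-run the same calls after a libc or shell upgrade, as the post above notes, because the jail keeps its own copies and does not follow package updates.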
chroot ssh
...for sure, had to supplement the above:

    sudo mkdir /home/chroot/dev/pts
    sudo mkdir /home/chroot/proc
    sudo pico /etc/fstab
        (add "none /home/chroot/dev/pts devpts defaults 0 0")
        (add "proc /home/chroot/proc proc defaults 0 0")
    sudo mount -a
    sudo mknod -m 666 /home/chroot/dev/ptmx c 5 2

but then I just get kicked out after logging in. So, I'm with you Gimpy on hoping someone will post a clue for chroot and ssh (and not just some link to a script)...
To jail users, I used these links.
https://sourceforge.net/projects/lshell/files/
http://michael-prokop.at/chroot/
See if these links help you out.
chrootdirectory in /etc/ssh/sshd_config
OK, so I totally undid all my chroot (i.e. reverted everything to before my chroot adventure began), and simply did the following (as newer OpenSSH has the conf file directives "chrootdirectory directory" and "forcecommand internal-sftp" built in, and my people will never log in locally via the console):
    sudo pico /etc/ssh/sshd_config
        (replace "Subsystem sftp /usr/lib/openssh/sftp-server" with "subsystem sftp internal-sftp"; also, add the following to the very bottom:)
        match group groupname
            chrootdirectory %u
            forcecommand internal-sftp
    sudo /etc/init.d/ssh restart
    sudo groupadd groupname
    sudo usermod -aG groupname -d /home/ username
    sudo chown root.root /home/username

Yet I'm no better off than before: when I connect to the machine (with a member of groupname), I just get "connection to [my.host] closed". At least someone can read this and know that you don't have to do all that chroot stuff (anymore) if all your people are going to do is sftp...

RESULTS (just tail/not full output):

ssh -v username@my.host:
    ...
    debug1: Entering interactive session.
    debug1: channel 0: free: client-session, nchannels 1
    Read from remote host my.host: Connection reset by peer
    Connection to my.host closed.
    Transferred: sent 1632, received 1800 bytes, in 0.0 seconds
    Bytes per second: sent 331161.3, received 365251.4
    debug1: Exit status -1

sftp -v username@my.host:
    ...
    debug1: Entering interactive session.
    debug1: channel 0: free: client-session, nchannels 1
    debug1: fd 0 clearing O_NONBLOCK
    Read from remote host db1.neurobio.pitt.edu: Connection reset by peer
    Transferred: sent 1632, received 1800 bytes, in 0.0 seconds
    Bytes per second: sent 261283.5, received 288180.3
    debug1: Exit status -1
    Connection closed