To lock users to their home directories in Linux, I've used the following:
Created the chrooted jail as follows:
#mkdir -p /users/{dev,etc,lib,usr,bin}
# mkdir -p /users/usr/bin
# mkdir -p /users/libexec/openssh
Created the chrooted jail as follows:
#mkdir -p /users/{dev,etc,lib,usr,bin}
# mkdir -p /users/usr/bin
# mkdir -p /users/libexec/openssh
Create /users/dev/null:
Copy required /etc/ configuration files, as described above to your jail directory /users/etc:
Open /usres/group and /users/passwd file and remove root and all other accounts.
# mknod -m 666 /users/dev/null c 1 3Copy required /etc/ configuration files, as described above to your jail directory /users/etc:
# cd /users/etc
# cp /etc/ld.so.cache .
# cp -avr /etc/ld.so.cache.d/ .
# cp /etc/ld.so.conf .
# cp /etc/nsswitch.conf .
# cp /etc/passwd .
# cp /etc/group .
# cp /etc/hosts .
# cp /etc/resolv.conf .Open /usres/group and /users/passwd file and remove root and all other accounts.
Copy required binary files, as described above to your jail directory /users/bin and other locations:
OR
OR
OR
# cd /users/usr/bin
# cp /usr/bin/scp .
# cp /usr/bin/rssh .
# cp /usr/bin/sftp .
# cd /users/usr/libexec/openssh/
# cp /usr/libexec/openssh/sftp-server .OR
# cp /usr/lib/openssh/sftp-server .
# cd /users/usr/libexec/
# cp /usr/libexec/rssh_chroot_helperOR
# cp /usr/lib/rssh/rssh_chroot_helper
# cd /users/bin/
# cp /bin/sh .OR
# cp /bin/bashCopy all shared library files
The library files that any of these binary files need can be found by using the ldd / strace command. For example, running ldd against /usr/bin/sftp provides the following output:
Output:
ldd /usr/bin/sftpOutput:
linux-gate.so.1 => (0x00456000)
libresolv.so.2 => /lib/libresolv.so.2 (0x0050e000)
libcrypto.so.6 => /lib/libcrypto.so.6 (0x0013e000)
libutil.so.1 => /lib/libutil.so.1 (0x008ba000)
libz.so.1 => /usr/lib/libz.so.1 (0x00110000)
libnsl.so.1 => /lib/libnsl.so.1 (0x0080e000)
libcrypt.so.1 => /lib/libcrypt.so.1 (0x00a8c000)
libgssapi_krb5.so.2 => /usr/lib/libgssapi_krb5.so.2 (0x00656000)
libkrb5.so.3 => /usr/lib/libkrb5.so.3 (0x00271000)
libk5crypto.so.3 => /usr/lib/libk5crypto.so.3 (0x00304000)
libcom_err.so.2 => /lib/libcom_err.so.2 (0x00777000)
libdl.so.2 => /lib/libdl.so.2 (0x00123000)
libnss3.so => /usr/lib/libnss3.so (0x00569000)
libc.so.6 => /lib/libc.so.6 (0x00b6c000)
libkrb5support.so.0 => /usr/lib/libkrb5support.so.0 (0x00127000)
libkeyutils.so.1 => /lib/libkeyutils.so.1 (0x00130000)
/lib/ld-linux.so.2 (0x00525000)
libplc4.so => /usr/lib/libplc4.so (0x008c9000)
libplds4.so => /usr/lib/libplds4.so (0x00133000)
libnspr4.so => /usr/lib/libnspr4.so (0x00d04000)
libpthread.so.0 => /lib/libpthread.so.0 (0x0032a000)
libselinux.so.1 => /lib/libselinux.so.1 (0x00341000)
libsepol.so.1 => /lib/libsepol.so.1 (0x00964000)
You need to copy all those libraries to /lib and other appropriate location. However, I recommend using my automated script called l2chroot:
Open l2chroot and set BASE variable to point to chroot directory (jail) location:
Now copy all shared library files
OR
OR
OR
# cd /sbin
# wget -O l2chroot http://www.cyberciti.biz/files/lighttpd/l2chroot.txt
# chmod +x l2chrootOpen l2chroot and set BASE variable to point to chroot directory (jail) location:
BASE="/users"Now copy all shared library files
# l2chroot /usr/bin/scp
# l2chroot /usr/bin/rssh
# l2chroot /usr/bin/sftp
# l2chroot /usr/libexec/openssh/sftp-serverOR
# l2chroot /usr/lib/openssh/sftp-server
# l2chroot /usr/libexec/rssh_chroot_helperOR
# l2chroot /usr/lib/rssh/rssh_chroot_helper
# l2chroot /bin/shOR
# l2chroot /bin/bashOnce the Directories are created and populated accordingly, if openssh is newer than 4.6 version then we can add the following in the /etc/ssh/sshd_config for user based restrictions ( group based restrictions can be configured in a similar fashion):
Match User user1
ChrootDirectory /users
AllowTcpForwarding no
ChrootDirectory /users
AllowTcpForwarding no
We also need to make sure that the permissions are correct so that the above chrooting works, that is the user should own the files/directories inside the chroot but the chroot directory itself must be owned by root.
chown root:root /users
user1 owns the remaining files/directories inside
chown user1:user1 /users
and create a home directory as well
mkdir -p /users/home/user1/
References:
No comments:
Post a Comment