Thursday, 12 April 2012

Lock a user to a chroot directory

To lock users to their home directories in Linux, I've used the following:

Create the chroot jail directory tree (the openssh helper directory sits under /users/usr/libexec, matching the copy steps further down):

# mkdir -p /users/{dev,etc,lib,usr,bin}
# mkdir -p /users/usr/bin
# mkdir -p /users/usr/libexec/openssh

Create /users/dev/null:
# mknod -m 666 /users/dev/null c 1 3
Copy the required /etc/ configuration files into the jail's /users/etc:
# cd /users/etc
# cp /etc/ .
# cp -avr /etc/ .
# cp /etc/ .
# cp /etc/nsswitch.conf .
# cp /etc/passwd .
# cp /etc/group .
# cp /etc/hosts .
# cp /etc/resolv.conf .

Open /users/group and /users/passwd and remove root and all other accounts.
Copy the required binaries into /users/bin and the other jail locations. The helper paths differ by distribution (/usr/libexec/... on Red Hat-style systems, /usr/lib/... on Debian-style systems), so use whichever of each pair exists on your system:
# cd /users/usr/bin
# cp /usr/bin/scp .
# cp /usr/bin/rssh .
# cp /usr/bin/sftp .
# cd /users/usr/libexec/openssh/
# cp /usr/libexec/openssh/sftp-server .
# cp /usr/lib/openssh/sftp-server .
# cd /users/usr/libexec/
# cp /usr/libexec/rssh_chroot_helper .
# cp /usr/lib/rssh/rssh_chroot_helper .
# cd /users/bin/
# cp /bin/sh .
# cp /bin/bash .

Copy all shared library files

The shared libraries each of these binaries needs can be found with ldd (or strace). For example, running ldd against /usr/bin/sftp gives:
# ldd /usr/bin/sftp
Output: one line per shared library, of the form "libname => /lib/libname (0x00456000)" or "libname => /usr/lib/libname (0x00110000)", plus the dynamic loader itself; the library names did not survive in this copy of the output, only the /lib/ and /usr/lib/ locations and the load addresses.
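The step just described (run ldd, then copy each library it lists into the jail at the same path) is easy to script. The following is an added example written for this post, not the author's l2chroot script; like that script it uses a BASE variable for the jail root (defaulting to /users), and it assumes a glibc-style ldd whose lines look like `libc.so.6 => /lib/libc.so.6 (0x...)`.

```shell
#!/bin/sh
# Added example (not the post's l2chroot script): copy a binary and every
# shared library ldd reports for it into a chroot jail, keeping the same
# paths inside the jail. Assumes a glibc-style ldd whose output lines look like
#   libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f...)
#   /lib64/ld-linux-x86-64.so.2 (0x00007f...)

# Jail root; override with BASE=/other/jail when running the script.
BASE="${BASE:-/users}"

# Read ldd output on stdin and print one absolute library path per line.
# Handles "name => /path (addr)" lines and bare "/path (addr)" loader lines;
# skips linux-vdso (no file on disk), "=> not found" and "not a dynamic
# executable" lines.
ldd_paths() {
    awk '
        /=>/ { if ($3 ~ /^\//) print $3; next }
        $1 ~ /^\// { print $1 }
    '
}

# Copy one file into the jail at the same path, creating parent directories.
# -L follows symlinks (libc.so.6 -> libc-2.x.so) so the jail gets real files
# rather than links that point outside it.
jail_copy() {
    src="$1"
    dest="$BASE$src"
    mkdir -p "$(dirname "$dest")"
    cp -L "$src" "$dest"
}

# Install one binary plus everything ldd says it needs.
jail_install() {
    target="$1"
    [ -x "$target" ] || { echo "not executable: $target" >&2; return 1; }
    jail_copy "$target" || return 1
    ldd "$target" 2>/dev/null | ldd_paths | while IFS= read -r lib; do
        if [ -f "$lib" ]; then
            jail_copy "$lib"
        fi
    done
}

# Usage: BASE=/users ./jailcopy.sh /usr/bin/sftp /usr/lib/openssh/sftp-server
for bin in "$@"; do
    jail_install "$bin" || exit 1
done
```

Run it once per binary that goes into the jail; re-running after a package upgrade refreshes the copies, which matters because a chroot otherwise keeps old, unpatched libraries indefinitely.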
You need to copy all those libraries to the matching locations under the jail (/users/lib, /users/usr/lib and so on). Rather than doing this by hand, I recommend using my automated script called l2chroot:
# cd /sbin
# wget -O l2chroot
# chmod +x l2chroot

Open l2chroot and set the BASE variable to the chroot (jail) location, /users. Then copy all the shared library files (again, use whichever of each /usr/libexec or /usr/lib pair exists on your system):
# l2chroot /usr/bin/scp
# l2chroot /usr/bin/rssh
# l2chroot /usr/bin/sftp
# l2chroot /usr/libexec/openssh/sftp-server
# l2chroot /usr/lib/openssh/sftp-server
# l2chroot /usr/libexec/rssh_chroot_helper
# l2chroot /usr/lib/rssh/rssh_chroot_helper
# l2chroot /bin/sh
# l2chroot /bin/bash

Once the directories are created and populated, and if OpenSSH is newer than version 4.6, add the following to /etc/ssh/sshd_config for user-based restrictions (group-based restrictions are configured in the same way):
Match User user1
        ChrootDirectory /users
        AllowTcpForwarding no
We also need to make sure the permissions are correct, or the chroot above will not work: the user should own the files/directories inside the chroot, but the chroot directory itself must be owned by root (sshd also refuses a ChrootDirectory that is writable by group or others, logging "bad ownership or modes for chroot directory").
# chown root:root /users
Create the home directory and give user1 ownership of it, along with the remaining files/directories inside the jail:
# mkdir -p /users/home/user1/
# chown user1:user1 /users/home/user1/
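Because sshd checks every directory on the way down to the ChrootDirectory, not just the last one, it is worth verifying the ownership and modes before restarting sshd. The following check is an added example, not from the post; it assumes POSIX sh, the standard `ls -ld` output format (mode string, link count, owner, ...) and a chroot path without spaces.

```shell
#!/bin/sh
# Added example (not from the post): check that every directory component of an
# sshd ChrootDirectory path is owned by root and not writable by group or others,
# which is what sshd verifies before it will chroot a session.
# Assumes: POSIX sh, standard `ls -ld` output, and a path without spaces.

# Report the problems with one directory; prints one line per finding and
# returns 1 if anything is wrong, 0 if the directory is acceptable.
chroot_dir_problems() {
    d="$1"
    line=$(ls -ld "$d") || return 1
    perms=$(printf '%s\n' "$line" | cut -c1-10)         # e.g. drwxr-xr-x
    owner=$(printf '%s\n' "$line" | awk '{print $3}')   # e.g. root
    bad=0
    if [ "$owner" != root ]; then
        echo "$d: owned by $owner, not root"; bad=1
    fi
    # 6th character of the mode string is the group write bit, 9th the other write bit
    case "$perms" in ?????w*)    echo "$d: group-writable"; bad=1 ;; esac
    case "$perms" in ????????w*) echo "$d: world-writable"; bad=1 ;; esac
    return $bad
}

# Walk the path from / down to the chroot directory itself, checking each
# component; sshd rejects the session if any component fails.
check_chroot_path() {
    target="$1"
    rc=0
    chroot_dir_problems / || rc=1
    p=""
    old_ifs=$IFS; IFS=/
    set -- $target
    IFS=$old_ifs
    for comp in "$@"; do
        [ -n "$comp" ] || continue
        p="$p/$comp"
        chroot_dir_problems "$p" || rc=1
    done
    if [ "$rc" -eq 0 ]; then
        echo "$target: ownership and modes are acceptable for ChrootDirectory"
    else
        echo "fix each directory listed above with: chown root:root DIR; chmod 755 DIR"
    fi
    return $rc
}

# Usage: ./check_chroot.sh /users
if [ $# -gt 0 ]; then
    check_chroot_path "$1"
fi
```

Run it against the same path you put in ChrootDirectory; a non-zero exit means sshd would refuse the login and log the "bad ownership or modes" message in the auth log.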
