Page 1 of 2 12 LastLast
Results 1 to 10 of 19

Thread: chroot shell tutorial

  1. #1
    Leftie Linux Lover the_JinX's Avatar
    Join Date
    Nov 2001
    Beverwijk Netherlands

    chroot shell tutorial

    chroot tutorial

    Let's say you want a user of your (linux) server to have no access to anything you don't want him/her to use..
    But you do want them to be able to log in and do their thing...
    you'll need to root jail (chroot) the user.
    There are lots of tutorials about chroot and also chrooted shells, but I couldn't find a good one, so I wrote one down while working my way thrue the othere tutorials..
    Hope you like it !!

    Reading and following any or all steps in this tutorial is at your own risk.
    I am not responsible for your stupidity

    this tutorial should work on all linux distributions, but i've only tested it on slackware (9.0 and 9.1)

    you'll need the following programs (wich are possibly not installed):


    If you can't seem to find or install these, this tutorial is not for you !!

    all thrue the tutorial you'll see bold italic lines.. they are supposed to be executed by you
    if that didn't say root. you'll need to become root.

    in this example the user "luser" will be added and jailed ..
    you'll need to be super user (root) to do all this..

    let's start by adding the user:
    useradd -d /tmp -s /bin/chrootshell luser
    this adds the user luser with home folder /tmp with shell /bin/chrootshell

    now set his password:
    passwd luser

    make his home dir:
    mkdir /home/luser

    now we need to make his shell..
    use your favorite editor to paste the following in /bin/chrootshell
    # chrootshell spawns chroot shell
    # (c) 2003 Anne Jan Brouwer
    #          GNU GPL
    if [ "$1" = "-c" ]
            for parameter in $*
                    if [ $i -gt 0 ]
                            PARAS="$PARAMETERS $parameter"
                    let i++
            sudo /usr/sbin/chroot /home/$USER /bin/su $USER -c "$PARAMETERS"
            sudo /usr/sbin/chroot /home/$USER /bin/su $USER
    make the "chrootshell" executable..
    chmod +x /bin/chrootshell

    now, let's go and make the chroot root
    we go to the users home dir, wich will become his root
    cd /home/luser
    note: we will be staying in for the rest of this tut !!!

    make the most important folders..
    mkdir bin dev etc home lib tmp usr

    make the users chrooted home dir
    mkdir home/luser
    chown luser:users home/luser

    make the chrooted tmp dir usable
    chmod 777 tmp
    chmod +t tmp

    let's make the chrooted passwd file
    grep root /etc/passwd >> etc/passwd
    now we'll need to edit the passwd file to change the lusers chrooted shell and path..
    fire up your favorite editor to edit the newly created passwd file.
    the line should look a little like this:
    change it to:
    not that 1020 is the users ID and is propably some other number on your puter.. don't change it to 1020 just because it said 1020 in my example ok

    now we'll make the chrooted group file
    grep root /etc/group >> etc/group
    grep users /etc/group >> etc/group

    we'll copy the standard /etc/profile and needed files you could chose to edit these
    cp /etc/profile etc
    cp /etc/DIR_COLORS etc
    cp /etc/HOSTNAME etc

    we'll need to make some much needed devices
    mknod -m 0666 dev/tty c 5 0
    mknod -m 0644 dev/urandom c 1 9
    mknod -m 0666 dev/null c 1 3

    let's now make some usefull (compatibility) links and folders..
    ln -s bin usr
    ln -s lib usr
    ln -s lib usr/libexec
    mkdir usr/local
    ln -s bin usr/local
    ln -s lib usr/local

    and make the terminfo (needed for a lot of programs) available in the root jail.
    mkdir usr/share
    cp -r /usr/share/terminfo usr/share

    now for the realy fun part...
    you'll have to find out some stuff:

    1. what do you want the user to be able to use
    2. what library's do these executables need
    3. what other files will the user be needing

    1. what do you want the user to be able to use

    the user will need a shell (bash)
    the user will need su (because the chrootshell script depends on it)
    the user will need basic tools (cp, cat, ls, rm, mv, cp etc.).
    you'd want the user to have some other tools (vi, pico, whoami etc..)
    you'd like for the user to have dircolors and id (needed if you want to use the standard etc/profile)

    copy these files to the users chrooted bin dir
    cp `which bash` `which su` `which cp` `which ln` `which ls` `which rm` `which mv` `which cp` `which du` `which cat` `which less` `which vi` `which pico` `which whoami` `which dircolors` `which id` bin
    note: the `which bash` part returns the full path of bash (/bin/bash) etc..

    2. what library's do these executables need

    the command ldd is realy usefull here..
    let's take bash for example:
    root@server~# ldd `which bash`
            libtermcap.so.2 => /lib/libtermcap.so.2 (0x4001b000)
            libdl.so.2 => /lib/libdl.so.2 (0x40020000)
            libc.so.6 => /lib/libc.so.6 (0x40023000)
            /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)
    and copy all the needed libs for each of the programs you chose in step 1 to the chrooted lib dir..

    let's first do so for bash
    cp /lib/libtermcap.so.2 /lib/libdl.so.2 /lib/libc.so.6 /lib/ld-linux.so.2 lib
    next the one (on my system) missing for su
    cp /lib/libcrypt.so.1 /lib/libnss_compat.so.2 /lib/libnss_files.so.2 lib
    note that ldd doesn't see that libnss is needed, it is!!
    next the ones for ls (only the ones not allready copied ofcourse )
    cp /lib/librt.so.1 /lib/libpthread.so.0 lib
    cp cp /lib/libncurses.so.5 lib

    3. what other files will the user be needing

    well this depends on what kind of programs the user is allowed to execute..
    there's no real telling what you'll have to give the user to be content..
    wait a minute !! the user has to be content with what you give him/her !!

    the last step is to add the user to the sudoers file..
    open the /etc/sudoers file with your favorite editor or use visudo
    add the line:
    luser ALL= NOPASSWD: /usr/sbin/chroot /home/luser /bin/su - luser*
    save and exit

    now to check it out.. try and log in as the newly created luser
    ssh -l luser localhost

    Copyright (c) 2003 by Anne Jan Brouwer (the_JinX). This material may be distributed only subject to the terms and conditions set forth in the Open Publication License, v1.0 or later (the latest version is presently available at http://www.opencontent.org/openpub/ ).
    ASCII stupid question, get a stupid ANSI.
    When in Russia, pet a PETSCII.

    Get your ass over to SLAYRadio the best station for C64 Remixes !

  2. #2
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Great tutorial! I was reading about this in one of my honeypot/net books.

    Though, if you give the user access to a compiler they can break out of it....

    Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you\'ve saved, how much you haven\'t smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.

  3. #3
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Washington D.C. area
    Excellent effort.

    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  4. #4
    Join Date
    Jun 2003
    this tutorial is some grateful

  5. #5
    Senior Member
    Join Date
    Mar 2003
    Outstanding tutorial!

    I would just say be certain to check programs like vi to make sure a jailed user can not
    run commands outside the jail from a subshell (e.g. ex in vi). Wonderful post.

    -- spurious
    Get OpenSolaris http://www.opensolaris.org/

  6. #6
    Senior Member
    Join Date
    Oct 2003
    This post was really handy! Extremely helpful.
    Creating further mindless stupidity....through mindless automation.

  7. #7
    T3h Ch3F
    Join Date
    Sep 2001


    Jinxie this is insanely good.

    My brain is frying at the thought.

  8. #8
    Trumpet-Eared Gentoo Freak
    Join Date
    Jan 2003
    Thnx Jinxie,

    maybe you could also make one about bash-scripting ?

    Come and check out our wargame-site @ http://www.rootcontest.org
    We chat @ irc.smdc-network.org #lobby

  9. #9
    Antionline's Security Dude instronics's Avatar
    Join Date
    Dec 2002
    What can i say.... excellent.

    /me applauds.

    I will try that out this instance
    Ubuntu-: Means in African : "Im too dumb to use Slackware"

  10. #10
    Senior Member
    Join Date
    Aug 2002
    nice tut , tested and ok it worked
    i hope you make a bash tut also

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts