-
November 12th, 2003, 06:10 PM
#1
chroot shell tutorial
chroot tutorial
Let's say you want a user of your (linux) server to have no access to anything you don't want him/her to use..
But you do want them to be able to log in and do their thing...
you'll need to root jail (chroot) the user.
There are lots of tutorials about chroot and also chrooted shells, but I couldn't find a good one, so I wrote one down while working my way through the other tutorials..
Hope you like it !!
disclaimer:
Reading and following any or all steps in this tutorial is at your own risk.
I am not responsible for your stupidity
this tutorial should work on all linux distributions, but I've only tested it on slackware (9.0 and 9.1)
you'll need the following programs (which are possibly not installed):
/usr/bin/sudo
/usr/sbin/chroot
If you can't seem to find or install these, this tutorial is not for you !!
all through the tutorial you'll see bold italic lines.. they are supposed to be executed by you
whoami
if that didn't say root. you'll need to become root.
su
in this example the user "luser" will be added and jailed ..
you'll need to be super user (root) to do all this..
let's start by adding the user:
useradd -d /tmp -s /bin/chrootshell luser
this adds the user luser with home folder /tmp with shell /bin/chrootshell
now set his password:
passwd luser
make his home dir:
mkdir /home/luser
now we need to make his shell..
use your favorite editor to paste the following in /bin/chrootshell
Code:
#!/bin/bash
# chrootshell spawns chroot shell
#
# (c) 2003 Anne Jan Brouwer
# GNU GPL
#
# This runs as the user's login shell on the host: sudo performs the chroot,
# then su drops back to the user inside the jail. The "su - $USER" form is
# what the sudoers line at the end of the tutorial allows.
if [ "$1" = "-c" ]
then
    # non-interactive use (ssh host cmd): pass everything after -c along
    shift
    PARAMETERS="$*"
    sudo /usr/sbin/chroot "/home/$USER" /bin/su - "$USER" -c "$PARAMETERS"
else
    sudo /usr/sbin/chroot "/home/$USER" /bin/su - "$USER"
fi
make the "chrootshell" executable..
chmod +x /bin/chrootshell
now, let's go and make the chroot root
we go to the user's home dir, which will become his root
cd /home/luser
note: we will be staying in for the rest of this tut !!!
make the most important folders..
mkdir bin dev etc home lib tmp usr
make the user's chrooted home dir
mkdir home/luser
chown luser:users home/luser
make the chrooted tmp dir usable
chmod 777 tmp
chmod +t tmp
let's make the chrooted passwd file
grep root /etc/passwd >> etc/passwd
now we'll need to edit the passwd file to change luser's chrooted shell and path..
fire up your favorite editor to edit the newly created passwd file.
the line should look a little like this:
luser:x:1020:100::/dev/null:/bin/chrootshell
change it to:
luser:x:1020:100::/home/luser:/bin/bash
note that 1020 is the user's ID and is probably some other number on your puter.. don't change it to 1020 just because it said 1020 in my example ok
now we'll make the chrooted group file
grep root /etc/group >> etc/group
grep users /etc/group >> etc/group
we'll copy the standard /etc/profile and needed files you could chose to edit these
cp /etc/profile etc
cp /etc/DIR_COLORS etc
cp /etc/HOSTNAME etc
we'll need to make some much needed devices
mknod -m 0666 dev/tty c 5 0
mknod -m 0644 dev/urandom c 1 9
mknod -m 0666 dev/null c 1 3
let's now make some useful (compatibility) links and folders..
ln -s bin usr
ln -s lib usr
ln -s lib usr/libexec
mkdir usr/local
ln -s bin usr/local
ln -s lib usr/local
and make the terminfo (needed for a lot of programs) available in the root jail.
mkdir usr/share
cp -r /usr/share/terminfo usr/share
now for the really fun part...
you'll have to find out some stuff:
1. what do you want the user to be able to use
2. what libraries do these executables need
3. what other files will the user be needing
1. what do you want the user to be able to use
the user will need a shell (bash)
the user will need su (because the chrootshell script depends on it)
the user will need basic tools (cp, cat, ls, rm, mv, cp etc.).
you'd want the user to have some other tools (vi, pico, whoami etc..)
you'd like for the user to have dircolors and id (needed if you want to use the standard etc/profile)
copy these files to the user's chrooted bin dir
cp `which bash` `which su` `which cp` `which ln` `which ls` `which rm` `which mv` `which cp` `which du` `which cat` `which less` `which vi` `which pico` `which whoami` `which dircolors` `which id` bin
note: the `which bash` part returns the full path of bash (/bin/bash) etc..
2. what libraries do these executables need
the command ldd is really useful here..
let's take bash for example:
Code:
root@server~# ldd `which bash`
libtermcap.so.2 => /lib/libtermcap.so.2 (0x4001b000)
libdl.so.2 => /lib/libdl.so.2 (0x40020000)
libc.so.6 => /lib/libc.so.6 (0x40023000)
/lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)
and copy all the needed libs for each of the programs you chose in step 1 to the chrooted lib dir..
let's first do so for bash
cp /lib/libtermcap.so.2 /lib/libdl.so.2 /lib/libc.so.6 /lib/ld-linux.so.2 lib
next the ones (on my system) missing for su
cp /lib/libcrypt.so.1 /lib/libnss_compat.so.2 /lib/libnss_files.so.2 lib
note that ldd doesn't see that libnss is needed, it is!!
next the ones for ls (only the ones not already copied, of course )
cp /lib/librt.so.1 /lib/libpthread.so.0 lib
etc...
cp /lib/libncurses.so.5 lib
3. what other files will the user be needing
well this depends on what kind of programs the user is allowed to execute..
there's no real telling what you'll have to give the user to be content..
wait a minute !! the user has to be content with what you give him/her !!
the last step is to add the user to the sudoers file..
open the /etc/sudoers file with your favorite editor or use visudo
add the line:
luser ALL= NOPASSWD: /usr/sbin/chroot /home/luser /bin/su - luser*
save and exit
now to check it out.. try and log in as the newly created luser
ssh -l luser localhost
Copyright (c) 2003 by Anne Jan Brouwer (the_JinX). This material may be distributed only subject to the terms and conditions set forth in the Open Publication License, v1.0 or later (the latest version is presently available at http://www.opencontent.org/openpub/ ).
ASCII stupid question, get a stupid ANSI.
When in Russia, pet a PETSCII.
Get your ass over to SLAYRadio the best station for C64 Remixes !
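Step 2 (copying each program with the libraries ldd reports) and the final "check it out" step, as one added example script. This is not part of the tutorial or the_JinX's code; the function names are my own. It assumes a Linux host with ldd, find and awk, and takes the jail directory (the /home/luser built above) and the user name as arguments. populate_jail copies only what ldd prints, so the libnss libraries that ldd misses (as the tutorial notes for su) still have to be copied by hand. audit_jail then looks for the things that commonly undo a jail like this: setuid or setgid files inside it, device nodes beyond the three the tutorial creates, extra accounts in the jail's etc/passwd, and a tmp without the 1777 mode.

```shell
#!/bin/sh
# Added example (not from the tutorial): helpers for step 2 of the jail build
# and an audit of the finished jail. Assumes a Linux host with ldd, find, awk.
# JAIL is the user's home that becomes the jail root, e.g. /home/luser.

# --- step 2: copy programs together with the libraries ldd reports -----------

# Read ldd output on stdin and print the absolute path of every library named.
# "libc.so.6 => /lib/libc.so.6 (0x...)" and "/lib/ld-linux.so.2 (0x...)" both
# yield a path; vdso entries such as "linux-gate.so.1 (0x...)" have no file
# on disk and are skipped.
ldd_paths() {
    awk '/=>/ { if ($3 ~ "^/") print $3; next }
         $1 ~ "^/" { print $1 }'
}

# copy_into_jail JAIL /host/path : copy one file to the same path under JAIL.
copy_into_jail() {
    _jail=$1; _src=$2
    mkdir -p "$(dirname "$_jail$_src")"
    cp -p "$_src" "$_jail$_src"
}

# populate_jail JAIL prog... : copy each program and its ldd dependencies.
# Libraries opened at run time (libnss_*, libcrypt for su) are not reported
# by ldd; copy those by hand as the tutorial does.
populate_jail() {
    _jail=$1; shift
    for _prog in "$@"; do
        _bin=$(command -v "$_prog") || { echo "not found: $_prog" >&2; continue; }
        copy_into_jail "$_jail" "$_bin"
        for _lib in $(ldd "$_bin" | ldd_paths); do
            copy_into_jail "$_jail" "$_lib"
        done
    done
}

# --- after the build: audit the jail ------------------------------------------

# Files with the setuid or setgid bit inside the jail. Expect none: the only
# privileged step (sudo chroot) runs on the host, outside the jail.
jail_setuid_files() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
}

# Device nodes other than the three the tutorial creates with mknod.
jail_unexpected_devices() {
    find "$1" \( -type c -o -type b \) 2>/dev/null | while read -r _dev; do
        case "${_dev#"$1"}" in
            /dev/tty|/dev/null|/dev/urandom) ;;
            *) echo "$_dev" ;;
        esac
    done
}

# Accounts in the jail's etc/passwd other than root and the jailed user.
jail_extra_accounts() {
    awk -F: -v u="$2" '$1 != "root" && $1 != u { print $1 }' "$1/etc/passwd"
}

# True when JAIL/tmp is a directory with mode 1777 (chmod 777 plus chmod +t).
jail_tmp_ok() {
    [ -n "$(find "$1/tmp" -maxdepth 0 -type d -perm -1777 2>/dev/null)" ]
}

# audit_jail JAIL USER : print every finding; return 0 only if there are none.
audit_jail() {
    _jail=$1; _user=$2; _rc=0
    _out=$(jail_setuid_files "$_jail")
    [ -z "$_out" ] || { echo "setuid/setgid files:"; echo "$_out"; _rc=1; }
    _out=$(jail_unexpected_devices "$_jail")
    [ -z "$_out" ] || { echo "unexpected device nodes:"; echo "$_out"; _rc=1; }
    _out=$(jail_extra_accounts "$_jail" "$_user")
    [ -z "$_out" ] || { echo "extra accounts in etc/passwd:"; echo "$_out"; _rc=1; }
    jail_tmp_ok "$_jail" || { echo "tmp is not mode 1777"; _rc=1; }
    return $_rc
}

# Typical use, as root, once the jail's bin and lib directories exist:
#   populate_jail /home/luser bash su cp ln ls rm mv du cat less vi whoami dircolors id
#   audit_jail /home/luser luser
```

Because populate_jail recreates the host path under the jail, a library that lives in /usr/lib on the host lands in usr/lib in the jail, which the tutorial's `ln -s lib usr` link makes equivalent to lib. Re-run audit_jail after every change to the jail; a single extra setuid binary or an extra account in etc/passwd is enough to give the user more than you intended.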
-
November 12th, 2003, 06:56 PM
#2
Great tutorial! I was reading about this in one of my honeypot/net books.
Though, if you give the user access to a compiler they can break out of it....
http://www.bpfh.net/simes/computing/chroot-break.html
Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you've saved, how much you haven't smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.
-
November 12th, 2003, 07:35 PM
#3
Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
-
November 13th, 2003, 02:19 AM
#4
this tutorial is some grateful
-
November 13th, 2003, 10:11 AM
#5
Outstanding tutorial!
I would just say be certain to check programs like vi to make sure a jailed user can not
run commands outside the jail from a subshell (e.g. ex in vi). Wonderful post.
-- spurious
Get OpenSolaris http://www.opensolaris.org/
-
November 13th, 2003, 10:15 AM
#6
This post was really handy! Extremely helpful.
Creating further mindless stupidity....through mindless automation.
-
November 13th, 2003, 10:16 AM
#7
Sweet
Jinxie this is insanely good.
My brain is frying at the thought.
-
November 13th, 2003, 10:26 AM
#8
Thnx Jinxie,
maybe you could also make one about bash-scripting ?
Greetz,
-
November 13th, 2003, 08:20 PM
#9
What can i say.... excellent.
/me applauds.
I will try that out this instance
Ubuntu-: Means in African : "Im too dumb to use Slackware"
-
November 13th, 2003, 09:03 PM
#10
nice tut , tested and ok it worked
i hope you make a bash tut also