
Thread: chroot shell tutorial

  1. #1
    Leftie Linux Lover the_JinX's Avatar
    Join Date
    Nov 2001
    Location
    Beverwijk Netherlands
    Posts
    2,534

    chroot shell tutorial

    chroot tutorial

    Let's say you want a user of your (linux) server to have no access to anything you don't want him/her to use..
    But you do want them to be able to log in and do their thing...
    you'll need to root jail (chroot) the user.
    There are lots of tutorials about chroot and also chrooted shells, but I couldn't find a good one, so I wrote one down while working my way through the other tutorials..
    Hope you like it !!

    disclaimer:
    Reading and following any or all steps in this tutorial is at your own risk.
    I am not responsible for your stupidity


    this tutorial should work on all linux distributions, but I've only tested it on slackware (9.0 and 9.1)

    you'll need the following programs (which are possibly not installed):

    /usr/bin/sudo
    /usr/sbin/chroot


    If you can't seem to find or install these, this tutorial is not for you !!

    all through the tutorial you'll see bold italic lines.. they are supposed to be executed by you
    whoami
    if that didn't say root. you'll need to become root.
    su

    in this example the user "luser" will be added and jailed ..
    you'll need to be super user (root) to do all this..

    let's start by adding the user:
    useradd -d /tmp -s /bin/chrootshell luser
    this adds the user luser with home folder /tmp with shell /bin/chrootshell

    now set his password:
    passwd luser

    make his home dir:
    mkdir /home/luser

    now we need to make his shell..
    use your favorite editor to paste the following in /bin/chrootshell
    Code:
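    #!/bin/bash
    
    # chrootshell spawns chroot shell
    #
    # (c) 2003 Anne Jan Brouwer
    #          GNU GPL
    
    if [ "$1" = "-c" ]
    then
            # collect every argument after "-c" into one command string
            i=0
            PARAMETERS=""
            for parameter in "$@"
            do
                    if [ $i -gt 0 ]
                    then
                            PARAMETERS="$PARAMETERS $parameter"
                    fi
                    let i++
            done
            # "su -" so the command line matches the sudoers rule added below
            sudo /usr/sbin/chroot "/home/$USER" /bin/su - "$USER" -c "$PARAMETERS"
    else
            # no command given: start an interactive login shell inside the jail
            sudo /usr/sbin/chroot "/home/$USER" /bin/su - "$USER"
    fi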
    make the "chrootshell" executable..
    chmod +x /bin/chrootshell

    now, let's go and make the chroot root
    we go to the user's home dir, which will become his root
    cd /home/luser
    note: we will be staying in for the rest of this tut !!!

    make the most important folders..
    mkdir bin dev etc home lib tmp usr

    make the users chrooted home dir
    mkdir home/luser
    chown luser:users home/luser


    make the chrooted tmp dir usable
    chmod 777 tmp
    chmod +t tmp


    let's make the chrooted passwd file
    grep root /etc/passwd >> etc/passwd
    now we'll need to edit the passwd file to change the lusers chrooted shell and path..
    fire up your favorite editor to edit the newly created passwd file.
    the line should look a little like this:
    luser:x:1020:100::/dev/null:/bin/chrootshell
    change it to:
    luser:x:1020:100::/home/luser:/bin/bash
    note that 1020 is the user's ID and is probably some other number on your puter.. don't change it to 1020 just because it said 1020 in my example ok

    now we'll make the chrooted group file
    grep root /etc/group >> etc/group
    grep users /etc/group >> etc/group


    we'll copy the standard /etc/profile and needed files, you could choose to edit these
    cp /etc/profile etc
    cp /etc/DIR_COLORS etc
    cp /etc/HOSTNAME etc


    we'll need to make some much needed devices
    mknod -m 0666 dev/tty c 5 0
    mknod -m 0644 dev/urandom c 1 9
    mknod -m 0666 dev/null c 1 3


    let's now make some useful (compatibility) links and folders..
    ln -s ../bin usr/bin
    ln -s ../lib usr/lib
    ln -s ../lib usr/libexec
    mkdir usr/local
    ln -s ../../bin usr/local/bin
    ln -s ../../lib usr/local/lib

    and make the terminfo (needed for a lot of programs) available in the root jail.
    mkdir usr/share
    cp -r /usr/share/terminfo usr/share


    now for the really fun part...
    you'll have to find out some stuff:

    1. what do you want the user to be able to use
    2. what libraries do these executables need
    3. what other files will the user be needing

    1. what do you want the user to be able to use

    the user will need a shell (bash)
    the user will need su (because the chrootshell script depends on it)
    the user will need basic tools (cp, cat, ls, rm, mv, cp etc.).
    you'd want the user to have some other tools (vi, pico, whoami etc..)
    you'd like for the user to have dircolors and id (needed if you want to use the standard etc/profile)

    copy these files to the users chrooted bin dir
    cp `which bash` `which su` `which cp` `which ln` `which ls` `which rm` `which mv` `which du` `which cat` `which less` `which vi` `which pico` `which whoami` `which dircolors` `which id` bin
    note: the `which bash` part returns the full path of bash (/bin/bash) etc..

    2. what libraries do these executables need

    the command ldd is really useful here..
    let's take bash for example:
    Code:
    root@server~# ldd `which bash`
            libtermcap.so.2 => /lib/libtermcap.so.2 (0x4001b000)
            libdl.so.2 => /lib/libdl.so.2 (0x40020000)
            libc.so.6 => /lib/libc.so.6 (0x40023000)
            /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)
    and copy all the needed libs for each of the programs you chose in step 1 to the chrooted lib dir..

    let's first do so for bash
    cp /lib/libtermcap.so.2 /lib/libdl.so.2 /lib/libc.so.6 /lib/ld-linux.so.2 lib
    next the one (on my system) missing for su
    cp /lib/libcrypt.so.1 /lib/libnss_compat.so.2 /lib/libnss_files.so.2 lib
    note that ldd doesn't see that libnss is needed, it is!!
    next the ones for ls (only the ones not already copied of course )
    cp /lib/librt.so.1 /lib/libpthread.so.0 lib
    etc...
    cp /lib/libncurses.so.5 lib

    3. what other files will the user be needing

    well this depends on what kind of programs the user is allowed to execute..
    there's no real telling what you'll have to give the user to be content..
    wait a minute !! the user has to be content with what you give him/her !!


    the last step is to add the user to the sudoers file..
    open the /etc/sudoers file with your favorite editor or use visudo
    add the line:
    luser ALL= NOPASSWD: /usr/sbin/chroot /home/luser /bin/su - luser*
    save and exit

    now to check it out.. try and log in as the newly created luser
    ssh -l luser localhost


    Copyright (c) 2003 by Anne Jan Brouwer (the_JinX). This material may be distributed only subject to the terms and conditions set forth in the Open Publication License, v1.0 or later (the latest version is presently available at http://www.opencontent.org/openpub/ ).
    ASCII stupid question, get a stupid ANSI.
    When in Russia, pet a PETSCII.

    Get your ass over to SLAYRadio the best station for C64 Remixes !
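
Step 2 of the tutorial above (reading `ldd` output and copying each library by hand), automated as an added example that is not part of the original post. The names `ldd_paths`, `jail_add` and `SAMPLE_LDD` are made up here, and unlike the tutorial's flat `lib` directory it keeps each library's full path inside the jail, which is an assumption made for systems that keep libraries in subdirectories.

```shell
#!/bin/bash
# Added example (not from the original post): populate a chroot jail with
# binaries and the shared libraries that ldd reports for them.

# Read ldd output on stdin, print each absolute library path once.
# "name => /path (addr)" and bare "/path (addr)" lines are kept; entries with
# no file behind them (linux-gate, linux-vdso, "not found") are dropped.
ldd_paths() {
    awk '$2 == "=>" && $3 ~ /^\// { print $3; next }
         $1 ~ /^\//               { print $1 }' | sort -u
}

# Copy binary $2 into $1/bin and its libraries to the same paths under $1.
jail_add() {
    local jail=$1 bin=$2 lib
    mkdir -p "$jail/bin" && cp "$bin" "$jail/bin/" || return 1
    ldd "$bin" 2>/dev/null | ldd_paths | while read -r lib; do
        mkdir -p "$jail$(dirname "$lib")"
        cp -L "$lib" "$jail$lib" || echo "could not copy $lib" >&2
    done
}

# Constructed sample: the ldd output shown in the tutorial plus two lines of
# the kind other systems print (a virtual object and a missing library).
SAMPLE_LDD='        linux-gate.so.1 (0xb7f00000)
        libtermcap.so.2 => /lib/libtermcap.so.2 (0x4001b000)
        libdl.so.2 => /lib/libdl.so.2 (0x40020000)
        libc.so.6 => /lib/libc.so.6 (0x40023000)
        libmissing.so.1 => not found
        /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)'

# Usage: script JAIL program...   (program names are resolved through PATH)
if [ "$#" -ge 2 ]; then
    jail=$1; shift
    for prog in "$@"; do
        jail_add "$jail" "$(command -v "$prog")"
    done
fi
```

Libraries that are loaded at run time, such as the `libnss` ones the tutorial mentions for `su`, do not show up in `ldd` output and still have to be copied by hand.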

  2. #2
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Posts
    4,325
    Great tutorial! I was reading about this in one of my honeypot/net books.

    Though, if you give the user access to a compiler they can break out of it....

    http://www.bpfh.net/simes/computing/chroot-break.html
    Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you've saved, how much you haven't smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.

  3. #3
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,885
    Excellent effort.

    -TH13
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  4. #4
    this tutorial is some grateful

  5. #5
    Senior Member
    Join Date
    Mar 2003
    Posts
    245
    Outstanding tutorial!

    I would just say be certain to check programs like vi to make sure a jailed user can not
    run commands outside the jail from a subshell (e.g. ex in vi). Wonderful post.

    -- spurious
    Get OpenSolaris http://www.opensolaris.org/

  6. #6
    Senior Member
    Join Date
    Oct 2003
    Posts
    111
    This post was really handy! Extremely helpful.
    Creating further mindless stupidity....through mindless automation.

  7. #7
    T3h Ch3F
    Join Date
    Sep 2001
    Posts
    718

    Sweet

    Jinxie this is insanely good.


    My brain is frying at the thought.



  8. #8
    Trumpet-Eared Gentoo Freak
    Join Date
    Jan 2003
    Posts
    992
    Thnx Jinxie,

    maybe you could also make one about bash-scripting ?

    Greetz,
    Come and check out our wargame-site @ http://www.rootcontest.org
    We chat @ irc.smdc-network.org #lobby

  9. #9
    Antionline's Security Dude instronics's Avatar
    Join Date
    Dec 2002
    Posts
    901
    What can i say.... excellent.

    /me applauds.

    I will try that out this instance
    Ubuntu-: Means in African : "Im too dumb to use Slackware"

  10. #10
    Senior Member
    Join Date
    Aug 2002
    Posts
    547
    nice tut , tested and ok it worked
    i hope you make a bash tut also
