chroot shell tutorial

let's say you want a user of your (linux) server to have no access to anything you don't want him/her to use..
but you do want them to be able to log in and do their thing...
you'll need to root jail (chroot) the user.
there are lots of tutorials about chroot and also chrooted shells, but I couldn't find a good one, so I wrote one down while working my way through the other tutorials and howto's..
hope you like it !!

disclaimer:
reading and following any or all steps in this tutorial is at your own risk.
I am not responsible for your stupidity !


This tutorial should work on all linux distributions, but I've only tested it on slackware (9.0, 9.1, 10, 10.1 and 10.2)

you'll need the following programs (which are possibly not installed):

/usr/bin/sudo
/usr/sbin/chroot

If you can't seem to find or install these, this tutorial is not for you !!

all through the tutorial you'll see bold italic lines.. those are commands, they are supposed to be executed by you
whoami
if that didn't say root, you'll need to become root.
su

in this example the user "luser" will be added and jailed ..
you'll need to be super user (root) to do all this..

let's start by adding the user:
useradd -d /tmp -s /bin/chrootshell luser
this adds the user luser with home folder /tmp and shell /bin/chrootshell

now set his password:
passwd luser

make his home dir:
mkdir /home/luser


now we need to make his shell..
use your favorite editor to paste the following in /bin/chrootshell
#!/bin/bash

# chrootshell spawns chroot shell
#
# (c) 2003-2005 Anne Jan Brouwer
# GNU GPL

# a login shell gets called as "chrootshell -c 'command'" when something
# has to be run (scp, ssh user@host command), and without arguments for
# an interactive login. both cases end up in su inside the jail, which
# sudo allows through the sudoers line added at the end of this tutorial.
if [ "$1" = "-c" ]
then
    # drop the "-c" and pass everything after it as one command string
    # to the shell inside the jail
    shift
    sudo /usr/sbin/chroot "/home/$USER" /bin/su - "$USER" -c "$*"
else
    sudo /usr/sbin/chroot "/home/$USER" /bin/su - "$USER"
fi


make the "chrootshell" executable..
chmod +x /bin/chrootshell

now, let's go and make the chroot root ;)
we go to the user's home dir, which will become his root
cd /home/luser
note: we will be staying in for the rest of this tut !!!

make the most important folders..
mkdir bin dev etc home lib tmp usr

make the user's chrooted home dir
mkdir home/luser
chown luser:users home/luser

make the chrooted tmp dir usable
chmod 777 tmp
chmod +t tmp

let's make the chrooted passwd file (it needs the root line and the luser line from the real one)
grep -e '^root:' -e '^luser:' /etc/passwd >> etc/passwd
now we'll need to edit the passwd file to change the luser's chrooted shell and path..
fire up your favorite editor to edit the newly created passwd file.
the line should look a little like this:
luser:x:1020:100::/tmp:/bin/chrootshell
change it to:
luser:x:1020:100::/home/luser:/bin/bash
note that 1020 is the user's ID and is probably some other number on your
puter.. don't change it to 1020 just because it said 1020 in my example ok ;)

now we'll make the chrooted group file
grep root /etc/group >> etc/group
grep users /etc/group >> etc/group

we'll copy the standard /etc/profile and needed files (you could choose to edit these)
cp /etc/profile etc
cp /etc/DIR_COLORS etc
cp /etc/HOSTNAME etc

we'll need to make some much needed devices
mknod -m 0666 dev/tty c 5 0
mknod -m 0644 dev/urandom c 1 9
mknod -m 0666 dev/null c 1 3

let's now make some useful (compatibility) links and folders..
a symlink target is resolved relative to the folder the link lives in, so the links have to point back up with ../ (otherwise usr/bin would just point at itself)
ln -s ../bin usr/bin
ln -s ../lib usr/lib
ln -s ../lib usr/libexec
mkdir usr/local
ln -s ../../bin usr/local/bin
ln -s ../../lib usr/local/lib
and make the terminfo (needed for a lot of programs) available in the root jail.
mkdir usr/share
cp -r /usr/share/terminfo usr/share

now for the really fun part...
you'll have to find out some stuff:

1. what do you want the user to be able to use
2. what libraries do these executables need
3. what other files will the user be needing

1. what do you want the user to be able to use

the user will need a shell (bash)
the user will need su (because the chrootshell script depends on it)
the user will need basic tools (cp, cat, ls, rm, mv etc.).
you'd want the user to have some other tools (vi, pico, whoami etc..)
you'd like for the user to have dircolors and id (needed if you want to use the standard etc/profile)

copy these files to the users chrooted bin dir
cp `which bash` `which su` `which cp` `which ln` `which ls` `which rm` `which mv` `which du` `which cat` `which less` `which vi` `which pico` `which whoami` `which dircolors` `which id` bin
note: the `which bash` part returns the full path of bash (/bin/bash) etc..

2. what libraries do these executables need


the command ldd is really useful here..
let's take bash for example:
root@server~# ldd `which bash`
libtermcap.so.2 => /lib/libtermcap.so.2 (0x4001b000)
libdl.so.2 => /lib/libdl.so.2 (0x40020000)
libc.so.6 => /lib/libc.so.6 (0x40023000)
/lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)


and copy all the needed libs for each of the programs you chose in step 1 to the chrooted lib dir..

let's first do so for bash
cp /lib/libtermcap.so.2 /lib/libdl.so.2 /lib/libc.so.6 /lib/ld-linux.so.2 lib
next the ones (on my system) missing for su
cp /lib/libcrypt.so.1 /lib/libnss_compat.so.2 /lib/libnss_files.so.2 lib
note that ldd doesn't show libnss because glibc loads it by name at runtime, but it is needed!!
next the ones for ls (only the ones not already copied, of course ;))
cp /lib/librt.so.1 /lib/libpthread.so.0 lib
etc...
cp /lib/libncurses.so.5 lib
cp /lib/libresolv.so.2 lib
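running ldd by hand for every program gets old fast, so here is an added example (my own script, not part of the original tutorial) that does steps 1 and 2 in one go: it parses ldd output, handles both line shapes ldd prints, drops the virtual entries (linux-vdso.so.1 and friends) and copies every library it finds into the jail at the same path. it assumes the jail root is the first argument (e.g. /home/luser), that the host has ldd, and that the libnss modules ldd can't see are listed in EXTRA_LIBS; the SAMPLE_LDD text is constructed from the ldd output shown above so the parser can be tried without touching the system.

```shell
#!/bin/bash
# Added example (not part of the original tutorial): automate "step 2" by
# asking ldd which libraries each program needs and copying them into the jail.
# Assumptions: the jail root is the first argument (e.g. /home/luser), the
# host has ldd, and each library is copied to the same path inside the jail
# (/lib/libc.so.6 -> /home/luser/lib/libc.so.6).

# Modules glibc loads by name at runtime, so ldd never lists them; su needs
# these to look up luser in the chrooted passwd/group files. Adjust to taste.
EXTRA_LIBS="/lib/libnss_compat.so.2 /lib/libnss_files.so.2"

# Read ldd output on stdin and print one library path per line. ldd prints
# two shapes that carry a path:
#   libc.so.6 => /lib/libc.so.6 (0x40023000)   -> take the 3rd word
#   /lib/ld-linux.so.2 (0x40000000)            -> take the 1st word
# Entries without a real path (linux-vdso.so.1, linux-gate.so.1) are dropped;
# "=> not found" is reported on stderr so a missing host library is noticed.
parse_ldd_libs() {
    set -f                      # no globbing while we word-split ldd output
    while read -r line; do
        case "$line" in
            *"statically linked"*|*"not a dynamic executable"*) continue ;;
            *"=> not found"*) echo "host is missing: $line" >&2; continue ;;
        esac
        set -- $line
        if [ "$2" = "=>" ]; then path="$3"; else path="$1"; fi
        case "$path" in
            /*) printf '%s\n' "$path" ;;
        esac
    done
    set +f
}

# copy_libs_into_jail JAIL PROGRAM...  copies every library the programs need
# (plus EXTRA_LIBS) into JAIL, creating lib/ or usr/lib/ as required.
copy_libs_into_jail() {
    jail="$1"; shift
    { for prog in "$@"; do ldd "$prog"; done; printf '%s\n' $EXTRA_LIBS; } \
        | parse_ldd_libs | sort -u | while read -r lib; do
            if [ ! -e "$lib" ]; then echo "skipping $lib (not on this host)" >&2; continue; fi
            mkdir -p "$jail$(dirname "$lib")"
            cp -L "$lib" "$jail$lib"    # -L follows symlinks so the real .so is copied
        done
}

# Constructed sample (the ldd output quoted in the tutorial plus a vdso line)
# so the parser can be exercised without running ldd.
SAMPLE_LDD='	libtermcap.so.2 => /lib/libtermcap.so.2 (0x4001b000)
	linux-vdso.so.1 (0x00007ffd56bfe000)
	libdl.so.2 => /lib/libdl.so.2 (0x40020000)
	libc.so.6 => /lib/libc.so.6 (0x40023000)
	/lib/ld-linux.so.2 (0x40000000)'

demo_parse() {
    printf '%s\n' "$SAMPLE_LDD" | parse_ldd_libs
}

# usage, as root, with the jail at /home/luser:
#   copy_libs_into_jail /home/luser /bin/bash /bin/su /bin/ls /bin/cat
```

the `sort -u` means a library shared by several programs is copied once, and anything reported as "host is missing" has to be installed on the host first, the jail can't be more complete than the system it's copied from.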

3. what other files will the user be needing

well this depends on what kind of programs the user is allowed to execute..
there's no real telling what you'll have to give the user to be content..
wait a minute !! the user has to be content with what you give him/her !!


the last step is to add the user to the sudoers file..
open the /etc/sudoers file with your favorite editor or use
visudo
add the line:
luser ALL= NOPASSWD: /usr/sbin/chroot /home/luser /bin/su - luser*
save and exit

now to check it out.. try and log in as the newly created luser
ssh -l luser localhost
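before letting anyone in it pays to look the jail over for the mistakes that are easy to make along the way (a link that points at itself, a tmp without the sticky bit, a setuid binary that slipped in with the copies, a missing etc/group). this is an added example of such a check (my own script, not part of the original tutorial); it assumes the jail root is given as its only argument and needs nothing but find, readlink and test.

```shell
#!/bin/bash
# Added example (not part of the original tutorial): sanity checks for a
# finished jail. Assumes the jail root is the first argument (e.g. /home/luser).
# Prints one line per finding and returns the number of findings (0 = clean).
# Paths inside the jail are assumed to contain no whitespace.
audit_jail() {
    jail="$1"
    findings=0

    # 1. symlinks that do not resolve: target missing, or a link pointing at
    #    itself ("ln -s bin usr" creates usr/bin -> bin, i.e. usr/bin again).
    #    [ -e ] follows the link and fails on both cases.
    for link in $(find "$jail" -type l); do
        if [ ! -e "$link" ]; then
            echo "broken symlink: $link -> $(readlink "$link")"
            findings=$((findings + 1))
        fi
    done

    # 2. tmp must carry the sticky bit, otherwise users of the jail can
    #    remove each other's files (that is what "chmod +t tmp" is for).
    if [ -d "$jail/tmp" ] && [ -z "$(find "$jail/tmp" -prune -perm -1000)" ]; then
        echo "tmp lacks sticky bit: $jail/tmp"
        findings=$((findings + 1))
    fi

    # 3. setuid/setgid files: every one of them inside the jail should be a
    #    deliberate choice, the tutorial's cp commands don't need any.
    for f in $(find "$jail" -type f \( -perm -4000 -o -perm -2000 \)); do
        echo "setuid/setgid file: $f"
        findings=$((findings + 1))
    done

    # 4. world-writable directories other than tmp.
    for d in $(find "$jail" -type d -perm -0002); do
        [ "$d" = "$jail/tmp" ] && continue
        echo "world-writable dir: $d"
        findings=$((findings + 1))
    done

    # 5. the chrooted passwd and group files must exist or su inside the
    #    jail cannot find luser.
    for f in etc/passwd etc/group; do
        if [ ! -f "$jail/$f" ]; then
            echo "missing $jail/$f"
            findings=$((findings + 1))
        fi
    done

    return "$findings"
}

# usage: audit_jail /home/luser && echo "jail looks sane"
```

run it after every change to the jail; an empty output and exit status 0 is what you want before the first `ssh -l luser`.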


A lot more info on chroot logins

A nice derived paper can be found at rootshellsecurity.com

Another system I'm gonna have to check out is jailkit..


Copyright (c) 2003-2005 by Anne Jan Brouwer (the_JinX).
This work is licensed under a Creative Commons License.
Attribution-ShareAlike 2.0 or later

reference:http://intmainvoid.nl/
