https://wiki.d3xt3r01.tk//index.php?action=history&feed=atom&title=SSH_jailSSH jail - Revision history2026-05-05T17:28:47ZRevision history for this page on the wikiMediaWiki 1.45.1https://wiki.d3xt3r01.tk//index.php?title=SSH_jail&diff=6537&oldid=prevAdmin at 19:12, 25 January 20122012-01-25T19:12:31Z<p></p>
<table style="background-color: #fff; color: #202122;" data-mw="interface">
<tr class="diff-title" lang="en">
<td colspan="1" style="background-color: #fff; color: #202122; text-align: center;">← Older revision</td>
<td colspan="1" style="background-color: #fff; color: #202122; text-align: center;">Revision as of 22:12, 25 January 2012</td>
</tr><tr><td colspan="2" class="diff-notice" lang="en"><div class="mw-diff-empty">(No difference)</div>
</td></tr></table>Adminhttps://wiki.d3xt3r01.tk//index.php?title=SSH_jail&diff=8&oldid=prevAdmin: New page: ==WHY== Because I wanted to jail some users .. for the fun of it .. they don't need to be able to move everywhere they want but basicaly .. I wanted to give some access to run a screen pro...2009-06-25T18:29:10Z<p>New page: ==WHY== Because I wanted to jail some users .. for the fun of it .. they don't need to be able to move everywhere they want but basicaly .. I wanted to give some access to run a screen pro...</p>
<p><b>New page</b></p><div>==WHY==<br />
Because I wanted to jail some users .. for the fun of it .. they don't need to be able to move everywhere they want but basicaly .. I wanted to give some access to run a screen proccess in a chrooted environment .. so .. here it goes<br />
<br />
==HOW==<br />
'''''Step 1''''': Getting, compiling, installing.<br />
<br />
<source lang="bash"><br />
wget http://wiki.d3xt3r01.tk/images/2/27/Jailkit-2.5.tar.gz<br />
tar -xzf jailkit-2.5.tar.gz<br />
cd jailkit-2.5<br />
./configure<br />
make<br />
sudo make install # be sure to do this part as root..<br />
</source><br />
<br />
'''''Step 2''''': Configuring<br />
<br />
Be sure to edit /etc/jailkit/jk_init.ini , some libs might be in different directories for other distros than Fedora ( which is what I'm using on the devel box ). I'll want to put user '''''bling''''' in a jail in /mnt/dex/jail/bling .. If you run into a thingy saying it can't find /etc/ld.so.conf .. see /etc/jailkit/jk_init.ini and add a ',' before it .. <br />
<br />
You'll see that bash wants /usr/bin/id so add it to /etc/jailkit/jk_init.ini in the [basicshell] section.<br />
<br />
<source lang="bash"><br />
cd /mnt/dex # Be sure to chown root:root /mnt/dex too ! .. jk_init will tell you it's not safe anyway .. <br />
mkdir -p jail/bling<br />
jk_init -v -j /mnt/dex/jail/bling basicshell # initialize his dir with the needed utilities<br />
adduser bling # add the regular user<br />
passwd bling # set the password for him ..<br />
...<br />
jk_jailuser -m -s /bin/bash -j /mnt/dex/jail/bling bling # modify his regular home to the new chroot<br />
mkdir jail/bling/tmp<br />
chmod a+rwx jail/bling/tmp<br />
</source><br />
<br />
==Adding another user==<br />
Adding more users is as easy as redoing the step 2.<br />
<br />
==Adding other binaries==<br />
Check out jk_init -l if you want your chrooted user to be able to access other stuff .. <br />
<br />
Also .. if you find something that's not there .. simply do a 'whereis binary' ; 'jk_cp -v -j /path/to/jailroot /path/to/binary' and it'll copy all the needed libraries with the right permissions and stuff .. Unfortunately jk_cp won't manage to do everything .. at least not all the time .. so .. installing strace for the user and strace-ing what you want to use in his home would be a good idea .. it should show you what it tries to open so you can copy it to him from the real world :)<br />
<br />
<source lang="bash"><br />
jk_cp -v -j /mnt/dex/jail/bling /usr/bin/screen # to enable screen use .. don't forget to mount dev and devpts<br />
</source><br />
<br />
==Other issues==<br />
If you want that user to be able to use the internet .. you'd better copy your /etc/resolv.conf to the jailed root/etc dir .. or add netbasics to the jk_init line..<br />
<br />
Also .. if some programs complain about not knowing the terminal .. in fedora you should just copy usr/share/terminfo/ to the jail ( or add midnightcommander and xterm to the jk_init line ). Also edit /etc/jailkit/jk_chrootsh.ini and add this<br />
<br />
<source lang="bash"><br />
[bling] # replace with the username ..<br />
env= DISPLAY, XAUTHORITY, TERM, PATH<br />
</source><br />
<br />
==PTYs==<br />
Screen might complain about not having PTYs .. so after some research .. <br />
<source lang="bash"><br />
mkdir /mnt/dex/jail/bling/dev<br />
mount --bind /dev /mnt/dex/jail/bling/dev<br />
mount --bind /dev/pts /mnt/dex/jail/bling/dev/pts<br />
# mounting proc would be nice but do it only if you need it!<br />
mount --bind /proc /mnt/dex/jail/bling/proc<br />
</source><br />
<br />
==Other info==<br />
Some programs need /var/run .. so <br />
<br />
<source lang="bash"><br />
mkdir -p /mnt/dex/jail/bling/var/run/screen<br />
chmod 777 /mnt/dex/jail/bling/var/run/screen<br />
</source><br />
<br />
finch ( the pidgin cli client .. ) wants /var/lib/dbus/machine-id so ..<br />
<source lang="bash"><br />
mkdir -p /mnt/dex/jail/bling/var/lib/dbus<br />
cp /var/lib/dbus/machine-id /mnt/dex/jail/bling/var/lib/dbus<br />
</source><br />
<br />
==HELP==<br />
<source lang="bash"><br />
jk_init --help<br />
jk_jailuser --help<br />
jk_cp --help<br />
</source><br />
<br />
==LINKS==<br />
[http://olivier.sessink.nl/jailkit/howtos_ssh_only.html JAILKIT]<br />
<br />
[http://www.fuschlberger.net/programs/ssh-scp-sftp-chroot-jail/ fuschlberger.net]<br />
<br />
[http://www.linux.com/feature/61387 linux.com]<br />
<br />
[[Category:SSH]]<br />
[[Category:Linux]]<br />
[[Category:Jail]]<br />
[[Category:HowTo]]</div>Admin