SSH jail
WHY
Because I wanted to jail some users .. for the fun of it .. they don't need to be able to move everywhere they want but basicaly .. I wanted to give some access to run a screen proccess in a chrooted environment .. so .. here it goes
HOW
Step 1: Getting, compiling, installing.
wget http://wiki.d3xt3r01.tk/images/2/27/Jailkit-2.5.tar.gz
tar -xzf jailkit-2.5.tar.gz
cd jailkit-2.5
./configure
make
sudo make install # be sure to do this part as root..Step 2: Configuring
Be sure to edit /etc/jailkit/jk_init.ini , some libs might be in different directories for other distros than Fedora ( which is what I'm using on the devel box ). I'll want to put user bling in a jail in /mnt/dex/jail/bling .. If you run into a thingy saying it can't find /etc/ld.so.conf .. see /etc/jailkit/jk_init.ini and add a ',' before it ..
You'll see that bash wants /usr/bin/id so add it to /etc/jailkit/jk_init.ini in the [basicshell] section.
cd /mnt/dex # Be sure to chown root:root /mnt/dex too ! .. jk_init will tell you it's not safe anyway ..
mkdir -p jail/bling
jk_init -v -j /mnt/dex/jail/bling basicshell # initialize his dir with the needed utilities
adduser bling # add the regular user
passwd bling # set the password for him ..
...
jk_jailuser -m -s /bin/bash -j /mnt/dex/jail/bling bling # modify his regular home to the new chroot
mkdir jail/bling/tmp
chmod a+rwx jail/bling/tmpAdding another user
Adding more users is as easy as redoing the step 2.
Adding other binaries
Check out jk_init -l if you want your chrooted user to be able to access other stuff ..
Also .. if you find something that's not there .. simply do a 'whereis binary' ; 'jk_cp -v -j /path/to/jailroot /path/to/binary' and it'll copy all the needed libraries with the right permissions and stuff .. Unfortunately jk_cp won't manage to do everything .. at least not all the time .. so .. installing strace for the user and strace-ing what you want to use in his home would be a good idea .. it should show you what it tries to open so you can copy it to him from the real world :)
jk_cp -v -j /mnt/dex/jail/bling /usr/bin/screen # to enable screen use .. don't forget to mount dev and devptsOther issues
If you want that user to be able to use the internet .. you'd better copy your /etc/resolv.conf to the jailed root/etc dir .. or add netbasics to the jk_init line..
Also .. if some programs complain about not knowing the terminal .. in fedora you should just copy usr/share/terminfo/ to the jail ( or add midnightcommander and xterm to the jk_init line ). Also edit /etc/jailkit/jk_chrootsh.ini and add this
[bling] # replace with the username ..
env= DISPLAY, XAUTHORITY, TERM, PATHPTYs
Screen might complain about not having PTYs .. so after some research ..
mkdir /mnt/dex/jail/bling/dev
mount --bind /dev /mnt/dex/jail/bling/dev
mount --bind /dev/pts /mnt/dex/jail/bling/dev/pts
# mounting proc would be nice but do it only if you need it!
mount --bind /proc /mnt/dex/jail/bling/procOther info
Some programs need /var/run .. so
mkdir -p /mnt/dex/jail/bling/var/run/screen
chmod 777 /mnt/dex/jail/bling/var/run/screenfinch ( the pidgin cli client .. ) wants /var/lib/dbus/machine-id so ..
mkdir -p /mnt/dex/jail/bling/var/lib/dbus
cp /var/lib/dbus/machine-id /mnt/dex/jail/bling/var/lib/dbusHELP
jk_init --help
jk_jailuser --help
jk_cp --help