SSH jail

From D3xt3r01.tk
Jump to navigationJump to search

WHY

Because I wanted to jail some users .. for the fun of it .. they don't need to be able to move everywhere they want but basicaly .. I wanted to give some access to run a screen proccess in a chrooted environment .. so .. here it goes

HOW

Step 1: Getting, compiling, installing.

wget http://wiki.d3xt3r01.tk/images/2/27/Jailkit-2.5.tar.gz
tar -xzf jailkit-2.5.tar.gz
cd jailkit-2.5
./configure
make
sudo make install # be sure to do this part as root..

Step 2: Configuring

Be sure to edit /etc/jailkit/jk_init.ini , some libs might be in different directories for other distros than Fedora ( which is what I'm using on the devel box ). I'll want to put user bling in a jail in /mnt/dex/jail/bling .. If you run into a thingy saying it can't find /etc/ld.so.conf .. see /etc/jailkit/jk_init.ini and add a ',' before it ..

You'll see that bash wants /usr/bin/id so add it to /etc/jailkit/jk_init.ini in the [basicshell] section.

cd /mnt/dex # Be sure to chown root:root /mnt/dex too ! .. jk_init will tell you it's not safe anyway .. 
mkdir -p jail/bling
jk_init -v -j /mnt/dex/jail/bling basicshell # initialize his dir with the needed utilities
adduser bling # add the regular user
passwd bling # set the password for him ..
...
jk_jailuser -m -s /bin/bash -j /mnt/dex/jail/bling bling # modify his regular home to the new chroot
mkdir jail/bling/tmp
chmod a+rwx jail/bling/tmp

Adding another user

Adding more users is as easy as redoing the step 2.

Adding other binaries

Check out jk_init -l if you want your chrooted user to be able to access other stuff ..

Also .. if you find something that's not there .. simply do a 'whereis binary' ; 'jk_cp -v -j /path/to/jailroot /path/to/binary' and it'll copy all the needed libraries with the right permissions and stuff .. Unfortunately jk_cp won't manage to do everything .. at least not all the time .. so .. installing strace for the user and strace-ing what you want to use in his home would be a good idea .. it should show you what it tries to open so you can copy it to him from the real world :)

jk_cp -v -j /mnt/dex/jail/bling /usr/bin/screen # to enable screen use .. don't forget to mount dev and devpts

Other issues

If you want that user to be able to use the internet .. you'd better copy your /etc/resolv.conf to the jailed root/etc dir .. or add netbasics to the jk_init line..

Also .. if some programs complain about not knowing the terminal .. in fedora you should just copy usr/share/terminfo/ to the jail ( or add midnightcommander and xterm to the jk_init line ). Also edit /etc/jailkit/jk_chrootsh.ini and add this

[bling] # replace with the username ..
env= DISPLAY, XAUTHORITY, TERM, PATH

PTYs

Screen might complain about not having PTYs .. so after some research ..

mkdir /mnt/dex/jail/bling/dev
mount --bind /dev /mnt/dex/jail/bling/dev
mount --bind /dev/pts /mnt/dex/jail/bling/dev/pts
# mounting proc would be nice but do it only if you need it!
mount --bind /proc /mnt/dex/jail/bling/proc

Other info

Some programs need /var/run .. so

mkdir -p /mnt/dex/jail/bling/var/run/screen
chmod 777 /mnt/dex/jail/bling/var/run/screen

finch ( the pidgin cli client .. ) wants /var/lib/dbus/machine-id so ..

mkdir -p /mnt/dex/jail/bling/var/lib/dbus
cp /var/lib/dbus/machine-id /mnt/dex/jail/bling/var/lib/dbus

HELP

jk_init --help
jk_jailuser --help
jk_cp --help

LINKS

JAILKIT

fuschlberger.net

linux.com