SSH jail

From D3xt3r01.tk

WHY

Because I wanted to jail some users .. for the fun of it .. they don't need to be able to move everywhere they want but basically .. I wanted to give some access to run a screen process in a chrooted environment .. so .. here it goes

HOW

Step 1: Getting, compiling, installing.

wget http://wiki.d3xt3r01.tk/images/2/27/Jailkit-2.5.tar.gz
tar -xzf jailkit-2.5.tar.gz
cd jailkit-2.5
./configure
make
sudo make install # be sure to do this part as root..

Step 2: Configuring

Be sure to edit /etc/jailkit/jk_init.ini , some libs might be in different directories for other distros than Fedora ( which is what I'm using on the devel box ). I'll want to put user bling in a jail in /mnt/dex/jail/bling .. If you run into a thingy saying it can't find /etc/ld.so.conf .. see /etc/jailkit/jk_init.ini and add a ',' before it ..

You'll see that bash wants /usr/bin/id so add it to /etc/jailkit/jk_init.ini in the [basicshell] section.

cd /mnt/dex # Be sure to chown root:root /mnt/dex too ! .. jk_init will tell you it's not safe anyway .. 
mkdir -p jail/bling
jk_init -v -j /mnt/dex/jail/bling basicshell # initialize his dir with the needed utilities
adduser bling # add the regular user
passwd bling # set the password for him ..
...
jk_jailuser -m -s /bin/bash -j /mnt/dex/jail/bling bling # modify his regular home to the new chroot
mkdir jail/bling/tmp
chmod a+rwx jail/bling/tmp

Adding another user

Adding more users is as easy as repeating step 2 for each of them.

Adding other binaries

Check out jk_init -l if you want your chrooted user to be able to access other stuff ..

Also .. if you find something that's not there .. simply run 'whereis binary' to locate it, then 'jk_cp -v -j /path/to/jailroot /path/to/binary' and it'll copy the binary together with all the libraries it needs, with the right permissions .. Unfortunately jk_cp won't catch everything .. at least not all the time .. so .. installing strace for the user and strace-ing what you want to use in his home would be a good idea .. it shows you which files the program tries to open so you can copy them in from the real world :)

jk_cp -v -j /mnt/dex/jail/bling /usr/bin/screen # to enable screen use .. don't forget to mount dev and devpts

Other issues

If you want that user to be able to use the internet .. you'd better copy your /etc/resolv.conf to the jailed root/etc dir .. or add netbasics to the jk_init line..

Also .. if some programs complain about not knowing the terminal .. on Fedora you should just copy /usr/share/terminfo/ into the jail ( keeping the same path ) ( or add midnightcommander and xterm to the jk_init line ). Also edit /etc/jailkit/jk_chrootsh.ini and add this section:

[bling] # replace with the username ..
env= DISPLAY, XAUTHORITY, TERM, PATH

PTYs

Screen might complain about not having PTYs .. so after some research ..

mkdir /mnt/dex/jail/bling/dev
mount --bind /dev /mnt/dex/jail/bling/dev
mount --bind /dev/pts /mnt/dex/jail/bling/dev/pts
# mounting proc would be nice but do it only if you need it!
mount --bind /proc /mnt/dex/jail/bling/proc

Other info

Some programs need /var/run .. so

mkdir -p /mnt/dex/jail/bling/var/run/screen
chmod 777 /mnt/dex/jail/bling/var/run/screen

finch ( the pidgin cli client .. ) wants /var/lib/dbus/machine-id so ..

mkdir -p /mnt/dex/jail/bling/var/lib/dbus
cp /var/lib/dbus/machine-id /mnt/dex/jail/bling/var/lib/dbus
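The steps above leave a few things worth double-checking once the jail is built: the 'chmod 777' directories ( tmp, var/run/screen ) have no sticky bit, jk_cp copies binaries with whatever mode bits they had on the host, and 'mount --bind /dev' brings the whole host /dev into the jail. Here is a small audit function, written for this page and not part of Jailkit, that walks a finished jail root and reports those problems. It only needs a POSIX sh with find and sed. The optional second argument, which is an assumption of this example and not a Jailkit option, is the user that must own the jail root; it defaults to root, which is what jk_init warns about.

```shell
#!/bin/sh
# audit_jail JAILROOT [OWNER]
# Example added to this page, not Jailkit's own code. Walks a finished
# chroot (e.g. /mnt/dex/jail/bling) and prints one WARN line per problem.
# OWNER (assumed parameter) is who must own the jail root; defaults to root.
# Returns 0 when the jail is clean, 1 when anything was reported.
audit_jail() {
    root="$1"
    owner="${2:-root}"

    findings=$(
        # The jailed user must never own the root of his own chroot.
        find "$root" -maxdepth 0 ! -user "$owner" |
            sed "s|^|jail root not owned by $owner: |"

        # 'chmod 777' dirs such as tmp and var/run/screen need the sticky
        # bit (1777) like a real /tmp, so one jailed user cannot remove or
        # rename files another user put there.
        find "$root" -type d -perm -0002 ! -perm -1000 |
            sed 's|^|world-writable dir without sticky bit: |'

        # jk_cp keeps the source file's mode bits; a setuid/setgid program
        # inside the jail lets the jailed user run code as another uid.
        find "$root" -type f \( -perm -4000 -o -perm -2000 \) |
            sed 's|^|setuid/setgid file inside jail: |'

        # A bind mount of the whole /dev hands every host device node to
        # the jail; a shell plus screen only needs a handful of them.
        if [ -d "$root/dev" ]; then
            n=$(find "$root/dev" -maxdepth 1 \( -type c -o -type b \) | wc -l | tr -d ' ')
            if [ "$n" -gt 8 ]; then
                echo "$root/dev holds $n device nodes (whole /dev bind-mounted?)"
            fi
        fi
    )

    if [ -z "$findings" ]; then
        echo "OK: no issues found in $root"
        return 0
    fi
    printf '%s\n' "$findings" | sed 's|^|WARN: |'
    return 1
}
```

Run it as root against the jail from step 2 with 'audit_jail /mnt/dex/jail/bling'; a clean jail prints a single OK line. Fixing the tmp and var/run/screen warnings is just 'chmod 1777' on those directories, and the /dev warning goes away if only the few nodes screen needs ( null, zero, tty, ptmx and the pts mount ) are created or bind-mounted instead of the whole directory.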

HELP

jk_init --help
jk_jailuser --help
jk_cp --help

LINKS

JAILKIT

fuschlberger.net

linux.com