LinuxQuestions.org
Old 05-08-2012, 01:35 AM   #1
Usalabs
Member
 
Registered: Jan 2004
Distribution: OpenSUSE 42.1 Server
Posts: 158

Rep: Reputation: 15
Is there an auto chroot environment creator?


I'm running OpenSuse 11.4 along with apache, mysql, vsftp, etc. I also set up ssh on a non-standard port, but when I create a new user, that user can still cd and poke around outside his home directory when using ssh. I read somewhere that setting up a chroot environment would stop him from poking around and only allow access to his root directory and its child directories, but it's a very tedious trial-and-error process.

As I use webmin to do most of my administrative tasks, is there a sort of 'wizard' that can create the chroot environment automatically during the new user creation process and lock that user to that home directory, while still giving him access to a shell and letting him cd to other directories within his home directory? I.e.:

User 'JackJ' is created, then the wizard creates/copies all necessary directories/files in /home/JackJ and sets appropriate permissions; then, when 'JackJ' logs in using ssh, he can use commands such as wget and mono, and even a shell such as sh or bash, but is totally unable to access anything outside his home directory.

ADDENDUM:
I found I could use virtualmin, which does create a per-user chroot environment, but it also sets up the system as a full-fledged hosting system running apache, mysql, postfix, proftp, dovecot, dhcp, bind dns, squid, etc., requiring a static WAN IP.

Last edited by Usalabs; 05-09-2012 at 12:01 AM. Reason: Addendum
 
Old 05-09-2012, 09:51 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
See http://freecode.com/projects/jailkit?
 
Old 05-09-2012, 09:00 PM   #3
Usalabs
Member
 
Registered: Jan 2004
Distribution: OpenSUSE 42.1 Server
Posts: 158

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by unSpawn
I downloaded jailkit, configured, installed and set up a chroot according to the readme file, but now I can't use ssh: it logs in fine, but then drops the connection after I enter the user password. The error produced in the sys logs is: user aurorauser (1001) tried to get an interactive shell session (/usr/sbin/jk_lsh), which is never allowed by jk_lsh

I even added the user section in /home/chroot/etc/jailkit/jk_lsh.ini to look like this:

Code:
[aurorauser]
paths= /usr/bin
executables= /usr/bin/ssh
allow_word_expansion = 0
umask = 002
The /etc/passwd file is correct according to other posts I've seen, and the /home/chroot/etc/passwd file is also correct.

But still no go.

Any suggestions?

What I want to do is to only allow a user to log in using ssh to his home folder ONLY; he is then allowed to use commands such as wget, xbuild, nant, and mono, and also has access to mysql, but can only see a DB list of his own databases when using 'show databases;'.

More or less, the user would use his home directory as if it were an entirely separate system, but with limited access to shell commands, and could still create child folders and cd into them, just like a hosting provider that allows ssh into your hosting space but doesn't allow wandering around the system.

ADDENDUM:
Well, I guess it's not possible to do any of that, so I'll just use ssh in the normal way. Who cares if a user wanders around the system, as long as all the right permissions are in place? Plus, googling around, nobody has yet created a fully working nix distro that has a chroot environment wizard, such as a command line where one would just type something like this as root:

#create chroot

<prompt response>
create user name:_
create user password:_
Enter the application(s) you want to allow user to run:_
Enter directory for user home, ie (/home/ or /user/):_

Then the wizard would gather all required information and file locations, and create everything along with setting all the right permissions.

If someone can create virtualmin for a complete hosting system, then surely someone could create something to auto-create a chroot environment when a new user is created (of course the option would be available during a clean install of the distro, whether to install the files needed for a chroot environment, or as an option in the software package manager).

Last edited by Usalabs; 05-09-2012 at 11:11 PM.
 
Old 04-19-2021, 12:55 PM   #4
Amint
LQ Newbie
 
Registered: Apr 2021
Distribution: Slackware, Gobo, Venom, Debian, Arch, Bedrock, Fedora, NixOS and Solus
Posts: 1

Rep: Reputation: Disabled

I am probably 6 months late, but you don't really need to make a chroot environment. There is rbash, which is built into Bash by default. You can use the -r option or run rbash to get a restricted shell environment. There are some cons, though: you can still use ls / to poke around root files, and users can't go anywhere, because cd is restricted. Some commands that redirect to /dev/null or any other files are restricted too. For example, bash_completion is restricted, as clicking Tab will result in this error:

Code:
rbash: /dev/null: restricted: cannot redirect output
bash_completion: _upvars: `-a0': invalid number specifier
rbash: /dev/null: restricted: cannot redirect output
bash_completion: _upvars: `-a0': invalid number specifier
Some commands are unrestricted, so the user can still run the original Bash. To get around this, here is a hack I found in the RedHat customer forums (https://access.redhat.com/solutions/65822).

1. Make a folder in the user's home called 'programs'. Then, symlink the usable programs for the user to the folder.
Code:
# mkdir /home/user/programs && ln -s /bin/ls ~user/programs/ls
2. Modify ~/.bashrc as follows:
Code:
# User specific environment and startup programs
readonly PATH=$HOME/programs
export PATH
3. su into the user's account and test:
Code:
# su user
$ sudo
rbash: /usr/lib/command-not-found: restricted: cannot specify `/' in command names
See man rbash for more info.
 
2 members found this post helpful.
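The three steps above, as an added example that is not from this thread or from the Red Hat article: a POSIX sh script that builds the rbash 'programs' layout for one home directory and then audits it. The audit and the rbash probe are additions, and setup_restricted_home, audit_restricted_home and probe_rbash are assumed names, not tools the post describes.

```shell
#!/bin/sh
# Added example (not from the thread): build the rbash "programs" layout
# for one home directory, then audit it. Assumptions: the home directory
# already exists, rbash is the user's login shell, and the caller runs
# this as root so the programs directory can be made root-owned.
set -u

# setup_restricted_home HOME_DIR PROGRAM...
# Creates HOME_DIR/programs, symlinks each allowed program into it and
# pins PATH to that directory from .bashrc, exactly as in the post.
setup_restricted_home() {
    home=$1; shift
    progs="$home/programs"
    mkdir -p "$progs" || return 1
    for p in "$@"; do
        ln -sf "$p" "$progs/$(basename "$p")" || return 1
    done
    chmod 755 "$progs"   # user must not be able to add entries (root-owned)
    printf '%s\n' '# restricted shell: only $HOME/programs is searched' \
        'readonly PATH=$HOME/programs' 'export PATH' > "$home/.bashrc"
    # a login shell reads .bash_profile first; make sure it pulls in .bashrc
    printf '%s\n' '[ -f ~/.bashrc ] && . ~/.bashrc' > "$home/.bash_profile"
}

# audit_restricted_home HOME_DIR
# Returns 0 only if PATH is pinned read-only, every entry in programs/ is a
# symlink that resolves, and none of them is itself a shell (a symlinked
# sh/bash/dash would hand the user an unrestricted shell immediately).
audit_restricted_home() {
    home=$1
    grep -qx 'readonly PATH=\$HOME/programs' "$home/.bashrc" || return 1
    for f in "$home"/programs/*; do
        [ -L "$f" ] && [ -e "$f" ] || return 1
        case $(basename "$(readlink "$f")") in
            sh|bash|dash|ksh|zsh|rbash) return 1 ;;
        esac
    done
    return 0
}

# probe_rbash: confirm the installed bash really enforces restricted mode
# (both cd and PATH assignment must fail). Returns 0 if bash is absent.
probe_rbash() {
    command -v bash >/dev/null 2>&1 || return 0
    ! bash -r -c 'cd /' 2>/dev/null && ! bash -r -c 'PATH=/bin' 2>/dev/null
}
```

Run setup_restricted_home as root against the user's home, then audit_restricted_home after every change to programs/; a failing audit means the shell escape the post warns about is back.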
  

