Linux - Server: This forum is for the discussion of Linux software used in a server-related context.
I'm running OpenSuse 11.4 along with apache, mysql, vsftp, etc. etc., and I also set up ssh on a non-standard port. But when creating a new user, that user, when using ssh, can still cd and poke around outside his home directory. I read somewhere that setting up a chroot environment would stop him from poking around and only allow access to within his root directory and child directories, but it's a very tedious trial-and-error process.
As I use webmin to do most of my administrative tasks, is there a sort of 'wizard' that can create the chroot environment automatically during the new user creation process and lock that user to that home directory, but still have access to a shell and still cd to other directories within his home directory? I.e.:
User 'JackJ' is created, then the wizard would create/copy all necessary directories/files in /home/JackJ, then set appropriate permissions; then when 'JackJ' logs in using ssh, he can use commands such as wget and mono, and even use a shell such as sh or bash, but is totally unable to access anything outside his home directory.
ADDENDUM:
I found I could use virtualmin, which does create a per-user chroot environment, but it also sets up the system as a full-fledged hosting system running apache, mysql, postfix, proftp, dovecot, dhcp, bind dns, squid, etc. etc., requiring a static WAN IP.
Last edited by Usalabs; 05-09-2012 at 12:01 AM.
Reason: Addendum
I downloaded jailkit, configured, installed and set up a chroot according to the readme file, but now I can't use ssh: it logs in fine, but then drops the connection after entering the user password. The error produced in the sys logs is:
user aurorauser (1001) tried to get an interactive shell session (/usr/sbin/jk_lsh), which is never allowed by jk_lsh
I even added the user section in /home/chroot/etc/jailkit/jk_lsh.ini to look like this:
The /etc/passwd file is correct according to other posts I've seen, and the /home/chroot/etc/passwd file is also correct, but still no go.
Any suggestions?
What I want to do is to only allow a user to log in using ssh to his home folder ONLY; he is then allowed to use commands such as wget, xbuild, nant and mono, and also has access to mysql, but can only see a DB list of his own databases when using 'show databases;'.
More or less, the user would use his home directory as if it were an entirely separate system, but with limited access to shell commands, and could still create child folders and cd into them, just like a hosting provider that allows ssh into your hosting space but doesn't allow wandering around the system.
ADDENDUM:
Well, I guess it's not possible to do any of that, so I'll just use ssh in the normal way. Who cares if a user wanders around the system, as long as all the right permissions are in place? Plus, googling around, nobody has yet created a fully working nix distro that has a chroot environment wizard, such as a command line where one would just type something like this as root:
#create chroot
<prompt response>
create user name:_
create user password:_
Enter the application(s) you want to allow user to run:_
Enter directory for user home, i.e. (/home/ or /user/):_
Then the wizard would gather all required information and file locations, and create everything along with setting all the right permissions.
If someone can create virtualmin for a complete hosting system, then surely someone could create something to auto-create a chroot environment when a new user is created (of course the option would be available during a clean install of the distro, whether to install the files needed for a chroot environment, or as an option in the software package manager).
I am probably 6 months late, but you don't really need to make a chroot environment. There is rbash, which is implemented in Bash by default. You can use the -r option or run rbash to run a restricted shell environment. There are some cons, though: you can still use ls / to poke around root files, and users can't go anywhere, because cd is restricted. Some commands that redirect to /dev/null or any other files are restricted too. For example, bash_completion is restricted, as pressing Tab will result in this error:
Some commands are unrestricted, so the user can still run the original Bash. To get around this, here is a hack I found in the RedHat customer forums (https://access.redhat.com/solutions/65822).
1. Make a folder in the user's home called `programs`. Then, symlink the usable programs for the user to the folder.