Dear Thomas,
doing a google search I found your post
http://archives.neohapsis.com/archives/linux/suse/2004-q1/0393.html
Because I'm interested in setting up a chroot ssh login, I'd like to know how you did it.
Thank you in advance!
Best regards,
Martin
No probs... I hope you don't mind, but I'm also sending it to the list which you found on Google. To those on the list who helped me get this set up - thanks!!

As it happens, I've now moved away from the chroot login, but it did work very well (as far as I could tell).

Here's what I had:

I installed the "compart" (or was it "compartment"?) package from Yast.

/etc/passwd contained:

    update:x:5000:65534:Update User:/home/update:/bin/compart.jail

I used /home/update/JAIL not /home/update as /home/update/.ssh/authorised_keys contained the stuff to enable a passwordless login.

/bin/compart.jail contained:

    #!/bin/bash
    sudo /usr/sbin/compartment --user update --group nogroup --chroot /home/update/JAIL /bin/bash "$@"

/etc/sudoers contained:

    update ALL= NOPASSWD: /usr/sbin/compartment --user update --group nogroup --chroot /home/update/JAIL /bin/bash*

The directory /home/update/JAIL ($JAIL) contained the full set of files that the update user required. `ldd` gave me the libraries that the programs all required, thus:

    .:
    total 1
    0 drwxr-xr-x 8 root root 192 2004-01-27 09:54 .
    0 drwxr-xr-x 4 root root 160 2004-01-29 16:03 ..
    0 drwxr-xr-x 2 root root 192 2004-01-26 09:57 bin
    0 drwxr-xr-x 2 root root 96 2004-01-23 14:08 dev
    0 drwxr-xr-x 2 root root 128 2004-01-27 11:23 etc
    1 drwxr-xr-x 3 root root 664 2004-01-26 09:55 lib
    0 drwxr-xr-x 4 root root 112 2004-01-22 09:33 upload
    0 drwxr-xr-x 4 root root 96 2004-01-22 14:50 usr

    ./bin:
    total 645
    0 drwxr-xr-x 2 root root 192 2004-01-26 09:57 .
    0 drwxr-xr-x 8 root root 192 2004-01-27 09:54 ..
    469 -rwxr-xr-x 1 root root 477132 2004-01-20 15:02 bash
    68 -rwxr-xr-x 1 root root 68460 2004-01-20 15:02 ls
    20 -rwxr-xr-x 1 root root 18928 2004-01-20 15:02 mkdir
    52 -rwxr-xr-x 1 root root 52184 2004-01-20 15:02 mv
    8 -rwxr-xr-x 1 root root 6096 2004-01-20 15:02 pwd
    28 -rwxr-xr-x 1 root root 26656 2004-01-20 15:02 rm

    ./dev:
    total 0
    0 drwxr-xr-x 2 root root 96 2004-01-23 14:08 .
    0 drwxr-xr-x 8 root root 192 2004-01-27 09:54 ..
    0 crw-rw-rw- 1 root root 5, 0 2004-01-22 14:39 tty
    0 crw-r--r-- 1 root root 1, 9 2004-01-20 16:00 urandom

    ./etc:
    total 12
    0 drwxr-xr-x 2 root root 128 2004-01-27 11:23 .
    0 drwxr-xr-x 8 root root 192 2004-01-27 09:54 ..
    4 -r-------- 1 root root 27 2004-01-22 16:11 group
    4 -rw-r--r-- 1 root root 1722 2004-01-21 09:08 ld.so.cache
    4 -r-------- 1 root root 65 2004-01-22 16:12 passwd

    ./lib:
    total 1789
    1 drwxr-xr-x 3 root root 664 2004-01-26 09:55 .
    0 drwxr-xr-x 8 root root 192 2004-01-27 09:54 ..
    0 drwxr-xr-x 2 root root 112 2004-01-23 14:08 i686
    92 -rwxr-xr-x 1 root root 91085 2004-01-22 14:47 ld-linux.so.2
    28 -rwxr-xr-x 1 root root 25416 2004-01-20 15:02 libacl.so.1
    16 -rwxr-xr-x 1 root root 13974 2004-01-20 15:02 libattr.so.1
    8 -rwxr-xr-x 1 root root 7518 2004-01-22 16:05 libcom_err.so.2
    44 -rwxr-xr-x 1 root root 43395 2004-01-22 14:47 libcrypt.so.1
    12 -rwxr-xr-x 1 root root 11856 2004-01-20 15:02 libdl.so.2
    104 -rwxr-xr-x 1 root root 104452 2004-01-22 16:05 libext2fs.so.2
    124 -rwxr-xr-x 1 root root 122891 2004-01-20 15:02 libhistory.so.4
    304 -rwxr-xr-x 1 root root 307598 2004-01-20 15:02 libncurses.so.5
    88 -rwxr-xr-x 1 root root 87717 2004-01-22 14:47 libnsl.so.1
    52 -rwxr-xr-x 1 root root 50541 2004-01-21 09:11 libnss_compat.so.2
    44 -rwxr-xr-x 1 root root 44639 2004-01-21 09:13 libnss_files.so.2
    637 -rwxr-xr-x 1 root root 650278 2004-01-20 15:02 libreadline.so.4
    72 -rwxr-xr-x 1 root root 70056 2004-01-22 14:47 libresolv.so.2
    36 -rwxr-xr-x 1 root root 34085 2004-01-20 15:02 librt.so.1
    12 -rwxr-xr-x 1 root root 10600 2004-01-22 14:47 libutil.so.1
    52 -rwxr-xr-x 1 root root 52751 2004-01-21 11:35 libxcrypt.so.1
    64 -rwxr-xr-x 1 root root 61850 2004-01-22 14:47 libz.so.1

    ./lib/i686:
    total 1390
    0 drwxr-xr-x 2 root root 112 2004-01-23 14:08 .
    1 drwxr-xr-x 3 root root 664 2004-01-26 09:55 ..
    1289 -rwxr-xr-x 1 root root 1315242 2004-01-20 15:02 libc.so.6
    100 -rwxr-xr-x 1 root root 98628 2004-01-20 15:02 libpthread.so.0

    ./usr:
    total 0
    0 drwxr-xr-x 4 root root 96 2004-01-22 14:50 .
    0 drwxr-xr-x 8 root root 192 2004-01-27 09:54 ..
    0 drwxr-xr-x 2 root root 192 2004-01-26 09:56 bin
    0 drwxr-xr-x 2 root root 280 2004-01-23 14:08 lib

    ./usr/bin:
    total 504
    0 drwxr-xr-x 2 root root 192 2004-01-26 09:56 .
    0 drwxr-xr-x 4 root root 96 2004-01-22 14:50 ..
    8 -rwxr-xr-x 1 root root 6056 2004-01-22 16:03 env
    4 -rw-r--r-- 1 root root 19 2004-01-20 15:00 groups
    12 -rwxr-xr-x 1 root root 9400 2004-01-20 15:02 id
    192 -rwxr-xr-x 1 root root 196256 2004-01-20 15:02 rsync
    32 -rwxr-xr-x 1 root root 28772 2004-01-22 14:33 scp
    256 -rwxr-xr-x 1 root root 260976 2004-01-20 15:02 ssh

    ./usr/lib:
    total 2221
    0 drwxr-xr-x 2 root root 280 2004-01-23 14:08 .
    0 drwxr-xr-x 4 root root 96 2004-01-22 14:50 ..
    148 -rwxr-xr-x 1 root root 147873 2004-01-22 14:48 libasn1.so.5
    8 -rwxr-xr-x 1 root root 7801 2004-01-22 14:48 libcom_err.so.1
    941 -r-xr-xr-x 1 root root 961852 2004-01-22 14:47 libcrypto.so.0.9.6
    729 -rwxr-xr-x 1 root root 744626 2004-01-22 14:48 libdb-4.0.so
    52 -rwxr-xr-x 1 root root 53230 2004-01-22 14:48 libgssapi.so.1
    260 -rwxr-xr-x 1 root root 263374 2004-01-22 14:48 libkrb5.so.17
    84 -rwxr-xr-x 1 root root 84253 2004-01-22 14:48 libroken.so.9

    upload/:
    total 0
    0 drwxr-xr-x 4 root root 112 2004-01-22 09:33 .
    0 drwxr-xr-x 8 root root 192 2004-01-27 09:54 ..
    0 drwxr-xr-x 7 update nogroup 256 2004-02-09 23:04 catalogue
    0 drwxrwxrwx 2 update nogroup 48 2004-01-30 08:35 publicsite

$JAIL/etc/passwd contained:

    root:x:0:0:root:/root:/bin/bash
    update:x:5000:65534::/:/bin/bash

$JAIL/etc/group contained:

    root:x:0:
    nogroup:x:65534:

I think my biggest problem was tweaking the sudoers and the compart.jail files to work properly together.

Possible improvements and other security thoughts:

1. I think to make it more secure I'd put it in a separate partition, with appropriate security options set. The only problem is that given that this user would be allowed to upload files (to $JAIL/upload/catalogue and $JAIL/upload/publicsite), I wouldn't be able to make it readonly.

2. PAM was to be used to limit upload's logon times to certain times of day, and to only allow root@other_host to login as update. This would mean that the other machine would have to be root-compromised to let an unauthorised user log in to the chroot jail.

3. A cron job that performs and compares checksums on files in $JAIL, replacing them if required (and reporting if this happens).

4. The files uploaded by the update user are copied out of the jail, undergo a set of sanity checks, and are _then_ put in place of the current website and catalogue.

5. I thought about using `chattr` to make files really difficult to modify, but I find out much about it before I discovered that it's not so available for ReiserFS.

The reason I'm not using this system now is that I couldn't get rsync to work, and if I'm reduced to having all files uploaded I may as well use sftp and have no direct shell access whatsoever. Hell, it's only bandwidth!

Tom.
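Improvement 3 from the message above (checksum the files in $JAIL, replace changed ones, report it), sketched as an added example that is not part of the original thread. It assumes a root-owned master copy of the jail and a manifest built from it, both kept outside the jail and run as root from cron; the function names and that layout are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original post: checksum audit for the jail.
# Assumptions: MASTER is a root-owned pristine copy of the jail kept outside
# it, and MANIFEST was built from MASTER. upload/ is skipped because the
# jailed user is allowed to write there. Device nodes are not checked.

# jail_manifest DIR: print "sha256  ./path" for regular files outside upload/.
jail_manifest() {
    ( cd "$1" || exit 1
      find . -path ./upload -prune -o -type f -print | LC_ALL=C sort |
      while IFS= read -r f; do sha256sum "$f"; done )
}

# jail_audit JAIL MASTER MANIFEST: restore files whose checksum differs from
# MANIFEST, report files MANIFEST does not list. Returns 1 on any finding.
jail_audit() {
    jail=$1 master=$2 manifest=$3 findings=0
    while read -r want path; do
        have=$(sha256sum "$jail/$path" 2>/dev/null | cut -d' ' -f1)
        if [ "$have" != "$want" ]; then
            echo "RESTORED $path"
            mkdir -p "$(dirname "$jail/$path")"
            # Remove first so a planted symlink is replaced, not written through.
            rm -f "$jail/$path"
            cp -p "$master/$path" "$jail/$path"
            findings=1
        fi
    done < "$manifest"
    # A file the manifest does not know about is reported, never deleted.
    extra=$(find "$jail" -path "$jail/upload" -prune -o -type f -print |
        while IFS= read -r f; do
            rel=".${f#"$jail"}"
            # Column 67 is where the path starts after 64 hex digits + 2 spaces.
            awk -v p="$rel" 'substr($0, 67) == p { ok = 1 } END { exit !ok }' \
                "$manifest" || echo "UNEXPECTED $rel"
        done)
    if [ -n "$extra" ]; then echo "$extra"; findings=1; fi
    return $findings
}
```

Build the manifest once with `jail_manifest MASTER > MANIFEST`; a non-zero return from `jail_audit` is the cue for cron to mail its output.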
/ 2004-02-11 11:46:52 -0000 \ Tom Knight:
The reason I'm not using this system now is that I couldn't get rsync to work, and if I'm reduced to having all files uploaded I may as well use sftp and have no direct shell access whatsoever. Hell, it's only bandwidth!
Can you elaborate on that? Why does rsync not work for you? Because in the "jail" there are no files to compare to? Or where is the problem...

Lars Ellenberg
-----Original Message-----
From: Lars Ellenberg [mailto:l.g.e@web.de]
Sent: 11 February 2004 12:54
To: suse-security@suse.com
Subject: Re: [suse-security] RE: Setting up a chroot ssh login
/ 2004-02-11 11:46:52 -0000 \ Tom Knight:
The reason I'm not using this system now is that I couldn't get rsync to work, and if I'm reduced to having all files uploaded I may as well use sftp and have no direct shell access whatsoever. Hell, it's only bandwidth!
Can you elaborate on that? Why does rsync not work for you? Because in the "jail" there are no files to compare to? Or where is the problem...
Oops, I take that back, the rsync did work (I forgot!), but we decided to switch to using sftp anyway... I think it was through paranoia, and because the machines are sitting next to each other. The brief for the task changed from needing shell (and rsync) access to just copying files.

Apologies for the confusion,

Tom.