[Note: This is a draft version of the post; it'll be revised as soon as possible]
Introduction - What is a chroot?
"A chroot on Unix operating systems is an operation that changes the apparent disk root directory
for the current running process and its children. A program that is
re-rooted to another directory cannot access or name files outside that
directory, and the directory is called a "chroot jail" or (less commonly) a "chroot prison". The term "chroot" may refer to the chroot(2) system call or the chroot(8) wrapper program."
(Definition from Wikipedia, the free encyclopedia)
A system administrator can use "chrooted" environments to harden a Unix system by confining logged-in users to a small environment with only basic functionality.
Chroot can also be used to run Unix daemons inside a jail, so that the services are "entrapped" and can "see" only a limited part of the filesystem.
In this post we will create a chroot environment that gives users sftp/ssh and/or basic shell access.
Note: chroot environments do not guarantee "security", but in combination with other hardening tricks (see my other posts) they may improve the strength of the system and put more obstacles in the attackers' way.
Indeed, a chroot jail can be broken... for example, visit the chroot break page
Let's start installing!
Step 1 - Download JailKit from
$ wget http://olivier.sessink.nl/jailkit/jailkit-2.11.tar.bz2
Step 2 - Uncompress and install
$ tar jxvf jailkit-2.11.tar.bz2
As a non-root user, run:
$ cd jailkit-2.11
$ ./configure
$ make
then
$ su
# make install
Step 3 - Modify the ini file
If you use a 64-bit version of Debian or another distro (e.g. CentOS), you must change some paths.
Check jk_init.ini and verify that the paths in the sections you are interested in are correct.
For example:
# vi /etc/jailkit/jk_init.ini
On CentOS 5 we need to set the "paths" parameter to
paths=/usr/libexec/openssh/sftp-server
and on Ubuntu 8.04 LTS (64-bit) to
paths=/usr/lib/openssh/sftp-server
under the [sftp] section
(save the file with [escape]:wq)
Step 4 - Let's create the chroot Jail
# su -
# jk_init -v -j /WEBJAIL2 basicshell ssh sftp
The above command creates a jail (called WEBJAIL2) with "basicshell" commands, ssh and sftp support.
Take a look at jk_init.ini for the various options available, or consult the JailKit manual at http://olivier.sessink.nl/jailkit/jailkit.8.html
Step 5 - Create users
Create a new user with the adduser command as usual.
For example:
# adduser sftptest
# passwd sftptest
Step 6 - Put the user into the cage
In the CentOS 5 setup, an error occurred if I did not first copy jk_lsh to the jail, so I use:
# jk_cp -j /WEBJAIL2 /usr/sbin/jk_lsh
then I can "import" the user into the jail with:
# jk_jailuser -m -j /WEBJAIL2/ sftptest
Step 6a - Sftp/SCP access ONLY
If you want your server users to have Sftp/SCP access only, then after the previous steps you must edit jk_lsh.ini in the jail.
If the jailkit directory doesn't exist in the jail, create it with:
# mkdir -p /WEBJAIL2/etc/jailkit
Now you can authorize the jk_lsh command to execute sftp
(If you use jk_lsh as the "shell" you must specify which commands can be executed: jk_lsh is not an interactive shell, it only allows commands to be executed in the chroot jail over ssh)
# vi /WEBJAIL2/etc/jailkit/jk_lsh.ini
An example of jk_lsh.ini for CentOS 5 could be:
[sftptest]
paths = /usr/libexec/openssh/
executables = /usr/libexec/openssh/sftp-server
allow_word_expansion = 0
An example of jk_lsh.ini for Ubuntu 8.04 LTS could be:
[sftptest]
paths = /usr/lib/openssh/
executables = /usr/lib/openssh/sftp-server
allow_word_expansion = 0
Step 6b - Full SSH Access by using Bash as shell
Modify /etc/passwd inside the chrooted environment as follows, for example:
# vi /WEBJAIL2/etc/passwd
change
sftptest:x:505:506::/home/devel01:/usr/sbin/jk_lsh
to
sftptest:x:505:506::/home/devel01:/bin/bash
then copy .bashrc from your "real" user to the chrooted one. For example:
# cp /home/sftptest/.bashrc /WEBJAIL2/home/sftptest/
Step 7 - Verify if all is done
Check that the shell and the home path of the chrooted user have been changed in /etc/passwd:
# cat /etc/passwd | grep sftptest
sftptest:x:505:506::/WEBJAIL2/./home/sftptest:/usr/sbin/jk_chrootsh
Check that the home directory has been created in the jail:
# ls -ld /WEBJAIL2/home/sftptest
If all is OK, try to connect to the system with
# ssh sftptest@yourserver.net
(if you used the "Step 6b" option)
# sftp sftptest@yourserver.net
(if you used the "Step 6a" option)
Once you are logged in, you can browse the jail filesystem; you will see that you can perform only simple operations on it.
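The Step 7 checks can be scripted. The following is an added example, not part of the original post or of JailKit: the function name check_jailed_user is hypothetical and the sample passwd entries are constructed in a temporary directory. It confirms the jk_chrootsh login shell, splits the home field at the "/./" marker into jail root and in-jail home, and reads the user's shell from the jail's own passwd (jk_lsh for Step 6a, bash for Step 6b).

```shell
#!/bin/sh
# check_jailed_user USER [SYSTEM_PASSWD]
# Prints "JAILROOT INJAIL_HOME INJAIL_SHELL" and returns 0 when USER looks the
# way jk_jailuser leaves it; prints a reason on stderr and returns non-zero
# otherwise. (Hypothetical helper, not a JailKit command.)
check_jailed_user() {
    user=$1; passwd=${2:-/etc/passwd}
    entry=$(awk -F: -v u="$user" '$1 == u { print $6 ":" $7 }' "$passwd")
    [ -n "$entry" ] || { echo "no such user: $user" >&2; return 2; }
    home=${entry%:*}
    shell=${entry##*:}
    # The login shell on the real system must be jk_chrootsh.
    case $shell in
        */jk_chrootsh) ;;
        *) echo "$user: shell is $shell, not jk_chrootsh" >&2; return 1 ;;
    esac
    # The home field must read <jail root>/./<home inside the jail>.
    case $home in
        */./*) ;;
        *) echo "$user: home $home has no /./ jail marker" >&2; return 1 ;;
    esac
    jail=${home%%/./*}
    inhome=/${home#*/./}
    # The shell started inside the jail comes from the jail's own passwd.
    inshell=$(awk -F: -v u="$user" '$1 == u { print $7 }' \
        "$jail/etc/passwd" 2>/dev/null) || inshell=
    [ -n "$inshell" ] || { echo "$user missing from $jail/etc/passwd" >&2; return 1; }
    echo "$jail $inhome $inshell"
}

# Constructed sample data (not from a real host): a fake system passwd file
# and a minimal jail tree under a temporary directory.
demo=$(mktemp -d)
mkdir -p "$demo/WEBJAIL2/etc"
echo "sftptest:x:505:506::$demo/WEBJAIL2/./home/sftptest:/usr/sbin/jk_chrootsh" \
    > "$demo/passwd"
echo "sftptest:x:505:506::/home/sftptest:/usr/sbin/jk_lsh" \
    > "$demo/WEBJAIL2/etc/passwd"
check_jailed_user sftptest "$demo/passwd"
rm -rf "$demo"
```

On a real host, call it with only the user name so that it reads /etc/passwd.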
Step 8 - Check the Jail
When you update your system (e.g. by using YUM), it's important to upgrade the files in the jail too; in this way you can avoid security issues.
You need to modify the jk_check.ini file once with:
# vi /etc/jailkit/jk_check.ini
A very basic content of the file could be:
[/WEBJAIL2]
ignorepathoncompare = /WEBJAIL2/home/, /WEBJAIL2/etc/
ignorewritableforgroup = /WEBJAIL2/home/
ignorewritableforothers = /WEBJAIL2/home/tmp/
# jk_check tests for setuid root and setgid root files
# if you deliberately have such files specify them here
#ignoresetuidexecuteforuser = /home/testchroot/usr/bin/smbmnt, /home/testchroot/usr/bin/smbumount
#ignoresetuidexecuteforgroup = /home/testchroot/usr/bin/smbmnt, /home/testchroot/usr/bin/smbumount
#ignoresetuidexecuteforothers =
I suggest you run jk_check as soon as your distro update procedure is done.
Last trick! See the jk_check command manual for further details about the meaning of the parameters.
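To make concrete what Step 8 guards against, here is an added example (not from the original post and not JailKit's code; the function names and the demo tree are hypothetical and constructed). It lists jail files whose content no longer matches the host copy, skipping home/ and etc/ as the ignorepathoncompare line does, and reports setuid/setgid files and directories writable by others.

```shell
#!/bin/sh
# stale_jail_files JAIL [SYSROOT]: list jail files whose content differs from
# the same path on the host (SYSROOT defaults to /), skipping home/ and etc/,
# the directories excluded by ignorepathoncompare in the jk_check.ini above.
stale_jail_files() {
    jail=${1%/}; sysroot=${2:-}; sysroot=${sysroot%/}
    find "$jail" \( -path "$jail/home" -o -path "$jail/etc" \) -prune \
        -o -type f -print |
    while IFS= read -r f; do
        rel=${f#"$jail"}
        if [ ! -f "$sysroot$rel" ]; then
            echo "MISSING-ON-HOST $rel"
        elif ! cmp -s "$f" "$sysroot$rel"; then
            echo "STALE $rel"
        fi
    done | sort
}

# risky_jail_modes JAIL: setuid/setgid files and directories writable by others.
risky_jail_modes() {
    jail=${1%/}
    {
        find "$jail" -type f \( -perm -4000 -o -perm -2000 \) -print |
            sed 's/^/SETID /'
        find "$jail" -type d -perm -0002 -print | sed 's/^/WRITABLE-BY-OTHERS /'
    } | sort
}

# Constructed demo tree (hypothetical contents, built in a temp directory).
t=$(mktemp -d)
mkdir -p "$t/host/bin" "$t/jail/bin" "$t/jail/home/sftptest" "$t/jail/tmp"
echo "patched build" > "$t/host/bin/ls"
echo "old build"     > "$t/jail/bin/ls"      # jail copy predates the update
echo "same"          > "$t/host/bin/cat"
echo "same"          > "$t/jail/bin/cat"
echo "user data"     > "$t/jail/home/sftptest/notes"   # ignored: under home/
chmod 4755 "$t/jail/bin/cat"                 # setuid file inside the jail
chmod 0777 "$t/jail/tmp"                     # writable by others
stale_jail_files "$t/jail" "$t/host"
risky_jail_modes "$t/jail"
rm -rf "$t"
```

Against the jail built in this post the call would be stale_jail_files /WEBJAIL2; a STALE line after a distro update means the jail still holds the pre-update binary.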
One more suggestion!
If you are interested in IT Security, join us at the "GNU/Linux Security & Hardening" group on LinkedIn
Reference and Links
http://olivier.sessink.nl/jailkit/howtos_chroot_shell.html
http://olivier.sessink.nl/jailkit/howtos_sftp_scp_only.html
http://en.wikipedia.org/wiki/Chroot
http://www.bpfh.net/simes/computing/chroot-break.html
NOTE

Digital Patch Posts by Angelo F. are licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 3.0 Unported License.
Based on a work at digitalpatch.blogspot.com.