Introduction - What is a chroot?
for the current running process and its children. A program that is
re-rooted to another directory cannot access or name files outside that
directory, and the directory is called a "chroot jail" or (less commonly) a "chroot prison". The term "chroot" may refer to the chroot(2) system call or the chroot(8) wrapper program."
(Definition from Wikipedia, the free encyclopedia)
Chroot can also be used for "running inside" Unix daemons, so services are "entrapped" into the jail and they can "see" only a limited part of the filesystem.
Indeed a chroot-jail can be break... for example visit chroot break page
Let's start installing!
Step 1 - Download JailKit from
$ wget http://olivier.sessink.nl/jailkit/jailkit-2.11.tar.bz2
Step 2 - Uncompress and install
$ tar jxvf jailkit-2.11.tar.bz2
With a non root user launch:
$ cd jailkit-2.11
# make install
Step 3 - Modify the ini file
Check the jk_init.ini and verify that paths of the sections you are interested in, are correct.
# vi /etc/jailkit/jk_init.ini
On CentOS 5 we need to change the "paths" parameter with
on Utuntu 8.04 Lts (64Bit) with
under the [sftp] section
(save the conf with [escape]:wq)
Step 4 - Let's create the chroot Jail
# su -
# jk_init -v -j /WEBJAIL2 basicshell ssh sftp
The above command creates a jail (called WEBJAIL2) with "basicshell" commands, ssh and sftp support.
Take a look to jk_init.ini for various options available or consult the JailKit manual at http://olivier.sessink.nl/jailkit/jailkit.8.html
Step 5 - Create users
Create with the adduser command a new users as usual.
# adduser sftptest
# passwd sftptest
Step 6 - Put the user into the cage
In CentOS 5 setup, an error occurred if I do not copy first jk_lsh to jail; so I use:
# jk_cp -j /WEBJAIL2 /usr/sbin/jk_lsh
then i can "import" the user to the jail with:
# jk_jailuser -m -j /WEBJAIL2/ sftptest
Step 6a - Sftp/SCP access ONLY
If you want that your server users can have access to the Sftp/SCP only, after the previous steps, you must edit jk_lsh.ini in the jail.
If the jailkit directory doesn't exist, use:
# mkdir -p /jail/etc/jailkit
Now you can authorize jk_lsh command to execute sftp
(If you use jk_lsh "shell" you must specify which command can be executed, indeed jk_lsh is not an interactive shell but it allows the access only via ssh for executing commands in chroot jail)
# vi /WEBJAIL2/etc/jailkit/jk_lsh.ini
An example of jk_lsh.ini for CentOS 5 could be:
paths = /usr/libexec/openssh/
executables = /usr/libexec/openssh/sftp-server
allow_word_expansion = 0
An example of jk_lsh.ini for Ubuntu 8.04 Lts could be:
paths = /usr/lib/openssh/
executables = /usr/lib/openssh/sftp-server
allow_word_expansion = 0
Step 6b - Full SSH Access by using Bash as shell
Modify as follow the /etc/passwd into the chrooted environment for example:
then copy .bashrc from your "real" user to the chrooted one. For example
cp /home/sftptest/.bashrc /WEBJAIL2/home/sftptest/
Step 7 - Verify if all is done
Try to view if in /etc/passwd the shell and the path of the chrooted user has been changed:
# cat /etc/passwd | grep sftptest
Try if the home directory has been created on the jail
# ls -ld /WEBJAIL2/home/sftptest
If all is ok, then try to connect to the system with
# ssh email@example.com
(if you had used "Step 6b" option)
# sftp firstname.lastname@example.org
(if you had used "Step 6a" option)
If you are logged in, you can browse the jail filesystem; you will see that you can do only simple operation on it
Step 8 - Check the Jail
When you update your system (e.g. by using YUM), it's important to upgrade the files into the jail too; in this way you can avoid security issues.
You need to modify the jk_check.ini file one time with:
# vi /etc/jailkit/jk_check.ini
A very basic content of the file could be:
ignorepathoncompare = /WEBJAIL2/home/, /WEBJAIL2/etc/
ignorewritableforgroup = /WEBJAIL2/home/
ignorewritableforothers = /WEBJAIL2/home/tmp/
# jk_check tests for setuid root and setgid root files
# if you deliberately have such files specify them here
#ignoresetuidexecuteforuser = /home/testchroot/usr/bin/smbmnt, /home/testchroot/usr/bin/smbumount
#ignoresetuidexecuteforgroup = /home/testchroot/usr/bin/smbmnt, /home/testchroot/usr/bin/smbumount
I suggest you to run jk_check as soon as possible your distro update procedure is done.
Last trick! See the jk_check command manual for further details about the meaning of the parameters.
One more suggestion!
Reference and Links
Digital Patch Posts by Angelo F. are licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 3.0 Unported License.
Based on a work at digitalpatch.blogspot.com.