Tuesday, March 2, 2010

OpenSSH daemon hardening (Part 3) - Set up a chroot environment on CentOS 5 with JailKit

[Note: This is a draft version of the post; it'll be revised as soon as possible]

Introduction - What is a chroot?

"A chroot on Unix operating systems is an operation that changes the apparent disk root directory
for the current running process and its children. A program that is
re-rooted to another directory cannot access or name files outside that
directory, and the directory is called a "chroot jail" or (less commonly) a "chroot prison". The term "chroot" may refer to the chroot(2) system call or the chroot(8) wrapper program."

(Definition from Wikipedia, the free encyclopedia)

A system administrator can use chrooted environments to strengthen a Unix system by confining logged-in users to a small environment with only basic functionality.
Chroot can also be used to run Unix daemons inside a jail, so that the services are confined and can "see" only a limited part of the filesystem.
In this post we will create a chroot environment that gives users sftp/ssh access and/or basic shell access.

Note: chroot environments do not guarantee security, but in combination with other hardening measures (see my other posts) they can strengthen the system and put more obstacles in an attacker's way.

Indeed, a chroot jail can be broken; for an example, see the chroot break page.

Let's start installing!


Step 1 - Download JailKit from

$ wget http://olivier.sessink.nl/jailkit/jailkit-2.11.tar.bz2

Step 2 - Uncompress and install

$ tar jxvf jailkit-2.11.tar.bz2

As a non-root user, run:

$ cd jailkit-2.11
$ ./configure
$ make


$ su
# make install

Step 3 - Modify the ini file

If you use a 64-bit version of Debian or another distro (e.g. CentOS), you must change some paths.

Check jk_init.ini and verify that the paths in the sections you are interested in are correct.

For example:

# vi /etc/jailkit/jk_init.ini


On CentOS 5  we need to change the "paths" parameter with


on Ubuntu 8.04 LTS (64-bit) with


under the [sftp] section

(save the conf with [escape]:wq)

Step 4 - Let's create the chroot Jail

# su -

# jk_init -v -j /WEBJAIL2 basicshell ssh sftp

The above command creates a jail (called WEBJAIL2) with "basicshell" commands, ssh and sftp support.

Take a look at jk_init.ini for the various options available, or consult the JailKit manual at http://olivier.sessink.nl/jailkit/jailkit.8.html

Step 5 - Create users

Create a new user with the adduser command as usual.

For example

# adduser sftptest
# passwd sftptest

Step 6 - Put the user into the cage

On my CentOS 5 setup an error occurred if I did not first copy jk_lsh into the jail, so I use:

# jk_cp -j /WEBJAIL2 /usr/sbin/jk_lsh

Then I can "import" the user into the jail with:

# jk_jailuser -m -j /WEBJAIL2/ sftptest

Step 6a - SFTP/SCP access ONLY

If you want your server's users to have SFTP/SCP access only, then after the previous steps you must edit jk_lsh.ini in the jail.

If the jailkit directory doesn't exist in the jail, create it with:

# mkdir -p /WEBJAIL2/etc/jailkit

Now you can authorize jk_lsh to execute sftp.

(If you use jk_lsh as the "shell" you must specify which commands can be executed; jk_lsh is not an interactive shell, it only allows access via ssh to execute commands in the chroot jail.)

# vi /WEBJAIL2/etc/jailkit/jk_lsh.ini

An example of jk_lsh.ini for CentOS 5 could be:

# the section name is the jailed account created in Step 5
[sftptest]
paths = /usr/libexec/openssh/
executables = /usr/libexec/openssh/sftp-server
allow_word_expansion = 0

An example of jk_lsh.ini for Ubuntu 8.04 LTS could be:

# the section name is the jailed account created in Step 5
[sftptest]
paths = /usr/lib/openssh/
executables = /usr/lib/openssh/sftp-server
allow_word_expansion = 0

Step 6b - Full SSH access using Bash as the shell

Modify /etc/passwd inside the chrooted environment as follows, for example:

# vi /WEBJAIL2/etc/passwd





Then copy .bashrc from your "real" user to the chrooted one. For example:

# cp /home/sftptest/.bashrc /WEBJAIL2/home/sftptest/

Step 7 - Verify that everything is in place

Check that the shell and the home path of the chrooted user have been changed in /etc/passwd:

# cat /etc/passwd | grep sftptest
sftptest:x:505:506::/WEBJAIL2/./home/sftptest:/usr/sbin/jk_chrootsh

Check that the home directory has been created in the jail:

# ls -ld /WEBJAIL2/home/sftptest

If all is OK, try to connect to the system with

# ssh sftptest@yourserver.net
(if you used the "Step 6b" option)

# sftp sftptest@yourserver.net
(if you used the "Step 6a" option)

Once you are logged in, you can browse the jail filesystem; you will see that you can perform only simple operations on it.

Step 8 - Check the Jail

When you update your system (e.g. with YUM), it is important to update the files inside the jail too; this avoids security issues.

You need to modify the jk_check.ini file once with:

# vi /etc/jailkit/jk_check.ini

A very basic version of the file could be:

# the section name is the jail directory
[/WEBJAIL2]
ignorepathoncompare = /WEBJAIL2/home/, /WEBJAIL2/etc/
ignorewritableforgroup = /WEBJAIL2/home/
ignorewritableforothers = /WEBJAIL2/home/tmp/

# jk_check tests for setuid root and setgid root files
# if you deliberately have such files specify them here
#ignoresetuidexecuteforuser = /home/testchroot/usr/bin/smbmnt, /home/testchroot/usr/bin/smbumount
#ignoresetuidexecuteforgroup = /home/testchroot/usr/bin/smbmnt, /home/testchroot/usr/bin/smbumount
#ignoresetuidexecuteforothers =

I suggest you run jk_check as soon as your distro update procedure is done.

Last trick! See the jk_check manual for further details on the meaning of the parameters.
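
The script below is an added example, not part of the original post or of the JailKit project. It combines the checks of Step 7 and Step 8: it reads the jail root from the user's passwd entry, using the <jail>/./<home> form shown in Step 7, and then lists jail files whose content differs from the host copy. The function names, the script file name and the optional PASSWD_FILE and HOST_ROOT arguments are assumptions made for this example.

```sh
#!/bin/sh
# Added example (not JailKit code). Paths come from this post; the function
# names and the PASSWD_FILE / HOST_ROOT arguments are assumptions.
JK_SHELL=/usr/sbin/jk_chrootsh

# jail_of_user USER [PASSWD_FILE]
# Prints the jail root when USER is jailed as in Step 7: the login shell is
# jk_chrootsh and the home field reads <jail>/./<home inside the jail>.
jail_of_user() {
    user=$1 passwd=${2:-/etc/passwd}
    entry=$(awk -F: -v u="$user" '$1 == u { print $6 ":" $7 }' "$passwd")
    [ -n "$entry" ] || { echo "$user: no such account" >&2; return 1; }
    home=${entry%:*} shell=${entry##*:}
    [ "$shell" = "$JK_SHELL" ] || { echo "$user: shell is $shell" >&2; return 2; }
    case $home in
        */./*) printf '%s\n' "${home%%/./*}" ;;
        *) echo "$user: home $home lacks the /./ separator" >&2; return 3 ;;
    esac
}

# jail_stale_files JAIL [HOST_ROOT]
# Prints each regular file under the jail's program and library directories
# whose content differs from the host file at the same path, i.e. what a
# package update leaves behind (Step 8). Files with no host copy are skipped.
jail_stale_files() {
    jail=${1%/} host=${2:-}
    for d in bin sbin lib lib64 usr; do
        [ -d "$jail/$d" ] || continue
        find "$jail/$d" -type f
    done | while IFS= read -r f; do
        rel=${f#"$jail"}
        [ -f "$host$rel" ] || continue
        cmp -s "$f" "$host$rel" || printf '%s\n' "$rel"
    done
}

# audit_user USER [PASSWD_FILE] [HOST_ROOT]
# Resolves USER's jail from the passwd entry, then lists its stale files.
audit_user() {
    j=$(jail_of_user "$1" "${2:-/etc/passwd}") || return
    jail_stale_files "$j" "${3:-}"
}

# Example (hypothetical file name): sh jailaudit.sh sftptest
if [ $# -gt 0 ]; then audit_user "$@"; fi
```

An empty result means every jail binary that has a host counterpart is identical to it; any path printed is a candidate for re-copying into the jail.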

One more suggestion!

If you are interested in IT Security, join us at the "GNU/Linux Security & Hardening" group on LinkedIn

Creative Commons License
Digital Patch Posts by Angelo F. are licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 3.0 Unported License.
Based on a work at digitalpatch.blogspot.com.