Tuesday, March 2, 2010

OpenSSH daemon hardening ( Part 3 ) - Setup a chroot environment on CentOS 5 with JailKit

[Note: This is a draft version of the post; it'll be revised as soon as possible]

Introduction - What is a chroot?


 
"A chroot on Unix operating systems is an operation that changes the apparent disk root directory for the current running process and its children. A program that is re-rooted to another directory cannot access or name files outside that directory, and the directory is called a "chroot jail" or (less commonly) a "chroot prison". The term "chroot" may refer to the chroot(2) system call or the chroot(8) wrapper program."

(Definition from Wikipedia, the free encyclopedia)



A system administrator can use chrooted environments to strengthen a Unix system by confining logged-in users to a small environment with only a few basic tools.
Chroot can also be used to run Unix daemons "inside" a jail, so that the service is confined to the jail and can "see" only a limited part of the filesystem.
In this post we will create a chroot environment that gives users SFTP/SSH access and/or basic shell access.

Note: a chroot environment does not by itself guarantee security, but in combination with other hardening measures (see my other posts) it improves the strength of the system and puts more obstacles in the attacker's way.

Indeed, a chroot jail can be broken out of; see, for example, the chroot break page linked in the references below.


Let's start installing!


 

Step 1 - Download JailKit from:

$ wget http://olivier.sessink.nl/jailkit/jailkit-2.11.tar.bz2


Step 2 - Uncompress and install


$ tar jxvf jailkit-2.11.tar.bz2

As a non-root user, run:

$ cd jailkit-2.11
$ ./configure
$ make


then

$ su
# make install



Step 3 - Modify the ini file




If you use a 64-bit version of Debian or another distro (e.g. CentOS), you must change some paths.

Check jk_init.ini and verify that the paths in the sections you are interested in are correct.

For example:

# vi /etc/jailkit/jk_init.ini


 

On CentOS 5, in the [sftp] section, we need to change the "paths" parameter to

paths=/usr/libexec/openssh/sftp-server

and on Ubuntu 8.04 LTS (64-bit) to

paths=/usr/lib/openssh/sftp-server

(save the file with [Escape]:wq)



Step 4 - Let's create the chroot Jail

# su -

# jk_init -v -j /WEBJAIL2 basicshell ssh sftp

The above command creates a jail rooted at /WEBJAIL2 with the "basicshell" commands plus ssh and sftp support.

Take a look at jk_init.ini for the various options available, or consult the JailKit manual at http://olivier.sessink.nl/jailkit/jailkit.8.html


Step 5 - Create users


Create a new user with the adduser command as usual.

For example

# adduser sftptest
# passwd sftptest


Step 6 - Put the user into the cage


In my CentOS 5 setup, an error occurred if I did not first copy jk_lsh into the jail, so I use:

# jk_cp -j /WEBJAIL2 /usr/sbin/jk_lsh

then I can "import" the user into the jail with:

# jk_jailuser -m -j /WEBJAIL2/ sftptest


Step 6a - SFTP/SCP access ONLY

If you want your users to have SFTP/SCP access only, after the previous steps you must edit jk_lsh.ini inside the jail.


If the jailkit directory does not exist inside the jail, create it with:


# mkdir -p /WEBJAIL2/etc/jailkit


Now you can authorize jk_lsh to execute sftp-server.

(If you use jk_lsh as the login "shell", you must specify which commands may be executed: jk_lsh is not an interactive shell, it only allows the listed commands to be run over ssh inside the chroot jail.)

# vi /WEBJAIL2/etc/jailkit/jk_lsh.ini


An example of jk_lsh.ini for CentOS 5 could be:


[sftptest]
paths = /usr/libexec/openssh/
executables = /usr/libexec/openssh/sftp-server
allow_word_expansion = 0


An example of jk_lsh.ini for Ubuntu 8.04 Lts could be:

[sftptest]
paths = /usr/lib/openssh/
executables = /usr/lib/openssh/sftp-server
allow_word_expansion = 0




Step 6b - Full SSH Access by using Bash as shell


Modify /etc/passwd inside the chrooted environment as follows; for example:


# vi /WEBJAIL2/etc/passwd

change

sftptest:x:505:506::/home/sftptest:/usr/sbin/jk_lsh

to

sftptest:x:505:506::/home/sftptest:/bin/bash

then copy .bashrc from the "real" user's home to the chrooted one, for example:


# cp /home/sftptest/.bashrc /WEBJAIL2/home/sftptest/



Step 7 - Verify that all is done

Check that in the real /etc/passwd the shell and the home path of the chrooted user have been changed:

# grep sftptest /etc/passwd
sftptest:x:505:506::/WEBJAIL2/./home/sftptest:/usr/sbin/jk_chrootsh

Check that the home directory has been created inside the jail:

# ls -ld /WEBJAIL2/home/sftptest

If all is ok, try to connect to the system with

# ssh sftptest@yourserver.net
(if you used the "Step 6b" option)

# sftp sftptest@yourserver.net
(if you used the "Step 6a" option)


If you are logged in, you can browse the jail filesystem; you will see that you can do only simple operations in it.

Step 8 - Check the Jail

When you update your system (e.g. with YUM), it is important to update the copies of the files inside the jail too; otherwise the jail keeps running the old, possibly vulnerable versions of the binaries and libraries.


You only need to edit the jk_check.ini file once:

# vi /etc/jailkit/jk_check.ini

A very basic version of the file could be:

[/WEBJAIL2]

ignorepathoncompare = /WEBJAIL2/home/, /WEBJAIL2/etc/
ignorewritableforgroup = /WEBJAIL2/home/
ignorewritableforothers = /WEBJAIL2/home/tmp/

# jk_check tests for setuid root and setgid root files
# if you deliberately have such files specify them here
#ignoresetuidexecuteforuser = /home/testchroot/usr/bin/smbmnt, /home/testchroot/usr/bin/smbumount
#ignoresetuidexecuteforgroup = /home/testchroot/usr/bin/smbmnt, /home/testchroot/usr/bin/smbumount
#ignoresetuidexecuteforothers =



I suggest you run jk_check as soon as your distro's update procedure is done.


Last trick! See the jk_check command manual for further details about the meaning of the parameters.
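As an added example that is not part of the original post or of JailKit, the following POSIX shell script automates the two checks above: Step 7's inspection of the jailed user's passwd entry, and Step 8's comparison of the files copied into the jail against their host copies after an update (the same ground jk_check covers). The function names, the output labels and the throw-away demo tree are assumptions of this example; on a real system call jail_stale_files /WEBJAIL2 with no second argument so that the host root defaults to /.

```shell
#!/bin/sh
# Added example, not JailKit's own code: two checks for a JailKit jail.
# jail_user_ok PASSWD USER   - the user's entry must point into a jail
#   (home of the form /JAIL/./home/user) and use jk_chrootsh (Step 7).
# jail_stale_files JAIL [HOSTROOT] - list files copied into the jail whose
#   content differs from, or is missing on, the host (e.g. after a yum update).
#   etc/ and home/ are skipped, like ignorepathoncompare in jk_check.ini.

jail_user_ok() {
    entry=$(grep "^$2:" "$1") || return 1
    home=$(printf '%s\n' "$entry" | cut -d: -f6)
    shell=$(printf '%s\n' "$entry" | cut -d: -f7)
    case "$home" in
        /*/./*) ;;                 # jk_jailuser writes "/JAIL/./home/user"
        *) return 1 ;;
    esac
    [ "$shell" = "/usr/sbin/jk_chrootsh" ]
}

jail_stale_files() {
    jail=${1%/}
    hostroot=${2:-}                # empty means the real root directory
    find "$jail" -type f ! -path "$jail/etc/*" ! -path "$jail/home/*" |
    while IFS= read -r f; do
        rel=${f#"$jail"}
        if [ ! -f "$hostroot$rel" ]; then
            printf 'MISSING-ON-HOST %s\n' "$rel"
        elif ! cmp -s "$f" "$hostroot$rel"; then
            printf 'DIFFERS %s\n' "$rel"
        fi
    done
}

# Constructed demo tree standing in for / and /WEBJAIL2 so the script runs offline.
demo() {
    t=$(mktemp -d)
    mkdir -p "$t/host/usr/lib" "$t/jail/usr/lib" "$t/jail/etc" "$t/jail/home/sftptest"
    printf 'libc v1\n' > "$t/host/usr/lib/libc.so"
    printf 'libc v0\n' > "$t/jail/usr/lib/libc.so"    # jail copy is outdated
    printf 'x\n' > "$t/jail/usr/lib/libold.so"         # no longer on the host
    printf 'passwd\n' > "$t/jail/etc/passwd"          # under etc/, ignored
    printf 'sftptest:x:505:506::%s/./home/sftptest:/usr/sbin/jk_chrootsh\n' \
        "$t/jail" > "$t/passwd"
    jail_stale_files "$t/jail" "$t/host"
    jail_user_ok "$t/passwd" sftptest && echo "passwd entry for sftptest OK"
    rm -rf "$t"
}
demo
```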



One more suggestion!


If you are interested in IT security, join us at the "GNU/Linux Security & Hardening" group on LinkedIn


Reference and Links

http://olivier.sessink.nl/jailkit/howtos_chroot_shell.html
http://olivier.sessink.nl/jailkit/howtos_sftp_scp_only.html
http://en.wikipedia.org/wiki/Chroot

http://www.bpfh.net/simes/computing/chroot-break.html

NOTE


Creative Commons License
Digital Patch Posts by Angelo F. are licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 3.0 Unported License.
Based on a work at digitalpatch.blogspot.com.
