Setting up an rssh chroot jail on Linux to confine users to their home directory
Today a friend asked me how to restrict a user so that, when connecting over SSH, they only have access to their own home directory.
Restricting a given user's access to the system directories is nothing new, but I was unaware of how to do it.
So, not wanting to do anything evil, I started investigating and found that rssh supports a chroot option. If we want to jail users, we have the chrootpath option.
chrootpath
This directive sets the root directory in which the chroot jail will live, with the aim of improving the security of the system.
A chroot on Linux or Unix is an operation that changes the apparent root directory for a process. It only affects the current process and its children; it does not, by itself, change anything for other processes of the same user.
If your home directory is /home/user, you can normally still read files in /etc, /sbin or /bin, and an attacker who has taken over an account (for example through the web server) can install programs in /tmp. The chroot feature of rssh restricts what the user can see of the file system and keeps them confined to their home directory. Bear in mind that a chroot is a restricted view of the file system, not a complete sandbox: it does not stop a process that gains root inside the jail from breaking out, which is one more reason to put as few binaries as possible inside it.
Setting rssh chroot
In this example the jail is created at /usuarios.
The /usuarios file system can be mounted with the noexec and nosuid options to improve security. Note that noexec blocks execution of anything on that mount and nosuid ignores setuid bits, so these options only make sense for the tree that holds the users' home directories: the jail's bin, usr and lib trees must stay executable, and the chroot helper needs its setuid bit. Test sftp and scp logins again after changing mount options.
Directories required in the jail:
- /usuarios/dev - device files
- /usuarios/etc - configuration files such as passwd
- /usuarios/lib - shared libraries
- /usuarios/usr - rssh and the other binaries
- /usuarios/bin - a copy of the default shell (/bin/sh or /bin/bash)
Files needed inside the /usuarios jail (default locations on RHEL / CentOS / Debian Linux):
- /etc/ld.so.cache
- /etc/ld.so.conf.d/*
- /etc/ld.so.conf
- /etc/nsswitch.conf
- /etc/passwd
- /etc/group
- /etc/hosts
- /etc/resolv.conf
- /usr/bin/scp
- /usr/bin/rssh
- /usr/bin/sftp
- /usr/libexec/openssh/sftp-server or /usr/lib/openssh/sftp-server
- /usr/libexec/rssh_chroot_helper or /usr/lib/rssh/rssh_chroot_helper (the setuid bit has to be set on this binary)
- /bin/sh or /bin/bash (the default shell)
To increase security, keep the number of binaries inside the jail to a minimum. Usually /bin/sh or /bin/bash is not needed, but on some systems leaving it out causes errors.
About the file system
The files have to be placed inside the jail directory (in our example, /usuarios) and, in turn, inside directories that mirror their location relative to the real root (/).
Take /usr/bin/rssh: if our jail is at /usuarios, copy /usr/bin/rssh to /usuarios/usr/bin/rssh.
The following instructions have been tested successfully on:
- FreeBSD
- Solaris UNIX
- RHEL / Redhat / Fedora / CentOS Linux
- Debian Linux
Building the chroot environment
We create all the necessary directories:
deathbian:~# mkdir -p /usuarios/{dev,etc,lib,usr,bin}
deathbian:~# mkdir -p /usuarios/usr/bin
deathbian:~# mkdir -p /usuarios/usr/libexec/openssh
We create /usuarios/dev/null:
deathbian:~# mknod -m 666 /usuarios/dev/null c 1 3
We copy the configuration files from /etc into the jail's /usuarios/etc directory:
deathbian:~# cd /usuarios/etc
deathbian:~# cp /etc/ld.so.cache .
deathbian:~# cp -avr /etc/ld.so.conf.d .
deathbian:~# cp /etc/ld.so.conf .
deathbian:~# cp /etc/nsswitch.conf .
deathbian:~# cp /etc/passwd .
deathbian:~# cp /etc/group .
deathbian:~# cp /etc/hosts .
deathbian:~# cp /etc/resolv.conf .
We then open /usuarios/etc/passwd and /usuarios/etc/group and remove the root account and every other account that will not be jailed; the copies only need the entries that map the jailed users' uids and gids to names. Do not copy /etc/shadow into the jail.
Now copy the required binaries into /usuarios/usr/bin, and the helpers into their own directories:
deathbian:~# cd /usuarios/usr/bin
deathbian:~# cp /usr/bin/scp .
deathbian:~# cp /usr/bin/rssh .
deathbian:~# cp /usr/bin/sftp .
deathbian:~# cd /usuarios/usr/libexec/openssh/
deathbian:~# cp /usr/libexec/openssh/sftp-server .
or
deathbian:~# cp /usr/lib/openssh/sftp-server .
deathbian:~# cd /usuarios/usr/libexec/
deathbian:~# cp /usr/libexec/rssh_chroot_helper .
or
deathbian:~# cp /usr/lib/rssh/rssh_chroot_helper .
deathbian:~# cd /usuarios/bin/
deathbian:~# cp /bin/sh .
or
deathbian:~# cp /bin/bash .
Copying the shared libraries
The library files that each of these binaries needs can be found with ldd (or strace). For example, running ldd against /usr/bin/wget produces the following output:
deathbian:~# ldd /usr/bin/wget
linux-gate.so.1 => (0xb7fdc000)
libdl.so.2 => /lib/tls/i686/cmov/libdl.so.2 (0xb7fc2000)
librt.so.1 => /lib/tls/i686/cmov/librt.so.1 (0xb7fb9000)
libssl.so.0.9.8 => /usr/lib/i686/cmov/libssl.so.0.9.8 (0xb7f76000)
libcrypto.so.0.9.8 => /usr/lib/i686/cmov/libcrypto.so.0.9.8 (0xb7e34000)
libc.so.6 => /lib/tls/i686/cmov/libc.so.6 (0xb7ce5000)
/lib/ld-linux.so.2 (0xb7fdd000)
libpthread.so.0 => /lib/tls/i686/cmov/libpthread.so.0 (0xb7ccd000)
libz.so.1 => /usr/lib/libz.so.1 (0xb7cb8000)
Every path on the right-hand side, including the dynamic loader /lib/ld-linux.so.2, must exist at the same path inside the jail.
We need to copy all of those libraries; I recommend using the l2chroot script for this. Download it as follows:
deathbian:~# cd /sbin
deathbian:~# wget -O l2chroot http://www.cyberciti.biz/files/lighttpd/l2chroot.txt
deathbian:~# chmod +x l2chroot
Read the script before running it as root. Then edit l2chroot and change the BASE variable to our chroot (jail) directory, BASE="/usuarios".
Now we copy all the shared libraries:
deathbian:~# l2chroot /usr/bin/scp
deathbian:~# l2chroot /usr/bin/rssh
deathbian:~# l2chroot /usr/bin/sftp
deathbian:~# l2chroot /usr/libexec/openssh/sftp-server
or
deathbian:~# l2chroot /usr/lib/openssh/sftp-server
deathbian:~# l2chroot /usr/libexec/rssh_chroot_helper
or
deathbian:~# l2chroot /usr/lib/rssh/rssh_chroot_helper
deathbian:~# l2chroot /bin/sh
or
deathbian:~# l2chroot /bin/bash
Changing the syslogd configuration
The syslog library function works by writing messages to the Unix domain socket /dev/log. A process inside the jail cannot reach the real /dev/log, so you need to pass syslogd the option -a /path/to/chroot/dev/log. With this argument you can specify additional sockets for syslogd to listen on, which is necessary when a daemon running inside a chroot() has to log. Up to 19 additional sockets can be used; if the environment needs more, increase the MAXFUNIX symbol in the syslogd.c source file.
Edit /etc/sysconfig/syslog and look for the line:
SYSLOGD_OPTIONS="-m 0"
and change it to:
SYSLOGD_OPTIONS="-m 0 -a /usuarios/dev/log"
Save and close the file, then restart syslog:
deathbian:~# /etc/init.d/syslog restart
If you are using Debian / Ubuntu, make the same change in /etc/default/syslogd instead.
Setting the chroot path
Edit /etc/rssh.conf and set the chrootpath variable to our jail: chrootpath=/usuarios. Make sure allowscp and allowsftp are also enabled in the same file, otherwise rssh refuses those commands.
Adding a user to the jail
Now we set up the user's account with rssh as its shell. For example, the following commands add the user fher98 inside the chroot:
deathbian:~# useradd -m -d /usuarios/fher98 -s /usr/bin/rssh fher98
deathbian:~# passwd fher98
Since /usuarios/etc/passwd and /usuarios/etc/group were copied before this account existed, add fher98's lines to them as well so that the uid and gid resolve to a name inside the jail.
fher98 can now log in with sftp or copy files with scp. They can create, edit and transfer files, but cannot move to any other directory on the system.
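The steps above, gathered into one script, as an added example that is not part of the original post nor of rssh or l2chroot. It assumes the jail root /usuarios and the user list in JAIL_USERS (both overridable from the environment), the binary locations listed earlier, and that each jailed user has a group of the same name; copy_with_libs replaces l2chroot with an inline ldd-based copy, and filter_passwd does the "remove root and the others" step without editing by hand. The build itself needs root and is only run when the script is invoked with the argument build.

```shell
#!/bin/sh
# Added example, not the page's or rssh's own code. Assumptions: jail root /usuarios,
# allowed users in JAIL_USERS, and the binary paths the article lists.
set -u

JAIL="${JAIL:-/usuarios}"            # assumption: same jail root as the article
JAIL_USERS="${JAIL_USERS:-fher98}"   # assumption: space-separated accounts to keep in the jail

# copy_into_jail FILE JAIL: copy FILE to JAIL/FILE, creating parents and dereferencing symlinks
copy_into_jail() {
    mkdir -p "$2$(dirname "$1")" && cp -L "$1" "$2$1"
}

# copy_with_libs BIN JAIL: copy BIN plus every shared object ldd reports for it,
# including the dynamic loader, so it can run with JAIL as its root.
# ldd may run the binary's loader, so only use it on binaries you trust.
copy_with_libs() {
    copy_into_jail "$1" "$2" || return 1
    # ldd lines look like "libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x...)" or
    # "/lib64/ld-linux-x86-64.so.2 (0x...)"; keep every field that is an absolute path
    ldd "$1" 2>/dev/null | awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) print $i }' |
    while IFS= read -r lib; do
        [ -e "$2$lib" ] || copy_into_jail "$lib" "$2"
    done
}

# filter_passwd SRC DEST USER...: write to DEST only the SRC lines whose first
# field is one of USER..., i.e. drop root and every account that is not jailed
filter_passwd() {
    src="$1"; dest="$2"; shift 2
    awk -F: -v keep=" $* " 'index(keep, " " $1 " ") { print }' "$src" > "$dest"
}

# jail_has_user USER JAIL: true when the jail's passwd copy can resolve USER
jail_has_user() {
    grep -q "^$1:" "$2/etc/passwd"
}

build_jail() {
    jail="$1"
    mkdir -p "$jail/dev" "$jail/etc" "$jail/lib" "$jail/usr/bin" "$jail/bin" \
             "$jail/usr/libexec/openssh"
    [ -c "$jail/dev/null" ] || mknod -m 666 "$jail/dev/null" c 1 3
    for f in /etc/ld.so.cache /etc/ld.so.conf /etc/nsswitch.conf /etc/hosts /etc/resolv.conf; do
        if [ -e "$f" ]; then copy_into_jail "$f" "$jail"; fi
    done
    if [ -d /etc/ld.so.conf.d ]; then cp -a /etc/ld.so.conf.d "$jail/etc/"; fi
    # never copy /etc/shadow: the jail only needs the uid/gid to name mapping
    filter_passwd /etc/passwd "$jail/etc/passwd" $JAIL_USERS
    filter_passwd /etc/group  "$jail/etc/group"  $JAIL_USERS
    for b in /usr/bin/scp /usr/bin/sftp /usr/bin/rssh /bin/sh \
             /usr/libexec/openssh/sftp-server /usr/lib/openssh/sftp-server \
             /usr/libexec/rssh_chroot_helper /usr/lib/rssh/rssh_chroot_helper; do
        if [ -x "$b" ]; then copy_with_libs "$b" "$jail"; fi
    done
    # the article states the chroot helper copied into the jail must be setuid
    for h in "$jail/usr/libexec/rssh_chroot_helper" "$jail/usr/lib/rssh/rssh_chroot_helper"; do
        if [ -f "$h" ]; then chmod u+s "$h"; fi
    done
    return 0
}

# Run the build only when explicitly asked:  sh build-jail.sh build
if [ "${1:-}" = "build" ]; then
    build_jail "$JAIL"
fi
```

After running it, log in as a jailed user with sftp and check that a listing of / shows only the jail's bin, dev, etc, lib and usr directories plus the home directories; any other entry means a path was copied outside the jail root.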