Chroot
pam-chroot
The pam-chroot module is a nice way to restrict certain users to their very own chroot environment. However, it can be a bit tricky to set up:
sshd
I found it easier to just spawn a 2nd sshd server and set ChrootDirectory. We still have to prepare the chroot environment though:
mkdir /var/chroot
cd /var/chroot
mkdir -p bin dev home/joe/.ssh lib
useradd -u 2000 -s /bin/sh -d `pwd`/home/joe joe
passwd -d joe
mknod -m666 dev/null c 1 3
mknod -m444 dev/random c 1 8
mknod -m666 dev/tty c 5 0
mknod -m444 dev/urandom c 1 9
mknod -m666 dev/zero c 1 5
for i in ld.so.1 ld-2.7.so libc.so.6 libc-2.7.so; do
    ln /lib/$i lib/$i
done
Now for the start scripts, in Debian:
$ grep ^SSHD_OPTS /etc/default/ssh.chroot
SSHD_OPTS="-f /etc/ssh/sshd_config.chroot"

$ sed 's/default\/ssh/default\/ssh.chroot/;s/sshd.pid/sshd.chroot.pid/' \
      /etc/init.d/ssh > /etc/init.d/ssh.chroot
$ update-rc.d ssh.chroot defaults
Note that we're planning to only allow key-based authentication in this example. For this we will add the correct public key to the authorized_keys file within the chroot environment:
cat ~/.ssh/joe-chroot-key.pub > home/joe/.ssh/authorized_keys
chown -R 2000 home/joe
chmod -R og-rwx home/joe
Also, since our 2nd sshd still uses our local user database, we might have to adjust our sshd_config and our PAM settings:
$ cat /etc/ssh/sshd_config.chroot
[...]
Port 2222
ChrootDirectory=/var/chroot
PidFile=/var/run/sshd.chroot.pid
PermitRootLogin no
AllowAgentForwarding no
AllowTcpForwarding no
X11Forwarding no
AllowUsers joe
AllowGroups joe
# AcceptEnv LANG

$ grep joe /etc/security/access.conf
+ : alice joe : ALL
After starting our 2nd sshd, we should be able to connect to port 2222:
$ /etc/init.d/ssh.chroot start
$ ssh -p 2222 joe@localhost

$ pstree -alp
[...]
  |-sshd,25513 -f /etc/ssh/sshd_config.chroot
  |   `-sshd,12782
  |       `-sshd,12798
  |           `-sh,12799

$ ls -lgo /proc/12798/cwd
lrwxrwxrwx 1 0 2010-12-08 16:17 /proc/12798/cwd -> /var/chroot
tor
This had been described[1] in TorInChroot and OpenbsdChrootedTor, but may not work anymore:
CHROOT=/var/chroot/
mkdir -p $CHROOT/lib $CHROOT/usr/lib
for i in `ldd $CHROOT/opt/tor/bin/tor | awk '{print $3}' | grep -E '^/'`; do
    # create the library's directory inside the chroot before copying into it
    mkdir -p "$CHROOT/$(dirname "$i")"
    cp "$i" "$CHROOT/$(dirname "$i")/"
done
cp /lib/ld* /lib/libnss* $CHROOT/lib
cp /usr/lib/libnss3.so $CHROOT/usr/lib
Linux
With /proc mounted, we can list all chrooted processes:
$ ls -d /proc/*/root | while read -r f; do readlink "$f" | grep -q '^/$' || echo "$f" | cut -d/ -f3; done | xargs ps -fp
UID        PID  PPID  C STIME TTY          TIME CMD
dovecot   1137  1080  0 Jul09 ?        00:00:00 dovecot/anvil
postfix  11707 11483  0 09:08 ?        00:00:00 tlsmgr -l -t unix -u -c
postfix  12116 11483  0 21:12 ?        00:00:00 cleanup -z -t unix -u -c
postfix  12117 11483  0 21:12 ?        00:00:00 trivial-rewrite -n rewrite -t unix -u -c
dovenull 21413  1080  0 19:53 ?        00:00:00 dovecot/imap-login
dovenull  2487  1080  0 Jul09 ?        00:00:00 dovecot/imap-login
dovecot   2488  1080  0 Jul09 ?        00:00:00 dovecot/stats
dovenull 32221  1080  0 20:35 ?        00:00:00 dovecot/imap-login
postfix   5942 11483  0 20:57 ?        00:00:00 pickup -l -t unix -u -c
postfix   8470 11483  0 21:06 ?        00:00:00 smtpd -n localhost:smtp -t inet -u -c -s 2 -o content_filter=spamassassin -o smtpd_tls_security_level=may
postfix   9662 11483  0 21:10 ?        00:00:00 anvil -l -t unix -u -c
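
The one-liner above also prints a PID whenever readlink fails, which is what happens for other users' processes when it is not run as root. The following is an added example, not part of the original page: it reports those processes separately as "unknown" and prints each chroot path. The function name list_chrooted and its optional directory argument are assumptions made for this example.

```shell
#!/bin/sh
# list_chrooted [PROCDIR]   (hypothetical helper, PROCDIR defaults to /proc)
# Prints one line per process:
#   "<pid> chroot <path>"  the root link resolves to something other than /
#   "<pid> unknown"        the root link could not be read (e.g. not root)
# Processes whose root is / are not printed.
list_chrooted() {
    procdir=${1:-/proc}
    for d in "$procdir"/[0-9]*; do
        [ -d "$d" ] || continue
        pid=${d##*/}
        if target=$(readlink "$d/root" 2>/dev/null); then
            [ "$target" = "/" ] || printf '%s chroot %s\n' "$pid" "$target"
        elif [ -d "$d" ]; then
            # The process still exists but its root link is unreadable:
            # report it instead of silently treating it as chrooted.
            printf '%s unknown\n' "$pid"
        fi
    done
}

list_chrooted /proc
```

Run it as root to resolve every process. Processes that switched root with pivot_root inside their own mount namespace (containers) still show / and are not listed.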