From Segfault

The pam-chroot module is a nice way to restrict certain users to their very own chroot environment. However, it can be a bit tricky to set up:


I found it easier to just start a second sshd with ChrootDirectory set. We still have to prepare the chroot environment, though:

 $ mkdir /var/chroot
 $ cd /var/chroot
 $ mkdir -p bin dev home/joe/.ssh lib
 $ useradd -u 2000 -s /bin/sh -d `pwd`/home/joe joe
 $ passwd -d joe
 $ mknod -m666 dev/null    c 1 3
 $ mknod -m444 dev/random  c 1 8
 $ mknod -m666 dev/tty     c 5 0
 $ mknod -m444 dev/urandom c 1 9
 $ mknod -m666 dev/zero    c 1 5
 $ for i in; do ln /lib/$i lib/$i; done

Now for the start scripts, in Debian:

 $ grep ^SSHD_OPTS /etc/default/ssh.chroot 
 SSHD_OPTS="-f /etc/ssh/sshd_config.chroot"
 $ sed 's/default\/ssh/default\/ssh.chroot/;s/' \
            /etc/init.d/ssh > /etc/init.d/ssh.chroot
 $ update-rc.d ssh.chroot defaults

Note that this example only allows key-based authentication. For this we add the user's public key to the authorized_keys inside the chroot environment:

 $ cat ~/.ssh/ > home/joe/.ssh/authorized_keys
 $ chown -R 2000 home/joe
 $ chmod -R og-rwx home/joe

Also, since the second sshd still uses the local user database, we may have to adjust its sshd_config and our PAM settings:

 $ cat /etc/ssh/sshd_config.chroot
 Port 2222 
 PermitRootLogin no
 AllowAgentForwarding no
 AllowTcpForwarding no
 X11Forwarding no
 AllowUsers joe
 AllowGroups joe
 # AcceptEnv LANG
 $ grep joe /etc/security/access.conf 
 +  : alice joe  : ALL

After starting our 2nd sshd, we should be able to connect to port 2222:

 $ /etc/init.d/ssh.chroot start
 $ ssh -p 2222 joe@localhost
 $ pstree -alp
 |-sshd,25513 -f /etc/ssh/sshd_config.chroot
 |   `-sshd,12782                                 
 |       `-sshd,12798                                  
 |           `-sh,12799
 $ ls -lgo /proc/12798/cwd
 lrwxrwxrwx 1 0 2010-12-08 16:17 /proc/12798/cwd -> /var/chroot


 $ CHROOT=/var/chroot/
 $ mkdir -p $CHROOT/lib $CHROOT/usr/lib
 $ for i in `ldd $CHROOT/opt/tor/bin/tor | awk '{print $3}' | egrep '^/'`; do
        cp "$i" $CHROOT/"`dirname $i`"/
   done
 $ cp /lib/ld* /lib/libnss*  $CHROOT/lib
 $ cp /usr/lib/    $CHROOT/usr/lib
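The loop above keeps only ldd lines of the form "name => /path (addr)" (third field starting with "/"), so the dynamic loader line, printed as "/lib64/ld-linux-x86-64.so.2 (addr)" with no "=>", is never matched and /lib/ld* has to be copied by hand. The parser below is an added example, not the page's code: it accepts both line shapes, skips virtual objects such as linux-vdso.so.1 and "not found" entries, and recreates each library's directory inside the chroot. SAMPLE_LDD is constructed sample output, not taken from a real host, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original page. Parses ldd(1) output and copies
# every needed shared object into a chroot under its original path.
# SAMPLE_LDD is constructed example output, not taken from a real host.

SAMPLE_LDD='    linux-vdso.so.1 (0x00007ffd1a3f0000)
    libssl.so.1.1 => /usr/lib/x86_64-linux-gnu/libssl.so.1.1 (0x00007f0a11200000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f0a10e00000)
    libmissing.so.0 => not found
    /lib64/ld-linux-x86-64.so.2 (0x00007f0a11500000)'

# needed_libs: read ldd output on stdin, print one absolute library path per line.
needed_libs() {
    awk '
        $2 == "=>" && $3 ~ /^\//  { print $3; next }  # libc.so.6 => /lib/... (0x...)
        $1 ~ /^\//                { print $1 }        # /lib64/ld-linux... (0x...)
    '
    # anything else (linux-vdso.so.1, "not found", "statically linked") is dropped
}

# copy_listed_libs CHROOT: read library paths on stdin and copy each one to
# CHROOT/<same path>, creating the directory first; cp -L copies the file a
# .so symlink points at instead of leaving a dangling link in the chroot.
copy_listed_libs() {
    while IFS= read -r lib; do
        mkdir -p "$1$(dirname "$lib")"
        cp -L "$lib" "$1$lib"
    done
}

# copy_libs_into CHROOT BINARY: the two steps combined for a real binary,
# e.g. copy_libs_into /var/chroot /var/chroot/opt/tor/bin/tor
copy_libs_into() {
    ldd "$2" | needed_libs | copy_listed_libs "$1"
}

# sample_needed_libs: the parser applied to the constructed SAMPLE_LDD.
sample_needed_libs() {
    printf '%s\n' "$SAMPLE_LDD" | needed_libs
}
```

Because the loader line is handled by the second awk rule, the separate cp of /lib/ld* is no longer needed; libnss* must still be copied explicitly, since it is loaded at run time and does not appear in ldd output.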