Chroot

From Segfault

pam-chroot

The pam-chroot module is a nice way to restrict certain users to their very own chroot environment. However, it can be a bit tricky to set up:

sshd

I found it easier to just spawn a 2nd sshd server and set ChrootDirectory. We still have to prepare the chroot environment though:

mkdir /var/chroot
cd /var/chroot
mkdir -p bin dev home/joe/.ssh lib
# the home directory is given as the full path seen from outside the chroot
useradd -u 2000 -s /bin/sh -d `pwd`/home/joe joe
passwd -d joe                        # no password; logins will use keys only

# minimal device nodes inside the chroot (major/minor numbers as on the host)
mknod -m666 dev/null    c 1 3
mknod -m444 dev/random  c 1 8
mknod -m666 dev/tty     c 5 0
mknod -m444 dev/urandom c 1 9
mknod -m666 dev/zero    c 1 5
# hard-link the dynamic loader and libc into the chroot (hard links only work
# when /lib and /var/chroot are on the same filesystem; otherwise cp them)
for i in ld.so.1 ld-2.7.so libc.so.6 libc-2.7.so; do ln /lib/$i lib/$i; done

Now for the start scripts, in Debian:

$ grep ^SSHD_OPTS /etc/default/ssh.chroot 
SSHD_OPTS="-f /etc/ssh/sshd_config.chroot"
 
$ sed 's/default\/ssh/default\/ssh.chroot/;s/sshd.pid/sshd.chroot.pid/' \
          /etc/init.d/ssh > /etc/init.d/ssh.chroot
 
$ update-rc.d ssh.chroot defaults

Note that we're planning to only allow key-based authentication in this example. For this we will add the correct public key to the authorized_keys within the chroot environment:

cat ~/.ssh/joe-chroot-key.pub > home/joe/.ssh/authorized_keys
chown -R 2000 home/joe
chmod -R og-rwx home/joe

Also, since our 2nd sshd still uses the local user database, we may have to adjust our sshd_config and our PAM settings:

$ cat /etc/ssh/sshd_config.chroot
[...]
Port 2222 
ChrootDirectory=/var/chroot
PidFile=/var/run/sshd.chroot.pid
PermitRootLogin no
AllowAgentForwarding no
AllowTcpForwarding no
X11Forwarding no
AllowUsers joe
AllowGroups joe
# AcceptEnv LANG

$ grep joe /etc/security/access.conf 
+  : alice joe  : ALL

After starting our 2nd sshd, we should be able to connect to port 2222:

$ /etc/init.d/ssh.chroot start
$ ssh -p 2222 joe@localhost

$ pstree -alp
[...]
|-sshd,25513 -f /etc/ssh/sshd_config.chroot
|   `-sshd,12782
|       `-sshd,12798
|           `-sh,12799

$ ls -lgo /proc/12798/cwd
lrwxrwxrwx 1 0 2010-12-08 16:17 /proc/12798/cwd -> /var/chroot

tor

This had been described[1] in TorInChroot and OpenbsdChrootedTor, but may not work anymore:

CHROOT=/var/chroot
mkdir -p "$CHROOT/lib" "$CHROOT/usr/lib"
# copy every shared library tor links against, keeping its directory layout
for i in $(ldd "$CHROOT/opt/tor/bin/tor" | awk '{print $3}' | grep -E '^/'); do
        mkdir -p "$CHROOT$(dirname "$i")"
        cp "$i" "$CHROOT$(dirname "$i")/"
done

# the dynamic loader (ldd prints it without "=>", so the grep above drops it) and
# the glibc NSS modules (loaded at runtime, never listed by ldd) are still needed
cp /lib/ld* /lib/libnss*  "$CHROOT/lib"
cp /usr/lib/libnss3.so    "$CHROOT/usr/lib"

Linux

With /proc mounted, we can list all chrooted processes:

$ ls -d /proc/*/root | while read -r f; do readlink "$f" | grep -q '^/$' || echo "$f" | cut -d/ -f3; done | xargs ps -fp
UID        PID  PPID  C STIME TTY          TIME CMD
dovecot   1137  1080  0 Jul09 ?        00:00:00 dovecot/anvil
postfix  11707 11483  0 09:08 ?        00:00:00 tlsmgr -l -t unix -u -c
postfix  12116 11483  0 21:12 ?        00:00:00 cleanup -z -t unix -u -c
postfix  12117 11483  0 21:12 ?        00:00:00 trivial-rewrite -n rewrite -t unix -u -c
dovenull 21413  1080  0 19:53 ?        00:00:00 dovecot/imap-login
dovenull  2487  1080  0 Jul09 ?        00:00:00 dovecot/imap-login
dovecot   2488  1080  0 Jul09 ?        00:00:00 dovecot/stats
dovenull 32221  1080  0 20:35 ?        00:00:00 dovecot/imap-login
postfix   5942 11483  0 20:57 ?        00:00:00 pickup -l -t unix -u -c
postfix   8470 11483  0 21:06 ?        00:00:00 smtpd -n localhost:smtp -t inet -u -c -s 2 -o content_filter=spamassassin -o smtpd_tls_security_level=may
postfix   9662 11483  0 21:10 ?        00:00:00 anvil -l -t unix -u -c
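The one-liner above has one weakness: when readlink cannot read /proc/PID/root (the process exited between ls and readlink, or we are not root and the process belongs to someone else), the failed readlink also makes the grep fail, and the PID is then reported as chrooted. The function below, an added example that is not part of the original page, keeps the same idea but reports unreadable entries separately instead of counting them as chrooted. The function name list_chrooted and the optional PROCDIR argument (so a constructed /proc-like tree can be used for testing) are made up here.

```shell
# Added example (not from the original page): list chrooted processes by
# inspecting /proc/PID/root, distinguishing "not chrooted", "chrooted" and
# "could not read" instead of lumping the last two together.
#
# list_chrooted [PROCDIR] -> prints "PID ROOT" on stdout for every process
# whose root is not "/", and "unreadable PID" on stderr for entries that
# could not be resolved. PROCDIR defaults to /proc.
list_chrooted() {
    proc=${1:-/proc}
    for entry in "$proc"/[0-9]*/root; do
        pid=${entry#"$proc"/}
        pid=${pid%/root}
        if target=$(readlink "$entry" 2>/dev/null); then
            # a process that is not chrooted has "/" as its root
            [ "$target" = / ] || echo "$pid $target"
        else
            # exited meanwhile, or not ours and we are not root
            echo "unreadable $pid" >&2
        fi
    done
}

# usage on a live system, as root so that every /proc/PID/root is readable:
#   list_chrooted | cut -d' ' -f1 | xargs -r ps -fp
```

The second column tells you which chroot each process lives in, which makes it easy to spot a process whose root is somewhere unexpected; the "unreadable" lines on stderr are the ones worth re-running as root.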

References