linux:chroot-users

Differences

This shows you the differences between two versions of the page.

linux:chroot-users [2019/01/21 11:23] (current)
seanburns created
Line 1: Line 1:
 +<​markdown>​
 +# chroot a current user
 +## Date: Thu 25 Oct 2018 
  
 +**Step 1**: Let's create a user first. We're imagining that we have a
 +preexisting user and that we need to ``chroot`` that user going forward.
 +
 +```bash
 +$ sudo su
 +# useradd -m -U -s /bin/bash omicron
 +# passwd omicron
 +```
 +
 +**Step 2**: We'll ``chroot`` *omicron* in a new directory ``/​var/​chroot``.
 +
 +```bash
 +# mkdir /var/chroot
 +```
 +
 +**Step 3**: Set up available binaries for the user. We'll only allow ``bash``
 +for now.  To do that, we'll create a ``bin/`` directory, and copy bash to that
 +directory.
 +
 +```bash
 +# mkdir /​var/​chroot/​bin
 +# which bash
 +/​usr/​bin/​bash
 +# cp /​usr/​bin/​bash /​var/​chroot/​bin/​
 +```
 +
 +**Step 4**: Copy the libraries for the bash binary.
 +
 +```bash
 +# ldd /​usr/​bin/​bash
 +## comment: because we see that these are all lib64
 +# mkdir /​var/​chroot/​lib64 ​      
 +# cp /​lib64/​libtinfo.so.6 lib64/
 +# cp /​lib64/​libdl.so.2 lib64/
 +# cp /​lib64/​libc.so.6 lib64/
 +# cp /​lib64/​ld-linux-x86-64.so.2 lib64/
 +```
 +
 +**Step 5**: Create and test the ``chroot``
 +
 +```bash
 +# chroot /​var/​chroot/​
 +bash-4.4# ls
 +bash: ls: command not found
 +bash-4.4# help
 +bash-4.4# dirs
 +bash-4.4# cd bin/
 +bash-4.4# dirs
 +bash-4.4# cd ../lib64/
 +bash-4.4# dirs
 +bash-4.4# cd ..
 +bash-4.4# exit
 +```
 +
 +**Step 6**: Create a new group called *chrootjail*. We can add users to this
 +group that we want to jail. Instructions are based on [linuxconfig.org][1].
 +
 +```bash
 +# groupadd chrootjail
 +# usermod -a -G chrootjail omicron
 +# groups omicron
 +```
 +
 +**Step 7**: Edit ``/​etc/​ssh/​sshd_config`` to direct users in ``chrootjail``
 +group to ``chroot`` directory. Add the following line at the end of the file.
 +Then restart ssh server.
 +
 +```bash
 +# nano /​etc/​ssh/​sshd_config
 +Match group chrootjail
 +            ChrootDirectory /​var/​chroot/​
 +```
 +
 +Exit ``nano``.
 +
 +
 +**Step 8**: Test ``ssh``.
 +
 +Before restarting ssh, let's log out of the server and ``ssh``
 +back in as the user *omicron*:
 +
 +```bash
 +# exit
 +$ exit
 +$ ssh omicron@relevant_ip_address
 +$ exit
 +```
 +
 +**Step 9**: Restart ssh and test ``chroot``.
 +
 +That works as expected. Now ssh back in as your main user. Become root ,
 +restart ``ssh``, exit, and then ``ssh`` back in as *omicron*. The user should
 +be in the ``chroot`` directory.
 +
 +```bash
 +$ exit
 +$ sudo su
 +# systemctl restart sshd
 +# exit
 +$ exit
 +```
 +
 +[1]:​https://​linuxconfig.org/​how-to-automatically-chroot-jail-selected-ssh-user-logins
 +</​markdown>​
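Review bot: In Step 4 the four `cp` commands write to a relative `lib64/` while the `mkdir` just above them uses the absolute `/var/chroot/lib64`, and no `cd /var/chroot` is shown. Unless the shell already happens to be in `/var/chroot`, the libraries are copied somewhere else or the copy fails, and the `chroot /var/chroot/` test in Step 5 then cannot start bash. Use `/var/chroot/lib64/` as the destination in each `cp`. The `ldd /usr/bin/bash` output that the library list was taken from is also not shown, so readers cannot compare the four hardcoded file names with what their own system reports; include the output or say that the list must be taken from it. Separately, Step 7 ends with "Then restart ssh server", but Step 8 opens with "Before restarting ssh" and the restart is only run in Step 9. Drop the restart sentence from Step 7 so the sequence is unambiguous.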
linux/chroot-users.txt · Last modified: 2019/01/21 11:23 by seanburns