jail time: chroot’ed sftp with rssh

Installing rssh to allow scp/sftp sessions only for user accounts is a breeze. Getting them into a chroot jail took a bit more research, but in the end turned out to be pretty easy.

This is on CentOS 4.6, but this technique should work almost identically for any Linux system thanks to the l2chroot script.

install rssh

I found my RPM at http://dag.wieers.com/rpm/packages/rssh/ and it installed flawlessly with yum. See the rssh site for instructions for other platforms.

configure rssh

  • Default configuration file is located at /etc/rssh.conf
  • Default rssh binary location /usr/bin/rssh
  • Default port: none (rssh is a login shell with security features, so sessions arrive over the normal OpenSSH port 22)

So editing /etc/rssh.conf is simple, and I proceeded according to the nixcraft guide, but I only uncommented

allowscp
allowsftp

and set

chrootpath = /home/jail

and added a single line for per-user config, although this probably isn’t even necessary:

user=adama:112:00011:/home/jail

update: in fact it is not necessary, and though it should not hurt it could cause permissions issues (see comments). If you want all the jailed users to share the same type of abilities, then per-user config can be skipped.
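Since the per-user line is the part people trip over (see the comments), here is an added example, not from the post or from rssh, that decodes one of those `user=` lines. The meaning of the five access bits (rsync, rdist, cvs, sftp, scp, in that order) is taken from the comments in rssh's own rssh.conf; newer rssh releases add a sixth bit for svnserve, which this decoder deliberately rejects.

```shell
#!/bin/sh
# Added example (not the post's code and not part of rssh): decode a per-user
# line of /etc/rssh.conf of the form
#     user=<name>:<umask>:<access bits>:[<chroot path>]
# Access bits are rsync, rdist, cvs, sftp, scp in that order, per the comments
# shipped in rssh.conf (rssh 2.3.x); a sixth svnserve bit in newer releases is
# not handled here.

# Print "name umask services path" for a valid line; print a diagnostic on
# stderr and return 1 for a malformed one.
rssh_user_entry() {
    line="$1"
    case "$line" in
        user=*) ;;
        *) echo "not a user= line: $line" >&2; return 1 ;;
    esac
    body="${line#user=}"
    name="${body%%:*}"; rest="${body#*:}"
    [ "$rest" != "$body" ] || { echo "missing umask field: $line" >&2; return 1; }
    mask="${rest%%:*}"; rest="${rest#*:}"
    [ "$rest" != "$mask" ] || { echo "missing access bits field: $line" >&2; return 1; }
    bits="${rest%%:*}"; path="${rest#*:}"
    # No fourth ':' means no per-user path; an empty fourth field means the same
    # (Girish's "user=girishram:011:00010:" form in the comments).
    [ "$path" != "$bits" ] || path=""

    case "$mask" in
        [0-7][0-7][0-7]|[0-7][0-7][0-7][0-7]) ;;
        *) echo "umask must be 3 or 4 octal digits: $mask" >&2; return 1 ;;
    esac
    case "$bits" in
        [01][01][01][01][01]) ;;
        *) echo "access bits must be exactly five 0/1 digits: $bits" >&2; return 1 ;;
    esac

    services=""
    i=1
    for svc in rsync rdist cvs sftp scp; do
        if [ "$(printf '%s' "$bits" | cut -c "$i")" = 1 ]; then
            services="${services:+$services,}$svc"
        fi
        i=$((i + 1))
    done
    [ -n "$services" ] || services="none"
    printf '%s %s %s %s\n' "$name" "$mask" "$services" "${path:-(none)}"
}

# Usage: rssh_user_entry 'user=adama:112:00011:/home/jail'
# prints "adama 112 sftp,scp /home/jail"
```

Run it over each `user=` line in your rssh.conf; a line that decodes to fewer services than you expected, or that fails the five-digit check, is usually the reason a login is refused.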

create chroot jail

# mkdir /home/jail

and again the nixcraft guide is very good, but I found it much easier than they indicate (for sftp-only anyway). Copying all the required .so’s is easy with the l2chroot script, which parses ldd output for a given binary and automatically mirrors a tree containing all the mentioned files.

# wget -O l2chroot http://www.cyberciti.biz/files/lighttpd/l2chroot.txt
# chmod +x l2chroot

Open l2chroot and set BASE variable to point to chroot directory (jail) location:

BASE="/home/jail"

and then do the copy:

# l2chroot /usr/lib/openssh/sftp-server
# l2chroot /usr/libexec/rssh_chroot_helper

There is no need for copying anything in /etc or /dev.
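To make clear what l2chroot is actually doing with that ldd output, here is an added example: a minimal shell version of the same idea, written for this page and not the post's code or the l2chroot script itself. It assumes the jail path is passed as the first argument and that ldd and awk are available, and it keeps the original file paths so the dynamic loader finds everything after the chroot.

```shell
#!/bin/sh
# Added example (not the post's code, not l2chroot): mirror a binary and the
# shared objects ldd reports for it into a chroot jail under the same paths.

# List the absolute paths ldd prints for BINARY: "libc.so.6 => /lib/..." lines
# and the bare loader line "/lib64/ld-linux-x86-64.so.2 (0x...)". A statically
# linked binary yields nothing. ldd invokes the target's dynamic loader, so only
# run it on trusted system binaries (sftp-server, rssh_chroot_helper).
needed_files() {
    ldd "$1" 2>/dev/null | awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) print $i }'
}

# Copy one file into JAIL at the same path, creating directories as needed and
# following symlinks so the jail holds a real file under that name.
copy_into() {
    jail="$1"; f="$2"
    mkdir -p "$jail$(dirname "$f")" && cp -L "$f" "$jail$f"
}

# Mirror BINARY plus its dependencies into JAIL. Prints the number of files
# copied; returns 1 as soon as a copy fails.
jail_binary() {
    jail="$1"; bin="$2"; n=0
    # System library paths contain no whitespace, so word-splitting is safe here.
    for f in "$bin" $(needed_files "$bin"); do
        copy_into "$jail" "$f" || return 1
        n=$((n + 1))
    done
    echo "$n"
}

# Usage (as root), the two binaries the post copies:
#   jail_binary /home/jail /usr/lib/openssh/sftp-server
#   jail_binary /home/jail /usr/libexec/rssh_chroot_helper
```

After copying, `chroot /home/jail /usr/lib/openssh/sftp-server` (run as root from a terminal) is a quick way to confirm the loader finds every library; a "No such file or directory" error for a binary that plainly exists means a library is still missing from the jail.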

and finally create a home sweet home for our new semi-welcome guest:

# mkdir -p /home/jail/home/adama

no need to copy /etc/skel or anything because the whole point is for them not to get a shell.

setup system user account

give them a home dir inside the jail and a shell of rssh:

# /usr/sbin/useradd -d /home/jail/home/adama -s /usr/bin/rssh adama

mount other system locations

The best part is, you can give the guest access to any other node on the system with the --bind option to mount.

So if you want to give them access to /var/www/sites/special, you could mount that from inside the jail with

# mount --bind -o noexec,nosuid /var/www/sites/special /home/jail/home/adama/ext_special

for instance. The noexec,nosuid options provide a bit of extra security, and in fact ideally should be set on whatever partition the jail resides on as well.

According to the mount man page, the --bind option is supported in Linux kernels 2.4.0+.

And to see the appropriate entry to add to /etc/fstab (so the mount happens automatically after a reboot), you can do

# cat /etc/mtab
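Because the value of noexec,nosuid depends on the options actually ending up on the mount, it is worth checking the mount table rather than trusting the command line: older versions of mount(8) silently ignore those options on the initial --bind and only honour them on a remount. The following is an added example, not from the post, that reads the same table `cat /etc/mtab` shows (from stdin, so it can be run against a constructed sample too), reports whether a jail mount has the options, and prints the matching fstab line. The `check_jail_mount` wrapper and the sample table are assumptions made for this page.

```shell
#!/bin/sh
# Added example (not the post's code): confirm a bind mount inside the jail
# really carries noexec,nosuid. The mount table (source, mountpoint, fstype,
# options, dump, pass) is read from stdin.

# Print the options field for MOUNTPOINT; fail if it is not in the table.
mount_opts() {
    awk -v mp="$1" '$2 == mp { print $4; found = 1 } END { exit !found }'
}

# Succeed only if every option named after MOUNTPOINT is set on it.
mount_has_opts() {
    mp="$1"; shift
    opts=$(mount_opts "$mp") || return 1
    for want in "$@"; do
        case ",$opts," in
            *",$want,"*) ;;
            *) return 1 ;;
        esac
    done
}

# The /etc/fstab line that reproduces the post's mount command at boot.
fstab_bind_entry() {
    printf '%s %s none bind,noexec,nosuid 0 0\n' "$1" "$2"
}

# Constructed sample of /etc/mtab as mount(8) writes it: the post's mount, and
# a second bind mount that was done without the hardening options.
SAMPLE_MTAB='/dev/sda1 / ext3 rw 0 0
/var/www/sites/special /home/jail/home/adama/ext_special none rw,bind,noexec,nosuid 0 0
/var/www/sites/docs /home/jail/home/other/ext_docs none rw,bind 0 0'

# Live check for one jail mount, run as root after the mount command; remounts
# with the options if the first mount dropped them, then prints the fstab line.
#   check_jail_mount /var/www/sites/special /home/jail/home/adama/ext_special
check_jail_mount() {
    src="$1"; mp="$2"
    if mount_has_opts "$mp" noexec nosuid < /etc/mtab; then
        echo "ok: $mp is mounted noexec,nosuid"
    else
        echo "remounting $mp with noexec,nosuid"
        mount -o remount,bind,noexec,nosuid "$src" "$mp" || return 1
    fi
    echo "fstab entry:"
    fstab_bind_entry "$src" "$mp"
}
```

On newer systems /etc/mtab is a symlink to /proc/self/mounts, which lists the underlying device instead of the bind source and omits the `bind` word; the noexec and nosuid flags still appear there, so the check itself is unchanged, but the source directory has to be supplied by hand as the functions above expect.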

There are 10 Comments to "jail time: chroot’ed sftp with rssh"

  • Girish Ram says:

    I installed restricted shell on a centos 5.3 box. I could not contain the user to his directory. When I tried to set the entry in the /etc/rssh.conf to:

    user=girishram:011:00010:/users/girishram

    It won’t allow me to login. But if I set it to :user=girishram:011:00010:, it will allow me to login but does not prevent me from seeing the other directories under /users.

    Any way around this?

    Thanks
    Girish

  • sbeam says:

    @Girish Try commenting that line out entirely. I found it is not necessary at all and should update this howto (consider this the update)

    If you still can’t login, check logs for the reason. Could be a permissions problem. And make sure the chroot environment is set up correctly under /users (I’d suggest making a separate chroot area for clarity, like /users/jail)

  • Girish Ram says:

    Thank you sbeam, commenting that line worked. Now the problem I have is that I am unable to contain the user to their home directory.

    when I set the chrootpath the user is able to see everything under the path. When I disable the path and try to set the path on the user entry, the login fails:

    user girishram attempted to execute forbidden commands
    command: /usr/libexec/openssh/sftp-server

    Anything I can do to confine the user to their home directory?

    Thanks
    Girish

  • sbeam says:

    The behavior sounds like what is expected: the user can move around within the jail as the permissions let him. If you want to prevent him from seeing other users’ directories under /home/, then turn off the read bit in that directory.

    $ chmod 711 /home/jail/home

    or

    $ chmod go-r /home/jail/home

    Then in the SFTP shell he should get ‘permission denied’ upon trying to view the contents of /home

    enjoy!

  • Girish says:

    sbeam,

    Thank you. I will use this approach to contain the user from being able to see the contents of other peoples folders.

    Thanks
    Girish

  • john says:

    This summary was very well put together. Given that the instructions seem to be scattered about everywhere, this summarized what is needed quite nicely.

    Wondering if you have a solution for this… I have users folders like this

    /chrootfolder/userfolder

    Now when users login, they can view all the folder names that are within the /chroot folder; they can not access them, but they can see them. I checked your solution above and setting 711 on /chrootfolder/ did not prevent users from seeing the other folders in that directory. Any thoughts?

  • sbeam says:

    Glad you enjoyed the article! Could be the lack of a ‘read’ bit on the main jail dir (/chrootfolder) is not respected because that is read by the sshd process (root), not the sub-shell (user). Try putting the users’ folders in another sub-directory under the jail, like /chrootfolder/home/username, and doing chmod 711 /chrootfolder/home

  • john says:

    Thanks for the amazing fast reply! I would try that, however it would be a real pain since these folders are all already set up (it’s a cpanel server), so in essence I just made the /home folder the chroot jail… and I don’t want to screw anything up related to the cpanel etc., so I may just live with it since I will only be giving it out selectively anyway. If you have other thoughts that’s great, but looks like it might be the way it has to be…

  • john says:

    Oh, and I followed the instructions on http://www.cyberciti.biz/tips/howto-linux-unix-rssh-chroot-jail-setup.html so I did copy all those /etc/ files over instead of just the 2 you mentioned above. Could this make a difference?

  • sbeam says:

    I can’t see how it would make any difference, it’s just unnecessary.


Essentials

A service of Onset Corps LLC, and your humble author and fellow journeyer Samuel Beam.

Wherein, we specialize in over-involved explanations of all types, especially as concerning the efficacious use of tools and processes to maintain simplicity in an irreducibly complex world.
