Chroot'ing All Users
#1

When you begin to actively give shell access, one of the things you worry about is that user stealing information, running services you don't want, or even cracking your system (why did you give them access!). Of course, this also provides security to your users: if a user's password is cracked, the cracker only has access to the chroot!

The goal of this mini-howto is to provide you with a method to lock each user in their own personal chroot home. Hopefully by doing this we will reduce the risk of the users exploiting some mistake/hole in your system configuration.

So on to the installation of the chroot. It might be an idea to use a separate partition for the chroot build; the reason for this is that you can alter the mount options on the chroot environment to secure it even further.

Code:
# mkdir -p /usr/chroot/system

Build the chroot environment in here (I will not go into this as it can be a long process). Ensure that you do not install SUID applications, as these can be used to exploit the system.

To allow the system to use one chroot environment for multiple users we need to use a clever automount trick (thanks to this page for this process!).

You will need autofs installed.

Code:
# mkdir /usr/chroot/mount

Edit /etc/auto.master:

Code:
/usr/chroot/mount    /etc/auto.chroot

Then make the new chroot autofs configuration file /etc/auto.chroot:

Code:
*    -fstype=bind    /            /usr/chroot/system \
                     /home/&      /home/& \
                     /tmp         /home/&/tmp \
                     /dev/pts     /dev/pts

If you decided to make the chroot on a different partition, then you can do:

Code:
/dev/CHROOTPARTITION     /usr/chroot     ext3     nosuid     1 2

Then you ensure that no SUID can be active, so even if a program has an exploit it should not allow the user to gain extra privileges.

Now you can set up how to chroot the user after they are logged in; the easiest method for this is mod_chroot.

Edit the file /etc/security/chroot.conf:

Code:
znx   /usr/chroot/mount/znx

Now you just edit the corresponding PAM file for the service in which you want to chroot users.

Add this into /etc/pam.d/sshd to enable it for sshd:

Code:
session     required     pam_chroot.so

You should ensure that you copy /etc/passwd, /etc/group and /etc/shadow regularly (like every time you bother to update the chroot environment) to the chroot.

Code:
cp /etc/passwd /etc/group /etc/shadow /usr/chroot/system/etc

Of course setting up a chroot is a complex process, so I might be tempted into expanding this to demonstrate how!

Enjoy. Many thanks to http://sickadmin.wikiwall.org/OneChrootPerUser (this site) for the very cool technique!

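As an added example (not part of znx's post or the sickadmin page), a POSIX shell audit for the two points the howto insists on before users get in: no SUID/SGID files anywhere under the chroot tree, and the chroot's /etc/passwd, /etc/group and /etc/shadow in sync with the host copies; it also reports whether the partition holding the chroot actually carries nosuid. The default paths /usr/chroot/system and /etc are the post's; any other tree can be passed as arguments.

```shell
#!/bin/sh
# Added example, not from the original post: audit a chroot tree before
# handing it out. Defaults follow the howto (/usr/chroot/system, /etc).

# List every regular file under $1 with the set-uid or set-gid bit.
# Returns 0 when none is found, 1 when at least one is (paths on stdout).
find_suid() {
    hits=$(find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null)
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits"
    return 1
}

# Compare the chroot's account files ($2/etc/*) with the host's ($1/*).
# Returns 0 when all three are identical, 1 otherwise (names the stale ones).
check_account_files() {
    host_etc=$1; chroot_root=$2; rc=0
    for f in passwd group shadow; do
        if ! cmp -s "$host_etc/$f" "$chroot_root/etc/$f"; then
            echo "stale or missing in chroot: etc/$f"
            rc=1
        fi
    done
    return $rc
}

# Is the filesystem mounted at $1 carrying nosuid (the fstab line above)?
# Reads /proc/self/mounts; returns 2 when $1 is not a mount point here.
mount_has_nosuid() {
    [ -r /proc/self/mounts ] || return 2
    opts=$(awk -v p="$1" '$2 == p { print $4 }' /proc/self/mounts)
    [ -n "$opts" ] || return 2
    case ",$opts," in *,nosuid,*) return 0 ;; *) return 1 ;; esac
}

# Run all checks; non-zero exit means the chroot is not ready for users.
audit_chroot() {
    root=${1:-/usr/chroot/system}; host_etc=${2:-/etc}; rc=0
    find_suid "$root" || { echo "SUID/SGID files found under $root"; rc=1; }
    check_account_files "$host_etc" "$root" || rc=1
    mount_has_nosuid "$(dirname "$root")" || echo "note: nosuid not confirmed on $(dirname "$root")"
    return $rc
}
```

Run it as `audit_chroot` (or `audit_chroot /path/to/tree /etc`) after each rebuild of the chroot and after each copy of the account files.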
#2
Excellent tutorial znx :)
#3

n1 znx !
pinned :)
