Chroot'ing All Users

When you begin to actively give shell access, one of the things you worry about is that user stealing information, running services you don't want or even cracking your system (why did you give them access!). Of course this also provides security to your users, as if a user's password is cracked, the cracker only has access to the chroot!


The goal of this mini-howto is to provide you with a method to lock each user in their own personal chroot home. Hopefully by doing this we will reduce the risk of the users exploiting some mistake/hole in your system configuration.


So on to the installation of the chroot. It might be an idea to use a separate partition for the chroot build; the reason for this is that you can alter the mount options on the chroot environment to secure it even further.


# mkdir -p /usr/chroot/system


Build the chroot environment in here (I will not go into this as it can be a long process). Ensure that you do not install SUID applications, as these can be used to exploit the system.


To allow the system to use one chroot environment for multiple users we need to use a clever automount trick (thanks to this page for this process!).


You will need autofs installed.


# mkdir /usr/chroot/mount


Edit /etc/auto.master and add:

/usr/chroot/mount    /etc/auto.chroot


Then make the new chroot autofs configuration file /etc/auto.chroot:

*     -fstype=bind     /               /usr/chroot/system \
                                  /home/&    /home/& \
                                  /tmp          /home/&/tmp \
                                  /dev/pts     /dev/pts


If you decided to make the chroot on a different partition then you can do:

/dev/CHROOTPARTITION     /usr/chroot     ext3     nosuid     1 2


This ensures that no SUID binary can be active, so even if a program has an exploit it should not allow the user to gain extra privileges.


Now you can set up how to chroot the user after they are logged in; the easiest method for this is mod_chroot.


Edit the file /etc/security/chroot.conf

znx   /usr/chroot/mount/znx


Now you just edit the corresponding PAM file for the service in which you want to chroot users.


Add the following to /etc/pam.d/sshd to enable this for sshd (the module that reads /etc/security/chroot.conf is pam_chroot.so):

session     required     pam_chroot.so


You should ensure that you copy /etc/passwd, /etc/group and /etc/shadow regularly (like every time you bother to update the chroot environment) to the chroot.


cp /etc/passwd /etc/group /etc/shadow /usr/chroot/system/etc


Of course setting up a chroot is a complex process so I might be tempted into expanding this to demonstrate how!


Enjoy. Many thanks to this site for the very cool technique!

Excellent tutorial znx :)

n1 znx !


pinned :)

