
Chroot'ing All Users


When you begin to actively give shell access, one of the things you worry about is that user stealing information, running services you don't want or even cracking your system (why did you give them access!). Of course this also provides security to your users, as if a user password is cracked, the cracker only has access to the chroot!


The goal of this mini-howto is to provide you a method to lock each user in their own personal chroot home. Hopefully by doing this we will reduce the risk of the users exploiting some mistake/hole in your system configuration.


So on to the installation of the chroot. It might be an idea to use a separate partition for the chroot build; the reason for this is that you can alter the mount options on the chroot environment for securing it even further.


# mkdir -p /usr/chroot/system


Build the chroot environment in here (I will not go into this as it can be a long process). Ensure that you do not install SUID applications, as these can be used to exploit the system.


To allow the system to use one chroot environment for multiple users we need to use a clever automount trick (thanks to this page for this process!).


You will need autofs installed.


# mkdir /usr/chroot/mount


Edit the /etc/auto.master

/usr/chroot/mount	/etc/auto.chroot


Then make the new chroot autofs configuration file /etc/auto.chroot:

*	 -fstype=bind	 /			   /usr/chroot/system \
								  /home/&	/home/& \
								  /tmp		  /home/&/tmp \
								  /dev/pts	 /dev/pts


If you decided to make the chroot on a different partition then you can do:

/dev/CHROOTPARTITION	 /usr/chroot	 ext3	 nosuid	 1 2


This ensures that no SUID binary can be active, so even if a program has an exploit it should not allow the user to gain extra privileges.


Now you can set up how to chroot the user after they are logged in; the easiest method for this is mod_chroot.


Edit the file /etc/security/chroot.conf

znx   /usr/chroot/mount/znx


Now you just edit the corresponding PAM file for the service you want to chroot users.


Add into /etc/pam.d/sshd to enable this for sshd.

session	 required	 pam_chroot.so


You should ensure that you copy /etc/passwd, /etc/group and /etc/shadow regularly (like every time you bother to update the chroot environment) to the chroot.


cp /etc/passwd /etc/group /etc/shadow /usr/chroot/system/etc


Of course setting up a chroot is a complex process so I might be tempted into expanding this to demonstrate how!


Enjoy. Many thanks to this site, http://sickadmin.wikiwall.org/OneChrootPerUser, for the very cool technique!

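The pieces of the howto above (the autofs bind map, the per-user chroot.conf line, the account-file copy and the "no SUID in the chroot" rule) as one small shell helper. This is an added example, not code from the post or from the linked site; every function writes or prints under caller-supplied paths so it can be dry-run in a scratch directory before touching /etc. The username "alice" and the ROOT-relative layout used in the usage line are assumptions.

```shell
#!/bin/sh
# Added example: generates the config fragments from the howto and checks
# the chroot tree. Paths follow the post; the user name is an assumption.

CHROOT_SYSTEM=/usr/chroot/system   # the real chroot build
CHROOT_MOUNT=/usr/chroot/mount     # autofs mount point, one subdir per user

# Print the /etc/auto.chroot map. autofs replaces "&" with the key it was
# asked for (the username), so /usr/chroot/mount/alice binds the shared
# system tree plus alice's own /home and /tmp over it.
auto_chroot_map() {
    printf '%s\n' \
        "*  -fstype=bind  /  $CHROOT_SYSTEM \\" \
        "        /home/&   /home/& \\" \
        "        /tmp      /home/&/tmp \\" \
        "        /dev/pts  /dev/pts"
}

# Print the /etc/security/chroot.conf line that jails one user (arg 1)
# into their automounted view of the chroot.
chroot_conf_line() {
    printf '%s\t%s/%s\n' "$1" "$CHROOT_MOUNT" "$1"
}

# Copy the account databases from one etc directory (arg 1) into the
# chroot's etc (arg 2). Returns 1 if any of the three files is missing,
# so a half-synced chroot is noticed instead of silently shipped.
sync_account_files() {
    src="$1"; dst="$2"
    mkdir -p "$dst"
    for f in passwd group shadow; do
        [ -f "$src/$f" ] || return 1
        cp "$src/$f" "$dst/$f"
    done
    chmod 600 "$dst/shadow"
}

# Count setuid/setgid files under a tree (arg 1). The post says to install
# none in the chroot, so anything other than 0 is something to remove
# (or to neutralise via the nosuid mount option on the chroot partition).
count_suid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null \
        | wc -l | tr -d ' '
}

# Usage (as root, on the real system):
#   auto_chroot_map > /etc/auto.chroot
#   chroot_conf_line alice >> /etc/security/chroot.conf
#   sync_account_files /etc "$CHROOT_SYSTEM/etc"
#   [ "$(count_suid "$CHROOT_SYSTEM")" = 0 ] || echo "SUID binaries present"
```

Run the usage lines against a scratch directory first (for example with CHROOT_SYSTEM pointed at a copy) and only then against the live paths; the count_suid check is the one worth re-running every time packages are added to the chroot build.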

n1 znx !


pinned :)
