Saturday 4 January 2014

Automatically Chroot Jail for SSH Access - #Linux_CentOS

Objective: User to be provided with a limited system environment.

Environment: CentOS-6.3 (32-bit)

I wanted to setup a way to allow SSH access to my machine but limit their abilities heavily. This can be achieved by jailing the user and providing limited access to the system.

Change plan:

1. List the user to be jailed, and gather details on his limitation for the system environment.
2. Creating basic "chroot" environment.
3. Create chroot user group.
4. Configure SSHd to chroot your users.

1. Create a test user and the group to be jailed for users.

#groupadd jailgroup
#useradd -g jailgroup jailuser


# tail  -1 /etc/passwd
jailuser:x:501:501::/home/jailuser:/bin/bash
# tail  -1 /etc/group

jailgroup:x:501:
#

2. Setting up the jail environment.

Create the directories, which needs to emulate the / directory to a bare minimum. That is we need a dev, etc, lib, usr, and bin directory as well as usr/bin/. The bash directory has to be owned by root.
#mkdir -p /chroot/{dev,etc,lib,usr,bin,home}
#mkdir -p  /chroot/usr/bin

We need a special file to disposing of unwanted output streams of a process, hence I would add "/dev/null" to my jail environment.
#mknod -m 666 /chroot/dev/null c 1 3

3. Copy few files to /chroot/etc directory.

# cp /etc/ld.so.cache /chroot/etc

# cp /etc/ld.so.conf /chroot/etc
# cp /etc/nsswitch.conf /chroot/etc

# cp /etc/hosts /chroot/etc
# cp /bin/ls /chroot/usr/bin
# cp /bin/bash /chroot/usr/bin/

Once done, you need to figure out what command you want accessible by your limited users. I want them to get into bash and list and write using 'vim' editor.
Location can be found as below 

#which cat vim ls
/bin/ls
/bin/cat
/usr/bin/vim
#

Now that you've got all the binaries in place, you need to add the proper shared libraries. To find out what libraries are as below 
# ldd /bin/ls
        linux-gate.so.1 =>  (0x008b3000)
        libselinux.so.1 => /lib/libselinux.so.1 (0x00101000)
        librt.so.1 => /lib/librt.so.1 (0x0012a000)
        libcap.so.2 => /lib/libcap.so.2 (0x0018e000)
        libacl.so.1 => /lib/libacl.so.1 (0x00183000)
        libc.so.6 => /lib/libc.so.6 (0x00af5000)
        libdl.so.2 => /lib/libdl.so.2 (0x00c89000)
        /lib/ld-linux.so.2 (0x00acf000)
        libpthread.so.0 => /lib/libpthread.so.0 (0x00a11000)
        libattr.so.1 => /lib/libattr.so.1 (0x00122000)
#

Since you need to manually copy each file, I had an piece of code from "linuxcareer.com". copy paste the below code and execute.

# cat chroot.sh
#!/bin/bash
CHROOT='/chroot'
for i in $( ldd $*  | grep -v dynamic |cut  -d" "  -f3  | sed  's/://' | sort | uniq )
do

#--parents - using full source file name under DIRECTORY.
cp --parents  $i  $CHROOT
done

# ARCH  i386
if  [ -f  /lib/ld-linux.so.2 ];  then
cp  --parents /lib/ld-linux.so.2 /$CHROOT
fi
echo   "Chroot jail is ready."
#

#chmod +x chroot.sh
#./chroot.sh /bin/{ls,cat,bash} /usr/bin/vim 

4. Configure SSHd to chroot your users.

Add the following line to /etc/ssh/sshd_config file
# tail -5 /etc/ssh/sshd_config
Match group jailgroup
          ChrootDirectory /chroot/./
          X11Forwarding no
          AllowTcpForwarding no
#

- Try to login to the server as the user.
# ssh jailuser@0 jailuser@0's password: Last login: Sat Jan 4 11:40:57 2014 from 192.168.56.1 [-bash-4.1:~]$ pwd /home/jailuser [-bash-4.1:~]$ ls [-bash-4.1:~]$ rm -bash: rm: command not found [-bash-4.1:~]$ touch -bash: touch: command not found [-bash-4.1:~]$    
NOTE:
If a user does not have its home user directory available in a chroot jail after login s/he will end up in /. You can create and further configure your chroot by creating a user home directory, defining bash environment i..e bashrc file which sets PS1 needs to be customized as your needs to look better. 
I hence conclude this article by providing a limited system environment to the user via SSH access.