
[suse-security] RE: Setting up a chroot ssh login



> Dear Thomas,
>
> doing a google search I found your post
>
> http://archives.neohapsis.com/archives/linux/suse/2004-q1/0393.html
>
> Because I'm interested in setting up a chroot ssh login, I'd like to know
> how you did it.
>
> Thank you in advance!
>
>
> Best regards,
>
> Martin

No probs... I hope you don't mind, but I'm also sending it to the list which
you found on Google.
To those on the list who helped me get this set up - thanks!!

As it happens, I've now moved away from the chroot login, but it did work
very well (as far as I could tell). Here's what I had:

I installed the "compart" (or was it "compartment"?) package from Yast.

/etc/passwd contained:
	update:x:5000:65534:Update User:/home/update:/bin/compart.jail
I used /home/update/JAIL not /home/update as
/home/update/.ssh/authorized_keys contained the stuff to enable a
passwordless login.

/bin/compart.jail contained:
	#!/bin/bash
	sudo /usr/sbin/compartment --user update --group nogroup --chroot /home/update/JAIL /bin/bash "$@"

/etc/sudoers contained:
	update  ALL= NOPASSWD: /usr/sbin/compartment --user update --group nogroup --chroot /home/update/JAIL /bin/bash*

The directory /home/update/JAIL ($JAIL) contained the full set of files that
the update user required. `ldd` gave me the libraries that the programs all
required, thus:

.:
total 1
   0 drwxr-xr-x    8 root     root          192 2004-01-27 09:54 .
   0 drwxr-xr-x    4 root     root          160 2004-01-29 16:03 ..
   0 drwxr-xr-x    2 root     root          192 2004-01-26 09:57 bin
   0 drwxr-xr-x    2 root     root           96 2004-01-23 14:08 dev
   0 drwxr-xr-x    2 root     root          128 2004-01-27 11:23 etc
   1 drwxr-xr-x    3 root     root          664 2004-01-26 09:55 lib
   0 drwxr-xr-x    4 root     root          112 2004-01-22 09:33 upload
   0 drwxr-xr-x    4 root     root           96 2004-01-22 14:50 usr

./bin:
total 645
   0 drwxr-xr-x    2 root     root          192 2004-01-26 09:57 .
   0 drwxr-xr-x    8 root     root          192 2004-01-27 09:54 ..
 469 -rwxr-xr-x    1 root     root       477132 2004-01-20 15:02 bash
  68 -rwxr-xr-x    1 root     root        68460 2004-01-20 15:02 ls
  20 -rwxr-xr-x    1 root     root        18928 2004-01-20 15:02 mkdir
  52 -rwxr-xr-x    1 root     root        52184 2004-01-20 15:02 mv
   8 -rwxr-xr-x    1 root     root         6096 2004-01-20 15:02 pwd
  28 -rwxr-xr-x    1 root     root        26656 2004-01-20 15:02 rm

./dev:
total 0
   0 drwxr-xr-x    2 root     root           96 2004-01-23 14:08 .
   0 drwxr-xr-x    8 root     root          192 2004-01-27 09:54 ..
   0 crw-rw-rw-    1 root     root       5,   0 2004-01-22 14:39 tty
   0 crw-r--r--    1 root     root       1,   9 2004-01-20 16:00 urandom

./etc:
total 12
   0 drwxr-xr-x    2 root     root          128 2004-01-27 11:23 .
   0 drwxr-xr-x    8 root     root          192 2004-01-27 09:54 ..
   4 -r--------    1 root     root           27 2004-01-22 16:11 group
   4 -rw-r--r--    1 root     root         1722 2004-01-21 09:08 ld.so.cache
   4 -r--------    1 root     root           65 2004-01-22 16:12 passwd

./lib:
total 1789
   1 drwxr-xr-x    3 root     root          664 2004-01-26 09:55 .
   0 drwxr-xr-x    8 root     root          192 2004-01-27 09:54 ..
   0 drwxr-xr-x    2 root     root          112 2004-01-23 14:08 i686
  92 -rwxr-xr-x    1 root     root        91085 2004-01-22 14:47 ld-linux.so.2
  28 -rwxr-xr-x    1 root     root        25416 2004-01-20 15:02 libacl.so.1
  16 -rwxr-xr-x    1 root     root        13974 2004-01-20 15:02 libattr.so.1
   8 -rwxr-xr-x    1 root     root         7518 2004-01-22 16:05 libcom_err.so.2
  44 -rwxr-xr-x    1 root     root        43395 2004-01-22 14:47 libcrypt.so.1
  12 -rwxr-xr-x    1 root     root        11856 2004-01-20 15:02 libdl.so.2
 104 -rwxr-xr-x    1 root     root       104452 2004-01-22 16:05 libext2fs.so.2
 124 -rwxr-xr-x    1 root     root       122891 2004-01-20 15:02 libhistory.so.4
 304 -rwxr-xr-x    1 root     root       307598 2004-01-20 15:02 libncurses.so.5
  88 -rwxr-xr-x    1 root     root        87717 2004-01-22 14:47 libnsl.so.1
  52 -rwxr-xr-x    1 root     root        50541 2004-01-21 09:11 libnss_compat.so.2
  44 -rwxr-xr-x    1 root     root        44639 2004-01-21 09:13 libnss_files.so.2
 637 -rwxr-xr-x    1 root     root       650278 2004-01-20 15:02 libreadline.so.4
  72 -rwxr-xr-x    1 root     root        70056 2004-01-22 14:47 libresolv.so.2
  36 -rwxr-xr-x    1 root     root        34085 2004-01-20 15:02 librt.so.1
  12 -rwxr-xr-x    1 root     root        10600 2004-01-22 14:47 libutil.so.1
  52 -rwxr-xr-x    1 root     root        52751 2004-01-21 11:35 libxcrypt.so.1
  64 -rwxr-xr-x    1 root     root        61850 2004-01-22 14:47 libz.so.1

./lib/i686:
total 1390
   0 drwxr-xr-x    2 root     root          112 2004-01-23 14:08 .
   1 drwxr-xr-x    3 root     root          664 2004-01-26 09:55 ..
1289 -rwxr-xr-x    1 root     root      1315242 2004-01-20 15:02 libc.so.6
 100 -rwxr-xr-x    1 root     root        98628 2004-01-20 15:02 libpthread.so.0

./usr:
total 0
   0 drwxr-xr-x    4 root     root           96 2004-01-22 14:50 .
   0 drwxr-xr-x    8 root     root          192 2004-01-27 09:54 ..
   0 drwxr-xr-x    2 root     root          192 2004-01-26 09:56 bin
   0 drwxr-xr-x    2 root     root          280 2004-01-23 14:08 lib

./usr/bin:
total 504
   0 drwxr-xr-x    2 root     root          192 2004-01-26 09:56 .
   0 drwxr-xr-x    4 root     root           96 2004-01-22 14:50 ..
   8 -rwxr-xr-x    1 root     root         6056 2004-01-22 16:03 env
   4 -rw-r--r--    1 root     root           19 2004-01-20 15:00 groups
  12 -rwxr-xr-x    1 root     root         9400 2004-01-20 15:02 id
 192 -rwxr-xr-x    1 root     root       196256 2004-01-20 15:02 rsync
  32 -rwxr-xr-x    1 root     root        28772 2004-01-22 14:33 scp
 256 -rwxr-xr-x    1 root     root       260976 2004-01-20 15:02 ssh

./usr/lib:
total 2221
   0 drwxr-xr-x    2 root     root          280 2004-01-23 14:08 .
   0 drwxr-xr-x    4 root     root           96 2004-01-22 14:50 ..
 148 -rwxr-xr-x    1 root     root       147873 2004-01-22 14:48 libasn1.so.5
   8 -rwxr-xr-x    1 root     root         7801 2004-01-22 14:48 libcom_err.so.1
 941 -r-xr-xr-x    1 root     root       961852 2004-01-22 14:47 libcrypto.so.0.9.6
 729 -rwxr-xr-x    1 root     root       744626 2004-01-22 14:48 libdb-4.0.so
  52 -rwxr-xr-x    1 root     root        53230 2004-01-22 14:48 libgssapi.so.1
 260 -rwxr-xr-x    1 root     root       263374 2004-01-22 14:48 libkrb5.so.17
  84 -rwxr-xr-x    1 root     root        84253 2004-01-22 14:48 libroken.so.9

upload/:
total 0
   0 drwxr-xr-x    4 root     root          112 2004-01-22 09:33 .
   0 drwxr-xr-x    8 root     root          192 2004-01-27 09:54 ..
   0 drwxr-xr-x    7 update   nogroup       256 2004-02-09 23:04 catalogue
   0 drwxrwxrwx    2 update   nogroup        48 2004-01-30 08:35 publicsite

$JAIL/etc/passwd contained:
	root:x:0:0:root:/root:/bin/bash
	update:x:5000:65534::/:/bin/bash

$JAIL/etc/group contained:
	root:x:0:
	nogroup:x:65534:

I think my biggest problem was tweaking the sudoers and the compart.jail
files to work properly together.

Possible improvements and other security thoughts:

1. I think to make it more secure I'd put it in a separate partition, with
appropriate security options set. The only problem is that given that this
user would be allowed to upload files (to $JAIL/upload/catalogue and
$JAIL/upload/publicsite), I wouldn't be able to make it readonly.

2. PAM was to be used to limit update's logon times to certain times of day,
and to only allow root@other_host to login as update. This would mean that
the other machine would have to be root-compromised to let an unauthorised
user log in to the chroot jail.

3. A cron job that performs and compares checksums on files in $JAIL,
replacing them if required (and reporting if this happens).

4. The files uploaded by the update user are copied out of the jail, undergo
a set of sanity checks, and are _then_ put in place of the current website
and catalogue.

5. I thought about using `chattr` to make files really difficult to modify,
but I hadn't found out much about it before I discovered that it's not so
available for ReiserFS.

The reason I'm not using this system now is that I couldn't get rsync to
work, and if I'm reduced to having all files uploaded I may as well use sftp
and have no direct shell access whatsoever. Hell, it's only bandwidth!



Tom.
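The procedure Tom describes has three mechanical parts: populate the jail with each program plus whatever `ldd` reports for it, make sure the jailed user cannot modify anything outside the upload area, and checksum the tree from cron (his item 3). The script below is an added example written for this page, not Tom's code and not part of the compartment package. It assumes a POSIX sh with find, awk, cmp, diff and sha256sum (or shasum), and takes the jail path and the name of the writable upload subdirectory as parameters; the demonstration at the bottom builds a throwaway jail from the host's /bin/sh and removes it again. It does not touch sudo or compartment. One caveat on the sudoers line above: sudoers matches command arguments as one space-separated string, so the trailing `*` in `/bin/bash*` also permits any further arguments to bash; they still land inside the chroot, but it is worth knowing what the rule allows.

```shell
#!/bin/sh
# Added example (not the original poster's code): build the immutable part
# of a chroot jail from a program list plus what `ldd` resolves, audit the
# result, and keep a checksum baseline for a cron job to compare against.
# Assumed tools: POSIX sh, find, awk, cmp, diff, sha256sum or shasum.
set -eu
umask 022   # nothing created in the jail is group/other writable

_sha() {   # sha256sum on GNU systems, shasum elsewhere
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$@"; else shasum -a 256 "$@"; fi
}

# jail_copy_bin JAIL /path/to/program
# Copies the program and every shared object ldd resolves for it. cp follows
# symlinks, so the jail gets a plain file under the name the loader asks for
# (the post's lib/ listing shows regular files, not symlinks, for that reason).
jail_copy_bin() {
    jail=$1; bin=$2
    mkdir -p "$jail$(dirname "$bin")"
    cp "$bin" "$jail$bin"
    # ldd lines look like "libc.so.6 => /lib/libc.so.6 (0x...)" or, for the
    # dynamic loader itself, "/lib64/ld-linux-x86-64.so.2 (0x...)". A static
    # binary makes ldd fail; its stderr is dropped and nothing more is copied.
    ldd "$bin" 2>/dev/null | awk '
        $2 == "=>" && $3 ~ /^\//  { print $3 }
        $2 != "=>" && $1 ~ /^\//  { print $1 }
    ' | while IFS= read -r lib; do
        [ -f "$lib" ] || continue        # skips vdso and unresolved entries
        mkdir -p "$jail$(dirname "$lib")"
        cp "$lib" "$jail$lib"
    done
}

# jail_audit JAIL WRITABLE_SUBDIR
# Lists files and directories outside the upload area that are setuid, setgid
# or writable by group/other. Returns 1 if anything was found, so a build
# script running under set -e stops instead of deploying a jail the jailed
# user could modify. Device nodes are not checked (the post's dev/tty is 666).
jail_audit() {
    jail=$1; writable=$2
    bad=$(find "$jail" -path "$jail/$writable" -prune -o \
            \( -type f -o -type d \) \
            \( -perm -4000 -o -perm -2000 -o -perm -0020 -o -perm -0002 \) -print)
    if [ -n "$bad" ]; then
        printf 'jail_audit: unsafe entries:\n%s\n' "$bad" >&2
        return 1
    fi
    return 0
}

# jail_baseline JAIL WRITABLE_SUBDIR OUTFILE
# SHA-256 of every regular file outside the upload area, sorted so two runs
# over an unchanged tree produce byte-identical output.
jail_baseline() {
    jail=$1; writable=$2; out=$3
    ( cd "$jail" && find . -path "./$writable" -prune -o -type f -print \
        | LC_ALL=C sort | while IFS= read -r f; do _sha "$f"; done ) > "$out"
}

# jail_verify JAIL WRITABLE_SUBDIR BASELINE
# Regenerates the baseline and compares whole files, so added and removed
# files are caught as well as modified ones (sha256sum -c alone would miss
# additions). Prints the differences and returns 1 on any change: the body
# of the cron job the post proposes, minus the mail and the file restore.
jail_verify() {
    jail=$1; writable=$2; base=$3
    now=$(mktemp)
    jail_baseline "$jail" "$writable" "$now"
    if cmp -s "$base" "$now"; then
        rm -f "$now"; return 0
    fi
    diff "$base" "$now" >&2 || true
    rm -f "$now"
    return 1
}

# Demonstration on a throwaway jail built from the host's /bin/sh. The paths
# are constructed here, not taken from the post, and removed at the end.
JAIL=$(mktemp -d)
mkdir -p "$JAIL/upload/publicsite" "$JAIL/dev" "$JAIL/etc"
jail_copy_bin "$JAIL" /bin/sh
jail_audit "$JAIL" upload
jail_baseline "$JAIL" upload "$JAIL.sha256"
jail_verify "$JAIL" upload "$JAIL.sha256" && echo "jail matches baseline"
rm -rf "$JAIL" "$JAIL.sha256"
```

Run it as the user who owns the jail (root on the real system) and call `jail_copy_bin` once per program in the post's bin/ and usr/bin/ lists; `jail_audit` belongs at the end of the build, and `jail_baseline` plus `jail_verify` are the two halves of the cron job, with the baseline file kept outside the jail where the jailed user cannot reach it.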

