Suppose
/home/close/ is having
some script/software located folder and you may need to give access
to some users with restricted commands. So he cannot see other files
and folders on the server
So here /home/close is our chroot
directory.
Here I would like to provide “ls”
and “echo” commands only for the user. So I need to copy these command's binary
as well as libraries to this folder.
My computer is 32 bit based. So I will
use lib , for 64 bit computers you need to use lib64.
That is , /lib/ld-linux.so.2 means your
machine is 32 bit
How to check your cpu and OS is 32bit or 64bit:
1. [root@localhost ajeesh]# getconf LONG_BIT
32
2. [root@localhost ajeesh]# uname -m
i686
3. [root@localhost ajeesh]# grep flags /proc/cpuinfo
flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe nx lm constant_tsc arch_perfmon pebs bts aperfmperf pni dtes64 monitor ds_cpl est tm2 ssse3 cx16 xtpr pdcm xsave lahf_lm dtherm
flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe nx lm constant_tsc arch_perfmon pebs bts aperfmperf pni dtes64 monitor ds_cpl est tm2 ssse3 cx16 xtpr pdcm xsave lahf_lm dtherm
rm ==> 16-bit processor
tm ==> 32-bit processor
lm ==> 64-bit processor
4. [root@localhost ajeesh]# ldd /bin/echo
linux-gate.so.1 => (0xb77e9000)
libc.so.6 => /lib/libc.so.6 (0x41d4e000)
/lib/ld-linux.so.2 (0x41d29000) =======> for 32 bit
===
For echo.
Binary
[root@localhost ~]# which echo
/bin/echo
Libraries :
[root@localhost ~]# ldd /bin/echo
linux-gate.so.1 =>
(0xb773d000)
libc.so.6 => /lib/libc.so.6
(0x41d4e000)
/lib/ld-linux.so.2 (0x41d29000)
[root@localhost ~]# cp /bin/echo
/home/close/bin/
now copying libraries
[root@localhost ~]# cp /lib/libc.so.6
/home/close/lib/
cp
/lib/ld-linux.so.2 /home/close/lib/
For ls
[root@localhost ~]# /bin/ls
/home/close/bin/
library
cp /lib/libselinux.so.1
/home/close/lib/
cp /lib/librt.so.1 /home/close/lib/
cp /lib/libcap.so.2 /home/close/lib/
cp /lib/libacl.so.1 /home/close/lib/
cp /lib/libc.so.6 /home/close/lib/
cp /lib/libdl.so.2 /home/close/lib/
cp /lib/libpthread.so.0
/home/close/lib/
cp /lib/libattr.so.1 /home/close/lib/
/bin/bash : otherwise users can not
login to to this directory.
cp /bin/bash /home/close/bin/
cp /lib/libtinfo.so.5 /home/close/lib/
cp /lib/libdl.so.2 /home/close/lib/
cp /lib/libgcc_s.so.1 /home/close/lib/
cp /lib/libc.so.6 /home/close/lib/
Now we can test and confirm by using
the following steps:
[root@localhost ~]# chroot /home/close/
bash-4.2# passwd
bash: passwd: command not found
bash-4.2# ls
bin lib
bash-4.2# pwd
/ ====> user will think that he
is in the root directory.
bash-4.2#
Now adding an user with as jailed
permission
[root@localhost ~]# groupadd jail
[root@localhost ~]# useradd -G jail
fahad
[root@localhost ~]# passwd fahad
[root@localhost ~]# su - fahad
[fahad@localhost ~]$ ls
[fahad@localhost ~]$ pwd
/home/fahad
Now I need to add the following lines in
/etc/ssh/sshd_config
Match Group jail
ChrootDirectory /home/close
#service sshd restart
Now we can test and confirm:
[root@localhost ~]# ssh fahad@localhost
fahad@localhost's password:
Last login: Wed Aug 14 22:01:08 2013
from localhost
-bash-4.2$ ls
bin lib
-bash-4.2$ cd /home/
-bash: cd: /home/: No such file or
directory
-bash-4.2$ rm -rf *
-bash: rm: command not found
