Monday, October 7, 2013

Creating a jailed user


Suppose /home/close/ is a folder containing some scripts or software, and you need to give some users access to it with a restricted set of commands, so that they cannot see other files and folders on the server.


So here /home/close is our chroot directory.

Here I would like to provide only the “ls” and “echo” commands to the user, so I need to copy each command's binary, as well as the libraries it depends on, into this folder.

My computer is 32-bit based, so I will use lib; for 64-bit computers you need to use lib64 instead.
That is, seeing /lib/ld-linux.so.2 in the ldd output means your machine is 32-bit.

How to check whether your CPU and OS are 32-bit or 64-bit:
1. [root@localhost ajeesh]# getconf LONG_BIT
32
2. [root@localhost ajeesh]# uname -m
i686
3. [root@localhost ajeesh]# grep flags /proc/cpuinfo
flags           : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe nx lm constant_tsc arch_perfmon pebs bts aperfmperf pni dtes64 monitor ds_cpl est tm2 ssse3 cx16 xtpr pdcm xsave lahf_lm dtherm
flags           : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe nx lm constant_tsc arch_perfmon pebs bts aperfmperf pni dtes64 monitor ds_cpl est tm2 ssse3 cx16 xtpr pdcm xsave lahf_lm dtherm

rm ==> 16-bit processor
tm ==> 32-bit processor
lm ==> 64-bit processor


4. [root@localhost ajeesh]# ldd /bin/echo
        linux-gate.so.1 =>  (0xb77e9000)
        libc.so.6 => /lib/libc.so.6 (0x41d4e000)
        /lib/ld-linux.so.2 (0x41d29000) =======> for 32 bit
===
For echo.
Binary
[root@localhost ~]# which echo
/bin/echo
Libraries :
[root@localhost ~]# ldd /bin/echo
linux-gate.so.1 => (0xb773d000)
libc.so.6 => /lib/libc.so.6 (0x41d4e000)
/lib/ld-linux.so.2 (0x41d29000)

[root@localhost ~]# cp /bin/echo /home/close/bin/
now copying libraries
[root@localhost ~]# cp /lib/libc.so.6 /home/close/lib/
cp /lib/ld-linux.so.2 /home/close/lib/

For ls (its binary /bin/ls is copied into /home/close/bin/ in the same way as echo, followed by its libraries)
[root@localhost ~]# /bin/ls /home/close/bin/
library
cp /lib/libselinux.so.1 /home/close/lib/
cp /lib/librt.so.1 /home/close/lib/
cp /lib/libcap.so.2 /home/close/lib/
cp /lib/libacl.so.1 /home/close/lib/
cp /lib/libc.so.6 /home/close/lib/
cp /lib/libdl.so.2 /home/close/lib/
cp /lib/libpthread.so.0 /home/close/lib/
cp /lib/libattr.so.1 /home/close/lib/

/bin/bash: without it, users cannot log in to this directory.
cp /bin/bash /home/close/bin/
cp /lib/libtinfo.so.5 /home/close/lib/
cp /lib/libdl.so.2 /home/close/lib/
cp /lib/libgcc_s.so.1 /home/close/lib/
cp /lib/libc.so.6 /home/close/lib/


Now we can test and confirm by using the following steps:
[root@localhost ~]# chroot /home/close/
bash-4.2# passwd
bash: passwd: command not found
bash-4.2# ls
bin lib
bash-4.2# pwd
/ ====> the user will think that he is in the root directory.
bash-4.2#

Now adding a user with jailed permissions
[root@localhost ~]# groupadd jail
[root@localhost ~]# useradd -G jail fahad
[root@localhost ~]# passwd fahad

[root@localhost ~]# su - fahad
[fahad@localhost ~]$ ls
[fahad@localhost ~]$ pwd
/home/fahad

Now I need to add the following lines to /etc/ssh/sshd_config (sshd requires the chroot directory and every component of its path to be owned by root and not writable by any other user or group):

Match Group jail
ChrootDirectory /home/close

#service sshd restart


Now we can test and confirm:

[root@localhost ~]# ssh fahad@localhost
fahad@localhost's password:
Last login: Wed Aug 14 22:01:08 2013 from localhost

-bash-4.2$ ls
bin lib

-bash-4.2$ cd /home/
-bash: cd: /home/: No such file or directory

-bash-4.2$ rm -rf *
-bash: rm: command not found











