Chroot User Environment

From: David E. Meier (dev_at_eth0.ch)
Date: 12/21/04

  • Next message: MBuselli_at_cccis.com: "Re: Chroot User Environment" 
    Date: Tue, 21 Dec 2004 19:05:27 +0100 (CET)
To: secureshell@securityfocus.com

    I have installed the openssh-portable version with the chroot patch
    enabled. Since I want to give only a limited set of commands to the
    account I copied the required binaries and libs to the chroot dir. I can
    login and execute whatever binary I have included into the chroot
    environment. However, I am facing several undesired side effects:

    -) The numeric uid's do not get mapped to their login names, but gid's do:
      $ pwd
      /
      $ ls -al
      total 96
      drwxr-xr-x 8 0 wheel 512 Dec 21 17:41 .
      drwxr-xr-x 8 0 wheel 512 Dec 21 17:41 ..
      dr-x--x--x 2 0 wheel 512 Dec 21 16:53 bin
      drwxr-xr-x 2 0 wheel 512 Dec 21 17:42 dev
      dr-xr-xr-x 2 0 wheel 512 Dec 21 16:54 etc
      drwxr-xr-x 4 1003 mygroup 512 Dec 21 16:47 home
      dr-x--x--x 2 0 wheel 512 Dec 21 16:47 lib
      dr-x--x--x 2 0 wheel 512 Dec 21 16:47 libexec

      I have included modified versions of passwd and group in the chroot /etc
    dir:
      /etc/passwd:
      root:*:0:0:Root User:/:/dev/null
      myuser:*:1003:1001:Chroot User:/home:/bin/sh

      /etc/group:
      wheel:*:0:root
      mygroup:*1001:

    -) I do get funny characters printed when typing a backspce, hitting
    delete or entering CTRL-D to exit the shell.

    Here's how I set up the chroot environment (OS is FreeBSD 5.3):

    dr-x--x--x bin
    -r-x--x--x bin/chmod
    -r-x--x--x bin/ls
    -r-x--x--x bin/sh
    drwxr-xr-x dev
    crwxr-xr-x 2,2 dev/null
    dr-xr-xr-x etc
    -rw-r--r-- etc/group
    -rw-r--r-- etc/passwd
    dr-x--x--x lib
    -r--r--r-- lib/libc.so.5
    -r--r--r-- lib/libedit.so.4
    -r--r--r-- lib/libncurses.so.5
    dr-x--x--x libexec
    -r--r--r-- libexec/ld-elf.so.1

    I assume both observations are connected to each other. What am I missing
    here to build a minimal but fully functional environment? Any comments are
    greatly appreciated. Dave.

  • Next message: MBuselli_at_cccis.com: "Re: Chroot User Environment"

    Relevant Pages

    • Re: CHROOT Tutorial?
      ... I followed that with a few modifications to make the chroot ... environment look a little bit more like the natural environment. ... One change I made was to put the jailed shell in ... login: pajaro ...
      (Fedora)
    • Re: CHROOT Tutorial?
      ... environment look a little bit more like the natural environment. ... One change I made was to put the jailed shell in ... login: pajaro ... once for the user and once for sudo to execute the chroot. ...
      (Fedora)
    • Re: CHROOT Tutorial?
      ... I followed that with a few modifications to make the chroot ... environment look a little bit more like the natural environment. ... login: pajaro ... bash-2.05b# pwd ...
      (Fedora)
    • Re: CHROOT Tutorial?
      ... environment look a little bit more like the natural environment. ... One change I made was to put the jailed shell in ... login: pajaro ... once for the user and once for sudo to execute the chroot. ...
      (Fedora)
    • Re: To chroot or not to chroot?
      ... > webserver, which should have an http server, webmail, php support, ... > dns, ftp, remote login and a couple more things. ... My understanding of chroot, is that if the service is compromised, then the ... As for login, use sshd and only allow key-based authentication. ...
      (Security-Basics)