Chroot User Environment

From: David E. Meier (dev_at_eth0.ch)
Date: 12/21/04

  • Next message: MBuselli_at_cccis.com: "Re: Chroot User Environment"
    Date: Tue, 21 Dec 2004 19:05:27 +0100 (CET)
    To: secureshell@securityfocus.com
    
    

    I have installed the openssh-portable version with the chroot patch
    enabled. Since I want to give only a limited set of commands to the
    account I copied the required binaries and libs to the chroot dir. I can
    login and execute whatever binary I have included into the chroot
    environment. However, I am facing several undesired side effects:

    -) The numeric uid's do not get mapped to their login names, but gid's do:
      $ pwd
      /
      $ ls -al
      total 96
      drwxr-xr-x 8 0 wheel 512 Dec 21 17:41 .
      drwxr-xr-x 8 0 wheel 512 Dec 21 17:41 ..
      dr-x--x--x 2 0 wheel 512 Dec 21 16:53 bin
      drwxr-xr-x 2 0 wheel 512 Dec 21 17:42 dev
      dr-xr-xr-x 2 0 wheel 512 Dec 21 16:54 etc
      drwxr-xr-x 4 1003 mygroup 512 Dec 21 16:47 home
      dr-x--x--x 2 0 wheel 512 Dec 21 16:47 lib
      dr-x--x--x 2 0 wheel 512 Dec 21 16:47 libexec

      I have included modified versions of passwd and group in the chroot /etc
    dir:
      /etc/passwd:
      root:*:0:0:Root User:/:/dev/null
      myuser:*:1003:1001:Chroot User:/home:/bin/sh

      /etc/group:
      wheel:*:0:root
      mygroup:*1001:

    -) I do get funny characters printed when typing a backspace, hitting
    delete or entering CTRL-D to exit the shell.

    Here's how I set up the chroot environment (OS is FreeBSD 5.3):

    dr-x--x--x bin
    -r-x--x--x bin/chmod
    -r-x--x--x bin/ls
    -r-x--x--x bin/sh
    drwxr-xr-x dev
    crwxr-xr-x 2,2 dev/null
    dr-xr-xr-x etc
    -rw-r--r-- etc/group
    -rw-r--r-- etc/passwd
    dr-x--x--x lib
    -r--r--r-- lib/libc.so.5
    -r--r--r-- lib/libedit.so.4
    -r--r--r-- lib/libncurses.so.5
    dr-x--x--x libexec
    -r--r--r-- libexec/ld-elf.so.1

    I assume both observations are connected to each other. What am I missing
    here to build a minimal but fully functional environment? Any comments are
    greatly appreciated. Dave.
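
An added example, not part of the original message or of OpenSSH: a shell lint for the passwd and group files inside a chroot tree, with a constructed sample tree that holds the two files exactly as they are quoted in the message. The names lint_chroot_accounts and make_sample and the temporary directory are assumptions made for the illustration.

```shell
# Added example, not from the original post; helper names are hypothetical.
# Prints one finding per line; returns 0 if clean, 1 on findings, 2 if unreadable.
lint_chroot_accounts() {
    root=$1
    for f in "$root/etc/group" "$root/etc/passwd"; do
        [ -r "$f" ] || { echo "unreadable: $f"; return 2; }
    done
    findings=$(
        awk -F: '
            /^#/ || /^[ \t]*$/ { next }           # comments, blank lines
            FILENAME == ARGV[1] {                 # first file: group, 4 fields
                if (NF != 4)
                    printf "group:%d: expected 4 fields, got %d: %s\n", FNR, NF, $0
                else if ($3 !~ /^[0-9]+$/)
                    printf "group:%d: non-numeric gid: %s\n", FNR, $0
                else
                    gids[$3] = 1
                next
            }
            NF != 7 {                             # second file: passwd, 7 fields
                printf "passwd:%d: expected 7 fields, got %d: %s\n", FNR, NF, $0
                next
            }
            $3 !~ /^[0-9]+$/ || $4 !~ /^[0-9]+$/ {
                printf "passwd:%d: non-numeric uid or gid: %s\n", FNR, $0
                next
            }
            !($4 in gids) { printf "passwd:%d: gid %s of %s has no group entry\n", FNR, $4, $1 }
        ' "$root/etc/group" "$root/etc/passwd"
        # Home and shell must resolve relative to the chroot, not the host.
        while IFS=: read -r name pw uid gid gecos home shell; do
            case $name in ''|\#*) continue ;; esac
            [ -d "$root$home" ] || echo "passwd: home $home of $name not in chroot"
            [ -e "$root$shell" ] || echo "passwd: shell $shell of $name not in chroot"
        done < "$root/etc/passwd"
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}
# Constructed sample tree holding the two files as quoted in the message.
make_sample() {
    d=$(mktemp -d) && mkdir -p "$d/etc" "$d/home" "$d/bin" "$d/dev"
    : > "$d/bin/sh"; : > "$d/dev/null"
    printf '%s\n' 'root:*:0:0:Root User:/:/dev/null' \
        'myuser:*:1003:1001:Chroot User:/home:/bin/sh' > "$d/etc/passwd"
    printf '%s\n' 'wheel:*:0:root' 'mygroup:*1001:' > "$d/etc/group"
    echo "$d"
}
```

Source the file and run `lint_chroot_accounts "$(make_sample)"`, or pass the root of a real chroot tree; the lint only reads etc/passwd and etc/group and tests for the existence of the home and shell paths.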

