Create chroot jail for SSH access

{ REMINDER:
I CREATED THIS POST A LONG TIME AGO, SO YOU MIGHT RUN INTO SOME ISSUE OR PROBLEM WHEN REPRODUCING IT. FEEL FREE TO POST AN UPDATE ABOUT IT. THANKS }


Hello.

First, create the user and group that will be treated as the jailed user.


CREATE USER


Let's use these values:
username: normies
groupname: jailedusers


Now create the group first:
$ groupadd jailedusers

Now create the user normies and add it to the jailedusers group:
$ useradd -m normies -G jailedusers




SETUP JAIL DIRECTORY
This emulates the root / directory with a bare minimum: we need dev, etc, lib, lib64, usr, bin, var and home directories, as well as usr/bin. The base directory has to be owned by root (sshd also refuses to chroot into a directory that is writable by group or others, so leave it at the default 755).


$ mkdir -p /var/jail/{dev,etc,lib,lib64,usr,bin,var,home}
$ mkdir -p /var/jail/usr/bin
$ chown root:root /var/jail


You also need a /dev/null device node:
$ mknod -m 666 /var/jail/dev/null c 1 3


Fill the etc directory with the minimum files:
$ cd /var/jail/etc
$ cp /etc/ld.so.cache .
$ cp /etc/ld.so.conf .
$ cp /etc/nsswitch.conf .
$ cp /etc/hosts .


Once this is done, you need to decide which commands your user needs. For example, I want my user to be able to use touch. First you need to know where the binary is located.

$ which touch
/usr/bin/touch


So you know where it is located. Now copy it to /var/jail/usr/bin:

$ cd /var/jail/usr/bin
$ cp /usr/bin/touch .

But this is not settled yet. Each of these binaries has its own shared libraries, so you have to copy those into /var/jail as well. This is painful to do by hand since there are many libraries. Let's first see what the /bin/bash binary needs:

$ ldd /bin/bash
        linux-vdso.so.1 (0x00007ffdcfc66000)
        libtinfo.so.5 => /lib/x86_64-linux-gnu/libtinfo.so.5 (0x00007f69c19bc000)
        libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f69c17b8000)
        libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f69c13c7000)
        /lib64/ld-linux-x86-64.so.2 (0x00007f69c1f00000)


I found an easy way to do this: the l2chroot script. Let's download it (read through the script before making it executable, since you will run it as root):

$ cd /sbin
$ wget -O l2chroot https://gist.githubusercontent.com/Tester2009/114871b6e272071d733d53488ef387a6/raw/9888e8f68a1cc60f0cec248274450316c34d22fa/l2chroot.txt
$ chmod +x l2chroot


OK, now you have it ready to go. Let's say you have already copied /bin/bash and /bin/ls into /var/jail/usr/bin.
Now copy the required libraries for each binary, for example:

$ l2chroot /usr/bin/touch
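As an added example (not from the original post or the l2chroot gist), this POSIX shell snippet does the two things the steps above rely on: it parses ldd output and copies each library into the jail at the same path, and it checks the root-ownership and permission requirement sshd places on the jail root. The function names and the JAIL argument are my own.

```shell
#!/bin/sh
# Added example: copy a binary plus its shared libraries into a chroot jail,
# and check the sshd requirement on the jail root. Function names are mine.

# ldd_libs: read ldd output on stdin, print one absolute library path per line.
# Handles "libX => /path (addr)" and the bare loader line "/lib64/ld-... (addr)";
# entries without a file on disk (linux-vdso.so.1) are skipped.
ldd_libs() {
  awk '
    / => \// { print $3; next }
    /^[ \t]*\/[^ ]+ \(/ { print $1 }
  '
}

# jail_copy_libs JAIL: copy every path read on stdin to JAIL/<same path>.
jail_copy_libs() {
  jail=$1
  while IFS= read -r lib; do
    [ -f "$lib" ] || { echo "missing library: $lib" >&2; return 1; }
    mkdir -p "$jail$(dirname "$lib")"
    cp -p "$lib" "$jail$lib"
  done
}

# jail_add_bin JAIL BIN: copy BIN to JAIL/BIN plus everything ldd says it needs,
# e.g. jail_add_bin /var/jail /usr/bin/touch
jail_add_bin() {
  jail=$1; bin=$2
  mkdir -p "$jail$(dirname "$bin")"
  cp -p "$bin" "$jail$bin"
  ldd "$bin" | ldd_libs | jail_copy_libs "$jail"
}

# jail_mode_ok MODE: MODE is the octal mode string printed by "stat -c %a".
# Returns 0 when neither group nor others have write access, which sshd
# demands for ChrootDirectory and for every parent directory of it.
jail_mode_ok() {
  mode=$1
  g=$(( (mode / 10) % 10 )); o=$(( mode % 10 ))
  [ $(( g & 2 )) -eq 0 ] && [ $(( o & 2 )) -eq 0 ]
}

# jail_root_ok JAIL: root-owned and not group/other writable, else say why.
jail_root_ok() {
  owner=$(stat -c %u "$1") && mode=$(stat -c %a "$1") || return 1
  [ "$owner" -eq 0 ] || { echo "$1 is not owned by root" >&2; return 1; }
  jail_mode_ok "$mode" || { echo "$1 is writable by group/others" >&2; return 1; }
}
```

Run jail_root_ok on /var/jail before restarting sshd; a jail that fails it will make every login for the matched group fail.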



Shell for jailed user
Now set which shell your jailed user should use. I prefer /bin/bash because it has what I need: backspace and the arrow keys. Set the shell for your user, copy bash and its libraries into the jail, and give the user a home directory inside it:

$ chsh -s /bin/bash normies
$ cp /bin/bash /var/jail/bin
$ l2chroot /bin/bash
$ mkdir -p /var/jail/home/normies
$ chown -R normies:normies /var/jail/home/normies

Now your user will use the bash shell.



CONFIGURE SSHd to Chroot your users

Modify /etc/ssh/sshd_config:

$ nano /etc/ssh/sshd_config

Find 'Subsystem sftp /usr/lib/openssh/sftp-server' and comment it out.
Go to the bottom of the file and add the following block (keep it at the end: every line after a Match applies only to that match, up to the next Match line):

Match group jailedusers
    ChrootDirectory /var/jail
    X11Forwarding no
    AllowTcpForwarding no


Now save it.
Check the configuration syntax with sshd -t, then restart ssh with the following command:
$ /etc/init.d/ssh restart




Now you have jailed your users.



ISSUE 1

You might face an issue where, once logged in as the jailed user, you cannot use the backspace key. Fixing this is very easy. Log in as your user, which is normies.

Run the command below:
$ stty -a
speed 9600 baud; rows 30; columns 120; line = 0;
intr = ^C; quit = ^\; erase = ^?; kill = ^U; eof = ^D; eol = <undef>; eol2 = <undef>; swtch = <undef>; start = ^Q;
stop = ^S; susp = ^Z; rprnt = ^R; werase = ^W; lnext = ^V; discard = ^O; min = 1; time = 0;
-parenb -parodd -cmspar cs8 -hupcl -cstopb cread -clocal -crtscts
-ignbrk -brkint -ignpar -parmrk -inpck -istrip -inlcr -igncr icrnl ixon -ixoff -iuclc -ixany -imaxbel -iutf8
opost -olcuc -ocrnl onlcr -onocr -onlret -ofill -ofdel nl0 cr0 tab0 bs0 vt0 ff0
isig icanon iexten echo echoe echok -echonl -noflsh -xcase -tostop -echoprt echoctl echoke -flusho -extproc

The current erase value is erase = ^?.
Now check what your terminal actually sends for backspace. You can check it by pressing CTRL + V and then backspace. It should show something like this:

^H

So now set the erase character to ^H:
$ stty erase ^H

Note that you have to press CTRL + V and then backspace to enter the ^H value, not type the two characters by hand.

Now you've fixed this issue.



ISSUE 2

Your shell might be sh, which is not yet complete for me, because it doesn't have backspace, arrow keys, and other things. So you have to change your shell from /bin/sh to /bin/bash.

Changing this is very easy. Log in as root.

$ cd /var/jail/usr/bin
$ chsh -s /bin/




ISSUE 3
You will not have apt-get as usual. You have to set up a bit to get this working.
First copy /usr/bin/dpkg to /var/jail/usr/bin. Then copy all /usr/bin/apt* to /var/jail/usr/bin (and run l2chroot on each of them, as above, so their libraries are in the jail too).

$ cp /usr/bin/dpkg /var/jail/usr/bin
$ cp /usr/bin/apt* /var/jail/usr/bin

The issue is not settled yet. You have to copy all files inside /usr/share/dpkg to /var/jail/usr/share (create the target directory first, otherwise cp -R renames the copied tree to "share"):
$ mkdir -p /var/jail/usr/share
$ cp -R /usr/share/dpkg /var/jail/usr/share



Now you can use the apt program. But there is still no repo. You have to copy this:

$ cp -R /etc/apt /var/jail/etc/




Now copy everything inside /var/lib/apt to /var/jail/var/lib/apt (again creating the target directory first):

$ mkdir -p /var/jail/var/lib
$ cp -R /var/lib/apt /var/jail/var/lib/






Sources:
https://allanfeid.com/content/creating-chroot-jail-ssh-access
https://gist.github.com/kmddevdani/b7687a74dacb250eda7b8e2f65f1c906
https://unix.stackexchange.com/a/43107
https://puppylinux.org/wikka/Debianization (E: Unable to determine a suitable packaging system type)
https://stackoverflow.com/a/47964813 (E: Error reading the CPU table)
