CHROOT Tutorial?

kalinix calin.kalinix.cosma at gmail.com
Tue Sep 18 21:09:18 UTC 2007 

On Tue, 2007-09-18 at 14:45 -0500, Mike McCarty wrote:
> Manuel Arostegui Ramirez wrote:
> > 
> > http://www.todo-linux.com/modules.php?name=News&file=article&sid=2485
> > 
> 
> I followed that with a few modifications to make the chroot
> environment look a little bit more like the natural environment.
> One change I made was to put the jailed shell in
> 
> 	/usr/local/bin/jail_shells/pajaro
> 
> rather than in /bin/jail. This allows easy setup of different
> users with jailed shells named for them. Another was to add
> /home/pajaro/home/pajaro, so that the "home" directory shows
> up in the chroot environment.
> 
> I see some consequences which are somewhat different from the
> "normal" environment.
> 
> (1) I found that
> 
> 	$ su - pajaro
> 
> worked to log in, but not
> 
> 	$ login
> 	login: pajaro
> 	Password:
> 	Login incorrect
> 
> (2) The user must enter his password twice when logging in,
> once for the user and once for sudo to execute the chroot.
> 
> (3) The user, though jailed, runs as root in the chroot
> environment, not as himself
> 
> 	bash-2.05b# whoami
> 	whoami: cannot find username for UID 0
> 
> (4) After the initial login, the current directory is
> /, not $HOME.
> 
> 	bash-2.05b# pwd
> 	/
> 	bash-2.05b# ls
> 	bin  home  lib  usr
> 	bash-2.05b# cd
> 	bash-2.05b# pwd
> 	/home/pajaro
> 	bash-2.05b#
> 
> Mike
> -- 
> p="p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);}
> Oppose globalization and One World Governments like the UN.
> This message made from 100% recycled bits.
> You have found the bank of Larn.
> I can explain it for you, but I can't understand it for you.
> I speak only for myself, and I am unanimous in that!
> 
(just trying to be wiseguy :) )

(1) I tested with same setup as in document ad worked for me, of course
with

(2) two time password :) But I think you can override the sudo password
with NOPASSWD in sudoers

(3) this is intended to, since you *sudo* chroot.

(4) actually you don't have a true login shell so the home directory
in /etc/passwd means nothing. The PWD will be the one you chrooted to

Not to mention that you can easily break out from that jail.

On the other hand I have noticed /etc/security/chroot.conf but never
found an RH/Fedora/CentOS document about how to set it up. It looks like
is using a pam module, pam_chroot.so



In the meanwhile there is another chroot howto. Sorry again guys that is
not Fedora related :D This time is debian.

http://www.debian.org/doc/manuals/securing-debian-howto/ap-chroot-ssh-env.en.html

You might be interested in the link it provides: chroot section of the
Debian Reference


Calin

=================================================
"Help Mr. Wizard!" -- Tennessee Tuxedo

More information about the users mailing list