CHROOT Tutorial?
Mike McCarty
Mike.McCarty at sbcglobal.net
Tue Sep 18 21:31:23 UTC 2007
kalinix wrote:
> On Tue, 2007-09-18 at 14:45 -0500, Mike McCarty wrote:
>
>>Manuel Arostegui Ramirez wrote:
>>
>>>http://www.todo-linux.com/modules.php?name=News&file=article&sid=2485
>>>
>>
>>I followed that with a few modifications to make the chroot
>>environment look a little bit more like the natural environment.
>>One change I made was to put the jailed shell in
>>
>> /usr/local/bin/jail_shells/pajaro
>>
>>rather than in /bin/jail. This allows easy setup of different
>>users with jailed shells named for them. Another was to add
>>/home/pajaro/home/pajaro, so that the "home" directory shows
>>up in the chroot environment.
>>
>>I see some consequences which are somewhat different from the
>>"normal" environment.
>>
>>(1) I found that
>>
>> $ su - pajaro
>>
>>worked to log in, but not
>>
>> $ login
>> login: pajaro
>> Password:
>> Login incorrect
>>
>>(2) The user must enter his password twice when logging in,
>>once for the user and once for sudo to execute the chroot.
>>
>>(3) The user, though jailed, runs as root in the chroot
>>environment, not as himself
>>
>> bash-2.05b# whoami
>> whoami: cannot find username for UID 0
>>
>>(4) After the initial login, the current directory is
>>/, not $HOME.
>>
>> bash-2.05b# pwd
>> /
>> bash-2.05b# ls
>> bin home lib usr
>> bash-2.05b# cd
>> bash-2.05b# pwd
>> /home/pajaro
>> bash-2.05b#
>>
>>Mike
>>--
>>p="p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);}
>>Oppose globalization and One World Governments like the UN.
>>This message made from 100% recycled bits.
>>You have found the bank of Larn.
>>I can explain it for you, but I can't understand it for you.
>>I speak only for myself, and I am unanimous in that!
>>
>
> (just trying to be wiseguy :) )
I'd rather be a wise guy than a dumb guy.
I wasn't complaining, I was noting differences between the
environments. I had, perhaps naively, supposed that one could
create a chroot environment in which the user was jailed, but
couldn't otherwise tell the difference. Always running as a
user other than the login name is a pretty significant difference,
especially if the effective user is root.
> (1) I tested with same setup as in document and worked for me, of course
> with
Hmm. I wonder what the difference may be? I didn't log out
at any time, but I don't see how that would make any difference.
I also don't see how the modifications I made would cause "su -"
and "login" to behave differently.
> (2) two time password :) But I think you can override the sudo password
> with NOPASSWD in sudoers
I believe you are correct.
> (3) this is intended to, since you *sudo* chroot.
Hmm. Are you sure that this is the "intended effect"? I understand
why it happened.
> (4) actually you don't have a true login shell so the home directory
> in /etc/passwd means nothing. The PWD will be the one you chrooted to
It should be a login shell, if one uses login or su -. Also,
if you note, the cd I did transferred me to the $HOME directory
in the chroot'ed environment. So, it does mean SOMETHING.
> Not to mention that you can easily break out from that jail.
Would you care to elucidate?
> On the other hand I have noticed /etc/security/chroot.conf but never
> found an RH/Fedora/CentOS document about how to set it up. It looks like
> it is using a pam module, pam_chroot.so
Hmm. I have one like this...
$ cat /etc/security/chroot.conf
# /etc/security/chroot.conf
# format:
# username_regex chroot_dir
#matthew /home
I know next to nothing about chroot and PAM.
> In the meanwhile there is another chroot howto. Sorry again guys that is
> not Fedora related :D This time it is Debian.
I don't have a problem with information from whatever source.
> http://www.debian.org/doc/manuals/securing-debian-howto/ap-chroot-ssh-env.en.html
>
> You might be interested in the link it provides: chroot section of the
> Debian Reference
Thanks!
Mike
--
p="p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);}
Oppose globalization and One World Governments like the UN.
This message made from 100% recycled bits.
You have found the bank of Larn.
I can explain it for you, but I can't understand it for you.
I speak only for myself, and I am unanimous in that!
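Points (3) and (4) above, plus the chroot.conf layout Mike pasted, as an added C example that is not from the thread, the howto, or pam_chroot: a jail wrapper (meant to be started through sudo, as the linked setup does) that picks the jail directory from a constructed config sample, enters it, drops root to the real user, and starts a login shell in the jailed home. SAMPLE_CONF, lookup_chroot and enter_jail are my own names; "first matching line wins" and "the regex is used as written" are assumptions, not pam_chroot's documented rules.

```c
#define _GNU_SOURCE
#include <grp.h>
#include <pwd.h>
#include <regex.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
/* Constructed sample in the layout of the chroot.conf shown in the thread. */
static const char *SAMPLE_CONF =
    "# username_regex chroot_dir\n"
    "#matthew /home\n"
    "^pajaro$ /home/pajaro\n";
/* Find the jail for `user`: '#' lines are comments, first match wins, the
 * regex is used as written (assumption; anchor it in the config). Returns 1 on match. */
int lookup_chroot(const char *conf, const char *user, char *dir, size_t dirsz) {
    char *copy = strdup(conf), *save = NULL;
    int found = 0;
    for (char *line = strtok_r(copy, "\n", &save); line && !found;
         line = strtok_r(NULL, "\n", &save)) {
        char pat[256], path[512]; regex_t re;
        while (*line == ' ' || *line == '\t') line++;        /* skip indentation */
        if (*line == '#' || sscanf(line, "%255s %511s", pat, path) != 2) continue;
        if (regcomp(&re, pat, REG_EXTENDED | REG_NOSUB) != 0) continue;
        if (regexec(&re, user, 0, NULL, 0) == 0) {
            snprintf(dir, dirsz, "%s", path);
            found = 1;
        }
        regfree(&re);
    }
    free(copy);
    return found;
}
/* Enter the jail as the user instead of staying root (point (3)) and land in the
 * jailed home instead of "/" (point (4)). Order matters and every step is checked. */
int enter_jail(const char *dir, const char *home, uid_t uid, gid_t gid) {
    if (chroot(dir) != 0 || chdir(home) != 0) return -1;   /* home is relative to the new root */
    if (setgroups(0, NULL) != 0 || setgid(gid) != 0 || setuid(uid) != 0) return -1;
    if (setuid(0) == 0) return -1;   /* if root can be regained, refuse to continue */
    return 0;
}
int main(int argc, char **argv) {
    struct passwd *pw = argc == 2 ? getpwnam(argv[1]) : NULL;   /* run via sudo */
    char dir[512];
    if (!pw || !lookup_chroot(SAMPLE_CONF, pw->pw_name, dir, sizeof dir)) return 1;
    if (enter_jail(dir, pw->pw_dir, pw->pw_uid, pw->pw_gid) != 0) return 1;
    execl("/bin/bash", "-bash", (char *)NULL);   /* "-" prefix asks for a login shell */
    return 1;
}
```

With the host's /etc/passwd home of /home/pajaro, the chdir after chroot lands in /home/pajaro/home/pajaro, the directory Mike added, so `pwd` shows $HOME and `whoami` resolves to the user once the jail has its own passwd file.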