CHROOT Tutorial?

Mike McCarty Mike.McCarty at sbcglobal.net
Tue Sep 18 21:31:23 UTC 2007


kalinix wrote:
> On Tue, 2007-09-18 at 14:45 -0500, Mike McCarty wrote:
> 
>>Manuel Arostegui Ramirez wrote:
>>
>>>http://www.todo-linux.com/modules.php?name=News&file=article&sid=2485
>>>
>>
>>I followed that with a few modifications to make the chroot
>>environment look a little bit more like the natural environment.
>>One change I made was to put the jailed shell in
>>
>>	/usr/local/bin/jail_shells/pajaro
>>
>>rather than in /bin/jail. This allows easy setup of different
>>users with jailed shells named for them. Another was to add
>>/home/pajaro/home/pajaro, so that the "home" directory shows
>>up in the chroot environment.
>>
>>I see some consequences which are somewhat different from the
>>"normal" environment.
>>
>>(1) I found that
>>
>>	$ su - pajaro
>>
>>worked to log in, but not
>>
>>	$ login
>>	login: pajaro
>>	Password:
>>	Login incorrect
>>
>>(2) The user must enter his password twice when logging in,
>>once for the user and once for sudo to execute the chroot.
>>
>>(3) The user, though jailed, runs as root in the chroot
>>environment, not as himself
>>
>>	bash-2.05b# whoami
>>	whoami: cannot find username for UID 0
>>
>>(4) After the initial login, the current directory is
>>/, not $HOME.
>>
>>	bash-2.05b# pwd
>>	/
>>	bash-2.05b# ls
>>	bin  home  lib  usr
>>	bash-2.05b# cd
>>	bash-2.05b# pwd
>>	/home/pajaro
>>	bash-2.05b#
>>
>>Mike
>>-- 
>>p="p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);}
>>Oppose globalization and One World Governments like the UN.
>>This message made from 100% recycled bits.
>>You have found the bank of Larn.
>>I can explain it for you, but I can't understand it for you.
>>I speak only for myself, and I am unanimous in that!
>>
> 
> (just trying to be wiseguy :) )

I'd rather be a wise guy than a dumb guy.

I wasn't complaining, I was noting differences between the
environments. I had, perhaps naively, supposed that one could
create a chroot environment in which the user was jailed, but
couldn't otherwise tell the difference. Always running as a
user other than the login name is a pretty significant difference,
especially if the effective user is root.

> (1) I tested with same setup as in document and worked for me, of course
> with

Hmm. I wonder what the difference may be? I didn't log out
at any time, but I don't see how that would make any difference.
I also don't see how the modifications I made would cause "su -"
and "login" to behave differently.

> (2) two time password :) But I think you can override the sudo password
> with NOPASSWD in sudoers

I believe you are correct.

> (3) this is intended to, since you *sudo* chroot.

Hmm. Are you sure that this is the "intended effect"? I understand
why it happened.

> (4) actually you don't have a true login shell so the home directory
> in /etc/passwd means nothing. The PWD will be the one you chrooted to

It should be a login shell, if one uses login or su -.  Also,
if you note, the cd I did transferred me to the $HOME directory
in the chroot'ed environment. So, it does mean SOMETHING.

> Not to mention that you can easily break out from that jail.

Would you care to elucidate?

> On the other hand I have noticed /etc/security/chroot.conf but never
> found an RH/Fedora/CentOS document about how to set it up. It looks like
> it is using a PAM module, pam_chroot.so

Hmm. I have one like this...

$ cat /etc/security/chroot.conf
# /etc/security/chroot.conf
# format:
# username_regex        chroot_dir
#matthew                /home

I know next to nothing about chroot and PAM.

> In the meanwhile there is another chroot howto. Sorry again guys that is
> not Fedora related :D This time it is Debian.

I don't have a problem with information from whatever source.

> http://www.debian.org/doc/manuals/securing-debian-howto/ap-chroot-ssh-env.en.html
> 
> You might be interested in the link it provides: chroot section of the
> Debian Reference

Thanks!

Mike
-- 
p="p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);}
Oppose globalization and One World Governments like the UN.
This message made from 100% recycled bits.
You have found the bank of Larn.
I can explain it for you, but I can't understand it for you.
I speak only for myself, and I am unanimous in that!
