
Re: CHROOT Tutorial?



kalinix wrote:
On Tue, 2007-09-18 at 14:45 -0500, Mike McCarty wrote:

Manuel Arostegui Ramirez wrote:

http://www.todo-linux.com/modules.php?name=News&file=article&sid=2485


I followed that with a few modifications to make the chroot
environment look a little bit more like the natural environment.
One change I made was to put the jailed shell in

	/usr/local/bin/jail_shells/pajaro

rather than in /bin/jail. This allows easy setup of different
users with jailed shells named for them. Another was to add
/home/pajaro/home/pajaro, so that the "home" directory shows
up in the chroot environment.

I see some consequences which are somewhat different from the
"normal" environment.

(1) I found that

	$ su - pajaro

worked to log in, but not

	$ login
	login: pajaro
	Password:
	Login incorrect

(2) The user must enter his password twice when logging in,
once for the user and once for sudo to execute the chroot.

(3) The user, though jailed, runs as root in the chroot
environment, not as himself

	bash-2.05b# whoami
	whoami: cannot find username for UID 0

(4) After the initial login, the current directory is
/, not $HOME.

	bash-2.05b# pwd
	/
	bash-2.05b# ls
	bin  home  lib  usr
	bash-2.05b# cd
	bash-2.05b# pwd
	/home/pajaro
	bash-2.05b#

Mike
--
p="p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);}
Oppose globalization and One World Governments like the UN.
This message made from 100% recycled bits.
You have found the bank of Larn.
I can explain it for you, but I can't understand it for you.
I speak only for myself, and I am unanimous in that!


(just trying to be wiseguy :) )

I'd rather be a wise guy than a dumb guy.

I wasn't complaining, I was noting differences between the
environments. I had, perhaps naively, supposed that one could
create a chroot environment in which the user was jailed, but
couldn't otherwise tell the difference. Always running as a
user other than the login name is a pretty significant difference,
especially if the effective user is root.

(1) I tested with the same setup as in the document and it worked for me, of course
with

Hmm. I wonder what the difference may be? I didn't log out
at any time, but I don't see how that would make any difference.
I also don't see how the modifications I made would cause "su -"
and "login" to behave differently.

(2) two-time password :) But I think you can override the sudo password
with NOPASSWD in sudoers

I believe you are correct.

(3) this is intended, since you *sudo* chroot.

Hmm. Are you sure that this is the "intended effect"? I understand
why it happened.

(4) actually you don't have a true login shell, so the home directory
in /etc/passwd means nothing. The PWD will be the one you chrooted to.

It should be a login shell, if one uses login or su -. Also,
if you note, the cd I did transferred me to the $HOME directory
in the chroot'ed environment. So, it does mean SOMETHING.

Not to mention that you can easily break out from that jail.

Would you care to elucidate?

On the other hand I have noticed /etc/security/chroot.conf but never
found an RH/Fedora/CentOS document about how to set it up. It looks like
it is using a PAM module, pam_chroot.so

Hmm. I have one like this...

$ cat /etc/security/chroot.conf
# /etc/security/chroot.conf
# format:
# username_regex        chroot_dir
#matthew                /home

I know next to nothing about chroot and PAM.

In the meanwhile there is another chroot howto. Sorry again, guys, that it is
not Fedora related :D This time it is Debian.

I don't have a problem with information from whatever source.

http://www.debian.org/doc/manuals/securing-debian-howto/ap-chroot-ssh-env.en.html

You might be interested in the link it provides: chroot section of the
Debian Reference

Thanks!

Mike
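As an added example (not code from this thread or from the linked tutorials), here is the shape of a small setuid-root jail shell that addresses points (3) and (4) without sudo: it enters the jail as root, then permanently drops to the invoking user's uid/gid, checks that root cannot be regained, and starts a login shell in that user's home inside the jail. It assumes the layout from the thread (jail rooted at /home/pajaro with its own /bin/bash and /home/pajaro) and would be installed root-owned and setuid as the user's login shell in place of the sudo chroot script.

```c
#define _GNU_SOURCE
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Assumed from the thread: the jail for user "pajaro" is rooted at /home/pajaro. */
static const char *jail_root = "/home/pajaro";

/* Give up root permanently: groups, then gid, then uid (once the uid is
 * unprivileged, groups and gid can no longer be changed). 0 ok, -1 error. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(0, NULL) != 0)  /* only root may clear groups */
        return -1;
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    /* Verify the drop is irreversible: regaining uid 0 must now fail. */
    if (uid != 0 && setuid(0) == 0)
        return -1;
    return 0;
}

/* Enter the jail as root, drop to the caller, start a login shell in its home.
 * Only returns on error (exec replaces the process on success). */
int enter_jail(uid_t uid, gid_t gid, const char *home)
{
    if (chroot(jail_root) != 0 || chdir("/") != 0)  /* cwd must be inside the jail */
        return -1;
    if (drop_privileges(uid, gid) != 0)  /* point (3): no longer root inside */
        return -1;
    if (chdir(home) != 0)                /* point (4): start in $HOME, not / */
        return -1;
    setenv("HOME", home, 1);
    execl("/bin/bash", "-bash", (char *)NULL);  /* argv[0] "-bash" = login shell */
    return -1;
}

int main(void)
{
    uid_t uid = getuid();  /* real uid: the user who invoked the setuid-root wrapper */
    struct passwd *pw = getpwuid(uid);
    if (pw == NULL) { fprintf(stderr, "unknown uid %u\n", (unsigned)uid); return 1; }
    /* pw_dir is /home/pajaro; inside the jail that is the host's /home/pajaro/home/pajaro. */
    if (enter_jail(pw->pw_uid, pw->pw_gid, pw->pw_dir) != 0)
        perror("jail");
    return 1;
}
```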

