[NCLUG] chroot login

Patrick Riedel patrick at riedel-us.com
Mon Feb 3 02:52:40 MST 2003


I'd like to constrain certain users to their home directories.  I've
tried several different methods, none are great/easy.  Maybe I'm missing
an obvious tool.  If so, please help!  :)

Here's what I've come up with.  Is this safe?  If not, how can it be
compromised?  TIA!

---

1.  Create a fake shell script (/bin/chrt-shell):

	#!/bin/bash
	#
	/usr/sbin/chroot /home/$USER /usr/bin/env -i HOME=/home \
		/bin/bash --login

2.  Make script executable:  chmod 755 /bin/chrt-shell

3.  Create a chroot group:  groupadd chrtgrp

4.  Make chroot SUID root for the chrtgrp:

	chgrp chrtgrp /usr/sbin/chroot
	chmod 4750 /usr/sbin/chroot

5.  Create user's home directory:

	mkdir /home/myuser
	mkdir /home/myuser/etc
	mkdir /home/myuser/dev
	mkdir /home/myuser/bin
	mkdir /home/myuser/lib
	mkdir /home/myuser/usr
	mkdir /home/myuser/usr/bin
	mkdir /home/myuser/home
	(etc., etc.)

6.  Add user, add to chrtgrp, set password, take ownership of home
directory:

	useradd -d /home/myuser -G chrtgrp -M -s /bin/chrt-shell myuser
	passwd myuser
	chown myuser:myuser /home/myuser/home
7.  Copy necessary binaries and libraries.  Example:

	(bash):		cp /bin/bash /home/myuser/bin/
			ldd /bin/bash  (and cp libs to /home/myuser/lib)

	(utilities):	cd /bin
			cp ls cp mv rm grep more /home/myuser/bin/
			cd /usr/bin
			cp less /home/myuser/bin/
			ldd <util>  (and copy libs to /home/myuser/lib)
			(etc., etc.)

	(env):		cp /usr/bin/env /home/myuser/usr/bin/
			ldd /usr/bin/env  (cp libs to /home/myuser/lib)

---

I can probably save time in Step 5 by using the /etc/skel dir, but I'm
not familiar with that yet.

Thanks again for any help.


Patrick
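Steps 5 through 7 of the post, automated and checked, as an added example that is not part of the original message: a POSIX sh helper that copies a binary plus every shared library ldd reports for it into the jail, and an audit function that tests the finished jail against three rules a chroot login depends on (jail root not owned or writable by the jailed user, nothing user-owned outside the jail's home, no set-uid or set-gid files inside). The names jail_install and jail_audit are hypothetical; the jail path and the numeric uid are whatever the caller passes.

```shell
#!/bin/sh
# Added example, not from the original post. jail_install and jail_audit are
# hypothetical helper names; JAIL is the directory handed to chroot
# (/home/myuser in the post) and UID is the numeric id of the jailed user.

# jail_install JAIL BINARY
# Copy BINARY into JAIL at the same path, together with every shared library
# ldd reports for it. This automates the "ldd ... and cp libs" part of step 7.
jail_install() {
    jail=$1 bin=$2
    [ -x "$bin" ] || { echo "jail_install: $bin is not executable" >&2; return 1; }
    mkdir -p "$jail$(dirname "$bin")" && cp "$bin" "$jail$bin" || return 1
    # ldd lines look like "libc.so.6 => /lib/libc.so.6 (0x...)" or
    # "/lib64/ld-linux-x86-64.so.2 (0x...)"; keep only the absolute paths.
    # ldd may run the binary's dynamic loader, so feed it trusted system
    # binaries only (the ones copied in step 7 are).
    for lib in $(ldd "$bin" 2>/dev/null |
                 awk '{ p = ($2 == "=>") ? $3 : $1; if (p ~ /^\//) print p }'); do
        mkdir -p "$jail$(dirname "$lib")" && cp "$lib" "$jail$lib" || return 1
    done
}

# jail_audit JAIL UID
# Return 0 when the jail layout meets three rules a chroot login depends on,
# otherwise print what is wrong and return 1:
#   1. the jail root is not owned by the jailed user and is not group- or
#      world-writable (a root-owned 0755 directory, as step 5 creates, passes);
#   2. the jailed user owns nothing under JAIL except JAIL/home (step 6);
#   3. no file inside the jail is set-uid or set-gid (the copies made in
#      step 7 should all be plain 0755 binaries).
jail_audit() {
    jail=$1 uid=$2 rc=0
    set -- $(ls -ldn "$jail")       # fields: mode links owner-uid group-gid ...
    mode=$1 owner=$3
    if [ "$owner" = "$uid" ]; then
        echo "jail root $jail is owned by the jailed uid $uid"; rc=1
    fi
    case $mode in                   # char 6 = group write, char 9 = other write
        ?????w*|????????w*) echo "jail root $jail is group- or world-writable ($mode)"; rc=1 ;;
    esac
    stray=$(find "$jail" -path "$jail/home" -prune -o -user "$uid" -print)
    if [ -n "$stray" ]; then
        echo "jailed uid $uid owns files outside $jail/home:"; echo "$stray"; rc=1
    fi
    suid=$(find "$jail" -type f \( -perm -4000 -o -perm -2000 \) -print)
    if [ -n "$suid" ]; then
        echo "set-uid/set-gid files inside the jail:"; echo "$suid"; rc=1
    fi
    return $rc
}

# Command-line use: jail-tools.sh install JAIL BINARY | audit JAIL UID
case ${1-} in
    install) jail_install "$2" "$3" ;;
    audit)   jail_audit "$2" "$3" ;;
esac
```

For the post's layout, run as root after steps 5 and 6: `jail_install /home/myuser /bin/bash` for each binary in step 7, then `jail_audit /home/myuser "$(id -u myuser)"` before handing the account out. The audit takes a numeric uid rather than a name so it works for jails whose user is not in the host passwd file, and it checks ownership and mode with `ls -ldn` and plain `find` primaries so it runs the same under GNU and BusyBox tools.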



