[NCLUG] chroot login

M Butcher mbutcher at aleph-null.tv
Mon Feb 3 09:12:22 MST 2003


Have you looked at running bash in restricted mode? It is built for the
sort of thing that I think you are trying to do. I've used it in the
past to give operators the ability to log in and use (only) the tools in
their home directories.

See the section RESTRICTED SHELL in the bash man page.

Matt

On Mon, 2003-02-03 at 02:52, Patrick Riedel wrote:
> I'd like to constrain certain users to their home directories.  I've
> tried several different methods, none are great/easy.  Maybe I'm missing
> an obvious tool.  If so, please help!  :)
> 
> Here's what I've come up with.  Is this safe?  If not, how can it be
> compromised?  TIA!
> 
> ---
> 
> 1.  Create a fake shell script (/bin/chrt-shell):
> 
> 	#!/bin/bash
> 	#
> 	/usr/sbin/chroot /home/$USER /usr/bin/env -i HOME=/home \
> 		/bin/bash --login
> 
> 2.  Make script executable:  chmod 755 /bin/chrt-shell
> 
> 3.  Create a chroot group:  groupadd chrtgrp
> 
> 4.  Make chroot SUID root for the chrtgrp:
> 
> 	chgrp chrtgrp /usr/sbin/chroot
> 	chmod 4750 /usr/sbin/chroot
> 
> 5.  Create user's home directory:
> 
> 	mkdir /home/myuser
> 	mkdir /home/myuser/etc
> 	mkdir /home/myuser/dev
> 	mkdir /home/myuser/bin
> 	mkdir /home/myuser/lib
> 	mkdir /home/myuser/usr
> 	mkdir /home/myuser/usr/bin
> 	mkdir /home/myuser/home
> 	(etc., etc.)
> 
> 6.  Add user, add to chrtgrp, set password, take ownership of home
> directory:
> 
> 	useradd -d /home/myuser -G chrtgrp -M -s /bin/chrt-shell myuser
> 	passwd myuser
> 	chown myuser:myuser /home/myuser/home
> 	
> 7.  Copy necessary binaries and libraries.  Example:
> 
> 	(bash):		cp /bin/bash /home/myuser/bin/
> 			ldd /bin/bash  (and cp libs to /home/myuser/lib)
> 
> 	(utilities):	cd /bin
> 			cp ls cp mv rm grep more /home/myuser/bin/
> 			cd /usr/bin
> 			cp less
> 			ldd <util>  (and copy libs to /home/myuser/lib)
> 			(etc., etc.)
> 
> 	(env):		cp /usr/bin/env /home/myuser/usr/bin/
> 			ldd /usr/bin/env  (cp libs to /home/myuser/lib)
> 
> ---
> 
> I can probably save time in Step 5 by using the /etc/skel dir, but I'm
> not familiar with that yet.
> 
> Thanks again for any help.
> 
> 
> Patrick
> 
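As an added illustration of the restricted-shell route Matt suggests (this is not code from either poster): a POSIX shell function that stages a home directory for an rbash login, with only the named commands symlinked into $HOME/bin and a read-only .bash_profile that pins PATH there. The staging root, the user name and the command list are assumptions for the example; the real install (useradd -s /bin/rbash, chown root on the profile) is left to the administrator, and restricted mode only holds if none of the allowed commands can itself start an unrestricted shell or run arbitrary programs, which is the first thing to review in the staged $HOME/bin.

```shell
#!/bin/sh
# Stage a restricted-bash (rbash) home for one user under a staging
# root (hypothetical; "/" on the real box) so it can be reviewed
# before installation.  Only the commands passed as arguments become
# reachable: each is symlinked into $HOME/bin, and the profile sets
# PATH to that directory alone.  rbash forbids changing PATH, cd,
# and output redirection once the profile has run, so the profile
# itself is made read-only; on the real system it must also be
# owned by root, which this unprivileged staging step cannot do.
stage_rbash_home() {
  root=$1 user=$2
  shift 2
  home="$root/home/$user"
  mkdir -p "$home/bin" || return 1
  for cmd in "$@"; do
    # Resolve the command on the host; fail loudly on a typo rather
    # than silently leaving a dangling link in the user's PATH.
    target=$(command -v "$cmd") || return 1
    ln -sf "$target" "$home/bin/$cmd" || return 1
  done
  # Quoted heredoc: $HOME is expanded by rbash at login, not here.
  cat > "$home/.bash_profile" <<'EOF'
# Installed by the administrator; do not edit.
PATH=$HOME/bin
export PATH
EOF
  chmod 0444 "$home/.bash_profile" || return 1
  printf '%s\n' "$home"
}

# Count the commands exposed to the user: a quick audit figure for
# the reviewer before the useradd step.
count_allowed_cmds() {
  n=0
  for f in "$1"/bin/*; do
    [ -L "$f" ] && n=$((n + 1))
  done
  printf '%s\n' "$n"
}
```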
