In previous articles in the Intermediate Linux Skills series, we started looking at how we could create a limited jail using chroot to limit the applications that a user can run once they log into your server. In part 1, we looked at how to set up the applications to use the chroot environment In part 2, we performed the configuration required for the chroot environment to work. In this part, we’ll be covering how to set users up to for the chroot environment by default when logging in.
The first thing we need to do is create a script that puts the user in the chroot jail when they log in. We’ll call this jailshell and we’ll be putting it in /bin:
sudo nano /bin/jailshell
Paste the following lines in:
username=$(id -u -n)
sudo chroot /fakeroot /bin/su $username
Superuser And New Environment For Root User
Let’s have a quick look at what this command does. The chroot command needs to be run as superuser which is why the command starts with sudo. We are actually using chroot to make /fakeroot our new root directory. Unfortunately, chroot puts us in the new environment as the root user, so we then need to use the su command to change user to the username of the logged in user. We get the username of the user by using the id command on the line above. Save and exit the file once done, then you will need to make it executable:
sudo chmod 755 /bin/jailshell
Using The Jailshell
Now we need to make the user use this jailshell when they log in rather than being given a normal shell. This is done by editing the user’s entry in the /etc/passwd file. So we’ll open the file for editing:
sudo nano /etc/passwd
Now find the user’s entry in the file and change the end of the line from /bin/bash to /bin/jailshell, it should look something like this:
This means that when bob logs in, Linux will run /bin/jailshell for his shell and he’ll be placed within the chroot environment that we created. With the change made you can save and exit the file. Do note this needs to be done on the main system /etc/passwd, not on the /fakeroot directory.
Copying Files To The chroot Environment
Finally, we need to make sure that any files in the user’s home directory are copied over to their new home directory in the chroot environment:
sudo cp -fa /home/bob/ /fakeroot/home/bob/
With this done, it’s time to test that the chroot environment works by logging in as your jailed user. Once you log in you should see /bin has the limited number of applications that you have supplied and other commands should not be able to run.
We’ll finish with some final notes about this jail chroot environment. While this limits the applications that the user can run, it is possible for the user to use the applications they are given where possible to perform privilege escalation attacks and then gain access to the real filesystem root. For this reason you are best making sure that you only provide applications that the user definitely needs in order to use the shell rather than allowing most applications and just removing ones you don’t wish them to access. So it’s best to see the jailshell as a way of preventing the average user from doing anything stupid rather than a method of protecting user accounts from being used against your server if the user becomes compromised by a hacker.