Intermediate Linux Skills – Creating A Jail Using chroot Part 2

15th November, 2016 by
In the previous part, we considered how we would use chroot to put a user in a shell with limited available applications. We got as far as configuring bash to run in our chroot jail. But another important command necessary for the chroot environment to work properly is su. So, to get started, you’ll need to repeat the process used for bash, and more.

Once you have repeated the process, you will end up with the following copies to make:

sudo cp /bin/su /fakeroot/bin/su

sudo cp /lib/x86_64-linux-gnu/libpam.so.0 /fakeroot/lib/x86_64-linux-gnu/libpam.so.0

sudo cp /lib/x86_64-linux-gnu/libpam_misc.so.0 /fakeroot/lib/x86_64-linux-gnu/libpam_misc.so.0

sudo cp /lib/x86_64-linux-gnu/libaudit.so.1 /fakeroot/lib/x86_64-linux-gnu/libaudit.so.1

You’ll find that su relies on more libraries than the ones we copy here. The others it requires have already been copied over for bash to work, so there’s no need to copy them again.

Jailing Users

Next we need to decide which users are going in this jail. For this example we’ll create a user named Bob.

sudo useradd bob

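Now, for the chroot shell to work, the user will need sudo access. So you’ll need to add them to the wheel group on CentOS/Red Hat or admin on Debian/Ubuntu systems. Since bob already exists, running useradd a second time would fail, so usermod is used to append the group:

sudo usermod -aG admin bob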

Once finished, we can complete building the rest of the chroot environment.

Copying Information to New Environments

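We’ll need to copy the user’s information in /etc/passwd, /etc/group and /etc/shadow to our new environment, and ensure root’s user and group are in there too. The redirection in a command of the form sudo cat file > target is performed by your own shell rather than by root, so the output is piped through sudo tee instead. The patterns are anchored to the start of the line so that only the bob and root entries match; in the group file, -w also keeps the groups that list bob as a member.

grep '^bob:' /etc/passwd | sudo tee /fakeroot/etc/passwd > /dev/null

grep '^root:' /etc/passwd | sudo tee -a /fakeroot/etc/passwd > /dev/null

grep -w bob /etc/group | sudo tee /fakeroot/etc/group > /dev/null

grep '^root:' /etc/group | sudo tee -a /fakeroot/etc/group > /dev/null

sudo grep '^bob:' /etc/shadow | sudo tee /fakeroot/etc/shadow > /dev/null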

You’ll need to repeat the bob steps for each user you are putting in the chroot environment, appending to the files rather than overwriting them.
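The account-file steps above can be done for several users in one pass. The function below is an added example, not the article's own commands; the name jail_accounts and its source and destination directory arguments are assumptions, chosen so it can be tried on copies of the files first.

```shell
#!/bin/sh
# Added example, not the article's own commands. SRC and DEST are parameters
# (an assumption) so the function can be tried on copies before touching /etc.

# jail_accounts SRC_ETC DEST_ETC USER...
# Writes passwd, group and shadow for root plus the named users into DEST_ETC.
jail_accounts() (
    src=$1; dest=$2; shift 2
    umask 077                                  # files start out private
    : > "$dest/passwd"; : > "$dest/shadow"; gids=""
    for u in root "$@"; do
        # Exact match on field 1: 'grep bob' would also copy 'bobby', and
        # 'grep root' would copy any account whose home is under /root.
        awk -F: -v u="$u" '$1 == u { print; f = 1 } END { exit !f }' \
            "$src/passwd" >> "$dest/passwd" ||
            { echo "jail_accounts: no such user: $u" >&2; exit 1; }
        gids="$gids $(awk -F: -v u="$u" '$1 == u { print $4 }' "$src/passwd")"
        # Like the article, root gets no shadow entry inside the jail.
        [ "$u" = root ] ||
            awk -F: -v u="$u" '$1 == u' "$src/shadow" >> "$dest/shadow"
    done
    # Keep each user's primary group plus groups they belong to, and trim
    # member lists to jailed users so other account names stay outside.
    awk -F: -v users="root $*" -v gids="$gids" '
        BEGIN { n = split(users, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1
                m = split(gids, g, " ");  for (i = 1; i <= m; i++) prim[g[i]] = 1 }
        { k = split($4, mem, ","); out = ""
          for (i = 1; i <= k; i++)
              if (mem[i] in want) out = out (out == "" ? "" : ",") mem[i]
          if (($3 in prim) || out != "") print $1 ":" $2 ":" $3 ":" out }
    ' "$src/group" > "$dest/group"
    chmod 644 "$dest/passwd" "$dest/group"     # readable for name lookups
    chmod 600 "$dest/shadow"                   # hashes readable by owner only
)
```

Against the live system it needs to run as root, with /etc and /fakeroot/etc as the two directories, because it reads /etc/shadow and writes into the jail.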

Next, we’ll create his new home directory:

sudo mkdir /fakeroot/home/bob

Now, we need to configure nsswitch.conf for the user, so we’ll start with copying the standard file over:

sudo cp /etc/nsswitch.conf /fakeroot/etc/nsswitch.conf

Next, you’ll need to edit the copied file. It contains a number of lines with different settings, such as “compat”, “db”, “files”, etc. Make sure all of the following options are set to “files”:

passwd

group

shadow

hosts

networks

protocols

services

ethers

rpc

netgroup

Save your changes and exit the file.

Pluggable Authentication Modules

Now we need to copy over the configuration files that PAM (Pluggable Authentication Modules) requires to authenticate our user:

sudo cp /etc/pam.d/common-account /fakeroot/etc/pam.d/

sudo cp /etc/pam.d/common-auth /fakeroot/etc/pam.d/

sudo cp /etc/pam.d/common-session /fakeroot/etc/pam.d/

sudo cp /etc/pam.d/su /fakeroot/etc/pam.d/

Now for some files that nsswitch and pam need to run:

sudo cp /lib/x86_64-linux-gnu/libnss_files.so.2 /fakeroot/lib/x86_64-linux-gnu/libnss_files.so.2

sudo cp /lib/x86_64-linux-gnu/libnss_compat.so.2 /fakeroot/lib/x86_64-linux-gnu/libnss_compat.so.2

sudo cp /lib/x86_64-linux-gnu/libnsl.so.1 /fakeroot/lib/x86_64-linux-gnu/libnsl.so.1

sudo cp -fa /lib/x86_64-linux-gnu/security /fakeroot/lib/x86_64-linux-gnu/security

Su Logins

Next, we need to set the log file for su logins. We’ll send the logs to a log file inside the chroot jail rather than having them go to syslog:

sudo nano /fakeroot/etc/login.defs

Now paste in the following line:

SULOG_FILE /var/log/sulog

Finally, save and exit the file, and the configuration of the chroot environment is done. All that remains is to configure the user to log into the chroot environment, which we’ll be looking at in our next part.
