CHROOT Tutorial?

kalinix calin.kalinix.cosma at gmail.com
Tue Sep 18 23:04:07 UTC 2007


On Tue, 2007-09-18 at 16:31 -0500, Mike McCarty wrote:
> kalinix wrote:
> > On Tue, 2007-09-18 at 14:45 -0500, Mike McCarty wrote:
> > 
> >>Manuel Arostegui Ramirez wrote:
> >>
> >>>http://www.todo-linux.com/modules.php?name=News&file=article&sid=2485
> >>>
> >>
> >>I followed that with a few modifications to make the chroot
> >>environment look a little bit more like the natural environment.
> >>One change I made was to put the jailed shell in
> >>
> >>	/usr/local/bin/jail_shells/pajaro
> >>
> >>rather than in /bin/jail. This allows easy setup of different
> >>users with jailed shells named for them. Another was to add
> >>/home/pajaro/home/pajaro, so that the "home" directory shows
> >>up in the chroot environment.
> >>
> >>I see some consequences which are somewhat different from the
> >>"normal" environment.
> >>
> >>(1) I found that
> >>
> >>	$ su - pajaro
> >>
> >>worked to log in, but not
> >>
> >>	$ login
> >>	login: pajaro
> >>	Password:
> >>	Login incorrect
> >>
> >>(2) The user must enter his password twice when logging in,
> >>once for the user and once for sudo to execute the chroot.
> >>
> >>(3) The user, though jailed, runs as root in the chroot
> >>environment, not as himself
> >>
> >>	bash-2.05b# whoami
> >>	whoami: cannot find username for UID 0
> >>
> >>(4) After the initial login, the current directory is
> >>/, not $HOME.
> >>
> >>	bash-2.05b# pwd
> >>	/
> >>	bash-2.05b# ls
> >>	bin  home  lib  usr
> >>	bash-2.05b# cd
> >>	bash-2.05b# pwd
> >>	/home/pajaro
> >>	bash-2.05b#
> >>
> >>Mike
> >>-- 
> >>p="p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);}
> >>Oppose globalization and One World Governments like the UN.
> >>This message made from 100% recycled bits.
> >>You have found the bank of Larn.
> >>I can explain it for you, but I can't understand it for you.
> >>I speak only for myself, and I am unanimous in that!
> >>
> > 
> > (just trying to be wiseguy :) )
> 
> I'd rather be a wise guy than a dumb guy.
> 
> I wasn't complaining, I was noting differences between the
> environments. I had, perhaps naively, supposed that one could
> create a chroot environment in which the user was jailed, but
> couldn't otherwise tell the difference. Always running as a
> user other than the login name is a pretty significant difference,
> especially if the effective user is root.
> 
> > (1) I tested with same setup as in document and worked for me, of course
> > with
> 
> Hmm. I wonder what the difference may be? I didn't log out
> at any time, but I don't see how that would make any difference.
> I also don't see how the modifications I made would cause "su -"
> and "login" to behave differently.
> 
> > (2) two time password :) But I think you can override the sudo password
> > with NOPASSWD in sudoers
> 
> I believe you are correct.
> 
> > (3) this is intended to, since you *sudo* chroot.
> 
> Hmm. Are you sure that this is the "intended effect"? I understand
> why it happened.
> 
> > (4) actually you don't have a true login shell so the home directory
> > in /etc/passwd means nothing. The PWD will be the one you chrooted to
> 
> It should be a login shell, if one uses login or su -.  Also,
> if you note, the cd I did transferred me to the $HOME directory
> in the chroot'ed environment. So, it does mean SOMETHING.

It's a long debate... the simplest way to check is 'shopt'. If
login_shell is on then you are in a login shell... Mine is off.
As for $HOME I guess you're right, although if I try cd I get an error.
Maybe I should have an /etc/passwd in chrooted env.

> 
> > Not to mention that you can easily break out from that jail.
> 
> Would you care to elucidate?
> 

It's not trivial, but still, a skilled person could do it:

http://www.unixwiz.net/techtips/chroot-practices.html

http://www.bpfh.net/simes/computing/chroot-break.html

A little bit outdated, but I'm pretty sure there are many howtos out
there waiting to be read :D

> > On the other hand I have noticed /etc/security/chroot.conf but never
> > found an RH/Fedora/CentOS document about how to set it up. It looks like
> > it is using a PAM module, pam_chroot.so
> 
> Hmm. I have one like this...
> 
> $ cat /etc/security/chroot.conf
> # /etc/security/chroot.conf
> # format:
> # username_regex        chroot_dir
> #matthew                /home
> 
> I know next to nothing about chroot and PAM.
> 
> > In the meanwhile there is another chroot howto. Sorry again, guys, that it
> > is not Fedora related :D This time it is Debian.
> 
> I don't have a problem with information from whatever source.
> 
> > http://www.debian.org/doc/manuals/securing-debian-howto/ap-chroot-ssh-env.en.html
> > 
> > You might be interested in the link it provides: chroot section of the
> > Debian Reference
> 
> Thanks!
> 
> Mike
> 




Calin

=================================================
The price of seeking to force our beliefs on others is that someday they
might force their beliefs on us. -- Mario Cuomo
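
The differences discussed in this thread (whoami unable to name UID 0, a bare cd failing, the jailed shell running as root) can be checked from the host before anyone logs in. The script below is an added example, not part of the original messages or of the linked tutorials; the function names and the sample tree are assumptions, with the layout borrowed from the /home/pajaro jail described above.

```shell
#!/bin/sh
# Added example: audit a chroot jail tree from the host, without entering it.
# The layout mirrors the thread (jail root /home/pajaro, $HOME /home/pajaro);
# function names and the sample tree are assumptions made for this example.

# Print the jail's own passwd line for a numeric UID; fail if there is none.
jail_passwd_entry() {   # $1 = jail root, $2 = numeric UID
    [ -r "$1/etc/passwd" ] || return 1
    awk -F: -v uid="$2" '$3 == uid { print; found = 1; exit }
                         END { exit !found }' "$1/etc/passwd"
}

# Print one FINDING line per problem; exit status is the number of findings.
audit_jail() {          # $1 = jail root, $2 = UID the shell runs as, $3 = $HOME
    jail=$1 uid=$2 home=$3 findings=0
    # whoami resolves the UID through the passwd file it can see, i.e. the jail's.
    if ! jail_passwd_entry "$jail" "$uid" >/dev/null; then
        echo "FINDING: no entry for UID $uid in $jail/etc/passwd (whoami cannot name it)"
        findings=$((findings + 1))
    fi
    # A bare 'cd' goes to $HOME, which must exist relative to the new root.
    if [ ! -d "$jail$home" ]; then
        echo "FINDING: $home does not exist under $jail (bare 'cd' fails)"
        findings=$((findings + 1))
    fi
    # 'sudo chroot' leaves the shell at UID 0, and chroot does not confine root.
    if [ "$uid" -eq 0 ]; then
        echo "FINDING: jailed shell runs as UID 0; the jail is not a security boundary"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Constructed sample: a jail like Mike's, with home/pajaro but no etc/passwd.
sample=$(mktemp -d)
mkdir -p "$sample/home/pajaro" "$sample/bin"
audit_jail "$sample" 0 /home/pajaro || echo "findings: $?"
rm -rf "$sample"
```
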



