CHROOT Tutorial?
kalinix
calin.kalinix.cosma at gmail.com
Tue Sep 18 23:04:07 UTC 2007
On Tue, 2007-09-18 at 16:31 -0500, Mike McCarty wrote:
> kalinix wrote:
> > On Tue, 2007-09-18 at 14:45 -0500, Mike McCarty wrote:
> >
> >>Manuel Arostegui Ramirez wrote:
> >>
> >>>http://www.todo-linux.com/modules.php?name=News&file=article&sid=2485
> >>>
> >>
> >>I followed that with a few modifications to make the chroot
> >>environment look a little bit more like the natural environment.
> >>One change I made was to put the jailed shell in
> >>
> >> /usr/local/bin/jail_shells/pajaro
> >>
> >>rather than in /bin/jail. This allows easy setup of different
> >>users with jailed shells named for them. Another was to add
> >>/home/pajaro/home/pajaro, so that the "home" directory shows
> >>up in the chroot environment.
> >>
> >>I see some consequences which are somewhat different from the
> >>"normal" environment.
> >>
> >>(1) I found that
> >>
> >> $ su - pajaro
> >>
> >>worked to log in, but not
> >>
> >> $ login
> >> login: pajaro
> >> Password:
> >> Login incorrect
> >>
> >>(2) The user must enter his password twice when logging in,
> >>once for the user and once for sudo to execute the chroot.
> >>
> >>(3) The user, though jailed, runs as root in the chroot
> >>environment, not as himself
> >>
> >> bash-2.05b# whoami
> >> whoami: cannot find username for UID 0
> >>
> >>(4) After the initial login, the current directory is
> >>/, not $HOME.
> >>
> >> bash-2.05b# pwd
> >> /
> >> bash-2.05b# ls
> >> bin home lib usr
> >> bash-2.05b# cd
> >> bash-2.05b# pwd
> >> /home/pajaro
> >> bash-2.05b#
> >>
> >>Mike
> >>--
> >>p="p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);}
> >>Oppose globalization and One World Governments like the UN.
> >>This message made from 100% recycled bits.
> >>You have found the bank of Larn.
> >>I can explain it for you, but I can't understand it for you.
> >>I speak only for myself, and I am unanimous in that!
> >>
> >
> > (just trying to be wiseguy :) )
>
> I'd rather be a wise guy than a dumb guy.
>
> I wasn't complaining, I was noting differences between the
> environments. I had, perhaps naively, supposed that one could
> create a chroot environment in which the user was jailed, but
> couldn't otherwise tell the difference. Always running as a
> user other than the login name is a pretty significant difference,
> especially if the effective user is root.
>
> > (1) I tested with same setup as in document and worked for me, of course
> > with
>
> Hmm. I wonder what the difference may be? I didn't log out
> at any time, but I don't see how that would make any difference.
> I also don't see how the modifications I made would cause "su -"
> and "login" to behave differently.
>
> > (2) two time password :) But I think you can override the sudo password
> > with NOPASSWD in sudoers
>
> I believe you are correct.
>
> > (3) this is intended to, since you *sudo* chroot.
>
> Hmm. Are you sure that this is the "intended effect". I understand
> why it happened.
>
> > (4) actually you don't have a true login shell so the home directory
> > in /etc/passwd means nothing. The PWD will be the one you chrooted to
>
> It should be a login shell, if one uses login or su -. Also,
> if you note, the cd I did transferred me to the $HOME directory
> in the chroot'ed environment. So, it does mean SOMETHING.
It's a long debate... the simplest way to check is 'shopt'. If
login_shell is on then you are in a login shell... Mine is off.
As for $HOME I guess you're right, although if I try cd I get an error.
Maybe I should have an /etc/passwd in chrooted env.
>
> > Not to mention that you can easily break out from that jail.
>
> Would you care to elucidate?
>
It's not trivial, but still, a skilled person could do it:
http://www.unixwiz.net/techtips/chroot-practices.html
http://www.bpfh.net/simes/computing/chroot-break.html
A little bit outdated, but I'm pretty sure there are many howtos out
there waiting to be read :D
> > On the other hand I have noticed /etc/security/chroot.conf but never
> > found an RH/Fedora/CentOS document about how to set it up. It looks like
> > it is using a pam module, pam_chroot.so
>
> Hmm. I have one like this...
>
> $ cat /etc/security/chroot.conf
> # /etc/security/chroot.conf
> # format:
> # username_regex chroot_dir
> #matthew /home
>
> I know next to nothing about chroot and PAM.
>
> > In the meanwhile there is another chroot howto. Sorry again, guys, that
> > it is not Fedora related :D This time it is Debian.
>
> I don't have a problem with information from whatever source.
>
> > http://www.debian.org/doc/manuals/securing-debian-howto/ap-chroot-ssh-env.en.html
> >
> > You might be interested in the link it provides: chroot section of the
> > Debian Reference
>
> Thanks!
>
> Mike
> --
> p="p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);}
> Oppose globalization and One World Governments like the UN.
> This message made from 100% recycled bits.
> You have found the bank of Larn.
> I can explain it for you, but I can't understand it for you.
> I speak only for myself, and I am unanimous in that!
>
Calin
=================================================
The price of seeking to force our beliefs on others is that someday they
might force their beliefs on us. -- Mario Cuomo
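The wrapper below is an added example written for this page; it is not code from the thread, from the todo-linux howto or from pam_chroot. It addresses the two points argued above: item (3), the user ending up as UID 0 inside the jail because the shell is started via "sudo chroot", and item (4), the shell starting in / rather than $HOME. It resolves the user against the host passwd before calling chroot(2) (inside the jail only the jail's own etc/passwd is visible, which is why whoami could not resolve UID 0), enters the jail, chdirs to the home directory as seen from inside it, then permanently drops to the user's uid/gid and refuses to continue if the drop fails or root can be regained. The jail map uses the "username_regex chroot_dir" layout of /etc/security/chroot.conf shown in the thread, but is read from an embedded, constructed sample rather than the real file; treating the first column as a POSIX extended regex anchored to the whole user name is my assumption about pam_chroot's matching, and the names lookup_jail, jail_for, drop_privileges, SAMPLE_CONF and the /bin/bash default are mine. It has to be started as root (chroot needs CAP_SYS_CHROOT), and it does not change the caveat raised in the thread: a chroot is not a hard boundary for a process that keeps root, which is exactly why the privileges are dropped before exec.

```c
#define _GNU_SOURCE
#include <grp.h>
#include <pwd.h>
#include <regex.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* Constructed sample in the /etc/security/chroot.conf layout from the
 * thread ("username_regex chroot_dir"); not a real file. */
static const char SAMPLE_CONF[] =
    "# /etc/security/chroot.conf\n"
    "# format:\n"
    "# username_regex chroot_dir\n"
    "#matthew /home\n"
    "pajaro /home/pajaro\n"
    "guest[0-9]+ /srv/guestjail\n";

/* Jail directory for `user`: the first non-comment line whose regex
 * (POSIX extended, anchored to the whole name; an assumption about
 * pam_chroot) matches. Returns out, or NULL when no line matches. */
const char *lookup_jail(const char *conf, const char *user, char *out, size_t n) {
    char *copy = strdup(conf), *save = NULL, *line;
    const char *result = NULL;
    for (line = strtok_r(copy, "\n", &save); line && !result;
         line = strtok_r(NULL, "\n", &save)) {
        char pat[128], dir[4096], anchored[160];
        if (line[0] == '#' || sscanf(line, "%127s %4095s", pat, dir) != 2)
            continue;
        snprintf(anchored, sizeof anchored, "^(%s)$", pat);
        regex_t re;
        if (regcomp(&re, anchored, REG_EXTENDED | REG_NOSUB) != 0)
            continue;
        if (regexec(&re, user, 0, NULL, 0) == 0 && strlen(dir) < n) {
            strcpy(out, dir);
            result = out;
        }
        regfree(&re);
    }
    free(copy);
    return result;
}

/* Convenience lookup against the embedded sample map. */
const char *jail_for(const char *user) {
    static char buf[4096];
    return lookup_jail(SAMPLE_CONF, user, buf, sizeof buf);
}

/* Permanently give up root. Refuses uid/gid 0, which would leave the user
 * as root inside the jail (item 3). Returns 0 on success, -1 on failure. */
int drop_privileges(uid_t uid, gid_t gid) {
    if (uid == 0 || gid == 0)
        return -1;
    /* order matters: supplementary groups first, then gid, then uid */
    if (getuid() == 0 && setgroups(0, NULL) != 0)
        return -1;
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    /* fail closed: if root can still be regained, the drop did not stick */
    if (setuid(0) == 0)
        return -1;
    return 0;
}

int main(int argc, char **argv) {
    if (argc < 2) {
        fprintf(stderr, "usage: %s user [shell]\n", argv[0]);
        return 2;
    }
    const char *user = argv[1];
    const char *shell = argc > 2 ? argv[2] : "/bin/bash";
    /* resolve with the host's passwd before chroot hides it */
    struct passwd *pw = getpwnam(user);
    if (!pw) { fprintf(stderr, "unknown user %s\n", user); return 1; }
    const char *jail = jail_for(user);
    if (!jail) { fprintf(stderr, "no jail configured for %s\n", user); return 1; }
    if (chdir(jail) != 0 || chroot(jail) != 0) { perror("chroot"); return 1; }
    /* start in the user's home as seen from inside the jail (item 4);
     * fall back to the jail root if that directory was not created */
    if (chdir(pw->pw_dir) != 0 && chdir("/") != 0) { perror("chdir"); return 1; }
    if (drop_privileges(pw->pw_uid, pw->pw_gid) != 0) { perror("drop_privileges"); return 1; }
    setenv("HOME", pw->pw_dir, 1);
    setenv("USER", user, 1);
    /* a leading '-' in argv[0] makes the shell a login shell (shopt login_shell on) */
    const char *base = strrchr(shell, '/');
    char argv0[256];
    snprintf(argv0, sizeof argv0, "-%s", base ? base + 1 : shell);
    execl(shell, argv0, (char *)NULL);
    perror("execl");
    return 1;
}
```

Run it as "sudo ./jailwrap pajaro" with the sample map replaced by the real configuration; the jail still needs its own etc/passwd and etc/group, as noted in the thread, for whoami and friends to resolve names once inside.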