Home / ubuntu / Questions / 547737
In Process
Melab
Asked: 2014-11-10 18:28:31 +0800 CST

Jailing particular users on login

  • 772

This whole deal with jails and chroot is a bit confusing to me. They are used to run possibly risky programs securely, but this has to be initiated by the user. I'm looking for how to jail users like how Android and iOS do it. This can be setup for remote logins, but how can this be set for home logins?

Assume that I have Ubuntu installed on a desktop PC. There are four users: administrator, user1, user2, and guest. The first logs in like an account normally does. The second and third login to a jail. The fourth logs into a more restrictive jail than the second and third. Do these jailed accounts have access to a virtualized environment of sorts? Do these include copies of core binaries or are they built into the all's interface? Are these accomplished with initialization scripts or something else?

chroot

1 Answers

  1. Chroot jail setup

    Create user to be jailed.

    $sudo adduser acer

    For setting chroot we need to set sudo privilage to the users.

    Add the user in sudo group

        $sudo adduser acer sudo

    Create folder to setup a user in jail

        $sudo mkdir /chroot

    The jail user can access only whatever inside the /chroot folder

    This means we need to provide something in there,unless the user only can see empty folder

    Just create basic necessary things

        $cd /chroot

    $ sudo mkdir bin dev etc home lib usr var

    $sudo mkdir etc/pam.d home/acer lib/security var/log usr/bin

    We want to copy the software to /chroot that the jail user can able to use

    Bash command 

        $which bash 
    /bin/bash
    $sudo cp /bin/bash /chroot/bin
    $ldd /bin/bash
    #This ldd command is used to list the library function  
    linux-gate.so.1 =>  (0xb772d000)
            libtinfo.so.5 => /lib/i386-linux-gnu/libtinfo.so.5 (0xb76f0000)
            libdl.so.2 => /lib/i386-linux-gnu/libdl.so.2 (0xb76eb000)
            libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0xb753c000)
            /lib/ld-linux.so.2 (0xb772e000)

Copy this lib file to chroot lib directory

$sudo cp  /lib/i386-linux-gnu/libtinfo.so.5 /chroot/lib
    $sudo cp /lib/i386-linux-gnu/libdl.so.2 /chroot/lib
    $sudo cp /lib/i386-linux-gnu/libc.so.6 /chroot/lib
    $sudo cp /lib/ld-linux.so.2 /chroot/lib

    ls command

    $which ls
    /bin/ls
    $sudo cp /bin/ls /chroot/bin
    $ldd /bin/ls
    linux-gate.so.1 =>  (0xb771f000)
            libselinux.so.1 => /lib/i386-linux-gnu/libselinux.so.1 (0xb76e1000)
            libacl.so.1 => /lib/i386-linux-gnu/libacl.so.1 (0xb76d8000)
            libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0xb7529000)
            libpcre.so.3 => /lib/i386-linux-gnu/libpcre.so.3 (0xb74eb000)
            libdl.so.2 => /lib/i386-linux-gnu/libdl.so.2 (0xb74e6000)
            /lib/ld-linux.so.2 (0xb7720000)
            libattr.so.1 => /lib/i386-linux-gnu/libattr.so.1 (0xb74e0000)

    Copy this lib file to chroot lib directory

        $sudo cp /lib/i386-linux-gnu/libselinux.so.1 /chroot/lib
    $sudo cp /lib/i386-linux-gnu/libacl.so.1  /chroot/lib
    $sudo cp  /lib/i386-linux-gnu/libc.so.6 /chroot/lib
    $sudo cp  /lib/i386-linux-gnu/libpcre.so.3 /chroot/lib
    $sudo cp   /lib/i386-linux-gnu/libdl.so.2  /chroot/lib
    $sudo cp  lib/i386-linux-gnu/libattr.so.1 /chroot/lib
    $sudo cp /lib/ld-linux.so.2 /chroot/lib

    su command

        $which su
    /bin/su 
    $sudo cp /bin/su /chroot/su
    $ldd /bin/su
    linux-gate.so.1 =>  (0xb7737000)
            libpam.so.0 => /lib/i386-linux-gnu/libpam.so.0 (0xb770d000)
            libpam_misc.so.0 => /lib/i386-linux-gnu/libpam_misc.so.0 (0xb7709000)
            libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0xb755a000)
            libaudit.so.1 => /lib/i386-linux-gnu/libaudit.so.1 (0xb7535000)
            libdl.so.2 => /lib/i386-linux-gnu/libdl.so.2 (0xb7530000)
            /lib/ld-linux.so.2 (0xb7738000)

Copy this lib file to chroot lib directory

    $sudo cp /lib/i386-linux-gnu/libpam.so.0 /chroot/lib
    $sudo cp  /lib/i386-linux-gnu/libpam_misc.so.0 /chroot/lib
    $sudo cp /lib/i386-linux-gnu/libc.so.6  /chroot/lib
    $sudo cp /lib/i386-linux-gnu/libaudit.so.1 /chroot/lib
    $sudo cp /lib/i386-linux-gnu/libdl.so.2 /chroot/lib
    $sudo cp /lib/ld-linux.so.2 /chroot/lib

    Add some system configuration files and additional libraries to the chroot

        $cat /etc/passwd | grep acer > /chroot/etc/passwd
    $cat /etc/passwd | grep root >> /chroot/etc/passwd
    $cat /etc/group | grep acer > /chroot/etc/group
    $cat /etc/group | grep root >> /chroot/etc/group
    $cat /etc/shadow | grep acer > /chroot/etc/shadow

    Copy nsswitch.conf file to /chroot

        $sudo cp /etc/nsswitch.conf /chroot/etc/nsswitch.conf

    Inside the nsswitch it should looks like the follow

        passwd: files
    group: files
    shadow: files
    hosts: files
    networks: files
    protocols: files
    services: files
    ethers: files
    rpc: files
    netgroup: files

    We copy the configuration files necessary for the PAM system to operate so that the authorization in the jail can work 

        $sudo cp /etc/pam.d/common-account /chroot/etc/pam.d/
    $sudo cp /etc/pam.d/common-auth /chroot/etc/pam.d/
    $sudo cp /etc/pam.d/common-session /chroot/etc/pam.d/
    $sudo cp /etc/pam.d/su /chroot/etc/pam.d/

    We add some additional libraries required by the PAM and the name service switch facilities

        $sudo cp /lib/libnss_files.so.2 /chroot/lib
    $sudo cp /lib/libnss_compat.so.2 /chroot/lib
    $sudo cp /lib/libnsl.so.1 /chroot/lib
    $sudo cp -fa /lib/security/ /chroot/lib

    We need to create login.defs file in /chroot/etc/ directory.This file defines some setting for the login process

        $sudo vim /chroot/etc/login.defs

    Add the following line in to the login.defs file 

        SULOG_FILE /var/log/sulog

    If we did not do this the su command would attempt to use the syslog utility,which is not available in the jail setup and the entire process would fail.

    Create the script that will put our user in jail,whenever he login in to the system

    Create file jailshell in /bin directory,outside the jail

        $sudo vim /bin/jailshell

    Add the following script in to that file

        #!/bin/bash
    sudo chroot /chroot /bin/su acer

    Make it executable

        $sudo chmod  +x  /bin/jailshell

    To put script in action,we need to edit the /etc/passwd file (which is outside of the jail).

    Change /bin/bash to /bin/jailshell in user acer

        $sudo vim /etc/passwd
    acer:x:1003:1003:,,,:/home/acer:/bin/jailshell

    Set user acer in jail's home directory

        $cd /home/acer
    $sudo cp -fa ./ /chroot/home/acer

    The following could also be useful

        $sudo cp /etc/bash.bashrc /chroot/etc/  
    $sudo cp /etc/localtime /chroot/etc/
    $sudo cp /etc/services /chroot/etc/
    $sudo cp /etc/protocols /chroot/etc/
    $sudo cp /usr/bin/dircolors /chroot/usr/bin/
    $sudo cp /usr/bin/groups/ /chroot/usr/bin/

    Everything done.Now test the login

        $su – acer
    password:xxxx
    [sudo]password for acer:xxxx
    acer@Snovabits:/$ ls
    bin dev etc home lib    usr var
    • 3