Simple & easy way to jail users

Jailkit is a set of utilities that can limit user accounts to a specific directory tree and to specific commands. Setting up a jail is much easier using the Jailkit utilities that doing so 'by hand'. A jail is a directory tree that you create within your file system; the user cannot see any directories or files that are outside the jail directory. The user is jailed in that directory and it subdirectories.

Download & Install:

http://olivier.sessink.nl/jailkit/index.html#download

VERSION=2.20 # from November 2018
cd /tmp
wget https://olivier.sessink.nl/jailkit/jailkit-$VERSION.tar.gz
tar -zxvf jailkit-$VERSION.tar.gz
cd jailkit-$VERSION/
./configure
make
su -
make install

Setting up the jail

Now it’s time to set up the jail directory. Jailed users will see this directory as the root directory of the server. I chose to use /home/jail:

mkdir /home/jail
chown root:root /home/jail

jk_init can be used to quickly create a jail with several files or directories needed for a specific task or profile, (click on it & read full detail ).

jk_init -v /home/jail basicshell
jk_init -v /home/jail netutils
jk_init -v /home/jail ssh
jk_init -v /home/jail jk_lsh

Add a user

Add a new user with a home directory and bash shell, and set the password:

useradd -d /home/jailtest -m jailtest -s /bin/bash
passwd jailtest

Now it’s time to jail this user

use the following command:

jk_jailuser -m -j /home/jail jailtest

Your /etc/passwd should contain something like this now:

jailtest:x:1001:1001::/home/jail/./home/jailtest:/usr/sbin/jk_chrootsh

Enable bash

By using jk_cp the bash libraries are copied to the jail:

jk_cp -v -f /home/jail /bin/bash

Edit /home/jail/etc/passwd

replace this line:

jailtest:x:1001:1001::test:/usr/sbin/jk_lsh

with this:

jailtest:x:1001:1001::/home/jailtest:/bin/bash

Maintenance

By using jk_update updates on the real system can be updated in the jail.

A dry-run will show what’s going on:

jk_update -j /home/jail -d

Without the -d argument the real update is performed. More maintenance operations can be found here.

(In case /home/jail/opt is missing, create it with mkdir -p /home/jail/opt/ And run jk_update -j /home/jail again)

Give access to other directories

You can mount special folders, that the jail user may acces now. E.g.:

mount --bind /media/$USER/Data/ /home/jail/home/jailtest/test/

Help Taken

http://olivier.sessink.nl/jailkit/howtos_chroot_shell.html

http://olivier.sessink.nl/jailkit/index.html#intro ( a very good help )

This one also

This is been checked & verified , Working Properly

You can not confine them to /home as they need access to the system binaries and bash and configuration files in /etc

IMO the easiest method of securing users is to use apparmor.

You make a hard link

ln /bin/bash /usr/local/bin/jailbash

You add jailbash to /etc/shells

You then assign jailbash to the users shell, and then write an apparmor profile for jailbash allowing minimal access.

sudo chsh -s /usr/local/bin/jailbash user_to_confine

You will have to write an apparmor profile yourself, but I have a profile you could potentially start with

http://bodhizazen.com/aa-profiles/bodhizazen/ubuntu-10.04/usr.local.bin.jailbash

It's difficult to guess what purpose you might want to accomplish. If it is to deny ssh/sftp while providing jailed access via FTP... easy:

Add to /etc/shells a new shell:

sudo -e /etc/shells

Add one line:

/bin/false

Save. For each user you want to deny ssh/sftp, change the user's shell:

sudo chsh -s /bin/false userx

Now userx cannot log in via ssh/sftp.

Install vsftpd:

sudo apt-get install vsftpd

Edit the config file:

sudo -e /etc/vsftpd.conf

And some changes....

anonymous_enable=NO
local_enable=YES
chroot_local_user=YES

Save. Restart vsftpd:

sudo /etc/init.d/vsftpd restart

You could check out rbash as a shell for your users.

man bash

Search for RESTRICTED SHELL section

Or look on this page http://linux.die.net/man/1/bash