View Single Post #4
23rd December 2010
Posted by jggimi
Quote (originally posted by Tommahawk):
...trying jailedkit but it seems the issue is with jkchrootsh...

Quote (originally posted by jggimi):
I have not used it, and can't answer any questions about it.

Quote (originally posted by Tommahawk):
Just one jailed user for the moment that can log in, get a shell, and nothing much else.
To improve your understanding of chrooted environments, please read FAQ 10.16. It describes how one would make a single application with dynamically loaded libraries available to a chrooted Apache server.

Since you want a "shell" environment, you'll have to determine and define in advance exactly what you want your user to be able to do within that shell. /bin/sh or /usr/local/bin/tcsh will not be enough. And not just your executables -- those typically found in /bin, /usr/bin and /usr/local/bin that you think of as commands -- but all libraries and library tools called by each, usually in /usr/lib and /usr/local/lib; and in the case of shells that interact with consoles/ttys, you'll need nodes from /dev as well.

Since you will need device nodes in your virtual filesystem, you'll need to permit them in whichever real filesystem houses your virtual /dev. This means you will need to check your mount options for that filesystem, and perhaps change them.

-----

For example, to chroot into a statically linked (no libraries) /bin/sh, you'll need a virtual filesystem containing your "jailed" user's $HOME, /bin/sh, and /dev/tty, on a real filesystem that is not mounted nodev. That shell won't be able to execute any external commands except "sh". It can execute internal shell commands only. Not very useful.

FAQ 10.16 will help you understand what is needed to enable a single executable program with dynamic libraries.

When I set up virtual filesystems, it was for development and testing of administrative tools, so it was easy -- I replicated everything I might need: /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin, /usr/lib, /usr/local/lib, and /dev. I also needed bits of /var, and those directories were put in place and filled with test data.
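As an added example (my own script, not code from the thread or from any jail toolkit), the two checks this post calls for: pulling a program's shared libraries out of ldd(1) output so they can be copied into the jail alongside the binary, and confirming from mount(8) output that the real filesystem under the jail's /dev is not mounted nodev. The sample ldd and mount lines used for testing are constructed, and the jail path /home/jail is an assumption.

```shell
#!/bin/sh
# Added example, not from the original post: helpers for populating a
# chroot with a dynamically linked program plus its libraries, and for
# checking that the real filesystem under the jail's /dev is not mounted
# nodev.  Assumes only ldd(1), mount(8), awk, cp, mkdir and sort.

# Read ldd(1) output on stdin and print each object path it names, one per
# line.  OpenBSD ldd prints a table whose last column is the object path;
# Linux ldd prints "name => /path (addr)".  Both yield "/..." tokens; the
# "prog:" header line is skipped because of its trailing colon.  The
# program itself may be listed too, which is harmless when copying.
libs_from_ldd() {
    awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\// && $i !~ /:$/) print $i }' |
        LC_ALL=C sort -u
}

# Copy PROG and every shared object it depends on into JAIL, preserving
# the original directory layout (/usr/lib stays /usr/lib inside the jail).
jail_install() {
    prog=$1
    jail=$2
    for f in "$prog" $(ldd "$prog" | libs_from_ldd); do
        mkdir -p "$jail$(dirname "$f")"
        cp -p "$f" "$jail$f"
    done
}

# Read mount(8) output on stdin and find the longest mount point that
# contains PATH.  Exit 0 if that filesystem allows device nodes, 1 if it
# is mounted nodev (device nodes created under the jail's /dev would be
# ignored), 2 if no mount line covers PATH.
fs_allows_devices() {
    awk -v p="$1" '
        $2 == "on" {
            mp = $3
            if (p == mp || mp == "/" || index(p, mp "/") == 1) {
                if (length(mp) > length(best)) { best = mp; line = $0 }
            }
        }
        END {
            if (line == "") exit 2
            sub(/^[^(]*\(/, "", line); sub(/\).*$/, "", line)  # text inside ( )
            n = split(line, o, /[ ,]+/)
            for (i = 1; i <= n; i++) if (o[i] == "nodev") exit 1
            exit 0
        }'
}

# Typical use (assumed jail path): check the filesystem first, then populate.
#   mount | fs_allows_devices /home/jail/dev || echo "remount without nodev"
#   jail_install /bin/ls /home/jail
```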