DaemonForums  

Go Back   DaemonForums > FreeBSD > FreeBSD Security

FreeBSD Security Securing FreeBSD.

Reply
 
Thread Tools Display Modes
  #1   (View Single Post)  
Old 16th May 2008
Weaseal's Avatar
Weaseal Weaseal is offline
Package Pilot
 
Join Date: May 2008
Location: East Coast, US
Posts: 177
Thanked 7 Times in 7 Posts
Default chroot/jailing users

So I wanna do a little work to up the security of my FreeBSD 6 machine. Specifically, I want to prevent users who are using SCP/SFTP from wandering outside of their home directories. What are my options? Is there a way to chroot them?
__________________
FreeBSD addict since 4.2-RELEASE.
My FreeBSD wiki.
Reply With Quote
  #2   (View Single Post)  
Old 16th May 2008
J65nko J65nko is offline
Administrator
 
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 3,140
Thanked 182 Times in 149 Posts
Default

Have a look at at scponly http://sublimation.org/scponly/wiki/index.php/Features. Never used it myself though

scp is in the FreeBSD ports (shell category).
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
Reply With Quote
  #3   (View Single Post)  
Old 16th May 2008
Weaseal's Avatar
Weaseal Weaseal is offline
Package Pilot
 
Join Date: May 2008
Location: East Coast, US
Posts: 177
Thanked 7 Times in 7 Posts
Default

I have installed scponly and given it a shot. It's odd. Not really what I'm looking for. It creates all kind of strange directories, like a miniature filesystem, and can't be applied to pre-existing users. I really just want to make them not be able to jump up a directory.

I guess this would be alright if it were possible to chdir the user into some nice clean directory where they didn't have all that excess stuff?My users are simple folk and all that mess will cause me phonecalls I don't want.
__________________
FreeBSD addict since 4.2-RELEASE.
My FreeBSD wiki.

Last edited by Weaseal; 16th May 2008 at 11:51 PM. Reason: I felt like it
Reply With Quote
  #4   (View Single Post)  
Old 17th May 2008
anomie's Avatar
anomie anomie is offline
Local
 
Join Date: Apr 2008
Location: Texas
Posts: 446
Thanked 69 Times in 46 Posts
Default

Quote:
Originally Posted by Weaseal
Specifically, I want to prevent users who are using SCP/SFTP from wandering outside of their home directories. What are my options? Is there a way to chroot them?
There is not a really good solution to this precise problem that I am aware of.

The way I currently handle this is I build a FBSD jail specifically for the shell users, and I give them scponly shells. Finally, I "chmod go-rwx" each of their home directories. The worst they can do is navigate around the jail, and they can't access any home directory apart from their own.
__________________
Kill your t.v.
Reply With Quote
  #5   (View Single Post)  
Old 17th May 2008
coppermine's Avatar
coppermine coppermine is offline
Port Guard
 
Join Date: May 2008
Posts: 40
Thanked 0 Times in 0 Posts
Default

Hmmm.. what the users are supposed to do after login? If all they can is just to take and put the files, I would restrict the shell at all.
You can make a try for /etc/ttys file configuration. You can put the shell script or one program that will be launched after the login.
Some time ago I saw the script proposed by one book. This script was made as a menu and meant to run after the login. This menu contained just few apps - no shells.

After all, if you have good enough secured the sensitive information by means of groups and permissions, it should be ok for users to walk around. They will find nothing interesting for them.
Reply With Quote
  #6   (View Single Post)  
Old 18th May 2008
NaDa NaDa is offline
New User
 
Join Date: May 2008
Posts: 1
Thanked 0 Times in 0 Posts
Default

Hello, I'd suggest the built-in chroot() functionality in openssh-portable-5.0.p1 - I don't think there is better solution.
Reply With Quote
  #7   (View Single Post)  
Old 18th May 2008
kazcor kazcor is offline
Real Name: Registreed Usre
Port Guard
 
Join Date: May 2008
Location: bliner, erg
Posts: 20
Thanked 1 Time in 1 Post
Default

I don't know about the internals of scp, but I assume on a connection attempt the usual user shell is executed before any access to files is granted?
However, you might want to consider using bash's restricted option (rbash), which disallows changing directory at all and additionaly adds some other nice possibilities. Another idea would be shells/ibsh:
Quote:
Iron Bars Shell is a restricted Unix shell. The user can not step out of, nor
access files outside the home directory. It is written in C for Linux. No
libraries used. It is small, fast, secure. Two ascii configuration files for
more control.
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
Chroot web-browsing Oko OpenBSD Security 1 29th December 2008 01:37 PM
read & modify files out side chroot jail Dr_Death_UAE FreeBSD Security 5 6th November 2008 09:20 PM
apache 2.2.8 , is it on chroot by default? superslot OpenBSD Security 9 30th June 2008 11:56 AM
Can't use bash on chroot'd openssh environment jploh FreeBSD General 2 18th June 2008 02:12 AM
scponly not working with chroot hamba FreeBSD Security 3 15th May 2008 05:18 PM


All times are GMT. The time now is 01:26 AM.


Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick