SUMMARY : chroot question

From: Arthur de Ruyter (Arthur.DeRuyter@gdi.cs.minvrom.nl)
Date: Tue Mar 25 1997 - 06:19:57 CST


My question:

> I need to create a user account that restricts that user to his own
> directories. This user shouldn't be able to access files that are in
> other directories.
> I know this can be accomplished by using 'chroot'; but the manual
> doesn't tell me how to do it.
> (We run SunOS 4.1.3 on a Sparc 20)

Thank you,

Matthew Stier, Robin Marquis, Sophia S. Corsava, Jay Lessert, James Ashton,
and Rich Snyder.

SUMMARY

-The man pages for ftp / ftpd describe how to make a 'chroot' filesystem.

-You can deny access to directories by limiting their eXecute permissions.

-Use a wrapper:

Arthur,

Please wrap your lines to 72 characters, or so, as I've done for you here.

You write a C wrapper (say jailsh) that does something like:

    #include <stdio.h>
    #include <pwd.h>
    #include <unistd.h>
    char *shell = "/bin/sh";

    int main(int argc, char *argv[])
    {
        struct passwd *pw;
        int uid;
        uid = getuid(); /* this is running euid=0, find the real uid */
        pw = getpwuid(uid); /* get the pw entry for the home directory */
        chroot(pw->pw_dir); /* chroot there */
        chdir("/"); /* ...and move into it, or the cwd is still outside the jail */
        setuid(uid); /* Change uid back to the login user */
        execv(shell, argv); /* locked in; argv[0] is still "-jailsh" from login */
        return 1;
    }

(this is untested, and you need to do error checking on the returns
 of getuid, getpwuid, and chroot. /bin/jailsh becomes the user's
 login shell. Oh, yeah, chroot only works for root, so the C wrapper
 must be setuid root. Let's see, you probably want to only allow
 your jailed user to exec the wrapper, also, otherwise anybody
 could get into his jail).

In the home directory, you need to supply a copy of all executables
the user will ever need, his own /tmp (if they'll be running vi
or sort, or anything else that needs /tmp). Unless you can
arrange for all these executables to be static, you also need to
supply local copies of /dev and /usr/lib. The home directory
might look like:

jailuser:
total 4
   1 bin/ 1 tmp/
   1 dev/ 1 usr/

bin:
total 159
   7 cat* 16 echo* 40 sed* 96 sh*

dev:
total 0
   0 zero

usr/lib:
total 552
  40 ld.so* 512 libc.so.1.6*

Jay Lessert jay_lessert@latticesemi.com

-Some remarks about chroot:

I'm fairly sure that you don't really want to use chroot. If you do,
no files will be accessible to the user. Consider that most Unix
commands (like sh, tcsh, ls, cat, more, etc.) are executables stored as
files. If you chroot such that these files are unreadable then the
user will be unable to use these programmes. Most of these executables
use shared libraries so you need access to much of /lib/*.so.* for
commands to work. Also, mail is usually stored in /usr/spool/mail and
a swath of other useful files (like /dev/null) will be missing.

It is possible to have copies of the required files within the user's
area, indeed the ftp daemon does just this so that a limited set of
commands are available to it when it handles anonymous ftp requests.
Try `man ftpd' for some helpful details on doing this.

If you do want to use chroot despite the hassles pointed out above, you
need to proceed as follows. Alternatively you might want to
investigate some of the restricted shells available which might do what
you need to do with fewer difficulties.

First write a small C programme that calls chroot as desired. The
programme will have to run setuid root since chroot is only permitted
if your effective uid is root. After the chroot has been successful
the programme should then change the effective uid to match the real
uid which will be the uid of the invoker of the command. Only if the
call to seteuid succeeds should the programme exec a command
interpreter, passing on all the arguments and environment it received.
If you want to be nice, you should probably change the $SHELL
environment variable to the user's desired shell (command interpreter)
before execing the shell. Oh, and you'll need to change $HOME to `/'
as well since, having chrooted to $HOME, the user will now see his home
directory as the root directory.

Once you have this programme working to your satisfaction you should
install it somewhere (setuid root as discussed above) and make it the
user's login shell. You should also add it to /etc/shells. Now it
will be the first process run when the user logs in.

I'm sure there are a couple of other surprises but the above procedure
should work. Be very careful writing that programme as it has to run
setuid root.

--
James Ashton      VK1XJA      System Administrator

-Edit the source code of a shell:

Arthur,

I just recently posted a similar question. Basically, the consensus was
that you need to set up an environment similar to that described in
"man ftpd" and then get the source code for tcsh, bash, etc and add
chroot() to the shell. The drawback is that you have to put all the
binaries in the bin directory that you create. I was looking at doing
this for Solaris, but I guess that SunOS is similar. Let me know if you
have any questions.

Rich Snyder

Arthur de Ruijter Arthur.DeRuyter@GDI.CS.minvrom.nl



This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:11:49 CDT