Re: [Bastille-linux-discuss] chroot'ing telnet
From: Fredrik S. <fre...@hp...> - 2000-10-11 22:21:23
On Wed, 11 Oct 2000, Bruce D. Meyer wrote:

> A fellow admin and I were discussing chroot'ing, and he mentioned he has
> provided shell access for his dialup users for three years. He is not very
> happy that he can't provide chroot'ed telnet or ssh, similar to how wu-ftpd
> will prevent users from escaping out of their home directory to meddle or
> snoop around in other people's directories. Is this possible, or what
> alternatives are there for providing shell access to people while still
> restricting their access to their home account? I detest telnet, but do feel
> we should be able to provide chroot'ing to folks we allow in via ssh.

It's rather trivial, but tedious. I'll use HP-UX as an example, but it could be
adapted to Linux, FreeBSD et al:

(as root :)

    mkdir /var/jail/ssh
    chmod 555 /var/jail/ssh
    cd /var/jail/ssh

    # create necessary directories
    mkdir -p etc usr/sbin usr/lib usr/lbin dev tmp var/tmp
    chmod 555 etc usr/sbin usr/lib usr/lbin dev

    # fix /etc
    cp /etc/passwd /etc/hosts /etc/group /etc/services /etc/nsswitch.conf etc
    cp /etc/sshd_config /etc/ssh_host_key* etc

    # fix /dev
    mknod dev/null c 3 0x000002
    mkfifo -p -m 666 dev/log

    # fix pty stuff in /dev
    mknod dev/tty c 207 0x000000
    mknod dev/ptmx c 72 0x00009c
    insf -D /var/jail/ssh/dev -d pts

    # fix /usr/lib
    cp /usr/lib/dld.sl /usr/lib/libdld.2 /usr/lib/libc.2 /usr/lib/tztab usr/lib
    cp /usr/lib/libnsl.1 /usr/lib/libsec.2 /usr/lib/librpcsvc.1 usr/lib
    cp /usr/lib/libm.2 /usr/lib/libxti.2 /usr/lib/libnss_files.1 usr/lib

    # fix /usr/lbin
    cp /usr/lbin/chgpt usr/lbin

    # fix /usr/sbin: the daemon itself, which the chroot command below runs
    cp /usr/sbin/sshd usr/sbin

    # fix /home/<user>
    mkdir -p home/froo
    chown froo:users home/froo

    # fix sticky bit
    chmod 1777 tmp var/tmp

    # fire it up
    chroot /var/jail/ssh /usr/sbin/sshd

fredrik
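Once a jail like this is built, the defender's next job is to check that it stays minimal: nothing setuid inside it, no world-writable directory without the sticky bit, and the files the daemon needs actually present. The script below is an added example, not part of the original post; it assumes a POSIX shell with find, and the required-file list mirrors the layout above (an assumption, adjust it to your jail).

```shell
#!/bin/sh
# Added example (not from the original post): audit a chroot jail such as the
# /var/jail/ssh tree built above. The jail path is the first argument; the
# required-file list is an assumption based on the post's layout.

# Files a minimal sshd jail must contain, relative to the jail root (assumed).
JAIL_REQUIRED="etc/passwd etc/group etc/sshd_config usr/sbin/sshd dev/null"

# Print required entries missing from the jail; return 1 if any are missing.
jail_missing() {
    jail=$1; rc=0
    for f in $JAIL_REQUIRED; do
        [ -e "$jail/$f" ] || { echo "missing: $f"; rc=1; }
    done
    return $rc
}

# Print setuid/setgid files inside the jail. A jail needs none of them, and
# each one is a privilege-escalation foothold if the jailed service is abused.
jail_setid_files() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print
}

# Print directories that are world-writable but lack the sticky bit (the post
# sets 1777 on tmp and var/tmp for exactly this reason).
jail_unsafe_dirs() {
    find "$1" -type d -perm -0002 ! -perm -1000 -print
}

# Overall verdict: return 0 if all three checks pass, 1 otherwise.
jail_audit() {
    jail=$1; ok=0
    jail_missing "$jail" || ok=1
    bad=$(jail_setid_files "$jail")
    [ -z "$bad" ] || { echo "setid files: $bad"; ok=1; }
    bad=$(jail_unsafe_dirs "$jail")
    [ -z "$bad" ] || { echo "unsafe dirs: $bad"; ok=1; }
    return $ok
}
```

Run it as `jail_audit /var/jail/ssh` after every change to the jail; a non-zero exit means something should be fixed before the daemon is started.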