1. Creating basic chroot environment
First we need to create a simple chroot environment. Our chroot environment will consist of a bash shell. To do this, first, we need to create a chroot directory:
# mkdir /var/chroot
In the next step, we need to copy the bash binary and its all shared library dependencies.
You can see the bash's shared library dependencies by executing the ldd command:
# ldd /bin/bash
linux-vdso.so.1 => (0x00007fff9a373000)
libtinfo.so.5 => /lib/x86_64-linux-gnu/libtinfo.so.5 (0x00007f24d57af000)
libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f24d55ab000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f24d51eb000)
/lib64/ld-linux-x86-64.so.2 (0x00007f24d59f8000)
Now, we need to manually create all necessary directories and copy /bin/bash and all libraries to the new chroot directory into an appropriate location:
# cd /var/chroot/
# mkdir bin/ lib64/ lib/
# cp /lib/x86_64-linux-gnu/libtinfo.so.5 lib/
# cp /lib/x86_64-linux-gnu/libdl.so.2 lib/
# cp /lib/x86_64-linux-gnu/libc.so.6 lib/
# cp /lib64/ld-linux-x86-64.so.2 lib64/
# cp /bin/bash bin/
At this point all is ready and we can chroot
# chroot /vat/chroot
bash-4.2# ls /
bash: ls: command not found
From the above you can see that bash is ready but there is not much to do as not even ls command is available. Rather then manually copy all commands and required libraries I have created a simple bash script to aid with this purpose. Create a script with the following content:
#!/bin/bash
# This script can be used to create simple chroot environment
# Written by LinuxCareer.com
# (c) 2013 LinuxCareer under GNU GPL v3.0+
#!/bin/bash
CHROOT='/var/chroot'
mkdir $CHROOT
for i in $( ldd $* | grep -v dynamic | cut -d " " -f 3 | sed 's/://' | sort | uniq )
do
cp --parents $i $CHROOT
done
# ARCH amd64
if [ -f /lib64/ld-linux-x86-64.so.2 ]; then
cp --parents /lib64/ld-linux-x86-64.so.2 /$CHROOT
fi
# ARCH i386
if [ -f /lib/ld-linux.so.2 ]; then
cp --parents /lib/ld-linux.so.2 /$CHROOT
fi
echo "Chroot jail is ready. To access it execute: chroot $CHROOT"
By default the above script will create chroot in /var/chroot as defined by the $CHROOT variable. Feel free to change this variable according to your needs. When ready, make the script executable and run it with the file full path to your executables and files you wish to include. For example, if you need: ls, cat, echo, rm, bash, vi then use the which command to get a full path and supply it as an argument to the above chroot.sh script:
# ./chroot.sh /bin/{ls,cat,echo,rm,bash} /usr/bin/vi /etc/hosts
Chroot jail is ready. To access it execute: chroot /var/chroot
Now, you can access your new chroot jail with:
# chroot /var/chroot
bash-4.2# echo linuxcareer.com > file
bash-4.2# cat file
linuxcareer.com
bash-4.2# rm file
bash-4.2# vi --version
VIM - Vi IMproved 7.3 (2010 Aug 15, compiled May 4 2012 04:25:35)
2. Create chroot usergroup
A this point, we need to create a separate usergourp, which will be used by sshd to redirect all users belonging to this usergroup to the chroot jail.
$ sudo groupadd chrootjail
Now, add any existing users to this group. For example, to add user tester we will execute:
$ sudo adduser tester chrootjail
Adding user `tester' to group `chrootjail' ...
Adding user tester to group chrootjail
Done.
3. Configure sshd for chroot jail
All what remains is to configure sshd to automaticaly redirect all users from the chrootjail usergroup to the chroot jail at /var/chroot. This can be easily done be editing the sshd configuration file /etc/ssh/sshd_config. Add the following to /etc/ssh/sshd_config:
Match group chrootjail
ChrootDirectory /var/chroot/
and restarting ssh:
$ sudo service ssh restart
ssh stop/waiting
ssh start/running, process 17175
4. Login to chroot jail using ssh
At this point you can test your settings by log in to you server with configured sshd:
$ ssh tester@localhost
tester@localhost's password:
-bash-4.2$ ls
bin lib lib64 usr
-bash-4.2$