chroot environment on debian

First of all, you need to decide where to build this chroot environment, since you will later install a separate little system in it. The first step is to create this directory, which begins the basic work of building the chroot. As you may know, chroot effectively changes the root directory of a user (or process, daemon, etc.) to a specified environment, and only the root user can do this. Any resource outside this kind of jail would and should be inaccessible to the user who has been chrooted. The most important thing about the new chroot environment is that you don't create a superuser (root, uid=0): if the chrooted user gains root access he can break out of this little cage. That is why we build a chrooted environment, to protect our system from attackers. The attacker won't gain root access if there is no such user. So, enough talk, let's begin:

We’ll build now the directory (for example /chroot), where the new environment should be installed:

osiris:~# mkdir /chroot
osiris:~# cd /chroot
osiris:/chroot#

Here you have two choices. Either you compile all the required programs (like libc, bash, fileutils, shellutils) statically, or you download the Debian packages and install them with dpkg-deb (this is the method I used). The second method is the "dynamic" one. Here you can either download each package and extract it into the chroot directory yourself, or you can use debootstrap for this task. I propose we do this step with debootstrap, it's easier:

osiris:~# debootstrap woody /chroot
I: Retrieving http://ftp.debian.org/debian/dists/woody/Release
I: Validating /chroot/var/lib/apt/lists/debootstrap.invalid_dists_woody_Release
I: Retrieving http://ftp.debian.org/debian/dists/woody/main/binary-i386/Packages.gz
I: Validating /chroot/var/lib/apt/lists/debootstrap.invalid_dists_woody_main_binary-i386_Packages.gz
I: Retrieving http://ftp.debian.org/debian/pool/main/a/adduser/adduser_3.47_all.deb
I: Validating /chroot/var/cache/apt/archives/adduser_3.47_all.deb
I: Retrieving http://ftp.debian.org/debian/pool/main/a/apt/apt_0.5.4_i386.deb
[..]

Debootstrap is a very useful utility. Instead of "debootstrap woody /chroot" you can of course use "debootstrap sid /chroot" if you want to install packages from sid (or from other codenames, like slink, potato, etc.). If you prefer to install the packages yourself, or want to install required packages later, you can do that as well. You have to download the packages from the Debian mirrors or from your Debian CDs, put them into your chroot directory and extract them with the dpkg-deb tool:

osiris:/chroot# wget -q http://ftp.us.debian.org/debian/pool/main/g/glibc/libc6_2.2.5-14_i386.deb
osiris:/chroot# ls -l
-rw-rw-r-- 1 root root 3348878 Aug 16 18:02 libc6_2.2.5-14_i386.deb

osiris:/chroot# dpkg-deb -x libc6_2.2.5-14_i386.deb .
osiris:/chroot# ls
etc lib libc6_2.2.5-14_i386.deb sbin usr

Here we go! Now we have set up libc6 easily, thanks to the great dpkg-deb tool. You can now add the other recommended packages, like ldso, libncurses5 and bash. The procedure for these packages is the same as above. I would suggest installing fileutils too, so you can check later whether the chrooted environment works fine. After you have extracted the packages with dpkg-deb, you can delete them. So, I assume you have now installed the fileutils, bash, libncurses5, libc6, ldso and base-files packages. The base-files package puts some basic files into your new system and creates the basic directories. Change to the directory /chroot/bin and let's see what's in it now:

osiris:/chroot/bin# ls
bash chmod cp df ln mkdir mv rm sh touch
chgrp chown dd dir ls mknod rbash rmdir sync vdir

The next step is to download and install the libpam-chroot package on your default (!) system: simply apt-get install libpam-chroot. After the installation you can read some examples under /usr/share/doc/libpam-chroot/examples, but I'll explain how this PAM module works. We have to add a user to our system, let's call it "test":

osiris:~# useradd -c "Chrooted User" -d /home/test -s /bin/bash test
osiris:~# grep ^test: /etc/passwd
test:x:1041:100:Chrooted User:/home/test:/bin/bash

Well, you have to add this line to the passwd file in the chrooted environment too, because ssh will not read the default system's /etc/passwd but the chrooted environment's passwd file. So let's do the following for our test user:

osiris:~# grep ^test: /etc/passwd >> /chroot/etc/passwd

Let's edit /etc/security/chroot.conf as the documentation describes. Your chroot.conf should look like this:

osiris:~# cat /etc/security/chroot.conf
# /etc/security/chroot.conf
# format:
# username chroot_dir
test /chroot

Now we have to add a new line to /etc/pam.d/[operation]. Operation means something like login, ssh, su, ftp, etc. So if you want to ssh into your chroot, you have to add this line to /etc/pam.d/ssh; if you want to log in locally, then to /etc/pam.d/login, and so on:

osiris:~# tail -1 /etc/pam.d/ssh
session required pam_chroot.so debug

Now you should be able to log in locally or to do a `su - test`. If you use ssh, there is another problem. The ssh session is handled through the /dev/ptmx device file, which requires a filesystem called "devpts" to be mounted on your system. Since you don't have any devices under your chroot environment so far, we have to create them. Make a dev directory in your environment (if the base-files package hasn't created it already), copy /dev/MAKEDEV to /chroot/dev and then make some device files:

osiris:/chroot# cp /dev/MAKEDEV dev/; cd dev/
osiris:/chroot/dev# ./MAKEDEV generic

Now wait until the devices are generated. This may take a few minutes... :) But we haven't finished yet. Since ssh will put the sessions under /dev/pts, we have to create a pts directory under /chroot/dev, that is:

osiris:/chroot/dev# mkdir pts
osiris:/chroot/dev# mount -t devpts devpts /chroot/dev/pts

Attention! If you want to access the chroot with ssh, you have to check which ssh version you're running. Since chroot needs to be run with root privileges, you have to check whether the ssh daemon runs with these privileges. The newer ssh versions (3.4 or newer) have an option "UsePrivilegeSeparation yes", which means that the ssh daemon runs as the sshd user. You have to change the configuration and disable this option, otherwise you won't be able to get into the chroot environment with the chrooted user; you'll get the following message:

linux:~$ ssh -l test osiris
test@osiris’s password:
Connection to osiris closed by remote host.
Connection to osiris closed.

This happens because the ssh daemon was started with the "UsePrivilegeSeparation yes" option and is running as an unprivileged user, and this user has no permission to chroot the other user into /chroot. You will find the same thing in the logs, since only root is able to chroot the chrooted user into the /chroot directory. I just put the "UsePrivilegeSeparation no" option into the sshd configuration file and it worked. You can now try to log in with ssh (if you use ssh...) and you get the bash prompt of the chrooted environment. Now try to run basic commands like ls, cd, rm, mv, etc. (since you have installed fileutils):

test@osiris:~$ touch testfile
test@osiris:~$ ls
testfile

You can add now other packages you need to your own chroot environment, as described above.
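The following shell helper is an added example, not part of the original howto: it does the passwd copy from above with an append instead of an overwrite, resolves the jail directory from chroot.conf, and audits the jail for what the text requires (the user's entry is present, no account has uid 0, and dev/pts exists for ssh). Function names and the constructed passwd, chroot.conf and directory contents in demo are assumptions for the demonstration.

```shell
# Added example, not part of the original howto: copy a host account into the
# jail's passwd without clobbering it, then audit the jail for the properties
# the text insists on (user present, no uid-0 account, dev/pts in place).

# add_chroot_user HOST_PASSWD JAIL_PASSWD USER
# Appends USER's host entry to the jail's passwd unless it is already there.
# ">>" appends; "&>" would truncate the file and capture grep's stderr.
add_chroot_user() {
    host=$1; jail=$2; user=$3
    line=$(grep "^$user:" "$host") || return 1         # no such host user
    grep -q "^$user:" "$jail" 2>/dev/null && return 0  # already copied
    printf '%s\n' "$line" >> "$jail"
}

# jail_has_no_root JAIL_PASSWD -> 0 only if no account has uid 0 (field 3)
jail_has_no_root() {
    ! grep -q '^[^:]*:[^:]*:0:' "$1"
}

# chroot_dir_for CHROOT_CONF USER -> prints the jail dir configured for USER
# ("username chroot_dir" lines, "#" comments skipped); fails if there is none
chroot_dir_for() {
    awk -v u="$2" '!/^#/ && $1 == u { print $2; found = 1 }
                   END { if (!found) exit 1 }' "$1"
}

# audit_jail CHROOT_CONF USER -> 0 if the jail looks sane, 1..4 otherwise
audit_jail() {
    dir=$(chroot_dir_for "$1" "$2") || return 1
    grep -q "^$2:" "$dir/etc/passwd" 2>/dev/null || return 2  # user missing
    jail_has_no_root "$dir/etc/passwd" || return 3            # root inside jail
    [ -d "$dir/dev/pts" ] || return 4                         # no devpts for ssh
}

# demo: constructed host passwd, chroot.conf and jail skeleton in a temp dir;
# returns 0 if every check behaves as expected
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/chroot/etc" "$tmp/chroot/dev/pts"
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
        'test:x:1041:100:Chrooted User:/home/test:/bin/bash' > "$tmp/passwd"
    printf '%s\n' '# username chroot_dir' "test $tmp/chroot" > "$tmp/chroot.conf"
    : > "$tmp/chroot/etc/passwd"
    add_chroot_user "$tmp/passwd" "$tmp/chroot/etc/passwd" test || return 1
    add_chroot_user "$tmp/passwd" "$tmp/chroot/etc/passwd" test || return 1
    [ "$(grep -c '' "$tmp/chroot/etc/passwd")" -eq 1 ] || return 1  # idempotent
    audit_jail "$tmp/chroot.conf" test || return 1
    add_chroot_user "$tmp/passwd" "$tmp/chroot/etc/passwd" root   # uid 0 inside
    audit_jail "$tmp/chroot.conf" test && return 1                # must now fail
    rm -rf "$tmp"
}
```

Run `demo` to walk the checks against the constructed files, or point `audit_jail /etc/security/chroot.conf test` at a real jail.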


4 Responses

  1. You could update some information in your blog, because making a howto with woody in 2008 is kind of weird :)

    Debiban on January 31, 2008 at 20:50
  2. I've written this howto many years ago, but if you read carefully:

    You can choose instead of “debootstrap woody /chroot” of course “debootstrap sid /chroot” if you want to install packages from sid

    sid is an alias to unstable…

    So if you’d have read this howto, you wouldn’t have written such a comment.

    István on February 1, 2008 at 2:15
  3. Great instructions and thank you very much for writing this tutorial! I believe it shows the “best way” to tackle this issue by creating a jail that can be used for almost anything, and is a great first step toward “virtualizing” a server.

    It worked for me with Debian “etch”. I was able to SSH to my “jailed” folder with my “jailed” user.

    One problem though …

    When I SFTP with the “jailed user” that successfully “SSH’ed”, I get the following error messages:

    1. “Error: Fatal: unable to initialise SFTP on server: could not connect”
    2. “Error: Could not connect to server”

    NOTE: SFTP works successfully with a “standard” user.

    Correct me if I am wrong, but it appears that the “jailed user” is trying to “access” an app that is outside the “jail”, namely SFTP. Assuming this was the case, I copied over my configs for SSH “/etc/ssh/*” and openSSH “/usr/lib/openssh/*”, however this doesn’t appear to work yet.

    My questions are:
    1. When I login with my "jailed user" I am assuming that SSH "outside the jail" is authenticating the user and "chroot'ing" the user into his jail. (So, technically the jailed user is using an app outside his jail, namely SSH.)

    2. So if I try and SFTP, am I doing a similar thing?

    3. Or, is there a way to run SFTP inside the jail? If so, how will that work because isn’t SFTP just FTP tunneled via SSH?

    Thanks in advance.

    Bill

    Bill on February 25, 2008 at 22:27
  4. Hey there, to your questions:

    1. Yes, you’re using an external app to authenticate your chrooted users. But this can’t be done within the chroot, you can’t run an SSH server in your chroot environment (and it wouldn’t be as secure anymore) because the chroot is on the same machine. Thus, the libpam-chroot is handling the SSH authentication and is passing it to your chroot environment.

    2. Of course you can try to edit /etc/pam.d/sftp maybe it works, I can’t figure it out right now, because I’m currently not running a chroot on my machine, but if you can solve this problem, let me know :)

    3. No, inside the jail you won’t be able to run SFTP, but you can try like I explained above, to run SFTP outside and hacking with libpam, let me know if this works, I’m curious :)

    István on February 26, 2008 at 2:36
