Chroot Debian users
Revision as of 17:01, 23 October 2015
This article was created by automatic translation software. You can view the article source here.
Introduction
It can be useful to chroot users in order to restrict how far they can move around the system.
On a production server, be sure to perform these operations during off-peak hours to minimize the impact of your actions.
Prerequisites
An essential prerequisite is to keep the system as up to date as possible:
apt-get update
apt-get upgrade
To keep your Debian system up to date, make sure your sources list contains the official repositories. A list of the repositories available at Ikoula, with installation instructions, can be found at this address.
Implementation
Create the chroot
One way to set up a jail is to create a group to which all jailed users belong.
- Create the group
groupadd chrootgrp
- Create our new user (Debian's adduser takes --ingroup; -g is the useradd flag)
adduser --ingroup chrootgrp notre_utilisateur
Create the directories
We must now create the directory tree of our chroot jail so that it mimics the root directory /.
- Create all the directories
# The { } syntax lets us create a directory and several subdirectories in one mkdir command
mkdir -p /var/jail/{dev,etc,lib,usr,bin}
mkdir -p /var/jail/usr/bin
- Set the ownership of the directories that were created so that root owns them (sshd also requires that the jail and all of its parent directories be writable by root only)
chown root:root /var/jail
chmod 755 /var/jail
- Also create the /dev/null device node
mknod -m 666 /var/jail/dev/null c 1 3
Configuration files in /etc/
The /etc/ directory holds a few files that are essential for the jail to work correctly, so let's copy them in.
- Copy the configuration files into the jail
# Move into the jail's /etc/ directory
cd /var/jail/etc
# Copy the configuration files into the current directory . (/var/jail/etc/)
cp /etc/ld.so.cache .
cp /etc/ld.so.conf .
cp /etc/nsswitch.conf .
cp /etc/hosts .
Determine the commands
We must now decide which commands will be available to our user, for example ls, cat and bash.
- To do this, copy the executables into the jail
# Move into the jail's /bin directory: on Debian these binaries live in /bin, and the
# login shell must exist inside the jail at the path recorded in /etc/passwd (/bin/bash)
cd /var/jail/bin
# Copy the desired executables into the current directory (/var/jail/bin)
cp /bin/ls .
cp /bin/cat .
cp /bin/bash .
- Don't forget to add the shared libraries the executables need
# Look up the libraries ls needs with the ldd command
ldd /bin/ls
# The command returns a result similar to this:
linux-gate.so.1 => (0xb7f2b000)
librt.so.1 => /lib/librt.so.1 (0xb7f1d000)
libacl.so.1 => /lib/libacl.so.1 (0xb7f16000)
libc.so.6 => /lib/libc.so.6 (0xb7dcf000)
libpthread.so.0 => /lib/libpthread.so.0 (0xb7db7000)
/lib/ld-linux.so.2 (0xb7f2c000)
libattr.so.1 => /lib/libattr.so.1 (0xb7db2000)
# Each library listed with a path (including the loader /lib/ld-linux.so.2) must be copied
# to the same path under /var/jail, e.g. cp /lib/libc.so.6 /var/jail/lib/
Configure the SSH service
Now that the jail is in place, we must configure the SSH service to send our chrooted user group to its new, confined location.
- Edit the SSH configuration file
vi /etc/ssh/sshd_config
- Add the following content at the end of the file (a Match block applies to everything that follows it, so it must come last)
# Add the chroot group
Match Group chrootgrp
    ChrootDirectory /var/jail/
    X11Forwarding no
    AllowTcpForwarding no
- Restart the ssh service
/etc/init.d/ssh restart
This configuration also disables X11 forwarding and TCP port forwarding. In some cases, such as setting up a secure tunnel, it may be necessary to revisit the configuration and lift this restriction.
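As an added example (not code from the Ikoula article), the following POSIX shell script automates the two error-prone steps above: copying a binary together with every shared library ldd reports, and checking the ownership and permission rules sshd enforces on ChrootDirectory and each of its parent directories before it will chroot a user. The jail path and the binary list are parameters; the defaults are the article's /var/jail and ls, cat, bash.

```shell
#!/bin/sh
# Added example, not the article's own commands. Assumes GNU/busybox stat, ldd and cp.

# copy_with_libs JAIL /path/to/binary
# Copies the binary to JAIL/path/to/binary and every library that ldd resolves
# (including the dynamic loader, which has no "=>") to the same path under JAIL.
copy_with_libs() {
    jail=$1; bin=$2
    # Keep any ldd field that starts with "/"; vdso lines have none and are skipped.
    deps=$(ldd "$bin" 2>/dev/null | awk '{for (i = 1; i <= NF; i++) if ($i ~ /^\//) print $i}')
    for f in "$bin" $deps; do
        mkdir -p "$jail$(dirname "$f")"
        cp -L "$f" "$jail$f"     # -L: copy the real file, not a dangling symlink
    done
}

# check_chroot_dir JAIL
# sshd refuses a ChrootDirectory unless it and every parent directory are owned
# by root and not group- or world-writable. Returns 1 on the first offending path.
check_chroot_dir() {
    dir=$1
    while :; do
        [ "$(stat -c %u "$dir")" = 0 ] || { echo "not root-owned: $dir" >&2; return 1; }
        # Characters 6 and 9 of "drwxr-xr-x" are the group and other write bits.
        case "$(stat -c %A "$dir" | cut -c6,9)" in
            *w*) echo "group/world writable: $dir" >&2; return 1 ;;
        esac
        [ "$dir" = / ] && return 0
        dir=$(dirname "$dir")
    done
}

# Run as root with --build [JAIL] to populate the jail the way the article does.
if [ "${1:-}" = --build ]; then
    jail=${2:-/var/jail}
    mkdir -p "$jail/etc" "$jail/dev"
    for b in /bin/ls /bin/cat /bin/bash; do copy_with_libs "$jail" "$b"; done
    [ -e "$jail/dev/null" ] || mknod -m 666 "$jail/dev/null" c 1 3
    chown root:root "$jail"; chmod 755 "$jail"
    check_chroot_dir "$jail" && echo "$jail is acceptable to sshd"
fi
```

A failed check_chroot_dir explains the usual "fatal: bad ownership or modes for chroot directory" refusal in the sshd log.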
bash-2-5$
If you want a less generic prompt, simply follow this procedure:
# Create the user's home directory inside the jail (it is not part of the tree created earlier)
mkdir -p /var/jail/home/notre_utilisateur
# Copy the contents of /etc/skel (including the dotfiles, which * would not match) to /var/jail/home/your_user
cp -r /etc/skel/. /var/jail/home/notre_utilisateur/
chown -R notre_utilisateur:chrootgrp /var/jail/home/notre_utilisateur
# You now have something like this
notre_utilisateur:->