Discussion:
chroot ssh users
sektorNBA
2003-01-18 14:48:23 UTC
Permalink
Hi all
I am using oBSD 3.2
How can I chroot ssh users on their OWN home?

thanks
Telent
2003-01-18 14:13:39 UTC
Permalink
Post by sektorNBA
Hi all
I am using oBSD 3.2
How can I chroot ssh users on their OWN home?
I suggest you investigate chroot(8). Bear in mind, however, that you'll
have to put whatever tools (cd, pwd, sh/csh, ftp, vi, ls, ping, any of
the standard Unix utilities) that you want them to have in the chroot
with them.

-Sunny Raspet
Telent
2003-01-19 01:35:18 UTC
Permalink
OpenBSD 3.1 March 16, 1991
Well, first of all, you said you were running 3.2. But I'll let it
pass...
I don´t undestand it!
could u give an example?
Assuming that I really wanted to go about chrooting a user, I'd set up a
small shell script in /usr/bin. Call it /usr/bin/chrootlogin.

/usr/bin/chrootlogin:
#!/bin/sh
/usr/bin/sudo /usr/sbin/chroot $HOME /bin/csh

Replace csh with your shell of choice, of course.

Now, make a group called chroot. Add all the users who will be chrooted
into it. Now, you need to add a permission declaration line for sudo.
use "visudo" as root and add this:

%chroot ALL = NOPASSWD: /usr/sbin/chroot

Then, you'll need to add whatever utilities you want your shell users to
have into a directory called bin in their home dirs. Don't forget the
things like ls and pwd and cd and echo, the stuff that you use every
day, as well as their shell of choice.

Then, add your users. Put them in the "chroot" group, as well as their
personal groups. Set /usr/bin/chrootlogin as their shell. Make sure to
add that to /etc/shells if you want them to have ftp access.

And that's how you go about setting up a basic chroot environment on 3.2
or 3.1.

3.2-current has lots more features in it that make things easier.

But IMHO, you'd be better served by keeping the box patched. chroots
look pretty, but for users, they're more trouble than they're worth. If
you don't want them reading each other's files, set a umask of 600 or
some such.

-Sunny Raspet
David Wollmann
2003-01-19 02:03:14 UTC
Permalink
On Saturday 18 January 2003 19:35, Telent wrote:
[snip]
If you don't want them reading each other's files, set a umask of 600 or
some such.
Don't you mean umask of 0277?

- --
D. Wollmann
gpg 58A7 2C9A FCBC 8B4A 6F76 1BF1 9BE0 FB93 34C8 8A21
Markus Friedl
2003-01-19 10:34:21 UTC
Permalink
Post by Telent
/usr/bin/sudo /usr/sbin/chroot $HOME /bin/csh
chroot to a directory owned by the user is dangerous.
Hannah Schroeter
2003-01-19 12:52:44 UTC
Permalink
Hello!
Post by Markus Friedl
Post by Telent
/usr/bin/sudo /usr/sbin/chroot $HOME /bin/csh
chroot to a directory owned by the user is dangerous.
Now I'm curious: Why?

Kind regards,

Hannah.
l***@zbit.pt
2003-01-19 14:09:02 UTC
Permalink
Post by Hannah Schroeter
Post by Markus Friedl
chroot to a directory owned by the user is dangerous.
Now I'm curious: Why?
The user can modify it's chroot environment. There must be other
details, which I can't grasp; but see below for an example:

http://packetstormsecurity.nl/0001-exploits/mi009en.htm
--
I'm frequently appalled by the low regard you Earthmen have for life.
-- Spock, "The Galileo Seven", stardate 2822.3
Dom De Vitto
2003-01-19 14:00:29 UTC
Permalink
Because they will have permissions to modify permissions and
create files in that directory, and any below it.

Consequently they can scp other binaries into the jail, and start
doing things (running servers, resource attacks etc) that the admin
didn't want.

Dom
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Dom De Vitto Tel. 07855 805 271
http://www.devitto.com mailto:***@devitto.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -




-----Original Message-----
From: owner-***@openbsd.org [mailto:owner-***@openbsd.org] On Behalf
Of Hannah Schroeter
Sent: Sunday, January 19, 2003 12:53 PM
To: ***@openbsd.org
Subject: Re: chroot ssh users


Hello!
Post by Markus Friedl
Post by Telent
/usr/bin/sudo /usr/sbin/chroot $HOME /bin/csh
chroot to a directory owned by the user is dangerous.
Now I'm curious: Why?

Kind regards,

Hannah.
Telent
2003-01-20 00:36:53 UTC
Permalink
Post by Markus Friedl
Post by Telent
/usr/bin/sudo /usr/sbin/chroot $HOME /bin/csh
chroot to a directory owned by the user is dangerous.
Yes, it is, but no more dangerous than giving them any writable area at
all to upload binaries... or am I missing something, and it is?
Theo de Raadt
2003-01-20 17:29:26 UTC
Permalink
Post by Telent
Post by Markus Friedl
Post by Telent
/usr/bin/sudo /usr/sbin/chroot $HOME /bin/csh
chroot to a directory owned by the user is dangerous.
Yes, it is, but no more dangerous than giving them any writable area at
all to upload binaries... or am I missing something, and it is?
It is largely pointless. I've been saying this for years, and people
don't listen.

I'm sorry. But if you don't understand where chroot is weak, why do
your type of people keep trying to ask us to include this balony code?
Chuck Yerkes
2003-01-20 17:36:24 UTC
Permalink
That administration of it is near impossible, complexity is radically
increased, and mistakes are much more likely on the administrators'
part. If you want to restrict as user, give the user a restricted
shell.
Post by Telent
Post by Markus Friedl
Post by Telent
/usr/bin/sudo /usr/sbin/chroot $HOME /bin/csh
chroot to a directory owned by the user is dangerous.
Yes, it is, but no more dangerous than giving them any writable area at
all to upload binaries... or am I missing something, and it is?
Ted Unangst
2003-01-20 18:10:00 UTC
Permalink
Post by Telent
Post by Telent
/usr/bin/sudo /usr/sbin/chroot $HOME /bin/csh
Yes, it is, but no more dangerous than giving them any writable area at
all to upload binaries... or am I missing something, and it is?
you just ran, AS ROOT, a file owned by the user.


--
"The brave men who died in Vietnam, more than 100% of which were
black, were the ultimate sacrifice."
- M. Barry, Mayor of Washington, DC
sektorNBA
2003-01-19 20:17:24 UTC
Permalink
I did this and it works.
but user got root powers.
They can kill root´s process
I just need to LOCK USERS on their OWN home.
not create an JAIL structure.

Thanks
----- Original Message -----
From: "Telent" <***@mordac.info>
To: "sektorNBA" <***@sektornba.org>
Cc: <***@openbsd.org>
Sent: Saturday, January 18, 2003 10:35 PM
Subject: Re: chroot ssh users
Post by Telent
OpenBSD 3.1 March 16, 1991
Well, first of all, you said you were running 3.2. But I'll let it
pass...
I don´t undestand it!
could u give an example?
Assuming that I really wanted to go about chrooting a user, I'd set up a
small shell script in /usr/bin. Call it /usr/bin/chrootlogin.
#!/bin/sh
/usr/bin/sudo /usr/sbin/chroot $HOME /bin/csh
Replace csh with your shell of choice, of course.
Now, make a group called chroot. Add all the users who will be chrooted
into it. Now, you need to add a permission declaration line for sudo.
%chroot ALL = NOPASSWD: /usr/sbin/chroot
Then, you'll need to add whatever utilities you want your shell users to
have into a directory called bin in their home dirs. Don't forget the
things like ls and pwd and cd and echo, the stuff that you use every
day, as well as their shell of choice.
Then, add your users. Put them in the "chroot" group, as well as their
personal groups. Set /usr/bin/chrootlogin as their shell. Make sure to
add that to /etc/shells if you want them to have ftp access.
And that's how you go about setting up a basic chroot environment on 3.2
or 3.1.
3.2-current has lots more features in it that make things easier.
But IMHO, you'd be better served by keeping the box patched. chroots
look pretty, but for users, they're more trouble than they're worth. If
you don't want them reading each other's files, set a umask of 600 or
some such.
-Sunny Raspet
Eduardo Augusto Alvarenga
2003-01-20 11:49:19 UTC
Permalink
Post by sektorNBA
I did this and it works.
but user got root powers.
They can kill root´s process
I just need to LOCK USERS on their OWN home.
not create an JAIL structure.
So use Aaron Grifford's chrsh. If you don't mind, please search @misc
archives for a message posted by myself. If explains very well the
chroot process and scripting.


Best Regards,

- --
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Eduardo A. Alvarenga - Analista de Suporte #179653
Centro Estratégico Integrado - SEGUP-PA
Belém - Pará - (91) 259-0555
eduardo@{thrx.dyndns.org,cei.pa.gov.br}
- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
OpenBSD Consultant: www.openbsd.org/support.html
Hannah Schroeter
2003-01-20 14:05:00 UTC
Permalink
Hello!
Post by sektorNBA
I did this and it works.
but user got root powers.
They can kill root´s process
I just need to LOCK USERS on their OWN home.
not create an JAIL structure.
See below.
Post by sektorNBA
[...]
Post by Telent
Assuming that I really wanted to go about chrooting a user, I'd set up a
small shell script in /usr/bin. Call it /usr/bin/chrootlogin.
#!/bin/sh
/usr/bin/sudo /usr/sbin/chroot $HOME /bin/csh
Use something like the -U option of chroot(8).
Post by sektorNBA
[...]
Kind regards,

Hannah.
Ted Unangst
2003-01-20 19:24:33 UTC
Permalink
Post by Hannah Schroeter
Use something like the -U option of chroot(8).
chroot has no -U option. or any other option.

--
"First, it was not a strip bar, it was an erotic club. And second,
what can I say? I'm a night owl."
- M. Barry, Mayor of Washington, DC
Dries Schellekens
2003-01-21 09:43:47 UTC
Permalink
Post by Ted Unangst
Post by Hannah Schroeter
Use something like the -U option of chroot(8).
chroot has no -U option. or any other option.
It was added by millert a time ago. So it only exists in -current.


Cheers,

Dries
--
Dries Schellekens
email: ***@ulyssis.org
Andre Lucas
2003-01-21 07:24:36 UTC
Permalink
Post by Ted Unangst
chroot has no -U option. or any other option.
It does in -current:

http://www.openbsd.org/cgi-bin/man.cgi?query=chroot&apropos=0&sektion=8&manpath=OpenBSD+Current&arch=i386&format=html
Hannah Schroeter
2003-01-21 12:59:45 UTC
Permalink
Hello!
Post by Ted Unangst
Post by Hannah Schroeter
Use something like the -U option of chroot(8).
chroot has no -U option. or any other option.
RCS file: /cvs/src/usr.sbin/chroot/chroot.c,v
Working file: chroot.c
head: 1.8
[...]
revision 1.8
date: 2002/12/22 22:25:20; author: millert; state: Exp; lines: +14 -10
o check for empty $SHELL and add missing __dead (Andrey Matveev)
o call setlogin() if the -U flag was specified and we either are the session
leader or are able to become it.
----------------------------
revision 1.7
date: 2002/10/29 23:12:06; author: millert; state: Exp; lines: +37 -12
Add -U option to set uid, gid, and group vector based on password database.
----------------------------
revision 1.6
date: 2002/10/25 19:23:48; author: millert; state: Exp; lines: +138 -24
Add options to set the uid, gid, and group vector after the chroot;
adapted from NetBSD. OK markus@ and previously discussed with Theo.
[...]

Seems you have to use current though, as OPENBSD_3_2 is revision 1.5.

Kind regards,

Hannah.
sektorNBA
2003-01-24 00:14:57 UTC
Permalink
I am using 3.2 -current.
-u is only available to -current
----- Original Message -----
From: "Hannah Schroeter" <***@schlund.de>
To: "sektorNBA" <***@sektornba.org>
Cc: <***@openbsd.org>
Sent: Monday, January 20, 2003 11:05 AM
Subject: Re: chroot ssh users
Post by Hannah Schroeter
Hello!
Post by sektorNBA
I did this and it works.
but user got root powers.
They can kill root´s process
I just need to LOCK USERS on their OWN home.
not create an JAIL structure.
See below.
Post by sektorNBA
[...]
Post by Telent
Assuming that I really wanted to go about chrooting a user, I'd set up a
small shell script in /usr/bin. Call it /usr/bin/chrootlogin.
#!/bin/sh
/usr/bin/sudo /usr/sbin/chroot $HOME /bin/csh
Use something like the -U option of chroot(8).
Post by sektorNBA
[...]
Kind regards,
Hannah.
sektorNBA
2003-01-19 14:10:57 UTC
Permalink
so, what´s the best way to chroot a ssh user in their OWN directory.
----- Original Message -----
Sent: Sunday, January 19, 2003 9:52 AM
Subject: Re: chroot ssh users
Post by Hannah Schroeter
Hello!
Post by Markus Friedl
Post by Telent
/usr/bin/sudo /usr/sbin/chroot $HOME /bin/csh
chroot to a directory owned by the user is dangerous.
Now I'm curious: Why?
Kind regards,
Hannah.
Chuck Yerkes
2003-01-20 06:16:54 UTC
Permalink
Put all the binaries they need in there directory and
then.... Oh wait, now there's no real point.

If you need a restricted SHELL, take a look for those.

If you want to describe what you'd like to end up
with rather than ask how you think it should be done,
you'll get useful answers.

When you chroot, NO PROGRAMS OUTSIDE THAT CHROOT are available.
Further, chroot is quite often not very useful. It's well
documented for a decade on a festival of firewall lists.

You can restrict SOME by having a separate partition for the
chroot and mounting right. But for home directories, you
have many problems you run into, so it's considered not
to work.
so, what?s the best way to chroot a ssh user in their OWN directory.
----- Original Message -----
Sent: Sunday, January 19, 2003 9:52 AM
Subject: Re: chroot ssh users
Post by Hannah Schroeter
Hello!
Post by Markus Friedl
Post by Telent
/usr/bin/sudo /usr/sbin/chroot $HOME /bin/csh
chroot to a directory owned by the user is dangerous.
Now I'm curious: Why?
Kind regards,
Hannah.
Søren Thing Andersen
2003-01-19 15:56:59 UTC
Permalink
Post by sektorNBA
I am using oBSD 3.2
How can I chroot ssh users on their OWN home?
You could take a look at http://turquoise.thing.dk/#create_chroot_home
It says:
create_chroot_home is a shell script I wrote to make it easier
(and less error prone) for me to set up a chroot login on my
OpenBSD machine.
I have included so much in the chroot, that the user can run the vi
editor and use scp, sftp or rsync over ssh to transfer files into
and out of the chroot. While working inside the chroot shell the
following commands are available: bash cat chmod cp date du echo
grep groups head hostname id less ln ls md5 mkdir more mv ps pwd
rm rmdir rsync scp sh tail tar vi wc.

TEsted on 3.1 but should work on 3.2.

/Thing
Chris Timmons
2003-01-20 14:09:33 UTC
Permalink
Check this out. Might lead you in the right direction. Chrooting ssh is a pain to do. And even harder to do it right.

http://www.aarongifford.com/computers/chrsh.html

-----Original Message-----
From: sektorNBA [mailto:***@sektornba.org]
Sent: Sunday, January 19, 2003 3:17 PM
To: Telent
Cc: ***@openbsd.org
Subject: Re: chroot ssh users


I did this and it works.
but user got root powers.
They can kill root´s process
I just need to LOCK USERS on their OWN home.
not create an JAIL structure.

Thanks
----- Original Message -----
From: "Telent" <***@mordac.info>
To: "sektorNBA" <***@sektornba.org>
Cc: <***@openbsd.org>
Sent: Saturday, January 18, 2003 10:35 PM
Subject: Re: chroot ssh users
Post by Telent
OpenBSD 3.1 March 16, 1991
Well, first of all, you said you were running 3.2. But I'll let it
pass...
I don´t undestand it!
could u give an example?
Assuming that I really wanted to go about chrooting a user, I'd set up
a small shell script in /usr/bin. Call it /usr/bin/chrootlogin.
#!/bin/sh
/usr/bin/sudo /usr/sbin/chroot $HOME /bin/csh
Replace csh with your shell of choice, of course.
Now, make a group called chroot. Add all the users who will be
chrooted into it. Now, you need to add a permission declaration line
%chroot ALL = NOPASSWD: /usr/sbin/chroot
Then, you'll need to add whatever utilities you want your shell users
to have into a directory called bin in their home dirs. Don't forget
the things like ls and pwd and cd and echo, the stuff that you use
every day, as well as their shell of choice.
Then, add your users. Put them in the "chroot" group, as well as
their personal groups. Set /usr/bin/chrootlogin as their shell. Make
sure to add that to /etc/shells if you want them to have ftp access.
And that's how you go about setting up a basic chroot environment on
3.2 or 3.1.
3.2-current has lots more features in it that make things easier.
But IMHO, you'd be better served by keeping the box patched. chroots
look pretty, but for users, they're more trouble than they're worth.
If you don't want them reading each other's files, set a umask of 600
or some such.
-Sunny Raspet
Telent
2003-01-20 14:25:17 UTC
Permalink
Post by Theo de Raadt
Post by Telent
Yes, it is, but no more dangerous than giving them any writable
area at
Post by Theo de Raadt
Post by Telent
all to upload binaries... or am I missing something, and it is?
It is largely pointless. I've been saying this for years, and people
don't listen.
I'm sorry. But if you don't understand where chroot is weak, why do
your type of people keep trying to ask us to include this balony code?
I personally could care less about chrooting users, and never will on
any of my own boxes - as you said, it's pointless. As I said in a
previous mail on this subject, one is much better served by spending
the time on keeping one's system patched.

I was looking at it as a n issue for my own enlightenment, which is why
I asked Markus the quoted question: is chroot pointless if the user has
any writable area inside?

Seems like the answer is yes.

And as an aside, I know the project's credo of "Shut up and hack" far
too well to ever make a feature request without diffs to back it up. ;)
Hannah Schroeter
2003-01-26 15:56:14 UTC
Permalink
Hello!
Post by Telent
[...]
I asked Markus the quoted question: is chroot pointless if the user has
any writable area inside?
Seems like the answer is yes.
I would still say "depends".

The user at least cannot access other data on your machine (even if
he gets root inside the chroot, he can't mknod devices for your
system disks, as mknod is blocked, etc.).

It *might* be an additional layer of defense for some, in combination
with restricted shells etc.
Post by Telent
[...]
Kind regards,

Hannah.

Loading...