I’ve toyed around with chrooting a shell account to a directory before, but never really done it properly. Today a customer wanted it done, so I had a chance to figure it all out. I’ve considered using a chrooted SSH before, but that requires a patch to SSH. Today I came across jailkit, which leaves SSH alone and instead implements the chroot as the user’s login shell. It seemed pretty straightforward, and it provides some utilities for creating the jail.
cd /usr/local/src
wget http://olivier.sessink.nl/jailkit/jailkit-2.4.tar.gz
tar -xvzf jailkit-2.4.tar.gz
cd jailkit-2.4
./configure && make && make install
The tools were then available. Their examples put the jail environment in one shared directory, but I figured I might want per-user jails, so I created mine in /home/jail-someuser like this:
jk_init -v -j /home/jail-someuser basicshell editors extendedshell netutils ssh sftp scp
That creates the directory and copies all of the specified programs into place inside the jail. It also copies all of the shared libraries those programs need, which is much easier than tracking them down with ldd.
Now create the actual user account and the directories it needs inside the jail. The /./ in the home directory path is not decoration: jk_chrootsh splits the path on it, chroots into the part before it and changes into the part after it, so the user ends up in /home/someuser inside the jail:
useradd -d /home/jail-someuser/./home/someuser -s /usr/sbin/jk_chrootsh someuser
mkdir -p /home/jail-someuser/home/someuser /home/jail-someuser/tmp
chown someuser:someuser /home/jail-someuser/./home/someuser
chmod 1777 /home/jail-someuser/tmp
The 1777 gives tmp the sticky bit, as on a normal /tmp, so users of the jail cannot remove each other’s files there.
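The whole procedure as one script, with the check a second run would want, is below. This is an added example, not code from the post or from jailkit: it assumes one jail per user under /home/jail-<user> with the user’s home at /home/<user> inside it (the layout used above), wraps the same jk_init, useradd, chown and chmod calls, and adds the test jk_chrootsh performs itself before it will chroot a login, namely that the jail root is owned by root and not writable by group or others. The helper names (jail_home_path, in_jail_home, jail_dir_is_safe, create_jail) and the JAIL_BASE variable are mine.

```shell
#!/bin/sh
# mkjail.sh: build a per-user jailkit jail in the order the post uses, plus the
# permission check jk_chrootsh itself performs before it will chroot a login.
# Added example, not part of jailkit. Assumed layout (not from the post):
# one jail per user at $JAIL_BASE/jail-<user>, in-jail home /home/<user>.
set -eu

JAIL_BASE=${JAIL_BASE:-/home}
# jk_init sections to copy into the jail (binaries plus their shared libraries)
JK_INIT_SETS="basicshell editors extendedshell netutils ssh sftp scp"

# Home directory as handed to useradd -d. The "/./" is the separator jk_chrootsh
# splits on: it chroots into the part before it and cds into the part after it.
jail_home_path() {  # jail_home_path USER -> /home/jail-USER/./home/USER
  printf '%s/jail-%s/./home/%s\n' "$JAIL_BASE" "$1" "$1"
}

# The same directory as the user sees it once inside the jail.
in_jail_home() {    # in_jail_home /home/jail-u/./home/u -> /home/u
  printf '/%s\n' "${1#*/./}"
}

# jk_chrootsh refuses a jail that is not owned by root or is writable by group
# or others: a user who can write the jail root could plant a fake /lib or /etc
# there. OWNER_UID is a parameter (default 0, root) only so the check can be
# exercised on a scratch directory by a non-root user.
jail_dir_is_safe() {  # jail_dir_is_safe DIR [OWNER_UID]
  local uid mode
  uid=$(stat -c '%u' "$1") || return 1
  mode=$(stat -c '%a' "$1") || return 1
  [ "$uid" = "${2:-0}" ] || return 1
  case "$mode" in        # last two octal digits: group, other; 2/3/6/7 carry the w bit
    *[2367]?|*[2367]) return 1 ;;
  esac
  return 0
}

create_jail() {  # create_jail USER   (run as root on the host)
  local user jail home
  user=$1
  jail=$JAIL_BASE/jail-$user
  home=$(jail_home_path "$user")
  jk_init -v -j "$jail" $JK_INIT_SETS         # unquoted on purpose: one argument per section
  useradd -d "$home" -s /usr/sbin/jk_chrootsh "$user"
  mkdir -p "$jail/home/$user" "$jail/tmp"
  chown "$user:$user" "$jail/home/$user"
  chmod 1777 "$jail/tmp"                      # sticky, like the host's /tmp
  jail_dir_is_safe "$jail" || {
    echo "$jail must be root-owned and not group/other writable, or jk_chrootsh will refuse logins" >&2
    return 1
  }
  echo "$user: jail $jail, home inside the jail $(in_jail_home "$home")"
}

case "${1:-}" in
  create) create_jail "${2:?usage: $0 create USER}" ;;
  "")     echo "usage: $0 create USER" >&2 ;;
  *)      echo "usage: $0 create USER" >&2; exit 1 ;;
esac
```

Run it as root with `sh mkjail.sh create someuser`. If the final check fails, `chown root:root` and `chmod 755` the jail root before trying to log in; a jail that fails that test is refused by jk_chrootsh no matter what else is in it.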
I was then able to log in by SSHing to the box as someuser. Upon logging in, I noticed that the default Debian bash login script had some problems because the ‘id’ command wasn’t available. Also, vi wasn’t available, so I copied both of those programs into the jail (fortunately their required libraries seemed to already be there).
Overall it was pretty painless to install and get working. I’m quite impressed.
One thought on “Using Jailkit for chrooting shell accounts”
I installed 2.5 and found a few more things that are helpful – not sure if they are there in 2.4.
There is a jk_cp command that will copy a file into the jail along with any related libraries. If the library already exists in the jail it leaves it alone:
jk_cp -v -j /home/jail-someuser /bin/hostname
Also, “editors” installs vim and all related libraries; you just need to create an alias for vi to vim.
You also need to set up the /etc/passwd and /etc/group files inside the jail with the user’s information and group (all paths relative to within the jail). I had a problem where the user would log in, but then immediately exit, and it was due to the /etc/group file not being updated.
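The comment’s symptom (the host accepts the login, the session ends at once) comes down to what is missing inside the jail after jk_chrootsh has chrooted. The script below is an added example; it is not from the post, the commenter, or jailkit. It derives the in-jail /etc/passwd and /etc/group lines from the host’s (jail prefix stripped from the home path, the real shell in place of jk_chrootsh, only jailed users left as group members), checks a jail for the four things the in-jail login needs, and lists the shared libraries a host binary would need copied in, which is the work jk_cp does. Current jailkit releases also ship jk_jailuser, which writes these entries for an existing user; the script shows what has to end up in the files. The function names, the subcommand names and the /bin/bash default are assumptions, and the `demo` lines are constructed, not from any real host.

```shell
#!/bin/sh
# jailcheck.sh: why does a jailkit user log in and get thrown out again?
# Derives the in-jail /etc/passwd and /etc/group lines from the host's, and
# checks the jail for the things a login needs once jk_chrootsh has chrooted:
# a passwd entry, its group, the shell it names, and its home directory.
# Added example, not from the post, the comment, or jailkit. Assumes the host
# passwd entry uses the "JAIL/./HOME" form and that the in-jail shell is
# /bin/bash (override with IN_JAIL_SHELL).
set -eu

IN_JAIL_SHELL=${IN_JAIL_SHELL:-/bin/bash}

# Host passwd line -> line for JAIL/etc/passwd: drop the "JAIL/./" prefix from
# the home directory and replace jk_chrootsh with the real shell. No hash is
# needed in the jail: sshd authenticates against the host before the chroot.
jail_passwd_entry() {  # jail_passwd_entry HOSTLINE
  printf '%s\n' "$1" | awk -F: -v OFS=: -v shell="$IN_JAIL_SHELL" '{
    sub(/^.*\/\.\//, "/", $6)
    $2 = "x"; $7 = shell
    print
  }'
}

# Host group line -> line for JAIL/etc/group with the member list cut down to
# the users named on the command line (nobody else exists inside the jail).
jail_group_entry() {  # jail_group_entry HOSTLINE USER...
  local line
  line=$1; shift
  printf '%s\n' "$line" | awk -F: -v OFS=: -v keep="$*" '
    BEGIN { n = split(keep, k, " "); for (i = 1; i <= n; i++) want[k[i]] = 1 }
    {
      n = split($4, m, ","); out = ""
      for (i = 1; i <= n; i++) if (m[i] in want) out = out (out == "" ? "" : ",") m[i]
      $4 = out; print
    }'
}

# Report every reason the in-jail login would die immediately; return 1 if any.
check_jail_login() {  # check_jail_login JAIL USER
  local jail user problems entry gid home shell f
  jail=$1; user=$2; problems=0
  for f in etc/passwd etc/group; do
    [ -f "$jail/$f" ] || { echo "missing $jail/$f"; problems=$((problems + 1)); }
  done
  entry=$(grep "^$user:" "$jail/etc/passwd" 2>/dev/null || true)
  if [ -z "$entry" ]; then
    echo "$user has no entry in $jail/etc/passwd"; problems=$((problems + 1))
  else
    gid=$(printf '%s' "$entry" | cut -d: -f4)
    home=$(printf '%s' "$entry" | cut -d: -f6)
    shell=$(printf '%s' "$entry" | cut -d: -f7)
    grep -q "^[^:]*:[^:]*:$gid:" "$jail/etc/group" 2>/dev/null ||
      { echo "gid $gid not in $jail/etc/group"; problems=$((problems + 1)); }
    [ -x "$jail$shell" ] || { echo "shell $shell missing inside jail"; problems=$((problems + 1)); }
    [ -d "$jail$home" ]  || { echo "home $home missing inside jail"; problems=$((problems + 1)); }
  fi
  [ "$problems" -eq 0 ]
}

# Shared libraries BINARY (a host path) needs that are absent under JAIL;
# this is what jk_cp copies for you. Prints nothing for a fully provisioned binary.
missing_libs() {  # missing_libs JAIL BINARY
  ldd "$2" 2>/dev/null |
    awk '$2 == "=>" && $3 ~ /^\// { print $3 } $1 ~ /^\// { print $1 }' |
    while read -r lib; do
      [ -e "$1$lib" ] || echo "$lib"
    done
}

USAGE="usage: $0 check JAIL USER | libs JAIL BINARY | passwd USER | group GROUP USER | demo"
case "${1:-}" in
  check)  check_jail_login "${2:?JAIL}" "${3:?USER}" ;;
  libs)   missing_libs "${2:?JAIL}" "${3:?BINARY}" ;;
  passwd) jail_passwd_entry "$(getent passwd "${2:?USER}")" ;;
  group)  jail_group_entry "$(getent group "${2:?GROUP}")" "${3:?USER}" ;;
  demo)   # constructed sample lines, not from any real host
          jail_passwd_entry 'someuser:x:1001:1001::/home/jail-someuser/./home/someuser:/usr/sbin/jk_chrootsh'
          jail_group_entry  'users:x:100:alice,someuser,bob' someuser ;;
  "")     echo "$USAGE" >&2 ;;
  *)      echo "$USAGE" >&2; exit 1 ;;
esac
```

Typical use: `sh jailcheck.sh passwd someuser >> /home/jail-someuser/etc/passwd`, the same for the primary group, then `sh jailcheck.sh check /home/jail-someuser someuser` before the first login. After copying any extra binary in by hand, `sh jailcheck.sh libs /home/jail-someuser /usr/bin/id` shows what still has to follow it into the jail.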