I’ve toyed around with chrooting a shell account to a directory before, but never really finished the job. Today a customer wanted it done, so I had a chance to figure it all out. I’d considered using chrooted SSH before, but that requires a patch to SSH. Today I came across jailkit, which leaves SSH alone and instead implements the chroot as the user’s shell. It seemed pretty straightforward, and it provides some utilities for creating the jail.
cd /usr/local/src
wget http://olivier.sessink.nl/jailkit/jailkit-2.4.tar.gz
tar -xvzf jailkit-2.4.tar.gz
cd jailkit-2.4
./configure && make && make install
The tools were then available. Their examples said to put the jail environment, but I figured I might want to create per-user jails, so I created it in /home/jail-someuser like this:
jk_init -v -j /home/jail-someuser basicshell editors extendedshell netutils ssh sftp scp
That creates the directory and copies all of the specified programs into place inside the jail. It also copies all of the necessary libraries, which is much easier than tracking them down by hand with ldd.
Now, just create the actual user account and some directories for inside the jail:
useradd -d /home/jail-someuser/./home/someuser -s /usr/sbin/jk_chrootsh someuser
chown someuser:someuser /home/jail-someuser/home/someuser
chmod a+rwx /home/jail-someuser/tmp
I was then able to log in by SSHing to the box as someuser. Upon logging in, I noticed that the default Debian bash login script had some problems because the ‘id’ command wasn’t available. vi wasn’t available either, so I copied both programs into the jail (fortunately their required libraries already seemed to be there).
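Once a few of these per-user jails exist it is easy to lose track of one, so here is an added audit script (my own example, not part of jailkit or the steps above) that checks every jk_chrootsh account for the things the setup depends on: the /./ separator in the home directory, the home actually existing inside the jail, the user being listed in the jail’s own etc/passwd (assumed here, since that is what jailkit’s jk_jailuser sets up), and a sticky /tmp rather than the plain a+rwx used above. The optional ROOT argument and audit_all’s passwd-file argument are my additions so a copied tree can be checked offline.

```shell
#!/bin/sh
# Added audit helper (not from jailkit or the original post). Everything before
# "/./" in a jk_chrootsh user's home is the jail root; the rest is the home
# inside the jail. ROOT (default empty) prefixes all paths for offline checks.

JK_SHELL=/usr/sbin/jk_chrootsh

# audit_jailed_user PASSWD_LINE [ROOT]: print one problem per line,
# return 0 if the entry looks sane, 1 otherwise.
audit_jailed_user() {
    line=$1; root=${2:-}; rc=0
    user=$(printf '%s' "$line" | cut -d: -f1)
    home=$(printf '%s' "$line" | cut -d: -f6)
    shell=$(printf '%s' "$line" | cut -d: -f7)
    [ "$shell" = "$JK_SHELL" ] || { echo "$user: shell is $shell, not $JK_SHELL"; rc=1; }
    case $home in
        */./*) jail=${home%%/./*}; inner=${home#*/./} ;;
        *) echo "$user: home '$home' has no /./ jail separator"; return 1 ;;
    esac
    [ -d "$root$jail" ] || { echo "$user: jail root $jail missing"; rc=1; }
    [ -d "$root$jail/$inner" ] || { echo "$user: $inner missing inside $jail"; rc=1; }
    # Assumed requirement: the user must appear in the jail's own passwd copy
    grep -q "^$user:" "$root$jail/etc/passwd" 2>/dev/null \
        || { echo "$user: not listed in $jail/etc/passwd"; rc=1; }
    # chmod a+rwx alone leaves /tmp without the sticky bit; a real /tmp is 1777
    if [ -d "$root$jail/tmp" ] && [ ! -k "$root$jail/tmp" ]; then
        echo "$user: $jail/tmp is world-writable without the sticky bit"; rc=1
    fi
    return $rc
}

# audit_all [PASSWD_FILE] [ROOT]: run the check over every jk_chrootsh account.
audit_all() {
    pw=${1:-/etc/passwd}; root=${2:-}; bad=0
    while IFS= read -r entry; do
        case $entry in
            *:"$JK_SHELL") audit_jailed_user "$entry" "$root" || bad=1 ;;
        esac
    done < "$pw"
    return $bad
}

# Usage on a live host: audit_all   (exit status 1 means at least one problem)
```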
Overall it was pretty painless to install and get working. I’m quite impressed.