
I have a user who is jailed.

sshd_config:

Subsystem sftp internal-sftp

Match user matt
     ChrootDirectory %h
     X11Forwarding no
     AllowTcpForwarding no

passwd:

matt:x:1001:5006:Matt Ryan,,,:/home/matt:/home/matt/bin/bash

This works perfectly for sftp. The user is limited to his home folder, and whatever mounts are there.

But I'd like to also give this user shell access. This is what happens when they attempt to log in:

$ ssh matt@server.com
Linux devnode 2.6.38-linode31 #1 SMP Mon Mar 21 21:22:33 UTC 2011 i686 GNU/Linux
Ubuntu 10.04.2 LTS

Welcome to Ubuntu!
 * Documentation:  https://help.ubuntu.com/
Last login: Thu Mar 31 13:04:29 2011 from abc.nyc.res.rr.com
/home/matt/bin/bash: No such file or directory
Connection to server.com closed.

Via fstab, the bin folder is mounted to the home directory and is present.

Why am I getting this error, and how can I solve it?

Thanks for the help!

Matt Ryan

1 Answer


When you chroot, the named directory becomes /. The correct shell path inside the chroot is then /bin/bash, not /home/matt/bin/bash.

You will also need to make sure there's enough other stuff inside the chroot for the system to work. You can test this with sudo chroot /home/matt /bin/bash and see what works and what doesn't; at the very least, you will probably want a dummy /etc, a bind mount of /proc, and much of /lib inside the chroot.

geekosaur
  • @geekosaur, thanks a lot... I just mounted the entire `/proc` and `/lib` folders to his home to test and it was successful. Another question though: are bind mounts costly in any way? – Matt Ryan Mar 31 '11 at 17:45
  • Bind mounts are essentially free. – geekosaur Mar 31 '11 at 17:46
  • Great. One more for bonus: how can I enable color support for this user's shell? – Matt Ryan Mar 31 '11 at 18:14
  • GNU `ls` wants some setup done by scripts in `/etc/profile.d`. Some programs may also want to see `/usr/share/terminfo/*/*`. – geekosaur Mar 31 '11 at 18:19
  • Seriously, thanks for your help. I'm having trouble bind mounting /usr/bin here though. Is there a better way to enable access to that? – Matt Ryan Mar 31 '11 at 18:24
  • If it's on the same filesystem then you can use `cp -lr /usr/bin /home/matt/usr/bin`; that also lets you remove anything you don't want to be available. – geekosaur Mar 31 '11 at 18:29
  • If new packages are added to /usr/bin, will that require me to run this command again? – Matt Ryan Mar 31 '11 at 18:35
  • Yes. You need the bind mount to get a direct image of it. What's the error with the bind mount? – geekosaur Mar 31 '11 at 18:40
  • `mount point /home/matt/usr/bin does not exist` – Matt Ryan Mar 31 '11 at 18:46
  • Well, yes, you need to create a directory for the mount to bind to. It doesn't need to have anything in it (in fact, better if it's empty as anything in it would be inaccessible after the bind mount). – geekosaur Mar 31 '11 at 18:49