1

How do I restrict the user to his current directory only?

I tried the steps mentioned on this page to configure rssh chroot jail to lock users to their home directories only, but this looks too complicated. Is there an easier way?

Caleb
  • 11,813
  • 4
  • 36
  • 49
shantanuo
  • 3,579
  • 8
  • 49
  • 66

4 Answers4

1

No. A user environment requires certain files to exist, and that article makes sure that they are present.

Ignacio Vazquez-Abrams
  • 45,939
  • 6
  • 79
  • 84
  • # the article says # Open /usres/group and /users/passwd file and remove root and all other accounts. # I have not such file using centos # – shantanuo May 26 '11 at 06:56
  • Excerpt from article above: 'Note: The files need to be placed in the jail directory (such as /users) in directories that mimic their placement in the root (/) file system. So you need to copy all required files. For example, /usr/bin/rssh is located on / file system. If your jail is located at /users, then copy /usr/bin/rssh to /users/usr/bin/rssh.' – AlexD May 26 '11 at 07:10
  • I have /users/etc/passwd and /users/etc/groups should I remove all the account from there? – shantanuo May 26 '11 at 07:23
1

I use Jailkit at $work, and it takes only a few commands. They even provide a chroot shell howto. The hardest part about maintaining a chroot for your users is copying in the libraries and binaries they need to run programs. The jk_cp command takes care of copying in dependencies.

Fanatic
  • 526
  • 2
  • 6
1

I'm inclined to think that you're confusing outcome with method. What are you actually trying to achieve by locking users into their homedirs? Running a secure yet functional non-trivial chroot is somewhere between "not worth it" and "impossible"; the chances are whatever you want to accomplish can be done some other, better, way.

womble
  • 96,255
  • 29
  • 175
  • 230
1

The easiest to do this is to set the user's shell to /bin/rbash. This puts bash into "restricted" mode. From the bash man page:

It behaves identically to bash with the exception that the following are disallowed or not performed:

  • changing directories with cd
  • setting or unsetting the values of SHELL, PATH, ENV, or BASH_ENV
  • specifying command names containing /
  • specifying a file name containing a / as an argument to the . builtin command
  • specifying a filename containing a slash as an argument to the -p option to the hash builtin command
  • importing function definitions from the shell environment at startup
  • parsing the value of SHELLOPTS from the shell environment at startup
  • redirecting output using the >, >|, <>, >&, &>, and >> redirection operators
  • using the exec builtin command to replace the shell with another command
  • adding or deleting builtin commands with the -f and -d options to the enable builtin command
  • using the enable builtin command to enable disabled shell builtins
  • specifying the -p option to the command builtin command
  • turning off restricted mode with set +r or set +o restricted.

These restrictions are enforced after any startup files are read.

Note: rbash is not an impenetrable fortress. It is still possible to leave gaping holes, and a sufficiently skilled "attacker" (i.e., one who knows more than you) will probably be able to do plenty that you won't want (or circumvent your restrictions entirely).

It is still possible to read any world readable file on the system.

Also ensure that /bin/rbash is NOT in /etc/shells otherwise he will be able to change his own shell to something unrestricted using chsh.

bahamat
  • 6,263
  • 24
  • 28