
How to properly create a chroot jail (on Ubuntu, or some other Linux if not applicable) to make a user able to edit system settings (e.g. with ifconfig) and be able to communicate with external scripts?

The use case would be to enable a user to authenticate using SSH and then be able to perform a very limited set of actions from the command line. Unfortunately, the tricky part is the access to system settings.

I have considered multiple options, and the alternatives are to set up a fake SSH server (e.g. with Twisted), try to use a restricted shell (however, I seem to need chroot still), or write a script on top of the shell (?).

Tadeck

1 Answer


Assuming you mean ifconfig, this is in my opinion not a scenario for which chroot is well-suited. You would do better to allow the user a normal login, relying on the normal system protections (which are pretty mature on UNIX/Linux) to prevent them being accidentally-destructive, and then use sudo to give fine-grained access to the relevant system commands. The audit trail will be better if they do stuff up, too. This can usefully be combined with a restricted shell if you're really feeling paranoid.

From a threat-analysis standpoint, I can't think of any kind of attacker that could reasonably be protected against by giving them chroot+fully-privileged-ifconfig.

Edit: if I were you, I'd be pushing back on that constraint; I can't see that it makes much sense. Trying to hide system details from people who can perform system-level tasks is probably not going to work against any intelligent attacker.

MadHatter
  • Yes, I meant `ifconfig` (it was a typo). Can I somehow utilize links (http://serverfault.com/a/350888/82201) or bind mounts (http://docs.1h.com/Bind_mounts) to get ability to call fully privileged `ifconfig` from inside `chroot`? I do not know why exactly `chroot` is required here either, but I think it is in order to hide real system and apps within it. (The requirement did not come from me.) – Tadeck Oct 22 '13 at 08:53
  • I second MadHatter. (The only system I can think of that will actually achieve this is HP-UX with security containments. It is most definitely not free or inexpensive.) – Jenny D Oct 22 '13 at 10:20
  • @JennyD & MadHatter: What about using restricted shell + chroot + linking commands (that you could identify by `type -a {command}`) to be callable from inside chroot? What about AppArmor? I am really confused and nothing really meets my needs :( – Tadeck Oct 23 '13 at 07:00
  • I submit that that is because your needs make no sense. It is often the case that an arbitrarily-constructed but self-defeating set of constraints is difficult to satisfy; reality is boringly inflexible like that. – MadHatter Oct 23 '13 at 07:15
  • @Tadeck Once you allow the user to run commands requiring root privileges from inside the chroot, you've essentially given them the key to the chroot jail. It makes no sense at all. – Jenny D Oct 23 '13 at 07:29
  • I strongly suggest taking a step back. You're asking us how to do a particular thing that you think would solve your problem. Instead, consider the actual problem and what it is you're trying to do. There may be some very simple answers that you're not seeing because you're focused on this one impossible idea. – Jenny D Oct 23 '13 at 07:31
  • As ever, JennyD is spot on the money. I wish I'd put it that tersely! – MadHatter Oct 23 '13 at 07:31
  • @JennyD & MadHatter: I think I get your point, but one question, though... There is a way to actually restrict users to executing only part of `sudo` commands (eg. allow `sudo service apache2 restart`, but deny `sudo service apache2 stop`). Assuming similar restrictions would still be applied, does that mean they can be used to gain full access to the system outside chroot? The use case scenario is to make user able to make some configuration changes, read the logs, start and stop the app etc., but not allow him to see the hosted application code. Is there anything easier / out-of-the-box? – Tadeck Oct 23 '13 at 08:03
  • Firstly, yes, `sudo` can be used like that. Secondly, deny him read privileges on the application code! Your whole question seems predicated on the assumption that `chmod o-rwx` doesn't work, but it does. – MadHatter Oct 23 '13 at 08:22
  • @MadHatter: Yeah, I really see several options outside of `chroot`, and I really want to avoid `chroot` as it creates only problems and is rejected by people more advanced than myself. On the other hand, AppArmor looks like it meets the requirements: http://askubuntu.com/a/93413/18697 – Tadeck Oct 23 '13 at 09:29
  • @Tadeck, that link shows how to jail people within their homedir but it doesn't allow them to execute outside commands as root. I'd really go with sudo - or else, don't allow them on the system at all, and instead implement e.g. puppet to push out configuration changes and restart that way. – Jenny D Oct 23 '13 at 10:30
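To make the sudo-plus-file-permissions approach from the answer and the later comments concrete, here is an added example script; it is not from any participant in the thread. It assumes an operator account `webops`, application code in `/srv/app` owned by group `appdev`, and Ubuntu paths for `service`, `tail` and `ifconfig`; all of these are placeholders to adapt.

```shell
#!/bin/sh
# Added example (not from the thread): fine-grained sudo plus filesystem
# permissions instead of a chroot. Placeholder names; adjust before use.
OPS_USER="${OPS_USER:-webops}"
APP_DIR="${APP_DIR:-/srv/app}"
APP_GROUP="${APP_GROUP:-appdev}"

# Emit a sudoers drop-in that lists every permitted command by absolute path
# and exact arguments. Nothing else is allowed, so "service apache2 stop"
# is refused simply by not being listed (an allowlist is more reliable than
# "!" negations). No wildcards: a "*" in sudoers also matches spaces, so it
# would accept extra arguments the policy never meant to permit. Every
# accepted or refused invocation is logged by sudo, which is the audit
# trail the answer refers to.
sudoers_policy() {
    user="$1"
    cat <<EOF
Cmnd_Alias APP_CTL  = /usr/sbin/service apache2 restart, \\
                      /usr/sbin/service apache2 reload, \\
                      /usr/sbin/service apache2 status
Cmnd_Alias APP_LOGS = /usr/bin/tail -n 200 /var/log/apache2/error.log, \\
                      /usr/bin/tail -n 200 /var/log/apache2/access.log
Cmnd_Alias NET_CFG  = /sbin/ifconfig eth0, /sbin/ifconfig eth0 up, \\
                      /sbin/ifconfig eth0 down
$user ALL=(root) NOPASSWD: APP_CTL, APP_LOGS, NET_CFG
EOF
}

# Syntax-check with visudo before the file goes live: a broken file under
# /etc/sudoers.d can lock every administrator out of sudo.
install_policy() {
    tmp="$(mktemp)"
    sudoers_policy "$OPS_USER" > "$tmp"
    visudo -c -q -f "$tmp"
    install -m 0440 -o root -g root "$tmp" "/etc/sudoers.d/$OPS_USER"
    rm -f "$tmp"
}

# The "chmod o-rwx" from the comments: the operator (not in APP_GROUP) can no
# longer read the application code, while developers in the group still can.
# The web server's service account (e.g. www-data) must also be in APP_GROUP,
# or it loses access to the code it serves.
lock_down_app_dir() {
    chgrp -R "$APP_GROUP" "$APP_DIR"
    chmod -R o-rwx "$APP_DIR"
}

# Only change the system when explicitly asked: "sh this.sh apply" as root.
if [ "${1:-}" = "apply" ]; then
    install_policy
    lock_down_app_dir
fi
```

Running the script without the `apply` argument only defines the functions, so the policy can be inspected with `sudoers_policy webops` before anything is written.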