
I created a chrooted user on a directory /home/jail. Inside my /home/jail are the bin, dev, etc, home, lib, lib64 and usr directories. /home/jail/{bin,dev,etc,home,lib,lib64,usr} are all owned by root:root. I set my user's home directory to /home/jail/home/user, as shown in my /etc/passwd, and in my sshd_config I have these entries:

Match Group jail
 ChrootDirectory /home/jail

Of course the user is in the jail group.

The chrooted user can log in, but the bin, dev, etc, home, lib, lib64 and usr directories can be seen by the user. Is this normal for a chrooted environment?

If I change the ChrootDirectory to /home/jail/home, the shell closes right after I enter my password, without any trace of an error in /var/log/auth.log.

By the way, I use PuTTY and the server is running Debian Wheezy.

Jm Cruz


A chrooted process can see everything inside the chroot. That is perfectly normal, and it couldn't work any other way if you want to be able to run a normal shell within the chroot.

The point is, you shouldn't put all the normal contents of /bin, /dev, /etc, etc. inside the chroot. Instead you should restrict it to only those absolutely needed by the things you intend to run inside the chroot. In particular, suid executables are important to keep out of the chroot, because they are the most likely to have exploitable weaknesses.

kasperd
  • Hey, thanks, that clarifies my problem. But I have /home/user in /home/jail as well; I was expecting the user's home directory to be /home/jail/home/user. How would I do that? Thanks again. – Jm Cruz Dec 09 '14 at 06:13
  • @user2547024 Once inside a chroot, everything is specified relative to the chroot. So inside the chroot you need to have files in `/etc` specifying users and groups, and inside those any home directory is specified relative to the chroot. – kasperd Dec 09 '14 at 11:38
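The answer above makes two practical points: keep setuid executables out of the jail, and keep the jail's contents minimal. The silent disconnect the question describes when ChrootDirectory is moved is also the behaviour sshd_config(5) documents when any component of the ChrootDirectory path is not a root-owned directory or is writable by group or others. The following audit script is an added example, not code from the question or the answer; it assumes a Linux host whose find(1) and stat(1) accept the GNU/busybox options used here. The function names (`find_suid_in_chroot`, `dir_is_chroot_safe`, `check_chroot_path`, `list_needed_libs`) and the optional uid/top arguments are this example's own, added so the checks can be run against a test tree as a non-root user.

```shell
#!/bin/sh
# Audit helpers for an sshd ChrootDirectory tree (added example, not from the
# original post). Assumes Linux with find(1) supporting -perm/-xdev and
# stat(1) supporting -c, plus ldd(1) for list_needed_libs.

# List setuid/setgid regular files under the jail; these are exactly the
# binaries the answer says to keep out. Returns 1 if any are found.
find_suid_in_chroot() {
    jail=$1
    found=$(find "$jail" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null)
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# Return 0 if a single directory is owned by uid $2 (default 0, root) and is
# neither group- nor world-writable. sshd requires this of every component of
# the ChrootDirectory path; a violation ends the session at login time.
dir_is_chroot_safe() {
    d=$1
    want_uid=${2:-0}
    uid=$(stat -c '%u' "$d" 2>/dev/null) || return 1
    mode=$(stat -c '%a' "$d" 2>/dev/null) || return 1
    [ "$uid" = "$want_uid" ] || return 1
    perm3=${mode#"${mode%???}"}   # last three octal digits (drop any sticky/suid digit)
    grp=${perm3#?}; grp=${grp%?}  # group digit
    oth=${perm3#??}               # others digit
    case $grp in 2|3|6|7) return 1 ;; esac   # group write bit set
    case $oth in 2|3|6|7) return 1 ;; esac   # world write bit set
    return 0
}

# Walk from directory $1 up to $3 (default /) and check every component with
# dir_is_chroot_safe, using uid $2 (default 0). Prints the first offending
# component and returns 1; returns 0 when the whole path passes.
check_chroot_path() {
    d=$1; want_uid=${2:-0}; top=${3:-/}
    while :; do
        if ! dir_is_chroot_safe "$d" "$want_uid"; then
            printf 'bad component: %s\n' "$d"
            return 1
        fi
        [ "$d" = "$top" ] && return 0
        [ "$d" = "/" ] && return 0
        d=$(dirname "$d")
    done
}

# Print the shared libraries a dynamically linked binary needs, so only those
# (and the binary itself) have to be copied into the jail's lib directories.
list_needed_libs() {
    ldd "$1" 2>/dev/null | awk '/=> \// {print $3} /^[[:space:]]*\// {print $1}'
}

# Usage: audit_chroot /home/jail
audit_chroot() {
    jail=$1
    echo "== setuid/setgid files inside $jail =="
    find_suid_in_chroot "$jail" && echo "(none)"
    echo "== ChrootDirectory path ownership/mode =="
    check_chroot_path "$jail" && echo "ok"
}
```

Run `audit_chroot /home/jail` as root on the server; an empty setuid list and an "ok" for the path check are what the answer's advice and sshd's requirements call for. `list_needed_libs /bin/bash` gives the library paths to copy under the jail's lib and lib64 directories.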