Secure Shell
openssh-5.3p1 chroot selinux error on CentOS-5.4 Feb 02 2010 09:25PM
James B. Byrne (byrnejb harte-lyne ca) (1 replies)
Re: openssh-5.3p1 chroot selinux error on CentOS-5.4 Feb 14 2010 08:09AM
Jon Kibler (Jon Kibler aset com)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 2/2/10 4:25 PM, James B. Byrne wrote:
> I built and installed openssh-5.3p1 on an x86_64 host running
> CentOs-5.4. These are the build options:
>

I have it working on CentOS 5.4. It was a PITA to get to work. Most
likely you are getting bitten by SELinux. Here is some stuff that may be of
help:

BUILD SCRIPT
============
[root@FOO openssh-5.3p1]# more run-config
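#!/bin/bash
# run-config -- configure the OpenSSH 5.3p1 build used for the chroot setup.
# The original line read "#/bin/bash" (no "!"), so the kernel could not use
# it as an interpreter line and the script only worked when run via "sh".
# --with-selinux builds sshd's SELinux support and --with-pam lets sshd run
# the /etc/pam.d/sshd stack shown below; both are what the chroot relies on.
PFX='/usr/local'
./configure --prefix="${PFX}" --sysconfdir="${PFX}/etc/ssh" --with-pam --with-lastlog --with-tcp-wrappers --with-md5-passwords --with-selinux --with-kerberos5
exit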

CHANGES TO /etc/init.d/sshd
===========================
...
# Optional local overrides. The /usr/local prefix matches the --prefix given
# to configure, so the distro's own /etc/sysconfig/sshd is deliberately not
# read here.
if [ -f /usr/local/etc/sysconfig/sshd ]; then
  . /usr/local/etc/sysconfig/sshd
fi

RETVAL=0
prog=sshd

# Paths of the locally built OpenSSH instead of the distro's /usr/bin and
# /etc/ssh locations; the (elided) rest of the init script presumably uses
# these for key generation and daemon start-up.
KEYGEN=/usr/local/bin/ssh-keygen
SSHD=/usr/local/sbin/sshd
# Host keys live under the --sysconfdir passed to configure.
RSA1_KEY=/usr/local/etc/ssh/ssh_host_key   # SSH protocol 1 host key
RSA_KEY=/usr/local/etc/ssh/ssh_host_rsa_key
DSA_KEY=/usr/local/etc/ssh/ssh_host_dsa_key
...

SSHD PAM STACK
==============
[root@FOO pam.d]# cat sshd
#%PAM-1.0
# /etc/pam.d/sshd for the --with-pam OpenSSH build above.
# auth, account and password are delegated to the distro's system-auth stack.
auth include system-auth
# pam_nologin: refuse non-root logins while /etc/nologin exists.
account required pam_nologin.so
account include system-auth
password include system-auth
# pam_selinux sets the SELinux context of the login session; the
# create-chroot template below lists it as a required step for chrooted users.
session required pam_selinux.so
# pam_keyinit "force revoke": give the session a fresh kernel keyring and
# revoke it when the session ends.
session optional pam_keyinit.so force revoke
session include system-auth
# pam_loginuid records the login UID for the audit subsystem.
session required pam_loginuid.so

ADDITIONS TO /etc/fstab
=======================
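# Bind the host's selinuxfs and policy configuration into the chroot
# read-only, presumably so libselinux inside the chroot can query policy
# without any way to alter it. NOTE(review): on older kernels the ro flag of
# a bind mount may only take effect after a separate remount -- check the
# result with mount(8).
/selinux /PATH2CHROOT/chroot/selinux none bind,ro 0 0
/etc/selinux /PATH2CHROOT/chroot/etc/selinux none bind,ro 0 0
# proc is needed inside the chroot for the /dev/std{in,out,err} links,
# which point at /proc/self/fd/N.
proc /PATH2CHROOT/chroot/proc proc defaults 0 0
sysfs /PATH2CHROOT/chroot/sys sysfs defaults 0 0
# One entry (it was split across two lines by mail wrapping): a separate
# 512M tmpfs for the chroot's /tmp. nodev,nosuid,noexec stop a chrooted user
# from planting device nodes, setuid binaries or runnable files in the only
# world-writable directory of the tree.
tmpfs /PATH2CHROOT/chroot/tmp tmpfs noatime,nodev,nosuid,noexec,nouser,mode=1777,size=512M 0 0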

CHROOT DIRECTORY REQUIREMENTS
=============================
[root@FOO chroot]# ll
drwxr-x--x 2 root root 4096 Jan 24 21:40 bin
drwxr-x--x 2 root root 4096 Jan 24 15:10 dev
drwxr-x--x 3 root root 4096 Jan 25 10:55 etc
drwxr-x--x 4 root root 4096 Jan 25 10:47 home
drwxr-x--x 2 root root 4096 Jan 24 21:16 lib
drwxr-x--x 2 root root 4096 Jan 24 21:16 lib64
dr-xr-xr-x 117 root root 0 Jan 24 01:12 proc
drwxr-xr-x 4 root root 0 Jan 24 01:12 selinux
drwxr-xr-x 11 root root 0 Jan 24 01:12 sys
drwxrwxrwt 2 root root 40 Jan 24 14:04 tmp
drwxr-x--x 5 root root 4096 Jan 24 15:35 usr
drwxr-x--x 3 root root 4096 Jan 24 16:14 var

[root@FOO chroot]# ll bin
total 2128
- -r-xr-xr-x 1 root root 801512 Jan 22 2009 bash
(and other stuff that you may want users to use)

[root@FOO chroot]# ll dev
crw-rw-rw- 1 root root 1, 3 Jan 24 15:02 null
crw-rw-rw- 1 root root 1, 8 Jan 24 15:07 random
lrwxrwxrwx 1 root root 15 Jan 24 15:09 stderr -> /proc/self/fd/2
lrwxrwxrwx 1 root root 15 Jan 24 15:10 stdin -> /proc/self/fd/0
lrwxrwxrwx 1 root root 15 Jan 24 15:10 stdout -> /proc/self/fd/1
cr--r--r-- 1 root root 1, 9 Jan 24 15:08 urandom
crw-rw-rw- 1 root root 1, 5 Jan 24 15:02 zero

# except for motd, all of the following is needed
# motd is needed only if you have sshd display the motd message
[root@FOO chroot]# ll etc
total 88
- -r--r--r-- 1 root root 80 Jan 24 21:39 bashrc
- -r--r--r-- 1 root root 266 Jan 25 10:50 group
- -r--r--r-- 1 root root 1257 Jan 24 20:52 hosts
- -r--r--r-- 1 root root 758 Sep 23 2004 inputrc
- -r--r--r-- 1 root root 118 May 8 2009 localtime
- -r--r--r-- 1 root root 2026 Jan 24 23:02 motd
- -r--r--r-- 1 root root 1696 Sep 23 2004 nsswitch.conf
- -r--r--r-- 1 root root 558 Jan 25 10:55 passwd
- -r--r--r-- 1 root root 739 Jan 24 22:16 profile
- -r--r--r-- 1 root root 149 Jan 24 20:55 resolv.conf
drwxr-x--x 3 root root 4096 Jan 22 11:00 selinux

# most of lib + lib64 + /usr/lib + /usr/lib64
# exists so that name services work,
# including making the bash command prompt work
[root@FOO chroot]# ll lib
- -rwxr-xr-x 1 root root 36348 Jan 20 22:11 libnss_compat-2.5.so
lrwxrwxrwx 1 root root 20 Jan 24 21:16 libnss_compat.so.2 ->
libnss_compat-2.5.so
- -rwxr-xr-x 1 root root 824548 May 24 2008 libnss_db-2.2.so
lrwxrwxrwx 1 root root 16 Jan 24 21:16 libnss_db.so.2 ->
libnss_db-2.2.so
- -rwxr-xr-x 1 root root 21876 Jan 20 22:11 libnss_dns-2.5.so
lrwxrwxrwx 1 root root 17 Jan 24 21:16 libnss_dns.so.2 ->
libnss_dns-2.5.so
- -rwxr-xr-x 1 root root 46680 Jan 20 22:11 libnss_files-2.5.so
lrwxrwxrwx 1 root root 19 Jan 24 21:16 libnss_files.so.2 ->
libnss_files-2.5.so
- -rwxr-xr-x 1 root root 22692 Jan 20 22:11 libnss_hesiod-2.5.so
lrwxrwxrwx 1 root root 20 Jan 24 21:16 libnss_hesiod.so.2 ->
libnss_hesiod-2.5.so
- -rwxr-xr-x 1 root root 3200212 Oct 27 14:01 libnss_ldap-2.5.so
lrwxrwxrwx 1 root root 18 Jan 24 21:16 libnss_ldap.so.2 ->
libnss_ldap-2.5.so
- -rwxr-xr-x 1 root root 42372 Jan 20 22:11 libnss_nis-2.5.so
- -rwxr-xr-x 1 root root 51636 Jan 20 22:11 libnss_nisplus-2.5.so
lrwxrwxrwx 1 root root 21 Jan 24 21:16 libnss_nisplus.so.2 ->
libnss_nisplus-2.5.so
lrwxrwxrwx 1 root root 17 Jan 24 21:16 libnss_nis.so.2 ->
libnss_nis-2.5.so

[root@FOO chroot]# ll lib64
- -rwxr-xr-x 1 root root 139416 Jan 20 18:43 ld-2.5.so
lrwxrwxrwx 1 root root 9 Jan 24 15:59 ld-linux-x86-64.so.2 ->
ld-2.5.so
lrwxrwxrwx 1 root root 15 Jan 24 15:59 libacl.so.1 -> libacl.so.1.1.0
- -rwxr-xr-x 1 root root 28008 May 24 2008 libacl.so.1.1.0
lrwxrwxrwx 1 root root 16 Jan 24 15:59 libattr.so.1 -> libattr.so.1.1.0
- -rwxr-xr-x 1 root root 17888 Jan 6 2007 libattr.so.1.1.0
- -rwxr-xr-x 1 root root 1717800 Jan 20 18:43 libc-2.5.so
lrwxrwxrwx 1 root root 17 Jan 24 15:59 libcom_err.so.2 ->
libcom_err.so.2.1
- -rwxr-xr-x 1 root root 10000 Sep 3 19:53 libcom_err.so.2.1
- -rwxr-xr-x 1 root root 48600 Jan 20 18:43 libcrypt-2.5.so
- -rwxr-xr-x 1 root root 1366208 Jan 20 15:56 libcrypto.so.0.9.8e
lrwxrwxrwx 1 root root 19 Jan 24 15:59 libcrypto.so.6 ->
libcrypto.so.0.9.8e
lrwxrwxrwx 1 root root 15 Jan 24 15:59 libcrypt.so.1 -> libcrypt-2.5.so
lrwxrwxrwx 1 root root 11 Jan 24 15:59 libc.so.6 -> libc-2.5.so
- -rwxr-xr-x 1 root root 23360 Jan 20 18:43 libdl-2.5.so
lrwxrwxrwx 1 root root 12 Jan 24 15:59 libdl.so.2 -> libdl-2.5.so
- -rwxr-xr-x 1 root root 9472 Jan 6 2007 libkeyutils-1.2.so
lrwxrwxrwx 1 root root 18 Jan 24 15:59 libkeyutils.so.1 ->
libkeyutils-1.2.so
- -rwxr-xr-x 1 root root 615136 Jan 20 18:43 libm-2.5.so
lrwxrwxrwx 1 root root 11 Jan 24 15:59 libm.so.6 -> libm-2.5.so
- -rwxr-xr-x 1 root root 43040 Jan 20 18:43 libnss_compat-2.5.so
lrwxrwxrwx 1 root root 20 Jan 24 21:16 libnss_compat.so.2 ->
libnss_compat-2.5.so
- -rwxr-xr-x 1 root root 791456 May 24 2008 libnss_db-2.2.so
lrwxrwxrwx 1 root root 16 Jan 24 21:16 libnss_db.so.2 ->
libnss_db-2.2.so
- -rwxr-xr-x 1 root root 23736 Jan 20 18:43 libnss_dns-2.5.so
lrwxrwxrwx 1 root root 17 Jan 24 21:16 libnss_dns.so.2 ->
libnss_dns-2.5.so
- -rwxr-xr-x 1 root root 53880 Jan 20 18:43 libnss_files-2.5.so
lrwxrwxrwx 1 root root 19 Jan 24 21:16 libnss_files.so.2 ->
libnss_files-2.5.so
- -rwxr-xr-x 1 root root 24736 Jan 20 18:43 libnss_hesiod-2.5.so
lrwxrwxrwx 1 root root 20 Jan 24 21:16 libnss_hesiod.so.2 ->
libnss_hesiod-2.5.so
- -rwxr-xr-x 1 root root 3165384 Oct 27 13:56 libnss_ldap-2.5.so
lrwxrwxrwx 1 root root 18 Jan 24 21:16 libnss_ldap.so.2 ->
libnss_ldap-2.5.so
- -rwxr-xr-x 1 root root 53432 Jan 20 18:43 libnss_nis-2.5.so
- -rwxr-xr-x 1 root root 62944 Jan 20 18:43 libnss_nisplus-2.5.so
lrwxrwxrwx 1 root root 21 Jan 24 21:16 libnss_nisplus.so.2 ->
libnss_nisplus-2.5.so
lrwxrwxrwx 1 root root 17 Jan 24 21:16 libnss_nis.so.2 ->
libnss_nis-2.5.so
- -rwxr-xr-x 1 root root 145824 Jan 20 18:43 libpthread-2.5.so
lrwxrwxrwx 1 root root 17 Jan 24 15:59 libpthread.so.0 ->
libpthread-2.5.so
- -rwxr-xr-x 1 root root 92736 Jan 20 18:43 libresolv-2.5.so
lrwxrwxrwx 1 root root 16 Jan 24 15:59 libresolv.so.2 ->
libresolv-2.5.so
- -rwxr-xr-x 1 root root 53448 Jan 20 18:43 librt-2.5.so
lrwxrwxrwx 1 root root 12 Jan 24 15:59 librt.so.1 -> librt-2.5.so
- -rwxr-xr-x 1 root root 95464 Sep 3 23:00 libselinux.so.1
- -rwxr-xr-x 1 root root 247496 Sep 3 20:35 libsepol.so.1
- -rwxr-xr-x 1 root root 306568 Jan 20 15:56 libssl.so.0.9.8e
lrwxrwxrwx 1 root root 16 Jan 24 15:59 libssl.so.6 -> libssl.so.0.9.8e
lrwxrwxrwx 1 root root 19 Jan 24 15:59 libtermcap.so.2 ->
libtermcap.so.2.0.8
- -rwxr-xr-x 1 root root 15584 Jan 6 2007 libtermcap.so.2.0.8

[root@FOO chroot]# ll usr
drwxr-x--x 2 root root 4096 Jan 24 16:40 bin
drwxr-x--x 2 root root 4096 Jan 24 21:16 lib
drwxr-x--x 2 root root 4096 Jan 24 21:16 lib64

[root@FOO chroot]# ll usr/lib
- -rwxr-xr-x 1 root root 1187124 Jul 27 2009 libnss3.so
- -rwxr-xr-x 1 root root 373992 Jul 27 2009 libnssckbi.so
lrwxrwxrwx 1 root root 28 Jan 24 21:16 libnss_compat.so ->
../../lib/libnss_compat.so.2
lrwxrwxrwx 1 root root 24 Jan 24 21:16 libnss_db.so ->
../../lib/libnss_db.so.2
lrwxrwxrwx 1 root root 25 Jan 24 21:16 libnss_dns.so ->
../../lib/libnss_dns.so.2
lrwxrwxrwx 1 root root 27 Jan 24 21:16 libnss_files.so ->
../../lib/libnss_files.so.2
lrwxrwxrwx 1 root root 28 Jan 24 21:16 libnss_hesiod.so ->
../../lib/libnss_hesiod.so.2
lrwxrwxrwx 1 root root 26 Jan 24 21:16 libnss_ldap.so ->
../../lib/libnss_ldap.so.2
lrwxrwxrwx 1 root root 29 Jan 24 21:16 libnss_nisplus.so ->
../../lib/libnss_nisplus.so.2
lrwxrwxrwx 1 root root 25 Jan 24 21:16 libnss_nis.so ->
../../lib/libnss_nis.so.2
- -rwxr-xr-x 1 root root 96924 Jul 27 2009 libnssutil3.so

[root@FOO chroot]# ll usr/lib64
lrwxrwxrwx 1 root root 21 Jan 24 15:59 libgssapi_krb5.so.2 ->
libgssapi_krb5.so.2.2
- -rwxr-xr-x 1 root root 190976 Jan 13 00:17 libgssapi_krb5.so.2.2
lrwxrwxrwx 1 root root 18 Jan 24 15:59 libk5crypto.so.3 ->
libk5crypto.so.3.1
- -rwxr-xr-x 1 root root 153624 Jan 13 00:17 libk5crypto.so.3.1
lrwxrwxrwx 1 root root 14 Jan 24 15:59 libkrb5.so.3 -> libkrb5.so.3.3
- -rwxr-xr-x 1 root root 613896 Jan 13 00:17 libkrb5.so.3.3
lrwxrwxrwx 1 root root 21 Jan 24 15:59 libkrb5support.so.0 ->
libkrb5support.so.0.1
- -rwxr-xr-x 1 root root 35728 Jan 13 00:17 libkrb5support.so.0.1
lrwxrwxrwx 1 root root 21 Jan 24 15:59 liblber-2.3.so.0 ->
liblber-2.3.so.0.2.31
- -rwxr-xr-x 1 root root 59040 Jan 21 2009 liblber-2.3.so.0.2.31
lrwxrwxrwx 1 root root 21 Jan 24 15:59 libldap-2.3.so.0 ->
libldap-2.3.so.0.2.31
- -rwxr-xr-x 1 root root 241360 Jan 21 2009 libldap-2.3.so.0.2.31
lrwxrwxrwx 1 root root 17 Jan 24 15:59 libncurses.so.5 ->
libncurses.so.5.5
- -rwxr-xr-x 1 root root 380336 Jan 6 2007 libncurses.so.5.5
lrwxrwxrwx 1 root root 18 Jan 24 15:59 libncursesw.so.5 ->
libncursesw.so.5.5
- -rwxr-xr-x 1 root root 413488 Jan 6 2007 libncursesw.so.5.5
- -rwxr-xr-x 1 root root 1221496 Jul 27 2009 libnss3.so
- -rwxr-xr-x 1 root root 492960 Jul 27 2009 libnssckbi.so
lrwxrwxrwx 1 root root 30 Jan 24 21:16 libnss_compat.so ->
../../lib64/libnss_compat.so.2
lrwxrwxrwx 1 root root 26 Jan 24 21:16 libnss_db.so ->
../../lib64/libnss_db.so.2
lrwxrwxrwx 1 root root 27 Jan 24 21:16 libnss_dns.so ->
../../lib64/libnss_dns.so.2
lrwxrwxrwx 1 root root 29 Jan 24 21:16 libnss_files.so ->
../../lib64/libnss_files.so.2
lrwxrwxrwx 1 root root 30 Jan 24 21:16 libnss_hesiod.so ->
../../lib64/libnss_hesiod.so.2
lrwxrwxrwx 1 root root 28 Jan 24 21:16 libnss_ldap.so ->
../../lib64/libnss_ldap.so.2
lrwxrwxrwx 1 root root 31 Jan 24 21:16 libnss_nisplus.so ->
../../lib64/libnss_nisplus.so.2
lrwxrwxrwx 1 root root 27 Jan 24 21:16 libnss_nis.so ->
../../lib64/libnss_nis.so.2
- -rwxr-xr-x 1 root root 119696 Jul 27 2009 libnssutil3.so
lrwxrwxrwx 1 root root 18 Jan 24 15:59 libsasl2.so.2 ->
libsasl2.so.2.0.22
- -rwxr-xr-x 1 root root 105464 Sep 4 00:05 libsasl2.so.2.0.22
- -rwxr-xr-x 1 root root 805656 Sep 20 02:26 libtcl8.4.so
lrwxrwxrwx 1 root root 13 Jan 24 15:59 libz.so.1 -> libz.so.1.2.3
- -rwxr-xr-x 1 root root 85608 Jan 9 2007 libz.so.1.2.3

PASSWD MUNGE
============
entry in /etc/passwd
footest:x:505:505:Chroot Test Account:/PATH2CHROOT/chroot/home/footest:/bin/bash

entry in /PATH2CHROOT/chroot/etc/passwd
footest:x:505:505:Chroot Test Account:/home/footest:/bin/bash

Also, in the chroot-ed passwd and group files, strip out all non-chroot-ed
users and groups, except for root.

PROFILE MUNGE
=============
copy /etc/profile to /PATH2CHROOT/chroot/etc/profile and add the
following code to the top of the file:

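# CHROOT environment for login setup
# Special setup for chroot: the login arrives with the HOME of the real
# /etc/passwd entry, which carries the chroot prefix (see PASSWD MUNGE);
# strip it so HOME is the path as seen from inside the chroot.
# ${HOME#prefix} removes only a leading match and needs no echo|sed
# pipeline, whereas sed 's^prefix^^' would also rewrite a later occurrence.
HOME=${HOME#/PATH2CHROOT/chroot}
export HOME
PWD=${HOME}
export PWD
cd "${HOME}"
umask 002
# end chroot setup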

FINAL NOTES
===========
1) I have not tried to make syslog work. It should be rather
straightforward, but I just have not had time to set it up.

2) I am attaching a template that can be used to build the chroot
environment. It has been tested exactly once. YMMV. (Assuming it makes
it past the mailing list filter!)

I hope this fixes your problem.

Jon Kibler
- --
Jon R. Kibler
Chief Technical Officer
Advanced Systems Engineering Technology, Inc.
Charleston, SC USA
o/c/s: 843-849-8214 / 843-813-2924 / 843-564-4224
e: Jon.Kibler (at) aset (dot) com [email concealed] or Jon.R.Kibler (at) gmail (dot) com [email concealed]
s: JonRKibler
http://www.linkedin.com/in/jonrkibler

My PGP Fingerprint is:
BAA2 1F2C 5543 5D25 4636 A392 515C 5045 CF39 4253

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkt3r9MACgkQUVxQRc85QlPmZACgmYQ9z3Ji9TrUY9Qq372SpwTq
9OEAnikPvbaPr9f1EPPt3u7q9Qe57872
=YOSg
-----END PGP SIGNATURE-----
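#!/bin/bash
# Copyright (c) 2010 by Advanced Systems Engineering Technology, Inc. All Rights Reserved.
#
# You are free to use this script as you see fit.
# However, if you modify / copy / redistribute it, you must give
# attribution to its original source.
#
# Script is provided "as-is" and may or may not work in your
# environment. Please report bugs to: Jon.R.Kibler (at) gmail (dot) com [email concealed]
#
#
# create-chroot.sh -- create an SSH chroot environment for users
# that works with PAM and SELinux
# REQUIRES OpenSSH > 5.Xp1
#
# Run under bash, not a plain POSIX sh: the file lists below use brace
# expansion ({a,b,c}), which sh does not perform.
#
# STOP!! Read and tailor this file!! Don't just blindly use it!!
# This file is a TEMPLATE -- NOT a real chroot creation script!
#
# You will also have to set up sshd_config to chroot the user.
# That step must include:
# -- adding pam_selinux.so to /etc/pam.d/sshd
# -- creating a unique chroot group for this chroot
# and adding to that chroot group all users that
# are to be chrooted (user's home directory must
# be ${CHROOT}/home/${USER})
# -- creating a "Match Group" section at the end of
# the sshd_config file for that chroot group, and
# explicitly setting the chroot path on the
# ChrootDirectory statement in the match group.
# You will probably want to also create a unique
# /etc/issue for it and put the appropriate Banner
# pointer in that match group. Also, lock down
# the group to prevent creating tunnels, etc.
#
# Template guard: delete this exit only once every path and file list
# below has been adapted to the target host.
exit
#
# Stop at the first failing command. Continuing past a failed mkdir, cp
# or chcon would leave a partially built, partially labelled tree behind.
set -e
#
# Create the chroot dir
#
# directory pathname MUST begin with a "/" and *not* end with a "/"
# (it is concatenated with itself further down to build ${CHROOT}${CHROOT}).
# mkdir is used without -p on purpose: an existing directory aborts the
# script instead of being silently re-labelled.
CHROOT=/var/www/chroot
mkdir "${CHROOT}"
chown root:root "${CHROOT}"
# 751: root-owned and traverse-only for everyone else. sshd refuses a
# ChrootDirectory that is not root-owned or is group/world writable.
chmod 751 "${CHROOT}"
chcon system_u:object_r:root_t "${CHROOT}"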
#
# Create required directories in ${CHROOT}
#
# Listed parent-first so that usr exists before usr/bin, usr/lib and
# usr/lib64 are created; every one of them is root-owned and 751.
req_dirs=(bin dev etc home lib lib64 usr usr/bin usr/lib usr/lib64 var)
req_paths=()
for d in "${req_dirs[@]}"; do
  req_paths+=("${CHROOT}/${d}")
done
mkdir "${req_paths[@]}"
chown root:root "${req_paths[@]}"
chmod 751 "${req_paths[@]}"
# SELinux type per directory: bin_t for executables, lib_t for libraries,
# etc_t for configuration, and so on.
chcon system_u:object_r:bin_t "${CHROOT}/bin"
chcon system_u:object_r:device_t "${CHROOT}/dev"
chcon system_u:object_r:etc_t "${CHROOT}/etc"
chcon system_u:object_r:home_root_t "${CHROOT}/home"
chcon system_u:object_r:lib_t "${CHROOT}/lib" "${CHROOT}/lib64" "${CHROOT}/usr/lib" "${CHROOT}/usr/lib64"
chcon system_u:object_r:usr_t "${CHROOT}/usr"
chcon system_u:object_r:bin_t "${CHROOT}/usr/bin"
chcon system_u:object_r:var_t "${CHROOT}/var"
#
# create mount point within the mount point
# N.B. You *must* set appropriate permissions and
# SELinux context on each directory in this
# path under the initial ${CHROOT}.
# Also, you must adjust the path to create a
# symbolic link that points to the ${CHROOT}/home
# directory within ${CHROOT}${CHROOT}, and this
# must be a relative path.
mkdir -p "${CHROOT}${CHROOT}"
# chown root:root ${CHROOT}${CHROOT}
# chmod 751 ${CHROOT}${CHROOT}
# chcon system_u:object_r:root_t ${CHROOT}${CHROOT}
# ln -s ../../../home ${CHROOT}${CHROOT}/home
# chown -h root:root ${CHROOT}${CHROOT}/home
# chcon -h system_u:object_r:root_t ${CHROOT}${CHROOT}/home
#
# create mount points (populated later by the fstab entries appended below)
mnt_paths=("${CHROOT}/selinux" "${CHROOT}/etc/selinux" "${CHROOT}/proc" "${CHROOT}/sys" "${CHROOT}/tmp")
mkdir "${mnt_paths[@]}"
chown root:root "${mnt_paths[@]}"
# /tmp is the only world-writable (sticky, 1777) directory created here.
chmod 751 "${CHROOT}/selinux" "${CHROOT}/etc/selinux" "${CHROOT}/proc" "${CHROOT}/sys"
chmod 1777 "${CHROOT}/tmp"
chcon system_u:object_r:security_t "${CHROOT}/selinux"
chcon system_u:object_r:selinux_config_t "${CHROOT}/etc/selinux"
chcon system_u:object_r:proc_t "${CHROOT}/proc"
chcon system_u:object_r:sysfs_t "${CHROOT}/sys"
chcon user_u:object_r:tmpfs_t "${CHROOT}/tmp"
#
# example of a web site project's directory
# mkdir ${CHROOT}/projects
# mkdir ${CHROOT}/projects/FOO
# mkdir ${CHROOT}/projects/FOO/cgi-bin
# mkdir ${CHROOT}/projects/FOO/htdocs
# mkdir ${CHROOT}/projects/FOO/logs
# chown root:root ${CHROOT}/projects
# chmod 751 ${CHROOT}/projects
# chown -R USER:GROUP ${CHROOT}/projects/FOO
# chmod -R 751 ${CHROOT}/projects/FOO
# chcon -R user_u:object_r:httpd_sys_content_t ${CHROOT}/projects
#
# you may also want to create a /var/tmp directory.
# if you do, be sure to give it 1777 perms and the correct security context.
#
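#
# Mount file systems required to support chroot
#
# Append the entries only once: a re-run of this script (after fixing an
# earlier step, say) must not leave duplicate fstab lines. ${CHROOT:?}
# aborts here if CHROOT is unset, so the host's own /proc, /sys and /tmp
# entries can never be shadowed by lines with an empty prefix.
#
# bind,ro keeps selinuxfs and the policy config read-only from inside;
# nodev,nosuid,noexec on the world-writable tmpfs stop a chrooted user from
# planting device nodes, setuid binaries or executables in /tmp.
if ! grep -q -F -- "${CHROOT:?CHROOT must be set}/proc " /etc/fstab; then
  cat >> /etc/fstab << _THE_END_
/selinux ${CHROOT}/selinux none bind,ro 0 0
/etc/selinux ${CHROOT}/etc/selinux none bind,ro 0 0
proc ${CHROOT}/proc proc defaults 0 0
sysfs ${CHROOT}/sys sysfs defaults 0 0
tmpfs ${CHROOT}/tmp tmpfs noatime,nodev,nosuid,noexec,nouser,mode=1777,size=512M 0 0
_THE_END_
fi
#
# do not do mounts until all else is set up and you are ready to test.
# then be very careful that you do not accidentally change anything
# in the mounted file systems.
# NOTE(review): on older kernels the ro flag of a bind mount may only take
# effect after a separate remount -- verify with mount(8) once mounted.
#mount ${CHROOT}/selinux
#mount ${CHROOT}/etc/selinux
#mount ${CHROOT}/proc
#mount ${CHROOT}/sys
#mount ${CHROOT}/tmp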
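#
# Copy in required files
# (Note: /etc/bashrc and /etc/profile are special and created later)
#
# The brace-expanded lists of the original were broken mid-name by mail
# wrapping ("v" / "i,echo}" etc.), which turned every continuation line into
# a separate, failing command. The lists are spelled out here instead.
#
# copy_into DIR SRC NAME... : copy SRC/NAME into ${CHROOT}/DIR/ with cp -p
# (mode, owner and timestamps kept; SELinux labels are applied in the
# fix-up section at the end). One cp per file, so a missing source is
# reported by name.
copy_into() {
  local dir=$1 src=$2 f
  shift 2
  for f in "$@"; do
    cp -p "${src}/${f}" "${CHROOT}/${dir}/"
  done
}
copy_into bin /bin \
  ln mv bash cp mkdir more rmdir cat chmod date sed ls hostname rm vi echo
copy_into usr/bin /usr/bin \
  w who id pico nano less clear
# 32-bit NSS modules (passwd/group, DNS, LDAP, NIS, ... lookups)
copy_into lib /lib \
  libnss_nis-2.5.so libnss_files-2.5.so libnss_ldap-2.5.so \
  libnss_nisplus-2.5.so libnss_db-2.2.so libnss_hesiod-2.5.so \
  libnss_dns-2.5.so libnss_compat-2.5.so
# 64-bit C library, loader, NSS modules and the libraries they pull in.
# The file names are those of this CentOS 5.4 host and must be re-checked
# (ldd on the copied binaries) on any other release.
copy_into lib64 /lib64 \
  libc-2.5.so libm-2.5.so libkeyutils-1.2.so libnss_nis-2.5.so \
  libnss_files-2.5.so libpthread-2.5.so libnss_ldap-2.5.so \
  libnss_nisplus-2.5.so libacl.so.1.1.0 libcom_err.so.2.1 \
  libssl.so.0.9.8e libnss_db-2.2.so libnss_hesiod-2.5.so libselinux.so.1 \
  libattr.so.1.1.0 libnss_dns-2.5.so libnss_compat-2.5.so librt-2.5.so \
  libsepol.so.1 libresolv-2.5.so libtermcap.so.2.0.8 libcrypt-2.5.so \
  libdl-2.5.so ld-2.5.so libcrypto.so.0.9.8e
copy_into usr/lib /usr/lib \
  libnssckbi.so libnssutil3.so libnss3.so
copy_into usr/lib64 /usr/lib64 \
  libtcl8.4.so libk5crypto.so.3.1 libncursesw.so.5.5 libz.so.1.2.3 \
  libkrb5support.so.0.1 libncurses.so.5.5 libldap-2.3.so.0.2.31 \
  libnssckbi.so libkrb5.so.3.3 libsasl2.so.2.0.22 libnssutil3.so \
  libnss3.so liblber-2.3.so.0.2.31 libgssapi_krb5.so.2.2
# These are verbatim copies of the host files: passwd and group therefore
# expose every host account to chrooted users until they are trimmed to the
# chroot's own accounts (see the note printed at the end of this script).
copy_into etc /etc \
  group resolv.conf hosts passwd nsswitch.conf inputrc motd localtime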
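#
# Create required links
#
# Refuse to run with CHROOT unset: with an empty prefix every link below
# would be created in the host's own /lib64, /usr/lib64, /usr/lib and /dev.
: "${CHROOT:?CHROOT must be set}"
#
# lib64: soname links. Targets are relative, so the links resolve the same
# way whether looked at from inside or outside the chroot.
ln -s libssl.so.0.9.8e "${CHROOT}/lib64/libssl.so.6"
ln -s libnss_db-2.2.so "${CHROOT}/lib64/libnss_db.so.2"
ln -s libcom_err.so.2.1 "${CHROOT}/lib64/libcom_err.so.2"
ln -s libkeyutils-1.2.so "${CHROOT}/lib64/libkeyutils.so.1"
ln -s libnss_files-2.5.so "${CHROOT}/lib64/libnss_files.so.2"
ln -s libm-2.5.so "${CHROOT}/lib64/libm.so.6"
ln -s libnss_compat-2.5.so "${CHROOT}/lib64/libnss_compat.so.2"
ln -s libresolv-2.5.so "${CHROOT}/lib64/libresolv.so.2"
ln -s ld-2.5.so "${CHROOT}/lib64/ld-linux-x86-64.so.2"
ln -s libcrypt-2.5.so "${CHROOT}/lib64/libcrypt.so.1"
ln -s libnss_ldap-2.5.so "${CHROOT}/lib64/libnss_ldap.so.2"
ln -s libattr.so.1.1.0 "${CHROOT}/lib64/libattr.so.1"
ln -s libnss_hesiod-2.5.so "${CHROOT}/lib64/libnss_hesiod.so.2"
ln -s libnss_nisplus-2.5.so "${CHROOT}/lib64/libnss_nisplus.so.2"
ln -s libpthread-2.5.so "${CHROOT}/lib64/libpthread.so.0"
ln -s libdl-2.5.so "${CHROOT}/lib64/libdl.so.2"
ln -s libnss_dns-2.5.so "${CHROOT}/lib64/libnss_dns.so.2"
ln -s libcrypto.so.0.9.8e "${CHROOT}/lib64/libcrypto.so.6"
ln -s librt-2.5.so "${CHROOT}/lib64/librt.so.1"
ln -s libnss_nis-2.5.so "${CHROOT}/lib64/libnss_nis.so.2"
ln -s libc-2.5.so "${CHROOT}/lib64/libc.so.6"
ln -s libtermcap.so.2.0.8 "${CHROOT}/lib64/libtermcap.so.2"
ln -s libacl.so.1.1.0 "${CHROOT}/lib64/libacl.so.1"
#
# dev: absolute targets. Inside the chroot these go through the chroot's
# own /proc, which is why proc is among the fstab entries above.
ln -s /proc/self/fd/0 "${CHROOT}/dev/stdin"
ln -s /proc/self/fd/1 "${CHROOT}/dev/stdout"
ln -s /proc/self/fd/2 "${CHROOT}/dev/stderr"
#
# usr/lib64: soname links, plus .so links back to the NSS modules in lib64
ln -s ../../lib64/libnss_db.so.2 "${CHROOT}/usr/lib64/libnss_db.so"
ln -s libz.so.1.2.3 "${CHROOT}/usr/lib64/libz.so.1"
ln -s ../../lib64/libnss_nis.so.2 "${CHROOT}/usr/lib64/libnss_nis.so"
ln -s libkrb5support.so.0.1 "${CHROOT}/usr/lib64/libkrb5support.so.0"
ln -s ../../lib64/libnss_dns.so.2 "${CHROOT}/usr/lib64/libnss_dns.so"
ln -s libgssapi_krb5.so.2.2 "${CHROOT}/usr/lib64/libgssapi_krb5.so.2"
ln -s ../../lib64/libnss_compat.so.2 "${CHROOT}/usr/lib64/libnss_compat.so"
ln -s libk5crypto.so.3.1 "${CHROOT}/usr/lib64/libk5crypto.so.3"
ln -s ../../lib64/libnss_ldap.so.2 "${CHROOT}/usr/lib64/libnss_ldap.so"
ln -s libldap-2.3.so.0.2.31 "${CHROOT}/usr/lib64/libldap-2.3.so.0"
ln -s ../../lib64/libnss_hesiod.so.2 "${CHROOT}/usr/lib64/libnss_hesiod.so"
ln -s libncurses.so.5.5 "${CHROOT}/usr/lib64/libncurses.so.5"
ln -s ../../lib64/libnss_nisplus.so.2 "${CHROOT}/usr/lib64/libnss_nisplus.so"
ln -s libsasl2.so.2.0.22 "${CHROOT}/usr/lib64/libsasl2.so.2"
ln -s liblber-2.3.so.0.2.31 "${CHROOT}/usr/lib64/liblber-2.3.so.0"
ln -s libkrb5.so.3.3 "${CHROOT}/usr/lib64/libkrb5.so.3"
ln -s libncursesw.so.5.5 "${CHROOT}/usr/lib64/libncursesw.so.5"
ln -s ../../lib64/libnss_files.so.2 "${CHROOT}/usr/lib64/libnss_files.so"
#
# usr/lib: .so links back to the 32-bit NSS modules in lib
ln -s ../../lib/libnss_db.so.2 "${CHROOT}/usr/lib/libnss_db.so"
ln -s ../../lib/libnss_nis.so.2 "${CHROOT}/usr/lib/libnss_nis.so"
ln -s ../../lib/libnss_dns.so.2 "${CHROOT}/usr/lib/libnss_dns.so"
ln -s ../../lib/libnss_compat.so.2 "${CHROOT}/usr/lib/libnss_compat.so"
ln -s ../../lib/libnss_ldap.so.2 "${CHROOT}/usr/lib/libnss_ldap.so"
ln -s ../../lib/libnss_hesiod.so.2 "${CHROOT}/usr/lib/libnss_hesiod.so"
ln -s ../../lib/libnss_nisplus.so.2 "${CHROOT}/usr/lib/libnss_nisplus.so"
ln -s ../../lib/libnss_files.so.2 "${CHROOT}/usr/lib/libnss_files.so"
#
# lib: soname links for the 32-bit NSS modules
ln -s libnss_db-2.2.so "${CHROOT}/lib/libnss_db.so.2"
ln -s libnss_files-2.5.so "${CHROOT}/lib/libnss_files.so.2"
ln -s libnss_compat-2.5.so "${CHROOT}/lib/libnss_compat.so.2"
ln -s libnss_ldap-2.5.so "${CHROOT}/lib/libnss_ldap.so.2"
ln -s libnss_hesiod-2.5.so "${CHROOT}/lib/libnss_hesiod.so.2"
ln -s libnss_nisplus-2.5.so "${CHROOT}/lib/libnss_nisplus.so.2"
ln -s libnss_dns-2.5.so "${CHROOT}/lib/libnss_dns.so.2"
ln -s libnss_nis-2.5.so "${CHROOT}/lib/libnss_nis.so.2"
#
# Site-specific example, left disabled: a per-user link into a project
# directory (see the commented "projects" tree above). Both the user's home
# and the target must exist in the tailored chroot before enabling it; as a
# live line in a template it created a link for a user that does not exist.
# ln -s ../../projects/csc ${CHROOT}/home/stameyjw/csc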
#
# Make devices
#
# Character devices on major 1 (the Linux memory-device driver): minor 3
# null, 5 zero, 8 random, 9 urandom. Created fresh rather than copied so the
# chroot has its own nodes; owner, mode and label are set further down.
while read -r node major minor; do
  mknod "${CHROOT}/dev/${node}" c "${major}" "${minor}"
done << _DEVICES_
null 1 3
zero 1 5
random 1 8
urandom 1 9
_DEVICES_
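#
# Create special /etc files
#
# Refuse to run with CHROOT unset: with an empty prefix the here-documents
# below would overwrite the host's own /etc/profile and /etc/bashrc.
: "${CHROOT:?CHROOT must be set}"
#
# Both here-documents use a quoted delimiter, so nothing in them is expanded
# now: the $(...), ${HOME}, backticks and PS1 escapes must land in the
# chroot's files verbatim and be evaluated at login time. The only
# creation-time value, the chroot path, is written as @CHROOT@ and filled in
# by one sed pass below. Opening and closing delimiters must be identical
# (_THE_END_): with a mismatch cat reads to the end of this script and
# writes all of it into the profile.
#
cat > "${CHROOT}/etc/profile" << '_THE_END_'
# @CHROOT@/etc/profile

# CHROOT environment for login setup
# Functions and aliases go in /etc/bashrc

# Special setup for chroot
HOME=$(echo ${HOME} | sed 's^@CHROOT@^^')
export HOME
PWD=${HOME}
export PWD
cd ${HOME}
umask 002
# end chroot setup

# User specific environment and startup programs

PATH=$PATH:$HOME/bin

export PATH

# ksh workaround
if [ -z "$EUID" -a -x /usr/bin/id ]; then
EUID=`id -u`
UID=`id -ru`
fi

# No core files by default
ulimit -S -c 0 > /dev/null 2>&1

if [ -x /usr/bin/id ]; then
USER="`id -un`"
LOGNAME=$USER
fi

HOSTNAME=`/bin/hostname`
HISTSIZE=1000

if [ -z "$INPUTRC" -a ! -f "$HOME/.inputrc" ]; then
INPUTRC=/etc/inputrc
fi

export PATH USER LOGNAME HOSTNAME HISTSIZE INPUTRC

_THE_END_
#
cat > "${CHROOT}/etc/bashrc" << '_THE_END_'
# @CHROOT@/etc/bashrc

PS1="[\u@\h \W]\\$ "
export PS1

alias ll='ls -l'

_THE_END_
#
# Fill in the chroot path. ^ is the sed delimiter because the path contains
# slashes, so CHROOT itself must not contain ^ or &.
sed -i "s^@CHROOT@^${CHROOT}^g" "${CHROOT}/etc/profile" "${CHROOT}/etc/bashrc"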
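#
# Give note about fix-ups required
#
# print_fixup_note: write the manual follow-up steps to stderr so they are
# not mistaken for script output. \${USER} is escaped on purpose: it stands
# for the chrooted user's login name and must not be replaced by the name of
# the account running this script (normally root), as the original did.
print_fixup_note() {
  cat >&2 << _THE_END_
You need to delete unnecessary stuff from:
${CHROOT}/etc/passwd
${CHROOT}/etc/group

You also need to edit the chroot-ed users in /etc/passwd.
In the real /etc/passwd file, the home directory should be
${CHROOT}/home/\${USER}
In the ${CHROOT}/etc/passwd file, the home directory should be
/home/\${USER}

In general, these files only need stuff related to:
root (itself)
users being chroot-ed
nobody
services whose UID/GID show up in files in the chroot

You will probably want to edit the MOTD message

You may also want to make all files in ${CHROOT}/etc immutable
_THE_END_
}
print_fixup_note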
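#
# Fixup perms and security context
#
# Refuse to run with CHROOT unset: an empty prefix would chmod 444 the
# host's /etc/passwd and relabel the host's /lib64 and /dev.
: "${CHROOT:?CHROOT must be set}"
#
# The brace-expanded lists of the original were broken mid-name by mail
# wrapping; they are spelled out here, one name per word.
#
# chcon_in CONTEXT DIR NAME... : label ${CHROOT}/DIR/NAME for each NAME.
chcon_in() {
  local ctx=$1 dir=$2 f
  shift 2
  for f in "$@"; do
    chcon "${ctx}" "${CHROOT}/${dir}/${f}"
  done
}
# chcon_link_in CONTEXT DIR NAME... : same, but -h labels the symlink itself
# instead of following it to the target.
chcon_link_in() {
  local ctx=$1 dir=$2 f
  shift 2
  for f in "$@"; do
    chcon -h "${ctx}" "${CHROOT}/${dir}/${f}"
  done
}
#
# Everything under etc is root-owned and read-only for everyone (444).
etc_files=(group resolv.conf hosts passwd nsswitch.conf inputrc motd localtime bashrc profile)
for f in "${etc_files[@]}"; do
  chown root:root "${CHROOT}/etc/${f}"
  chmod 444 "${CHROOT}/etc/${f}"
done
#
chown root:root "${CHROOT}/dev/null" "${CHROOT}/dev/zero" "${CHROOT}/dev/random" "${CHROOT}/dev/urandom"
chmod 666 "${CHROOT}/dev/null" "${CHROOT}/dev/zero" "${CHROOT}/dev/random"
chmod 444 "${CHROOT}/dev/urandom"
#
chcon_in system_u:object_r:bin_t bin \
  chmod cp date echo ln mkdir mv rm rmdir sed vi cat more
chcon_in system_u:object_r:bin_t usr/bin \
  clear id less nano pico w who
chcon_in system_u:object_r:etc_t etc \
  bashrc group hosts inputrc nsswitch.conf passwd profile motd
chcon_in system_u:object_r:hostname_exec_t bin hostname
chcon_in system_u:object_r:ld_so_t lib64 ld-2.5.so
chcon_in system_u:object_r:lib_t lib64 \
  libacl.so.1.1.0 libattr.so.1.1.0 libc-2.5.so libcom_err.so.2.1 \
  libcrypt-2.5.so libcrypto.so.0.9.8e libdl-2.5.so libkeyutils-1.2.so \
  libm-2.5.so libnss_compat-2.5.so libnss_db-2.2.so libnss_dns-2.5.so \
  libnss_files-2.5.so libnss_hesiod-2.5.so libnss_ldap-2.5.so \
  libnss_nis-2.5.so libnss_nisplus-2.5.so libpthread-2.5.so \
  libresolv-2.5.so librt-2.5.so libselinux.so.1 libsepol.so.1 \
  libssl.so.0.9.8e libtermcap.so.2.0.8
# The 32-bit NSS modules copied into lib get the same type. The original
# listed these names under lib64 a second time (a no-op) and left the lib
# copies unlabelled, while their .so.2 links in lib were labelled below.
chcon_in system_u:object_r:lib_t lib \
  libnss_compat-2.5.so libnss_db-2.2.so libnss_dns-2.5.so \
  libnss_files-2.5.so libnss_hesiod-2.5.so libnss_ldap-2.5.so \
  libnss_nis-2.5.so libnss_nisplus-2.5.so
chcon_in system_u:object_r:lib_t usr/lib64 \
  libgssapi_krb5.so.2.2 libk5crypto.so.3.1 libkrb5.so.3.3 \
  libkrb5support.so.0.1 liblber-2.3.so.0.2.31 libldap-2.3.so.0.2.31 \
  libncurses.so.5.5 libncursesw.so.5.5 libnss3.so libnssckbi.so \
  libnssutil3.so libsasl2.so.2.0.22 libtcl8.4.so libz.so.1.2.3
chcon_in system_u:object_r:lib_t usr/lib \
  libnss3.so libnssckbi.so libnssutil3.so
chcon_in system_u:object_r:locale_t etc localtime
chcon_in system_u:object_r:ls_exec_t bin ls
chcon_in system_u:object_r:net_conf_t etc resolv.conf
chcon_in system_u:object_r:null_device_t dev null
chcon_in system_u:object_r:random_device_t dev random
chcon_in system_u:object_r:shell_exec_t bin bash
chcon_in system_u:object_r:urandom_device_t dev urandom
chcon_in system_u:object_r:zero_device_t dev zero
chcon_link_in system_u:object_r:lib_t lib64 \
  ld-linux-x86-64.so.2 libacl.so.1 libattr.so.1 libcom_err.so.2 \
  libcrypto.so.6 libcrypt.so.1 libc.so.6 libdl.so.2 libkeyutils.so.1 \
  libm.so.6 libnss_compat.so.2 libnss_db.so.2 libnss_dns.so.2 \
  libnss_files.so.2 libnss_hesiod.so.2 libnss_ldap.so.2 \
  libnss_nisplus.so.2 libnss_nis.so.2 libpthread.so.0 libresolv.so.2 \
  librt.so.1 libssl.so.6 libtermcap.so.2
chcon_link_in system_u:object_r:lib_t lib \
  libnss_compat.so.2 libnss_db.so.2 libnss_dns.so.2 libnss_files.so.2 \
  libnss_hesiod.so.2 libnss_ldap.so.2 libnss_nisplus.so.2 libnss_nis.so.2
chcon_link_in system_u:object_r:lib_t usr/lib64 \
  libgssapi_krb5.so.2 libk5crypto.so.3 libkrb5.so.3 libkrb5support.so.0 \
  liblber-2.3.so.0 libldap-2.3.so.0 libncurses.so.5 libncursesw.so.5 \
  libnss_compat.so libnss_db.so libnss_dns.so libnss_files.so \
  libnss_hesiod.so libnss_ldap.so libnss_nisplus.so libnss_nis.so \
  libsasl2.so.2 libz.so.1
chcon_link_in system_u:object_r:lib_t usr/lib \
  libnss_compat.so libnss_db.so libnss_dns.so libnss_files.so \
  libnss_hesiod.so libnss_ldap.so libnss_nisplus.so libnss_nis.so
# The original path had a stray "i" (dev/i{stderr,...}) and so never
# labelled these three links.
chcon_link_in system_u:object_r:udev_tbl_t dev stderr stdout stdin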
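#
# This should complete the chroot setup
#
# The next step is to create a user
#
# A test user should be created and the following checks performed:
# 1) ssh does chroot the user
# 2) the user's home directory is correct (and not ${CHROOT}/home/${USER})
# 3) the user sees correct owner and group when doing a 'ls -l'
# (if this shows UID/GID, then there is either a permissions issue on
# ${CHROOT}/etc/{passwd,group,nsswitch.conf} or there is an nss library issue)
# 4) you must test both ssh and sftp for the user
# 5) the user gets both issue and motd for a shell login and only issue for sftp
# (if you create alternate /etc/issue files, make sure they have the correct
# security context, too.)
#
# Final word of warning:
# When setting perms, or making other "massive" changes, be sure that you
# only affect the chroot directory and NOT mounted partitions. In fact,
# when doing the setup, you may not want to mount the partitions until
# you have everything else set up and working.
#
# ############################################################################
#
# This environment was tested using OpenSSH 5.3p1 that was built using the
# following configuration (despite what the configuration says, the system
# is using sha-512 passwords, and it works fine; however, it does gag if
# you do not give it the md5-passwords parameter):
#
# The build recipe is kept as a record only and is therefore commented out;
# left live, it would run ./configure from whatever directory this script
# happens to be started in and then exit.
#
#   #!/bin/bash
#   PFX='/usr/local'
#   ./configure --prefix=${PFX} --sysconfdir=${PFX}/etc/ssh --with-pam --with-lastlog --with-tcp-wrappers --with-md5-passwords --with-selinux --with-kerberos5
#   exit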



 
