"Fossies" - the Fresh Open Source Software Archive 
Member "scponly-20110526/BUILDING-JAILS.TXT" (20 Dec 2005, 7927 Bytes) of package /linux/privat/old/scponly-20110526.tgz:
Building scponly jail configurations manually.
Paul Hyder
NOAA Forecast Systems Lab
Boulder, CO
DRAFT of March 2005
paul.hyder@noaa.gov

Building a jail is almost always >site< specific. There isn't really
an easy answer, even if you ignore the OS differences.

Hence, as you've probably found, building jails is actually not very
easily automated.

At the very least you have to have an idea of the chrooted directory
structure that you want for your site. (We use a chrooted multi-user
topology with a single central set of NFS mounts. Other sites have
individual chrooted environments for each user so that no one sees
anyone else. The default script builds individual environments.)

If someone does provide a script, make sure it does what you want.
If you don't get something specific that you like, it isn't too hard
to extract the topology from the default script and build a jail to
meet your needs.

A. Build scponly with your site specific options. Figure out where your
   specific ssh/scp/rsync/sftp (and other) binaries are. You will also
   need to know exactly how your sshd is configured, i.e. find the
   relevant sshd_config file and look at it.

   If you use dsa or rsa keys you should change the sshd_config and put
   them in an isolated directory that is NOT in the chrooted environment.
   You are likely to be happier and safer if you move them out of
   $HOME/.ssh!

   Ssh authentication, keys or passwords, is handled by the top level
   sshd and the associated sshd_config file. You authenticate normally
   and then are chrooted into the scponly tree.

   NOTE: Even if you set it up that way, scponly WILL NOT permit root
   owned sessions, i.e. any session with UID=0.

   An "incoming" directory can be created anywhere in the chrooted
   tree. The default script creates one in the user's home directory.
   The home directory is not user writeable but the incoming sub
   directory is.

   BTW: If you use the default setup_chroot.sh script, the top level
   /etc/passwd file should already contain the scponly users.
   This is still a good idea if you build the jail manually.

1. Determine your chrooted topology, user visibility, and file system
   mounts. Basically you need to know what >you< want the final
   chrooted environment to be.
      a. Choose a location for your alternate root.
         (We use /altroot/scponly. Users will see a small subset
         of a normal / configuration after the chroot.)
      b. Determine the file system mount topology (often NFS) in the
         chrooted location.
      c. Decide whether users can see each other's files.

2. Create the chrooted directory location.
      mkdir /{altroot}
            /{altroot}
            /{altroot}/home
            /{altroot}/home/{username}
            /{altroot}/home/{username}/incoming
            /{altroot}/bin
            /{altroot}/etc
            /{altroot}/lib
            /{altroot}/usr
            /{altroot}/usr/bin
            /{altroot}/usr/lib
            /{altroot}/usr/libexec
            /{altroot}/usr/libexec/openssh

   Where "altroot" is either a single shared location OR
   multiple single user locations. In the single user
   topology each user has their own isolated set of
   all binary files.

   Unless you are !absolutely! sure of your sshd configuration,
   the user's home directory, /{altroot}/home/{username} above,
   should be empty, owned by root, and not writeable by the
   user.

   Synopsis: chrooted home directories are empty, root (0.0)
             owned, and user readable. (After the chroot they
             are just /home/{username}.)

   Our multi-user configuration has /{altroot}/misc and
   selected file systems are NFS mounted there. If you
   do this you probably also will want to install a copy
   of /etc/group in /{altroot}/etc/group as noted below.

3. Install the subset of commands and libraries. This means you copy them
   from the equivalent top level directory. This is of course where
   operating system differences and local utility locations introduce
   problems. Sadly there isn't a single set, just guidelines. The
   information below is based on my setup with RedHat Linux.

   See additional notes embedded below.

   /{altroot}/bin
      chgrp chmod chown ln ls mkdir mv rm rmdir

      This provides the EXPLICIT set of basic commands that work from
      ssh. Not any more dangerous than leaving sftp. IMPORTANT: $PATH
      doesn't impact these commands, their location is hard coded in
      scponly making it difficult or impossible for a user to add
      commands. There isn't a shell, hence no real $PATH.

      IMPORTANT: If your standard binaries are in another directory you
      should put them in the right location in the /{altroot} tree
      instead of /{altroot}/bin. You have to check.

   /{altroot}/etc
      ld.so.cache ld.so.conf passwd group

      The passwd file is a subset of the /etc/passwd file. The only
      thing you need is the first part of the line, e.g. an entry in
      the chrooted passwd file can be edited to look like:
         auser:x:3444:3000:::

      The passwd file will either have a stripped set of passwd entries
      for multiple users OR a single line for the single isolated user.

      The group file is only needed in an open multi-user environment.

      The ld.so.cache and/or ld.so.conf may need to be elsewhere
      depending on the operating system. Look in places like /var/ld.

   /{altroot}/usr/bin
      rsync scp

      Copy your current rsync and scp binaries if you configured scponly
      to support them.

      IMPORTANT: If your standard binaries are in another directory you
      should put them in the right location in the /{altroot} tree
      instead of /{altroot}/usr/bin. A common one for scp is
      /usr/local/bin. Again you have to check.

   /{altroot}/usr/libexec/openssh
      sftp-server

      Copy your current sftp-server binary if you configured scponly to
      support sftp.

      IMPORTANT: If your system sftp-server is not in /usr/libexec put
      it in the right location in the /{altroot} tree.

   /{altroot}/lib
      ld-linux.so.2 libc.so.6 libdl.so.2 libnsl.so.1
      libnss_compat-2.2.5.so libnss_compat.so.1
      libnss_compat.so.2 libtermcap.so.2 libutil.so.1
   /{altroot}/lib/tls
      libc.so.6* libpthread.so.0* librt.so.1
   /{altroot}/usr/lib
      libcrypto.so.1 libz.so.1

      Ok, libraries are the truly nasty part. The set of libraries
      depends on your specific operating system and the scponly
      supported utilities. The above set works with RedHat Linux.

      For other operating systems you probably need to run ldd on the
      binaries you copy into bin, usr/bin, usr/libexec, etc. You may
      also need to run ldd on the libraries to determine a complete
      set of libraries and their required location in the chrooted
      environment.

      If things don't work suspect incomplete library selection or that
      a library is in the wrong location.

4. Modify the top level /etc/passwd file. (See above for the format of
   the chrooted etc/passwd file.)

   The top level /etc/passwd entry is modified for each scponly user:
   insert the chrooted path in front of the existing path (with
   a // at the chroot point) and set the shell to your scponlyc location.

   Original /etc/passwd line
      auser:x:3444:3000:A user:/home/auser:/bin/csh
   Modified /etc/passwd line
      auser:x:3444:3000:A user:/{altroot}//home/EmptyHomeDir:/sbin/scponlyc

   Where {altroot} is your chosen chroot point for this user,
   EmptyHomeDir is the chrooted home directory name, and scponlyc is
   the path to your installed version.

   The two slashes ('//') are used by scponlyc to determine the chroot
   point. Everything in front of them is used as the new root location
   in the chroot call. Everything after the double slash designates the
   directory to chdir() into AFTER chrooting. This is so users can be
   dropped into a writable directory inside the chroot.
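
Added example for step 3 (not part of the original text or of scponly):
a small sh helper that turns ldd output into the list of libraries to
copy and installs each file at the same path under the alternate root.
The function names and the sample ldd output are constructed for
illustration.

```sh
#!/bin/sh
# Added example for step 3: work out the jail's library set with ldd.

# Print the absolute library paths found in ldd output on stdin.
# Matches "name => /path (0x...)" and bare "/path (0x...)" (the loader);
# drops virtual entries (linux-vdso, linux-gate) and "not found" lines.
ldd_paths() {
    awk '/not found/ { next }
         $2 == "=>" && $3 ~ /^\// { print $3; next }
         $1 ~ /^\// { print $1 }' | LC_ALL=C sort -u
}

# Print the names ldd could not resolve; these break the jail at run time.
ldd_missing() {
    awk '/not found/ { print $1 }' | LC_ALL=C sort -u
}

# Copy each file to the same absolute path under ALTROOT, following
# symlinks so the jail gets the real library and not a dangling link.
# Usage: jail_copy ALTROOT FILE...
jail_copy() {
    altroot=$1; shift
    for f in "$@"; do
        mkdir -p "$altroot$(dirname "$f")" && cp -pL "$f" "$altroot$f" || return 1
    done
}

# Install binaries plus everything ldd lists for them.
# Libraries loaded with dlopen() (the libnss_* files in the list above)
# never appear in ldd output and still have to be added by hand.
# Library paths containing whitespace are not handled.
# Usage: jail_install ALTROOT BINARY...
jail_install() {
    altroot=$1; shift
    for bin in "$@"; do
        jail_copy "$altroot" "$bin" $(ldd "$bin" | ldd_paths) || return 1
    done
}

# Constructed ldd output (not from a real host) to exercise the parser.
SAMPLE_LDD='	linux-gate.so.1 (0xffffe000)
	libcrypto.so.1 => /usr/lib/libcrypto.so.1 (0x40020000)
	libz.so.1 => /usr/lib/libz.so.1 (0x40100000)
	libc.so.6 => /lib/tls/libc.so.6 (0x40120000)
	libexample.so.1 => not found
	/lib/ld-linux.so.2 (0x40000000)'
printf '%s\n' "$SAMPLE_LDD" | ldd_paths
```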
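
Added example for step 4 (not part of the original text or of scponly):
an sh audit that splits the home field at the '//' as described above
and flags scponlyc entries that have UID 0 or no '//'. It assumes the
first '//' is the split point; the function names and the sample passwd
lines are constructed, with /altroot/scponly standing in for {altroot}.

```sh
#!/bin/sh
# Added example for step 4: split the "//" home field and audit entries.

# Chroot point: everything in front of the "//" (first one assumed).
chroot_point() { printf '%s\n' "${1%%//*}"; }

# Directory to chdir() into after the chroot: everything after the "//".
chdir_target() { printf '/%s\n' "${1#*//}"; }

# Succeeds only if DIR is empty, owned 0.0 and not group/other writable
# (a slightly stricter reading of "root owned, not writeable by the user").
home_locked() {
    [ -d "$1" ] && [ -z "$(ls -A "$1")" ] || return 1
    ls -ldn "$1" | awk '{ exit !($3 == 0 && $4 == 0 &&
        substr($1, 6, 1) != "w" && substr($1, 9, 1) != "w") }'
}

# Read passwd-format lines on stdin; report every scponlyc user.
audit_passwd() {
    while IFS=: read -r user _pw uid _gid _gecos home shell; do
        case $shell in */scponlyc) ;; *) continue ;; esac
        if [ "$uid" = 0 ]; then
            echo "$user: uid 0, scponly will not permit this session"
        elif [ "${home#*//}" = "$home" ]; then
            echo "$user: no // in home field, chroot point not marked"
        else
            echo "$user: chroot=$(chroot_point "$home") chdir=$(chdir_target "$home")"
        fi
    done
}

# Constructed passwd lines; /altroot/scponly stands in for {altroot}.
SAMPLE_PASSWD='auser:x:3444:3000:A user:/altroot/scponly//home/EmptyHomeDir:/sbin/scponlyc
buser:x:3445:3000:B user:/home/buser:/sbin/scponlyc
cuser:x:3446:3000:C user:/home/cuser:/bin/csh
duser:x:0:0:D user:/altroot/scponly//home/duser:/sbin/scponlyc'
printf '%s\n' "$SAMPLE_PASSWD" | audit_passwd
```

On a real host, feed it /etc/passwd and run home_locked on the chroot
point joined with the chdir target for each reported user.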