Chroot, Ubuntu 10.04, and rssh

Days of effort have finally paid off; I have managed to establish a chroot jail for a project I was working on.

A chroot jail is basically a less-secure virtual machine.  User “A” logs into a machine and thinks he is at the root of the filesystem (when he really is in /usr/foo/bar/).  If he has a sufficiently locked-down environment (such as the one that rssh provides), he will not be able to break out of his little cage and modify important system files.  However, as a result of his confinement, he will also not be able to access other system resources – including shell files.

Herein lies the crux of the problem.  It isn’t clear to me what files are needed and what files are not needed to establish a basic SCP or SSH connection.  The following worked in my case.

  1. Install rssh (sudo apt-get install rssh)
  2. Install scponly (sudo apt-get install scponly)
  3. Copy the scponly files to /foo/bar (or wherever you are making your jail)
  4. Copy the /lib/ directory files to /foo/bar/lib (as it appears that not all files needed are copied)
  5. Modify the /foo/bar/etc/passwd file (sudo chmod a+r /foo/bar/etc/passwd) and eliminate all users you don’t need in it.
  6. Create a new user (sudo useradd -m -d /chroot/restricted_user -s /usr/bin/rssh restricted_user) and copy over his information from /etc/passwd to /foo/bar/etc/passwd
  7. Your chroot is working!  (Be sure to edit /etc/rssh.conf to enable the options you want working, and set your chroot directory to whatever you want)
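The open question in step 4 is which library files a jailed binary actually needs. The script below is an added example, not part of the post: it asks ldd which shared objects a binary links against and copies only those into the jail, so you stop guessing. The jail path /foo/bar and the binary names in the usage comment are placeholders; the sample ldd output at the bottom is constructed so the parser can be checked without root or a real binary.

```shell
#!/bin/sh
# Populate a chroot jail with a binary and the shared libraries it links against.
# Caveat: ldd only reports libraries linked at load time.  Anything dlopen()'ed at
# runtime (e.g. the libnss_* modules used for passwd/group lookups) is not listed
# and must be added by hand if the jailed program needs it.

# Read ldd output on stdin and print one library path per line.
# ldd lines come in three shapes:
#   linux-vdso.so.1 =>  (0x...)          virtual object, no file, skipped
#   libc.so.6 => /lib/libc.so.6 (0x...)   -> /lib/libc.so.6
#   /lib64/ld-linux-x86-64.so.2 (0x...)   -> /lib64/ld-linux-x86-64.so.2
libs_from_ldd() {
    awk '
        /=>/     { if ($3 ~ /^\//) print $3; next }
        $1 ~ /^\// { print $1 }
    '
}

# Copy one file into the jail, keeping its absolute path relative to the jail root:
#   /lib/libc.so.6 -> $jail/lib/libc.so.6
install_into_jail() {
    jail=$1; src=$2
    mkdir -p "$jail$(dirname "$src")"
    cp -p "$src" "$jail$src"
}

# Copy a binary plus every library ldd reports for it.
# usage (as root): jail_binary /foo/bar /usr/bin/scp
jail_binary() {
    jail=$1; bin=$2
    install_into_jail "$jail" "$bin"
    ldd "$bin" | libs_from_ldd | while read -r lib; do
        install_into_jail "$jail" "$lib"
    done
}

# Constructed sample of ldd output (not captured from a real system), used to
# exercise the parser offline.
SAMPLE_LDD='	linux-vdso.so.1 =>  (0x00007fff5e5ff000)
	libcrypto.so.0.9.8 => /usr/lib/libcrypto.so.0.9.8 (0x00007f1c2a000000)
	libc.so.6 => /lib/libc.so.6 (0x00007f1c29c00000)
	/lib64/ld-linux-x86-64.so.2 (0x00007f1c2a400000)'

# Library paths extracted from the sample; should be exactly the three real files.
sample_libs() {
    printf '%s\n' "$SAMPLE_LDD" | libs_from_ldd
}

sample_libs
```

Run `jail_binary` once per program the jail must offer; repeat the process after a package upgrade, since the copied libraries in the jail do not get updated with the system ones.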

This approach needs to be cleaned up, since I still don’t know which library files I need and which I don’t.  I am sure that, as is, there are a few security bugs.  I will probably whip up a script to test it out tomorrow.