Days of effort have finally paid off; I have managed to establish an chroot jail for a project I was working on.
A chroot jail is basically a less-secure virtual machine. User “A” logs into a machine and thinks he is in root (when he really is in /usr/foo/bar/). If he has a sufficiently locked-down environment (such as the one that rssh provides), he will not be able to break out of his little cage and modify important system files. However, as a result of his confinement, he will also not be able to access other system resources – including shell files.
Herein lies the crux of the problem. It isn’t clear to me what files are needed and what files are not needed to establish a basic SCP or SSH connection. The following worked in my case.
- Install rssh (sudo apt-get install rssh)
- Install scponly (sudo apt-get install scponly)
- Copy the scponly files to /foo/bar (or wherever you are making your jail)
- Copy the /lib/ directory files to /foo/bar/lib (as it appears that not all files needed are copied)
- Modify the /foo/bar/etc/passwd file (sudo chmod a+r /foo/bar/etc/passwd) and eliminate all users you don’t need in it.
- Create a new user (sudo useradd -m -d /chroot/restricted_user -s /usr/bin/rssh restricted_user) and copy over his information from /etc/passwd to /foo/bar/etc/passwd
- Your Chroot is working! (Be sure toedit /etc/rssh.conf to enable the options you want working, and set your chroot directory to whatever you want)
This approach needs to be cleaned up, since I still don’t know what library files I need and which files I don’t. I am sure that, as is, there are a few security bugs. Probably will whip up a script to test it out tomorrow.