Saturday, February 6, 2010

SSH Chrooting on Ubuntu 9.10

SSH Configuration Section:

First things first, set up sshd so that it chroots the given user, with a Match block like the following:

Match User jazz
ChrootDirectory /home/jazz
AllowTCPForwarding yes
X11Forwarding no

Next, make sure the directory /home/jazz is owned by root and nobody else (sshd also refuses a ChrootDirectory that is writable by any other user or group):

chown -R root:root /home/jazz

Next, execute the following:

cd /home/jazz
mkdir etc
mkdir bin
mkdir lib
mkdir usr
mkdir usr/bin
mkdir dev
mknod dev/null c 1 3
mknod dev/zero c 1 5

Then, still inside /home/jazz, execute the following:

APPS="/bin/bash /bin/ls"
for prog in $APPS; do
    mkdir -p ./$(dirname $prog)
    cp $prog ./$prog

    # obtain a list of related libraries: every absolute path ldd resolves,
    # which also picks up the dynamic loader (/lib/ld-linux*) that ldd prints in column 1
    if ldd $prog > /dev/null 2>&1; then
        LIBS=$(ldd $prog | grep -o '/[^[:space:]]*')
        for l in $LIBS; do
            mkdir -p ./$(dirname $l)
            cp $l ./$l
        done
    fi
done

Note that APPS above can be adjusted to whatever binaries you need. In a nutshell, every library a binary depends on must be copied into the chroot, including the libraries those libraries depend on in turn.

Finally, copy the system library directory into the jail as follows:

cp -a /lib/. lib/

If you would like to share files between the chroot and the rest of the system, use a bind mount:

mount --bind /home/ubuntu/Downloads /home/jazz/Downloads

Of course, /home/jazz/Downloads must exist!

There, the chroot should work!
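Before handing the account over, it is worth verifying that the jail actually meets sshd's ChrootDirectory rules and that the copied binaries can resolve all their libraries inside it. The script below is an added example, not part of the original post; it assumes a glibc host with ldd and a stat that accepts -c (GNU or BusyBox), and the check_* function names are my own.

```sh
#!/bin/sh
# Verify a jail built by the steps above. Assumes a glibc host with ldd and a
# stat that accepts -c (GNU or BusyBox). Example code added to this post.

# Read ldd output on stdin and print every absolute path it resolved. The
# dynamic loader (ld-linux) is in column 1, not 3, so awk '{print $3}' misses it.
lib_paths_from_ldd() {
    grep -o '/[^[:space:]]*'
}

# Read library paths on stdin and print each one not present under jail $1.
# Returns 1 if anything is missing, 0 if the jail holds all of them.
missing_in_jail() {
    jail=$1 rc=0
    while read -r p; do
        [ -n "$p" ] || continue
        if [ ! -e "$jail$p" ]; then
            echo "missing: $jail$p"
            rc=1
        fi
    done
    return $rc
}

# Check one binary already copied into the jail, e.g. check_binary /home/jazz /bin/bash
check_binary() {
    ldd "$1$2" 2>/dev/null | lib_paths_from_ldd | missing_in_jail "$1"
}

# sshd refuses a ChrootDirectory unless every component from / down is owned by
# root and not writable by group or others; report each component that is not.
check_chroot_path() {
    dir=$(cd "$1" 2>/dev/null && pwd) || { echo "no such directory: $1"; return 2; }
    rc=0
    while :; do
        uid=$(stat -c %u "$dir")
        perm=$(stat -c %A "$dir")            # e.g. drwxr-xr-x
        case $perm in
            ?????w*|????????w*) bad=1 ;;     # group (6th char) or other (9th char) write bit
            *) bad=0 ;;
        esac
        if [ "$uid" != 0 ] || [ "$bad" = 1 ]; then
            echo "bad component: $dir (uid $uid, $perm)"
            rc=1
        fi
        [ "$dir" = / ] && break
        dir=$(dirname "$dir")
    done
    return $rc
}

check_chroot_path /home/jazz && check_binary /home/jazz /bin/bash && echo "jail OK"
```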