#21 - thanis - 29th August 2007, 21:07

Hi all, it seems like someone did all the hard work and created the perfect setup script for a chroot jail
http://www.fuschlberger.net/programs...p-chroot-jail/

Just used it on Debian Sarge, Etch & CentOS... works like a charm!

#22 - falko - 30th August 2007, 21:49

I get a 404 error when I try to download the script.
__________________
Falko
--
Download the ISPConfig 3 Manual! | Check out the ISPConfig 3 Billing Module!

FB: http://www.facebook.com/howtoforge

#23 - jxself - 1st September 2007, 18:40

Quote:
Originally Posted by falko
I get a 404 error
Seems that it's been fixed, as http://www.fuschlberger.net/programs...chroot_jail.sh worked for me. The script did work, although I get a complaint of
Code:
No directory, logging in with HOME=/
when logging in, although the user is chrooted into the correct area.

#24 - falko - 7th September 2007, 00:48

I've published my chroot-SSH tutorial for Debian Etch: http://www.howtoforge.com/chroot_ssh_sftp_debian_etch

#25 - daveb - 7th September 2007, 02:54

falko,
I have a question about using chroot when using it with ISPConfig.
I have followed your tutorial for Debian Etch but still had problems with sftp. I then decided to fix up the chroot script that ISPConfig executes to reflect the tutorial, and all works. So my question is: is this what I should do to get it to work with ISPConfig users?
Here is what I have done.
Code:
/root/ispconfig/scripts/shell/create_chroot_env.sh
Code:
#!/bin/bash

#
# Usage: ./create_chroot_env username
#

# Here specify the apps you want in the environment
APPS="/bin/sh /bin/bash /bin/cp /bin/ls /bin/mkdir /bin/mv /bin/pwd /bin/rm /bin/rmdir /usr/bin/id /usr/bin/ssh /bin/ping /usr/bin/dircolors /usr/bin/vi /usr/bin/sftp /usr/lib/openssh/sftp-server /usr/bin/unzip /usr/bin/mysqldump /usr/bin/mysql /usr/bin/zip /bin/tar"

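# Sanity check

if [ "$1" = "" ] ; then
        echo "    Usage: ./create_chroot_env username"
        exit 1
fi

# Obtain username and HomeDir
CHROOT_USERNAME=$1
# The trailing ':' makes the match exact, so "bob" does not also select "bobby"
HOMEDIR=`grep /etc/passwd -e "^$CHROOT_USERNAME:"  | cut -d':' -f 6`
# Stop if there is no home directory; a bare "cd" would build the jail in the caller's own home
if [ -z "$HOMEDIR" ] || ! cd "$HOMEDIR"; then
        echo "    Cannot change to the home directory of $CHROOT_USERNAME"
        exit 1
fi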

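# Create Directories no one will do it for you
# (-p keeps a second run from failing on directories that already exist)
mkdir -p usr/lib/openssh
mkdir -p etc
mkdir -p etc/pam.d/
mkdir -p bin
mkdir -p lib
mkdir -p usr/bin
mkdir -p dev
# Create the device nodes only if they are missing
[ -e dev/null ] || mknod dev/null c 1 3
[ -e dev/zero ] || mknod dev/zero c 1 5
chmod 666 dev/null
chmod 666 dev/zero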

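# Create short version to /usr/bin/groups
# On some system it requires /bin/sh, which is generally unnecessary in a chroot cage

echo "#!/bin/bash" > usr/bin/groups
echo "id -Gn" >> usr/bin/groups
# The wrapper must be executable to be usable as a command
chmod 755 usr/bin/groups

# Add some users to ./etc/passwd
# (the trailing ':' keeps "root" from also matching e.g. "rootuser")

grep /etc/passwd -e "^root:" -e "^$CHROOT_USERNAME:" > etc/passwd
grep /etc/group -e "^root:" -e "^$CHROOT_USERNAME:" > etc/group

# Move aside library lists left over from an earlier run
# (they are plain text files, so test for existence, not for the executable bit)
if [ -e "${HOMEDIR}/ldlist" ]; then
  mv "${HOMEDIR}/ldlist" "${HOMEDIR}/ldlist.bak"
fi

if [ -e "${HOMEDIR}/ldlist2" ]; then
  mv "${HOMEDIR}/ldlist2" "${HOMEDIR}/ldlist2.bak"
fi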

for app in $APPS;  do
  # First of all, check that this application exists
  if [ -x $app ]; then
    # Check that the directory exists; create it if not.
    app_path=`echo $app | sed -e 's#\(.\+\)/[^/]\+#\1#'`
    if ! [ -d .$app_path ]; then
      mkdir -p .$app_path
    fi

    # If the files in the chroot are on the same file system as the
    # original files you should be able to use hard links instead of
    # copying the files, too. Symbolic links cannot be used, because the
    # original files are outside the chroot.
    cp -p $app .$app
    # get list of necessary libraries
    ldd $app >> ${HOMEDIR}/ldlist
  fi
done

# Clear out any old temporary file before we start
if [ -e ${HOMEDIR}/ldlist2 ]; then
  rm ${HOMEDIR}/ldlist2
fi
for libs in `cat ${HOMEDIR}/ldlist`; do
  frst_char="`echo $libs | cut -c1`"
  if [ "$frst_char" = "/" ]; then
    echo "$libs" >> ${HOMEDIR}/ldlist2
  fi
done

for lib in `cat ${HOMEDIR}/ldlist2`; do
  mkdir -p .`dirname $lib` > /dev/null 2>&1
  # If the files in the chroot are on the same file system as the original
  # files you should be able to use hard links instead of copying the files,
  # too. Symbolic links cannot be used, because the original files are
  # outside the chroot.
  cp $lib .$lib
done

#
# Now, cleanup the 2 files we created for the library list
#
/bin/rm -f ${HOMEDIR}/ldlist
/bin/rm -f ${HOMEDIR}/ldlist2

# For some strange reason these libraries are not in the ldd output, but without them
# some stuff will not work, like usr/bin/groups
cp /lib/libnss_compat.so.2 /lib/libnsl.so.1 /lib/libnss_files.so.2 /lib/ld-linux.so.2 /lib/libcap.so.1 /lib/libnss_dns.so.2 ./lib/
cp /etc/hosts etc/
cp /etc/resolv.conf etc/
cp /etc/pam.d/* etc/pam.d/
cp -r /lib/security lib/
cp -r /etc/security etc/
cp /etc/login.defs etc/
cp /usr/lib/libgssapi_krb5.so.2 usr/lib/
cp /usr/lib/libkrb5.so.3 usr/lib/
cp /usr/lib/libk5crypto.so.3 usr/lib/
cp /lib/libcom_err.so.2 lib/
cp /usr/lib/libkrb5support.so.0 usr/lib/

# mysql needs the socket in the chrooted environment
mkdir -p ${HOMEDIR}/var/run/mysqld
# A hard link only works on the same file system as /var/run/mysqld, and it
# points at the old socket once MySQL recreates the socket on restart
ln /var/run/mysqld/mysqld.sock ${HOMEDIR}/var/run/mysqld/mysqld.sock
Is this correct?
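
Two steps of the script above, shown in isolation as an added example (not part of daveb's post and not ISPConfig code): looking up the home directory with an exact match on the login name, and reducing ldd output to the library paths that have to be copied into the jail. The function names, the passwd entries and the ldd output are constructed for illustration.

```bash
#!/bin/bash
# Added example: function names and all sample data are constructed.

# Home directory of USER, matched exactly on the login field of a passwd file.
# grep "^web1_bob" would also select web1_bobby; comparing field 1 does not.
home_of() {   # usage: home_of USER [PASSWD_FILE]
  awk -F: -v u="$1" '$1 == u { print $6; found = 1; exit }
                     END { exit !found }' "${2:-/etc/passwd}"
}

# Reduce ldd output (stdin) to the absolute paths to copy into the jail.
# Lines without a path (linux-gate, "not found") produce nothing.
jail_libs() {
  awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) print $i }' | LC_ALL=C sort -u
}

sample_passwd() {   # constructed entries
  cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
web1_bobby:x:10002:10001::/var/www/web7:/bin/bash
web1_bob:x:10001:10001::/var/www/web1:/bin/bash
EOF
}

sample_ldd() {      # constructed ldd output
  cat <<'EOF'
    linux-gate.so.1 =>  (0xffffe000)
    libncurses.so.5 => /lib/libncurses.so.5 (0xb7f2a000)
    libc.so.6 => /lib/libc.so.6 (0xb7df8000)
    libmissing.so.1 => not found
    /lib/ld-linux.so.2 (0xb7f7e000)
EOF
}

# Demo on the constructed samples
tmp=$(mktemp)
sample_passwd > "$tmp"
echo "lines matched by prefix grep: $(grep -c '^web1_bob' "$tmp")"
echo "home by exact match: $(home_of web1_bob "$tmp")"
sample_ldd | jail_libs
rm -f "$tmp"
```

With the prefix pattern, the home directory variable would hold two paths for web1_bob, and the jail would be built in whichever one the shell happened to pass to cd.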

#26 - falko - 7th September 2007, 16:06

Looks good. Have you tried it?

#27 - daveb - 7th September 2007, 20:55

Yes, I tried it and it seems to work well so far. If I have any problems, this is the first place I shall report.

#28 - Jcorrea920 - 11th September 2007, 01:30 - Thanks for the tip!

6th September 2007 17:54
daveb said:
Quote:
falko,
I have a question about using chroot when using it with ISPConfig.
I have followed your tutorial for Debian Etch but still had problems with sftp. I then decided to fix up the chroot script that ISPConfig executes to reflect the tutorial, and all works. So my question is: is this what I should do to get it to work with ISPConfig users?
Here is what I have done.

Code:
/root/ispconfig/scripts/shell/create_chroot_env.sh
...
Daveb, thanks for all your work modifying the ISPConfig file. But how exactly do I deviate from the How To Tutorial to make this function with ISPConfig?

Do I still do this?:

Quote:
2.1 Install The Chrooted OpenSSH
First we install some prerequisites:

Code:
cd /tmp
apt-get install libpam0g-dev openssl libcrypto++-dev libssl0.9.7 libssl-dev ssh build-essential bzip2
Then we download the patched OpenSSH sources, and we configure them with /usr as directory for the SSH executable files, with /etc/ssh as the directory where the chrooted SSH will look for configuration files, and we also allow PAM authentication:

Code:
wget http://chrootssh.sourceforge.net/download/openssh-4.5p1-chroot.tar.bz2
tar xvfj openssh-4.5p1-chroot.tar.bz2
cd openssh-4.5p1-chroot
./configure --exec-prefix=/usr --sysconfdir=/etc/ssh --with-pam
make
make install
The reason I ask is because on the Perfect Setup Tutorials I have already installed ssh and openssh-server packages. Do I remove them or run these commands on top of this install?

When creating the chrooted environment can I use the existing one located in /var/www ? Or do I have to create another one?

Will I be modifying this file like Falko suggests in the tutorial?

Code:
vi /usr/local/sbin/create_chroot_env
Or will your file allow ISPConfig do all the work when granting users shell access on the Control Panel?

I have also read somewhere that there is a config file in ISPConfig that activates chrooted ssh. Do I have to activate that or is it done by default? Will I have to activate this after every upgrade? Sorry for all the questions I am quite the noob. Thank you in advance...

JCorrea920

ISPConfig 2.2.12
Ubuntu 6.06

ISPConfig 2.2.13
Fedora Core 6

#29 - daveb - 11th September 2007, 18:53

Well, Jcorrea920, I followed the section "2.1 Install The Chrooted OpenSSH" of the How To Tutorial. Then I modified the script that is within ISPConfig as my earlier post describes. You must also make sure that you change the following, if you haven't already.
Code:
/home/admispconfig/ispconfig/lib/config.inc.php
$go_info["server"]["ssh_chroot"] = 0;
to
$go_info["server"]["ssh_chroot"] = 1;
I then restarted ssh and the ispconfig_server. Logged in to control panel then granted the web shell rights and then granted the user of the web shell rights also.

I also saved a copy of the script in a safe place for replacement, in case it's rewritten during the next ISPConfig upgrade.

What I did doesn't chroot any system user, just the users within ISPConfig granted shell access.

#30 - bplgonzo - 23rd September 2008, 10:39

Quote:
Originally Posted by falko View Post
I've published my chroot-SSH tutorial for Debian Etch: http://www.howtoforge.com/chroot_ssh_sftp_debian_etch
Falko, I tried this tutorial and the first steps, the download and .config went well, but when I get to MAKE and MAKE INSTALL I get this message:

make: *** Keine Targets angegeben und keine »make«-Steuerdatei gefunden. Schluss.

(My server is in Germany with preinstalled Debian which I upgraded to Etch, so most of my error messages are in German, but I don't understand them.)