Re: [off-topic?] Chrooting ssh/telnet users?
On Sat, Oct 27, 2001 at 01:02:45AM +0200, Javier Fernández-Sanguino Peña wrote:
> Umm... couldn't you have a restricted environment but with commands hard-linked in it to the proper ones and restricting thoroughly the hard links? (only rX, no w bits) The problem is how to do this automatically (and not checking dynamic dependencies one by one...)

not if your luser's home directories are on a different partition from / and /usr like they should be.

hard links can't have different permissions from the `originals' either btw, since with hard links neither is the `real' file; they both are.

-- 
Ethan Benson
http://www.alaska.net/~erbenson/
Re: [off-topic?] Chrooting ssh/telnet users?
Sunny Dubey [EMAIL PROTECTED] writes:
> > The problem is, how can an admin restrict remote access from a given user (through telnet and/or sshd) in order to limit his moves inside the operating system.
> no idea if this will help but you could change their shells from bash to rbash (or bash -r). it's pretty crappy however

rbash seems to go out of its way to make life hard for someone - no ability to execute `cd' or `alias' at all, that sort of thing. It's not a lot of use if you want a complete chroot()ed environment with ability to do whatever they like within it; it's normally more useful to be able to organize your files into directories, which rbash doesn't exactly help with.

~Tim
-- 
The light of the world keeps shining,  | [EMAIL PROTECTED]
Bright in the primal glow              | http://spodzone.org.uk/

-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: [off-topic?] Chrooting ssh/telnet users?
well give credit to it to Vasil Kolev
/home/image.root is an image of what you want your users to have.

Ivan Dimitrov
System Administrator
Bastun Networks

On Sat, 27 Oct 2001, Javier Fernández-Sanguino Peña wrote:
> I would be interested only in the chroot patch. Is there any reason you have not contributed it to openssh? Do you want me to do it?
>
> Best regards
> Javi
>
> On Fri, Oct 26, 2001 at 05:24:13PM +0300, Ivan Dimitrov wrote:
> > recently i've worked on a small patch for openssh that chroots a user when he logs in. it uses mysql for password auth. it is not posted anywhere but if you want it, send me a personal mail.
> >
> > Ivan Dimitrov
> > System Administrator
> > Bastun Networks

--- orig-session.h Thu Oct 11 17:57:08 2001 +++ session.h Thu Oct 11 15:41:11 2001 @@ -32,5 +32,6 @@ void session_input_channel_req(int id, void *arg); void session_close_by_pid(pid_t pid, int status); void session_close_by_channel(int id, void *arg); +#define AM_CHROOT #endif --- orig-session.c Thu Oct 11 17:53:53 2001 +++ session.c Fri Oct 12 15:38:24 2001 @@ -93,6 +93,12 @@ # include uinfo.h #endif + +#ifdef AM_CHROOT +#include sys/file.h +#endif + + /* types */ #define TTYSZ 64
@@ -162,6 +168,71 @@ static login_cap_t *lc; #endif + + +#ifdef AM_CHROOT +/* + system() by W.Richard Stevens + */ + + +int +system(const char *cmdstring) /* with appropriate signal handling */ +{ + pid_t pid; + int status; + struct sigactionignore, saveintr, savequit; + sigset_tchldmask, savemask; + + if (cmdstring == NULL) + return(1); /* always a command processor with Unix */ + + ignore.sa_handler = SIG_IGN;/* ignore SIGINT and SIGQUIT */ + sigemptyset(ignore.sa_mask); + ignore.sa_flags = 0; + if (sigaction(SIGINT, ignore, saveintr) 0) + return(-1); + if (sigaction(SIGQUIT, ignore, savequit) 0) + return(-1); + + sigemptyset(chldmask); /* now block SIGCHLD */ + sigaddset(chldmask, SIGCHLD); + if (sigprocmask(SIG_BLOCK, chldmask, savemask) 0) + return(-1); + + if ( (pid = fork()) 0) { + status = -1;/* probably out of processes */ + + } else if (pid == 0) { /* child */ + /* restore previous signal actions reset signal mask */ + sigaction(SIGINT, saveintr, NULL); + sigaction(SIGQUIT, savequit, NULL); + sigprocmask(SIG_SETMASK, savemask, NULL); + + execl(/bin/sh, sh, -c, cmdstring, (char *) 0); + _exit(127); /* exec error */ + } else {/* parent */ + while (waitpid(pid, status, 0) 0) + if (errno != EINTR) { + status = -1; /* error other than EINTR from waitpid() +*/ + break; + } + } + + /* restore previous signal actions reset signal mask */ + if (sigaction(SIGINT, saveintr, NULL) 0) + return(-1); + if (sigaction(SIGQUIT, savequit, NULL) 0) + return(-1); + if (sigprocmask(SIG_SETMASK, savemask, NULL) 0) + return(-1); + + return(status); +} + +#endif + + void do_authenticated(Authctxt *authctxt) { @@ -1049,6 +1120,12 @@ #endif /* WITH_IRIX_ARRAY */ #endif /* WITH_IRIX_JOBS */ +#ifdef AM_CHROOT + char *mounting,*buff; +int fd0,n,num; +#endif + + /* remove hostkey from the child's memory */ destroy_sensitive_data(); 
@@ -1127,6 +1204,79 @@ */ do_pam_setcred(0); # endif /* USE_PAM */ +# ifdef AM_CHROOT + if (pw-pw_gid == 888) + { + mounting=(char *) malloc(1024); + +snprintf(mounting,1024,/var/run/sshd/%s.mount,pw-pw_name); + fd0=open(mounting,O_RDWR|O_CREAT|O_EXCL,S_IRUSR +|S_IWUSR); + if ( chdir(/home/sessions)!=0) + { + perror(Chdir to session dir failed); + exit(1); + } + if(fd0 != -1 ) + { + flock(fd0,LOCK_EX); +
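Review bot: in the session.h hunk (@@ -32,5 +32,6 @@), `+#define AM_CHROOT` hard-wires the feature on for every build, and a header of function prototypes is the wrong place for a build switch. Prefer a configure option or `-DAM_CHROOT` in CFLAGS so the `#ifdef AM_CHROOT` guards added elsewhere in this patch can actually compile the code out, and document the flag.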
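Review bot: in the session.c include hunk (@@ -93,6 +93,12 @@), `sys/file.h` only provides flock(); the later hunk also calls open() with O_RDWR|O_CREAT|O_EXCL and S_IRUSR|S_IWUSR, so confirm fcntl.h and sys/stat.h are already included or add them under the same guard. The extra blank lines around the guard can be dropped.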
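Review bot: in the @@ -162,6 +168,71 @@ hunk, defining a non-static function named `system()` replaces the C library's system() for the whole sshd binary, so every other caller of system() silently gets this copy. Give it a distinct name (for example `chroot_system`), make it static, and extend the Stevens credit comment to say why libc's version cannot be used here, since nothing in the hunk explains the need for a private copy. The `return(1)` for a NULL cmdstring is Stevens' "is a shell available" convention and deserves a comment so callers do not read it as an error.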
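Review bot: in the @@ -1049,6 +1120,12 @@ hunk, only `mounting` and `fd0` are used by the following hunk; `buff`, `n` and `num` are unused as far as this patch shows and will draw unused-variable warnings, so drop them or include the code that uses them. `int fd0,n,num;` is flush left and should match the indentation of the surrounding declarations.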
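Review bot: in the @@ -1127,6 +1204,79 @@ hunk, `if (pw->pw_gid == 888)` hard-codes the chrooted group; make the GID or group name an sshd_config option so the policy is visible to the admin rather than buried in the binary. `malloc(1024)` is not checked for NULL before snprintf writes into it. Because open() uses O_EXCL, an existing `/var/run/sshd/<user>.mount` (a previous session that did not clean up, or a second concurrent login) leaves fd0 at -1, and the `if(fd0 != -1 )` branch then silently skips the flock, so whatever the lock is meant to serialise runs unlocked; open the existing file instead and treat an open failure as fatal. The chdir("/home/sessions") failure path uses perror/exit(1) instead of sshd's own logging, and the hunk is cut off before the chroot() call itself, so the order of chroot(), chdir and privilege drop cannot be reviewed here.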
RE: [off-topic?] Chrooting ssh/telnet users?
There is a chroot patch for the potato openssh-1.2.3 source in /contrib however it appears to be broken. I have created a modified diff for the Debian package source which will apply the patch correctly and build an ssh_1.2.3chroot1-9.3 package. Email me if you would like the diff.

As has been well covered in this thread you will need to create a chroot jail which has all the executables your chroot user requires as well as the libraries the executables rely on. There are many ways to achieve this. For a very small chrooted environment (i.e. bash, cp, scp, ls, mv etc.) I generally create this manually by copying the executables into the new structure then running ldd on them to identify the libraries. For a larger chroot environment you may want to look at dbootstrap.

You will have to manually maintain your chroot (upgrading executables/security updates) unless you install APT into the chroot. I generally don't.

Regards,
-- 
Andrew J. Stephen                   Phone  +64 4 496 4484
Team Leader, Network Operations     Mobile +64 25 582 304
New Zealand Post                    Fax    +64 4 496 4914

The important thing about standards is to have them.
-- Bruce Schneier, creator of the Twofish algorithm

-----Original Message-----
From: Javier Fernández-Sanguino Peña [mailto:[EMAIL PROTECTED]]
Sent: Saturday, 27 October 2001 02:15
To: [EMAIL PROTECTED]
Subject: [off-topic?] Chrooting ssh/telnet users?

I have been asked for this and I was trying to figure out how to do it (would document it later on in the Securing-Debian-Manual). So please, excuse me if you feel this is off-topic.

The problem is, how can an admin restrict remote access from a given user (through telnet and/or sshd) in order to limit his moves inside the operating system. Chrooting the daemon is a possibility, but it's not tailored in a per-user basis but globally to all users (besides you need all the tools that users might want to use in the jail).

I'm looking more into a jailed environment like proftpd's when you set "DefaultRoot ~" (jails the user into his home directory but he's able to use all commands, without having to setup all the libraries in it).

AFAIK, pam only allows to limit some user accesses (cores, memory limits..) not users movement in the OS.

Ideas?

Regards
Javi

This email with any attachments is confidential and may be subject to legal privilege. If it is not intended for you please reply immediately, destroy it and do not copy, disclose or use it in any way.
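Andrew's "copy the executables, then run ldd to find the libraries" procedure, written out as an added shell example (not code from the thread or from any of its posters). It assumes GNU/Linux-style ldd output and takes the jail path and the binary list as arguments; `jail_missing` is a hypothetical helper added to check the result.

```shell
#!/bin/sh
# Added example (not from the thread): build a minimal chroot jail by copying
# the named binaries into it, then using ldd to find and copy the shared
# libraries they need. Jail path and binary list are assumed arguments.

# copy_with_parents SRC JAIL: copy SRC to JAIL/SRC, creating parent dirs.
# cp without -R follows symlinks, so a linked loader like /lib64/ld-linux*
# lands in the jail as a real file under the path the binary expects.
copy_with_parents() {
    src=$1; jail=$2; dest="$jail$src"
    mkdir -p "$(dirname "$dest")"
    cp -p "$src" "$dest"          # -p keeps the original mode bits
    chmod go-w "$dest"            # never leave jail contents user-writable
}

# libs_of BIN: print absolute paths of the shared objects BIN loads.
# Matches "libc.so.6 => /lib/.../libc.so.6 (0x...)" lines and the bare
# "/lib64/ld-linux-x86-64.so.2 (0x...)" loader line; a static binary makes
# ldd say "not a dynamic executable" and yields no paths, which is correct.
# ldd runs the dynamic loader on BIN, so only point it at trusted files.
libs_of() {
    ldd "$1" 2>/dev/null | awk '
        $2 == "=>" && $3 ~ /^\// { print $3; next }
        $1 ~ /^\//                { print $1 }'
}

# build_jail JAIL BIN...: populate JAIL with each BIN and its libraries.
# Returns 1 if any requested binary is missing or not executable.
build_jail() {
    jail=$1; shift
    mkdir -p "$jail/bin" "$jail/lib" "$jail/etc" "$jail/dev" "$jail/home"
    rc=0
    for bin in "$@"; do
        path=$(command -v "$bin" 2>/dev/null) || path=$bin
        if [ ! -x "$path" ]; then
            echo "build_jail: $bin: not found or not executable" >&2
            rc=1; continue
        fi
        copy_with_parents "$path" "$jail"
        for lib in $(libs_of "$path"); do
            [ -e "$jail$lib" ] || copy_with_parents "$lib" "$jail"
        done
    done
    return "$rc"
}

# jail_missing JAIL BIN: list libraries BIN needs that are absent from JAIL;
# prints nothing and returns 0 when the jail is complete for that binary.
jail_missing() {
    jail=$1; path=$(command -v "$2" 2>/dev/null) || path=$2
    missing=0
    for lib in $(libs_of "$path"); do
        [ -e "$jail$lib" ] || { echo "$lib"; missing=1; }
    done
    return "$missing"
}

# Usage: build_jail /home/jail sh ls cp && jail_missing /home/jail ls
```

Re-run `build_jail` after every security update of the copied binaries, since, as Andrew notes, nothing inside the jail is maintained by APT unless you install it there.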
Re: [off-topic?] Chrooting ssh/telnet users?
It seems pam_chroot is available at http://www.kernel.org/pub/linux/libs/pam/pre/modules/

I will try and take a look at it...

Javi
Re: [off-topic?] Chrooting ssh/telnet users?
argh, this sounds like the sort of thing that would've been useful when i set up rsync on our company backup machine (as opposed to writing a small shell that chrooted and ran rsync).

it doesn't appear to be in debian unstable; apt-cache shows no third party module for it, and it's most definitely not included in stock pam. according to the rpm changelog, redhat added it on 10/02/00, somewhere before 0.73 was merged. the readme in the modules/chroot directory identifies the source as ftp://ferret.lmh.ox.ac.uk/users/weejock/pam_chroot/.

i would love to see it packaged; i put redhat's source tarball at http://etc.mp3revolution.net/pam-redhat-0.74-22.tar.gz

On Fri, Oct 26, 2001 at 05:25:28PM +0200, Christian Kurz wrote:
> On 26/10/01, Javier Fernández-Sanguino Peña wrote:
> > The problem is, how can an admin restrict remote access from a given user (through telnet and/or sshd) in order to limit his moves inside the operating system.
> [...]
> > AFAIK, pam only allows to limit some user accesses (cores, memory limits..) not users movement in the OS
>
> That's a wrong assumption. At least RedHat contains a pam_chroot.so module which can be used in connection with the latest ssh to limit a user into a chroot. I'm just wondering if that module is packaged already for debian or not.
>
> Christian
> -- 
> Debian Developer (http://www.debian.org)
> 1024/26CC7853 31E6 A8CA 68FC 284F 7D16 63EC A9E6 67FF 26CC 7853

-- 
I think a lot of the basis of the open source movement comes from procrastinating students... -- Andrew Tridgell
http://www.linux-mag.com/2001-07/tridgell_04.html
Re: [off-topic?] Chrooting ssh/telnet users?
On Fri, Oct 26, 2001 at 04:35:14PM +0100, Tim Haynes wrote:
> Rishi L Khan [EMAIL PROTECTED] writes:
> > I think the only way to accomplish a chroot IS to include all the files in the jail that the user needs.
> [snip]
> Yes. Somehow, if you're going to run something, it needs to be in the jail. Various alternatives to consider for various reasons: busybox, rbash, sash. What would be nice would be a union-mount, so you could graft a real /bin on top of /home/foo/bin, and so on. I'm not sure that `mount --bind' is the same thing?

Umm... couldn't you have a restricted environment but with commands hard-linked in it to the proper ones and restricting thoroughly the hard links? (only rX, no w bits) The problem is how to do this automatically (and not checking dynamic dependencies one by one...)

> FWIW I had to implement a chroot-jailed login for someone recently; if anyone's interested, my attempts at the relevant C, nicked in part from the appropriate manpages, are to be found below. There is sufficient jiggery-pokery with arg{c,v} in here to allow `ssh [EMAIL PROTECTED] cat foofile > localfoofile' to transfer a file, but not to make scp work. (Don't ask me; don't take this code as professional, bug-free, exploit-free or generally anything other than rubbish, but it compiles, and it works.)

Will take a look...

Regards
Javi