[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: chroot and OpenSSH

> > > > Then I tried the following which probably indicates my ignorance of the
> > > > Linux/SSH/login process, I tried changing  the user's shell: "/bin/bash"
> > > > to a shell script with: usermod -s /bin/usr_login.sh which contained one line:
> > > >
> > > > chroot /path/to/userhomedir /bin/bash
> > > >
> > > > This fails, and I'm pretty sure that I know why, but I wanted to seek
> > > > advice and guidance from those of you who might have experience with
> > > > this before proceeding.
> > >
> > > Did you add '/bin/usr_login.sh' to /etc/shells?
> >
> > Oops hadn't noticed /etc/shells. I added usr_login.sh to it and I'm
> > still getting the same error message as before:
> >
> > chroot: cannot change root directory to /home/userdir: Operation not permitted
> I'm not sure what they should be, but this looks like a permissions
> problem.  Try adding global execute permissions to '/home/userdir'.
> This might or might not be a security hole.  I don't see anything
> obvious.

I think Frank and Alans' responses (pasted below) are correct (I had a
feeling this was the problem).
Only root can do a chroot. So best thing to do would be to dig into
the code and add a chroot() call just before the setuid ...

chroot has to be run as root (ie. before a process drops privileges).  You
can't run it as a user.

So the the shell actually runs as a process owned by the user... Of
course, what a dummy I am!  So I need the SSHD process to do the chroot
prior to authentication (and starting of the shell...) Hmm any idea if
that is possible, without getting into OpenSSH's source code?  I'm
starting to think it might just be easier to switch to SSH2... 

> You do understand that by chroot-ing a user, you need to put
> all the commands and libraries into the chroot-ed directory.  (At least
> the commands that user will use).

Yes, this is in fact exactly what i want.

> > In addition these are the corresponding lines from my /var/log/messages:
> >
> > Aug  3 12:16:22 server1 sshd[1770]: Accepted password for user1 from
> > xxx.xxx.xxx.xxx port 49155 ssh2
> > Aug  3 12:16:22 server1 PAM_pwdb[1770]: (sshd) session opened for user
> > user1 by (uid=0)
> > Aug  3 12:16:22 server1 sshd[1770]: fatal: session_input_channel_req:
> > channel 0: no session
> > Aug  3 12:16:22 server1 PAM_pwdb[1770]: (sshd) session closed for user user11

Reply to: