Lab Exercise #5: a Simple Chroot Jail Example

Lab Exercise #5: a Simple Chroot Jail Example

CIS 290 – LINUX Security

Lab Exercise #5: A simple chroot jail example

(Chapter 11. Sobells Fedora and RHEL 6th Edition)

1) Creating a chroot jail, as root, give the command:

/usr/sbin/chroot <directory> <command>.

The directory becomes the root directory, and the process attempts to run the default shell.

2) To create an ordinary user chroot jail, as ROOT

useradd user8

passwd user8

3) Create jailed directories

cd /home/user8

mkdir /home/user8/etc

mkdir /home/user8/dev

mkdir /home/user8/bin

mkdir /home/user8/lib

ls –al (Note root ownership)

4) Change ownership to the ordinary user

chown user8 *

ls –al (note user8 ownership)

5) To set up a useful chroot jail, determine which utilities the chroot jail needs.

Then copy the appropriate binaries and their .so libraries (ldd command) into the jail.

cp /bin/ls ./bin

cp /bin/bash ./bin

cp /bin/echo ./bin

ldd /bin/ls

linux-gate.so.1 => (0xb77b6000)

libselinux.so.1 => /lib/libselinux.so.1 (0x46af0000)

librt.so.1 => /lib/librt.so.1 (0x46967000)

libcap.so.2 => /lib/libcap.so.2 (0x46cba000)

libacl.so.1 => /lib/libacl.so.1 (0x47837000)

libc.so.6 => /lib/libc.so.6 (0x467b6000)

libdl.so.2 => /lib/libdl.so.2 (0x46960000)

/lib/ld-linux.so.2 (0x46794000)

libpthread.so.0 => /lib/libpthread.so.0 (0x46944000)

libattr.so.1 => /lib/libattr.so.1 (0x477f6000)

ldd /bin/bash

linux-gate.so.1 => (0xb770e000)

libtinfo.so.5 => /lib/libtinfo.so.5 (0x480ad000)

libdl.so.2 => /lib/libdl.so.2 (0x46960000)

libgcc_s.so.1 => /lib/libgcc_s.so.1 (0x469b6000)

libc.so.6 => /lib/libc.so.6 (0x467b6000)

/lib/ld-linux.so.2 (0x46794000)

ldd /bin/echo

linux-gate.so.1 => (0xb7790000)

libc.so.6 => /lib/libc.so.6 (0x467b6000)

/lib/ld-linux.so.2 (0x46794000)

cp /lib/libdl.so.2 ./lib

cp /lib/libtinfo.so.5 /lib

cp /lib/libtinfo.so.5 ./lib

cp /lib/libselinux.so.1 ./lib

cp /lib/libselinux.so.1 ./lib

cp /lib/ld-linux.so.2 ./lib

cp /lib/libc.so.6 ./lib

cp /lib/libgcc_s.so.1 ./lib

cp /lib/librt.so.1 ./lib

cp /lib/libcap.so.2 ./lib

cp /lib/libc.so.6 ./lib

cp /lib/libacl.so.1 ./lib

cp /lib/libdl.so.2 ./lib

cp /lib/libpthread.so.0 ./lib

cp /lib/libattr.so.1 ./lib

6) Run the process from chroot:

chroot /home/user8 /bin/ls

bin dev etc lib

chroot /home/user8 /bin/echo hi there

hi there

7) As an ordinary user:

exit (root)

su - user8

pwd

chroot /home/user8 /bin/ls

chroot: cannot change root directory to /home/user8: Operation not permitted

8) As root:

su -c "chroot /home/user8 /bin/ls"

9) To automate the process for user8 login , you can put su or sudo in the jail and then start a shell program to start the process inside the jail:

/usr/sbin/chroot /home/user8 /bin/su user8 -c /bin/bash

You will have to move all of PAM, including its libraries and configuration files, in the jail for su or sudo to function.

10) Create a dummy password and group file for the user at system level and copy t0 /home/user8/etc/passwd

root:x:0:0::/:/bin/bash

user8:x:1004:1004::/home:/bin/bash

11) Copy to /home/user8/etc/group

root:x:0:

jailed:x:1004:

12) chgrp jailed /home/user8

13) Copy the command from 9) into a shell script chroot.sh and make that the user program run in the system /etc/passwd. Then modify system /etc/passwd as follows:

usermod -d /home/user8 -s /<some dir>/chroot.sh user8

- If you plan to deploy multiple chroot jails, it is a good idea to keep a clean copy of the binand lib files somewhere other than in one of the active jails.

- Running a process shell inside a jail is done as follows:

/usr/sbin/chroot jailpath /bin/su user daemonname &

However, most processes some with their own “chroot jail” procedures – Apache, BIND, SSH, etc. Those are usually application specific.

Top View