-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 2/2/10 4:25 PM, James B. Byrne wrote: > I built and installed openssh-5.3p1 on an x86_64 host running > CentOs-5.4. These are the build options: > I have it working on CentOS 5.4. It was a PITA to get to work. Most likely you are getting bit by selinux. Here is some stuff that may be of help: BUILD SCRIPT ============ [root@FOO openssh-5.3p1]# more run-config #/bin/bash PFX='/usr/local' ./configure \ --prefix=${PFX} \ --sysconfdir=${PFX}/etc/ssh \ --with-pam \ --with-lastlog \ --with-tcp-wrappers \ --with-md5-passwords \ --with-selinux \ --with-kerberos5 \ exit CHANGES TO /etc/init.d/sshd =========================== ... # pull in sysconfig settings [ -f /usr/local/etc/sysconfig/sshd ] && . /usr/local/etc/sysconfig/sshd RETVAL=0 prog="sshd" # Some functions to make the below more readable KEYGEN=/usr/local/bin/ssh-keygen SSHD=/usr/local/sbin/sshd RSA1_KEY=/usr/local/etc/ssh/ssh_host_key RSA_KEY=/usr/local/etc/ssh/ssh_host_rsa_key DSA_KEY=/usr/local/etc/ssh/ssh_host_dsa_key ... 
SSHD PAM STACK ============== [root@FOO pam.d]# cat sshd #%PAM-1.0 auth include system-auth account required pam_nologin.so account include system-auth password include system-auth session required pam_selinux.so session optional pam_keyinit.so force revoke session include system-auth session required pam_loginuid.so ADDITIONS TO /etc/fstab ======================= /selinux /PATH2CHROOT/chroot/selinux none bind,ro 0 0 /etc/selinux /PATH2CHROOT/chroot/etc/selinux none bind,ro 0 0 proc /PATH2CHROOT/chroot/proc proc defaults 0 0 sysfs /PATH2CHROOT/chroot/sys sysfs defaults 0 0 tmpfs /PATH2CHROOT/chroot/tmp tmpfs noatime,nodev,nosuid,noexec,nouser,mode=1777,size=512M 0 0 CHROOT DIRECTORY REQUIREMENTS ============================= [root@FOO chroot]# ll drwxr-x--x 2 root root 4096 Jan 24 21:40 bin drwxr-x--x 2 root root 4096 Jan 24 15:10 dev drwxr-x--x 3 root root 4096 Jan 25 10:55 etc drwxr-x--x 4 root root 4096 Jan 25 10:47 home drwxr-x--x 2 root root 4096 Jan 24 21:16 lib drwxr-x--x 2 root root 4096 Jan 24 21:16 lib64 dr-xr-xr-x 117 root root 0 Jan 24 01:12 proc drwxr-xr-x 4 root root 0 Jan 24 01:12 selinux drwxr-xr-x 11 root root 0 Jan 24 01:12 sys drwxrwxrwt 2 root root 40 Jan 24 14:04 tmp drwxr-x--x 5 root root 4096 Jan 24 15:35 usr drwxr-x--x 3 root root 4096 Jan 24 16:14 var [root@FOO chroot]# ll bin total 2128 - -r-xr-xr-x 1 root root 801512 Jan 22 2009 bash (and other stuff that you may want users to use) [root@FOO chroot]# ll dev crw-rw-rw- 1 root root 1, 3 Jan 24 15:02 null crw-rw-rw- 1 root root 1, 8 Jan 24 15:07 random lrwxrwxrwx 1 root root 15 Jan 24 15:09 stderr -> /proc/self/fd/2 lrwxrwxrwx 1 root root 15 Jan 24 15:10 stdin -> /proc/self/fd/0 lrwxrwxrwx 1 root root 15 Jan 24 15:10 stdout -> /proc/self/fd/1 cr--r--r-- 1 root root 1, 9 Jan 24 15:08 urandom crw-rw-rw- 1 root root 1, 5 Jan 24 15:02 zero # except for motd, all of the following is needed # motd is needed if you have SSH display motd message [root@FOO chroot]# ll etc total 88 - -r--r--r-- 1 root 
root 80 Jan 24 21:39 bashrc - -r--r--r-- 1 root root 266 Jan 25 10:50 group - -r--r--r-- 1 root root 1257 Jan 24 20:52 hosts - -r--r--r-- 1 root root 758 Sep 23 2004 inputrc - -r--r--r-- 1 root root 118 May 8 2009 localtime - -r--r--r-- 1 root root 2026 Jan 24 23:02 motd - -r--r--r-- 1 root root 1696 Sep 23 2004 nsswitch.conf - -r--r--r-- 1 root root 558 Jan 25 10:55 passwd - -r--r--r-- 1 root root 739 Jan 24 22:16 profile - -r--r--r-- 1 root root 149 Jan 24 20:55 resolv.conf drwxr-x--x 3 root root 4096 Jan 22 11:00 selinux # most lib + lib64 + /usr/lib + /usr/lib64 # exists so that name services works # including making the bash command prompt work [root@FOO chroot]# ll lib - -rwxr-xr-x 1 root root 36348 Jan 20 22:11 libnss_compat-2.5.so lrwxrwxrwx 1 root root 20 Jan 24 21:16 libnss_compat.so.2 -> libnss_compat-2.5.so - -rwxr-xr-x 1 root root 824548 May 24 2008 libnss_db-2.2.so lrwxrwxrwx 1 root root 16 Jan 24 21:16 libnss_db.so.2 -> libnss_db-2.2.so - -rwxr-xr-x 1 root root 21876 Jan 20 22:11 libnss_dns-2.5.so lrwxrwxrwx 1 root root 17 Jan 24 21:16 libnss_dns.so.2 -> libnss_dns-2.5.so - -rwxr-xr-x 1 root root 46680 Jan 20 22:11 libnss_files-2.5.so lrwxrwxrwx 1 root root 19 Jan 24 21:16 libnss_files.so.2 -> libnss_files-2.5.so - -rwxr-xr-x 1 root root 22692 Jan 20 22:11 libnss_hesiod-2.5.so lrwxrwxrwx 1 root root 20 Jan 24 21:16 libnss_hesiod.so.2 -> libnss_hesiod-2.5.so - -rwxr-xr-x 1 root root 3200212 Oct 27 14:01 libnss_ldap-2.5.so lrwxrwxrwx 1 root root 18 Jan 24 21:16 libnss_ldap.so.2 -> libnss_ldap-2.5.so - -rwxr-xr-x 1 root root 42372 Jan 20 22:11 libnss_nis-2.5.so - -rwxr-xr-x 1 root root 51636 Jan 20 22:11 libnss_nisplus-2.5.so lrwxrwxrwx 1 root root 21 Jan 24 21:16 libnss_nisplus.so.2 -> libnss_nisplus-2.5.so lrwxrwxrwx 1 root root 17 Jan 24 21:16 libnss_nis.so.2 -> libnss_nis-2.5.so [root@FOO chroot]# ll lib64 - -rwxr-xr-x 1 root root 139416 Jan 20 18:43 ld-2.5.so lrwxrwxrwx 1 root root 9 Jan 24 15:59 ld-linux-x86-64.so.2 -> ld-2.5.so lrwxrwxrwx 1 root 
root 15 Jan 24 15:59 libacl.so.1 -> libacl.so.1.1.0 - -rwxr-xr-x 1 root root 28008 May 24 2008 libacl.so.1.1.0 lrwxrwxrwx 1 root root 16 Jan 24 15:59 libattr.so.1 -> libattr.so.1.1.0 - -rwxr-xr-x 1 root root 17888 Jan 6 2007 libattr.so.1.1.0 - -rwxr-xr-x 1 root root 1717800 Jan 20 18:43 libc-2.5.so lrwxrwxrwx 1 root root 17 Jan 24 15:59 libcom_err.so.2 -> libcom_err.so.2.1 - -rwxr-xr-x 1 root root 10000 Sep 3 19:53 libcom_err.so.2.1 - -rwxr-xr-x 1 root root 48600 Jan 20 18:43 libcrypt-2.5.so - -rwxr-xr-x 1 root root 1366208 Jan 20 15:56 libcrypto.so.0.9.8e lrwxrwxrwx 1 root root 19 Jan 24 15:59 libcrypto.so.6 -> libcrypto.so.0.9.8e lrwxrwxrwx 1 root root 15 Jan 24 15:59 libcrypt.so.1 -> libcrypt-2.5.so lrwxrwxrwx 1 root root 11 Jan 24 15:59 libc.so.6 -> libc-2.5.so - -rwxr-xr-x 1 root root 23360 Jan 20 18:43 libdl-2.5.so lrwxrwxrwx 1 root root 12 Jan 24 15:59 libdl.so.2 -> libdl-2.5.so - -rwxr-xr-x 1 root root 9472 Jan 6 2007 libkeyutils-1.2.so lrwxrwxrwx 1 root root 18 Jan 24 15:59 libkeyutils.so.1 -> libkeyutils-1.2.so - -rwxr-xr-x 1 root root 615136 Jan 20 18:43 libm-2.5.so lrwxrwxrwx 1 root root 11 Jan 24 15:59 libm.so.6 -> libm-2.5.so - -rwxr-xr-x 1 root root 43040 Jan 20 18:43 libnss_compat-2.5.so lrwxrwxrwx 1 root root 20 Jan 24 21:16 libnss_compat.so.2 -> libnss_compat-2.5.so - -rwxr-xr-x 1 root root 791456 May 24 2008 libnss_db-2.2.so lrwxrwxrwx 1 root root 16 Jan 24 21:16 libnss_db.so.2 -> libnss_db-2.2.so - -rwxr-xr-x 1 root root 23736 Jan 20 18:43 libnss_dns-2.5.so lrwxrwxrwx 1 root root 17 Jan 24 21:16 libnss_dns.so.2 -> libnss_dns-2.5.so - -rwxr-xr-x 1 root root 53880 Jan 20 18:43 libnss_files-2.5.so lrwxrwxrwx 1 root root 19 Jan 24 21:16 libnss_files.so.2 -> libnss_files-2.5.so - -rwxr-xr-x 1 root root 24736 Jan 20 18:43 libnss_hesiod-2.5.so lrwxrwxrwx 1 root root 20 Jan 24 21:16 libnss_hesiod.so.2 -> libnss_hesiod-2.5.so - -rwxr-xr-x 1 root root 3165384 Oct 27 13:56 libnss_ldap-2.5.so lrwxrwxrwx 1 root root 18 Jan 24 21:16 libnss_ldap.so.2 -> 
libnss_ldap-2.5.so - -rwxr-xr-x 1 root root 53432 Jan 20 18:43 libnss_nis-2.5.so - -rwxr-xr-x 1 root root 62944 Jan 20 18:43 libnss_nisplus-2.5.so lrwxrwxrwx 1 root root 21 Jan 24 21:16 libnss_nisplus.so.2 -> libnss_nisplus-2.5.so lrwxrwxrwx 1 root root 17 Jan 24 21:16 libnss_nis.so.2 -> libnss_nis-2.5.so - -rwxr-xr-x 1 root root 145824 Jan 20 18:43 libpthread-2.5.so lrwxrwxrwx 1 root root 17 Jan 24 15:59 libpthread.so.0 -> libpthread-2.5.so - -rwxr-xr-x 1 root root 92736 Jan 20 18:43 libresolv-2.5.so lrwxrwxrwx 1 root root 16 Jan 24 15:59 libresolv.so.2 -> libresolv-2.5.so - -rwxr-xr-x 1 root root 53448 Jan 20 18:43 librt-2.5.so lrwxrwxrwx 1 root root 12 Jan 24 15:59 librt.so.1 -> librt-2.5.so - -rwxr-xr-x 1 root root 95464 Sep 3 23:00 libselinux.so.1 - -rwxr-xr-x 1 root root 247496 Sep 3 20:35 libsepol.so.1 - -rwxr-xr-x 1 root root 306568 Jan 20 15:56 libssl.so.0.9.8e lrwxrwxrwx 1 root root 16 Jan 24 15:59 libssl.so.6 -> libssl.so.0.9.8e lrwxrwxrwx 1 root root 19 Jan 24 15:59 libtermcap.so.2 -> libtermcap.so.2.0.8 - -rwxr-xr-x 1 root root 15584 Jan 6 2007 libtermcap.so.2.0.8 [root@FOO chroot]# ll usr drwxr-x--x 2 root root 4096 Jan 24 16:40 bin drwxr-x--x 2 root root 4096 Jan 24 21:16 lib drwxr-x--x 2 root root 4096 Jan 24 21:16 lib64 [root@FOO chroot]# ll usr/lib - -rwxr-xr-x 1 root root 1187124 Jul 27 2009 libnss3.so - -rwxr-xr-x 1 root root 373992 Jul 27 2009 libnssckbi.so lrwxrwxrwx 1 root root 28 Jan 24 21:16 libnss_compat.so -> ../../lib/libnss_compat.so.2 lrwxrwxrwx 1 root root 24 Jan 24 21:16 libnss_db.so -> ../../lib/libnss_db.so.2 lrwxrwxrwx 1 root root 25 Jan 24 21:16 libnss_dns.so -> ../../lib/libnss_dns.so.2 lrwxrwxrwx 1 root root 27 Jan 24 21:16 libnss_files.so -> ../../lib/libnss_files.so.2 lrwxrwxrwx 1 root root 28 Jan 24 21:16 libnss_hesiod.so -> ../../lib/libnss_hesiod.so.2 lrwxrwxrwx 1 root root 26 Jan 24 21:16 libnss_ldap.so -> ../../lib/libnss_ldap.so.2 lrwxrwxrwx 1 root root 29 Jan 24 21:16 libnss_nisplus.so -> ../../lib/libnss_nisplus.so.2 
lrwxrwxrwx 1 root root 25 Jan 24 21:16 libnss_nis.so -> ../../lib/libnss_nis.so.2 - -rwxr-xr-x 1 root root 96924 Jul 27 2009 libnssutil3.so [root@FOO chroot]# ll usr/lib64 lrwxrwxrwx 1 root root 21 Jan 24 15:59 libgssapi_krb5.so.2 -> libgssapi_krb5.so.2.2 - -rwxr-xr-x 1 root root 190976 Jan 13 00:17 libgssapi_krb5.so.2.2 lrwxrwxrwx 1 root root 18 Jan 24 15:59 libk5crypto.so.3 -> libk5crypto.so.3.1 - -rwxr-xr-x 1 root root 153624 Jan 13 00:17 libk5crypto.so.3.1 lrwxrwxrwx 1 root root 14 Jan 24 15:59 libkrb5.so.3 -> libkrb5.so.3.3 - -rwxr-xr-x 1 root root 613896 Jan 13 00:17 libkrb5.so.3.3 lrwxrwxrwx 1 root root 21 Jan 24 15:59 libkrb5support.so.0 -> libkrb5support.so.0.1 - -rwxr-xr-x 1 root root 35728 Jan 13 00:17 libkrb5support.so.0.1 lrwxrwxrwx 1 root root 21 Jan 24 15:59 liblber-2.3.so.0 -> liblber-2.3.so.0.2.31 - -rwxr-xr-x 1 root root 59040 Jan 21 2009 liblber-2.3.so.0.2.31 lrwxrwxrwx 1 root root 21 Jan 24 15:59 libldap-2.3.so.0 -> libldap-2.3.so.0.2.31 - -rwxr-xr-x 1 root root 241360 Jan 21 2009 libldap-2.3.so.0.2.31 lrwxrwxrwx 1 root root 17 Jan 24 15:59 libncurses.so.5 -> libncurses.so.5.5 - -rwxr-xr-x 1 root root 380336 Jan 6 2007 libncurses.so.5.5 lrwxrwxrwx 1 root root 18 Jan 24 15:59 libncursesw.so.5 -> libncursesw.so.5.5 - -rwxr-xr-x 1 root root 413488 Jan 6 2007 libncursesw.so.5.5 - -rwxr-xr-x 1 root root 1221496 Jul 27 2009 libnss3.so - -rwxr-xr-x 1 root root 492960 Jul 27 2009 libnssckbi.so lrwxrwxrwx 1 root root 30 Jan 24 21:16 libnss_compat.so -> ../../lib64/libnss_compat.so.2 lrwxrwxrwx 1 root root 26 Jan 24 21:16 libnss_db.so -> ../../lib64/libnss_db.so.2 lrwxrwxrwx 1 root root 27 Jan 24 21:16 libnss_dns.so -> ../../lib64/libnss_dns.so.2 lrwxrwxrwx 1 root root 29 Jan 24 21:16 libnss_files.so -> ../../lib64/libnss_files.so.2 lrwxrwxrwx 1 root root 30 Jan 24 21:16 libnss_hesiod.so -> ../../lib64/libnss_hesiod.so.2 lrwxrwxrwx 1 root root 28 Jan 24 21:16 libnss_ldap.so -> ../../lib64/libnss_ldap.so.2 lrwxrwxrwx 1 root root 31 Jan 24 21:16 
libnss_nisplus.so -> ../../lib64/libnss_nisplus.so.2 lrwxrwxrwx 1 root root 27 Jan 24 21:16 libnss_nis.so -> ../../lib64/libnss_nis.so.2 - -rwxr-xr-x 1 root root 119696 Jul 27 2009 libnssutil3.so lrwxrwxrwx 1 root root 18 Jan 24 15:59 libsasl2.so.2 -> libsasl2.so.2.0.22 - -rwxr-xr-x 1 root root 105464 Sep 4 00:05 libsasl2.so.2.0.22 - -rwxr-xr-x 1 root root 805656 Sep 20 02:26 libtcl8.4.so lrwxrwxrwx 1 root root 13 Jan 24 15:59 libz.so.1 -> libz.so.1.2.3 - -rwxr-xr-x 1 root root 85608 Jan 9 2007 libz.so.1.2.3 PASSWD MUNGE ============ entry in /etc/passwd footest:x:505:505:Chroot Test Account:/PATH2CHROOT/chroot/home/footest:/bin/bash entry in /PATH2CHROOT/chroot/etc/passwd footest:x:505:505:Chroot Test Account:/home/footest:/bin/bash Also, in chroot-ed passwd and group file, strip out all non-chroot-ed users and groups, except for root. PROFILE MUNGE ============= copy /etc/profile to /PATH2CHROOT/chroot/etc/profile and add the following code to the top of the file: # CHROOT environment for login setup # Special setup for chroot HOME=$(echo ${HOME} | sed 's^/PATH2CHROOT/chroot^^') export HOME PWD=${HOME} export PWD cd ${HOME} umask 002 # end chroot setup FINAL NOTES =========== 1) I have not tried to make syslog work. It should be rather straight forward, but I just have not had time to set it up. 2) I am attaching a template that can be used to build the chroot environment. It has been tested exactly once. YMMV. (Assuming it makes it past the mailing list filter!) I hope this fixes your problem. Jon Kibler - -- Jon R. Kibler Chief Technical Officer Advanced Systems Engineering Technology, Inc. 
Charleston, SC USA o/c/s: 843-849-8214 / 843-813-2924 / 843-564-4224 e: Jon.Kibler@xxxxxxxx or Jon.R.Kibler@xxxxxxxxx s: JonRKibler http://www.linkedin.com/in/jonrkibler My PGP Fingerprint is: BAA2 1F2C 5543 5D25 4636 A392 515C 5045 CF39 4253 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.8 (Darwin) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAkt3r9MACgkQUVxQRc85QlPmZACgmYQ9z3Ji9TrUY9Qq372SpwTq 9OEAnikPvbaPr9f1EPPt3u7q9Qe57872 =YOSg -----END PGP SIGNATURE-----
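#!/bin/bash
# Copyright (c) 2010 by Advanced Systems Engineering Technology, Inc. All Rights Reserved.
#
# You are free to use this script as you see fit.
# However, if you modify / copy / redistribute it, you must give
# attribution to its original source.
#
# Script is provided "as-is" and may or may not work in your
# environment. Please report bugs to: Jon.R.Kibler@xxxxxxxxx
#
#
# create-chroot.sh -- create an SSH chroot environment for users
# that works with PAM and SELinux
# REQUIRES OpenSSH > 5.Xp1
#
# STOP!! Read and tailor this file!! Don't just blindly use it!!
# This file is a TEMPLATE -- NOT a real chroot creation script!
#
# You will also have to set up sshd_config to chroot the user.
# That step must include:
# -- adding pam_selinux.so to /etc/pam.d/sshd
# -- creating a unique chroot group for this chroot
#    and adding to that chroot group all users that
#    are to be chrooted (user's home directory must
#    be ${CHROOT}/home/${USER})
# -- creating a "Match Group" section at the end of
#    the sshd_config file for that chroot group, and
#    explicitly setting the chroot path on the
#    ChrootDirectory statement in the match group.
#    You will probably want to also create an unique
#    /etc/issue for and put the appropriate Banner
#    pointer in that match group. Also, lock down
#    the group to prevent creating tunnels, etc.
#
# The script uses brace expansion ({a,b}) throughout, so it needs bash,
# not a POSIX /bin/sh.  Every step below writes to the filesystem as root;
# stop at the first failure (or unset variable) instead of continuing to
# build a half-made chroot on top of the error.
set -eu

# Uncomment the next line so that running this untailored template is a no-op.
# exit

if [ "$(id -u)" -ne 0 ]; then
  echo "create-chroot.sh must be run as root" >&2
  exit 1
fi

#
# Create the chroot dir
#
# directory pathname MUST begin with a "/" and *not* end with a "/"
# (the generated /etc/profile strips this exact string from HOME,
# and "/" itself must never be used here).
CHROOT=/var/www/chroot
case "${CHROOT}" in
  /*[!/]) ;;
  *)
    echo "CHROOT must be an absolute path that does not end in '/' (got '${CHROOT}')" >&2
    exit 1
    ;;
esac

# sshd refuses a ChrootDirectory that is not root-owned or that is
# group/world-writable; 751 satisfies both.
mkdir "${CHROOT}"
chown root:root "${CHROOT}"
chmod 751 "${CHROOT}"
chcon system_u:object_r:root_t "${CHROOT}"

#
# Create required directories in ${CHROOT}
# (parents are listed before children so plain mkdir works)
#
for d in bin dev etc home lib lib64 usr usr/bin usr/lib usr/lib64 var; do
  mkdir "${CHROOT}/${d}"
  chown root:root "${CHROOT}/${d}"
  chmod 751 "${CHROOT}/${d}"
done
chcon system_u:object_r:bin_t "${CHROOT}/bin"
chcon system_u:object_r:device_t "${CHROOT}/dev"
chcon system_u:object_r:etc_t "${CHROOT}/etc"
chcon system_u:object_r:home_root_t "${CHROOT}/home"
chcon system_u:object_r:lib_t "${CHROOT}/lib"
chcon system_u:object_r:lib_t "${CHROOT}/lib64"
chcon system_u:object_r:usr_t "${CHROOT}/usr"
chcon system_u:object_r:bin_t "${CHROOT}/usr/bin"
chcon system_u:object_r:lib_t "${CHROOT}/usr/lib"
chcon system_u:object_r:lib_t "${CHROOT}/usr/lib64"
chcon system_u:object_r:var_t "${CHROOT}/var"

#
# create mount point within the mount point
# N.B. You *must* set appropriate permissions and
#      SELinux context on each directory in this
#      path under the initial ${CHROOT}.
#      Also, you must adjust the path to create a
#      symbolic link that points to the ${CHROOT}/home
#      directory within ${CHROOT}${CHROOT}, and this
#      must be a relative path.
mkdir -p "${CHROOT}${CHROOT}"
# chown root:root ${CHROOT}${CHROOT}
# chmod 751 ${CHROOT}${CHROOT}
# chcon system_u:object_r:root_t ${CHROOT}${CHROOT}
# ln -s ../../../home ${CHROOT}${CHROOT}/home
# chown -h root:root ${CHROOT}${CHROOT}/home
# chcon -h system_u:object_r:root_t ${CHROOT}${CHROOT}/home

#
# create mount points
#
for d in selinux etc/selinux proc sys tmp; do
  mkdir "${CHROOT}/${d}"
  chown root:root "${CHROOT}/${d}"
done
chmod 751 "${CHROOT}/selinux" "${CHROOT}/etc/selinux" "${CHROOT}/proc" "${CHROOT}/sys"
# world-writable with the sticky bit; the tmpfs mounted here below is
# nodev,nosuid,noexec so nothing dropped into it can be executed.
chmod 1777 "${CHROOT}/tmp"
chcon system_u:object_r:security_t "${CHROOT}/selinux"
chcon system_u:object_r:selinux_config_t "${CHROOT}/etc/selinux"
chcon system_u:object_r:proc_t "${CHROOT}/proc"
chcon system_u:object_r:sysfs_t "${CHROOT}/sys"
chcon user_u:object_r:tmpfs_t "${CHROOT}/tmp"

#
# example of a web site project's directory
#
# mkdir ${CHROOT}/projects
# mkdir ${CHROOT}/projects/FOO
# mkdir ${CHROOT}/projects/FOO/cgi-bin
# mkdir ${CHROOT}/projects/FOO/htdocs
# mkdir ${CHROOT}/projects/FOO/logs
# chown root:root ${CHROOT}/projects
# chmod 751 ${CHROOT}/projects
# chown -R USER:GROUP ${CHROOT}/projects/FOO
# chmod -R 751 ${CHROOT}/projects/FOO
# chcon -R user_u:object_r:httpd_sys_content_t ${CHROOT}/projects
#
# you may also want to create a /var/tmp directory.
# if you do, be sure to give it 1777 perms and the correct security context.
#

#
# Mount file systems required to support chroot
# (guarded so that re-running the script does not append duplicate entries)
#
if grep -q -F -- "${CHROOT}/proc" /etc/fstab; then
  echo "fstab already has entries for ${CHROOT}; not appending" >&2
else
  cat >> /etc/fstab << _THE_END_
/selinux ${CHROOT}/selinux none bind,ro 0 0
/etc/selinux ${CHROOT}/etc/selinux none bind,ro 0 0
proc ${CHROOT}/proc proc defaults 0 0
sysfs ${CHROOT}/sys sysfs defaults 0 0
tmpfs ${CHROOT}/tmp tmpfs noatime,nodev,nosuid,noexec,nouser,mode=1777,size=512M 0 0
_THE_END_
fi

#
# do not do mounts until all else is set up and you are ready to test.
# then be very careful that you do not accidentally change anything
# in the mounted file systems.
#
#mount ${CHROOT}/selinux
#mount ${CHROOT}/etc/selinux
#mount ${CHROOT}/proc
#mount ${CHROOT}/sys
#mount ${CHROOT}/tmp

#
# Copy in required files
# (Note: /etc/bashrc and /etc/profile are special and created later)
#
cp -p /bin/{ln,mv,bash,cp,mkdir,more,rmdir,cat,chmod,date,sed,ls,hostname,rm,vi,echo} "${CHROOT}/bin/"
cp -p /usr/bin/{w,who,id,pico,nano,less,clear} "${CHROOT}/usr/bin/"
cp -p /lib/{libnss_nis-2.5.so,libnss_files-2.5.so,libnss_ldap-2.5.so,libnss_nisplus-2.5.so,libnss_db-2.2.so,libnss_hesiod-2.5.so,libnss_dns-2.5.so,libnss_compat-2.5.so} "${CHROOT}/lib/"
cp -p /lib64/{libc-2.5.so,libm-2.5.so,libkeyutils-1.2.so,libnss_nis-2.5.so,libnss_files-2.5.so,libpthread-2.5.so,libnss_ldap-2.5.so,libnss_nisplus-2.5.so,libacl.so.1.1.0,libcom_err.so.2.1,libssl.so.0.9.8e,libnss_db-2.2.so,libnss_hesiod-2.5.so,libselinux.so.1,libattr.so.1.1.0,libnss_dns-2.5.so,libnss_compat-2.5.so,librt-2.5.so,libsepol.so.1,libresolv-2.5.so,libtermcap.so.2.0.8,libcrypt-2.5.so,libdl-2.5.so,ld-2.5.so,libcrypto.so.0.9.8e} "${CHROOT}/lib64/"
cp -p /usr/lib/{libnssckbi.so,libnssutil3.so,libnss3.so} "${CHROOT}/usr/lib/"
cp -p /usr/lib64/{libtcl8.4.so,libk5crypto.so.3.1,libncursesw.so.5.5,libz.so.1.2.3,libkrb5support.so.0.1,libncurses.so.5.5,libldap-2.3.so.0.2.31,libnssckbi.so,libkrb5.so.3.3,libsasl2.so.2.0.22,libnssutil3.so,libnss3.so,liblber-2.3.so.0.2.31,libgssapi_krb5.so.2.2} "${CHROOT}/usr/lib64/"
# passwd and group are copied verbatim from the host; trim them to the
# chroot users before the first login (see the note printed at the end).
# /etc/shadow is not copied.
cp -p /etc/{group,resolv.conf,hosts,passwd,nsswitch.conf,inputrc,motd,localtime} "${CHROOT}/etc/"

#
# Create required links
#
ln -s libssl.so.0.9.8e "${CHROOT}/lib64/libssl.so.6"
ln -s libnss_db-2.2.so "${CHROOT}/lib64/libnss_db.so.2"
ln -s libcom_err.so.2.1 "${CHROOT}/lib64/libcom_err.so.2"
ln -s libkeyutils-1.2.so "${CHROOT}/lib64/libkeyutils.so.1"
ln -s libnss_files-2.5.so "${CHROOT}/lib64/libnss_files.so.2"
ln -s libm-2.5.so "${CHROOT}/lib64/libm.so.6"
ln -s libnss_compat-2.5.so "${CHROOT}/lib64/libnss_compat.so.2"
ln -s libresolv-2.5.so "${CHROOT}/lib64/libresolv.so.2"
ln -s ld-2.5.so "${CHROOT}/lib64/ld-linux-x86-64.so.2"
ln -s libcrypt-2.5.so "${CHROOT}/lib64/libcrypt.so.1"
ln -s libnss_ldap-2.5.so "${CHROOT}/lib64/libnss_ldap.so.2"
ln -s libattr.so.1.1.0 "${CHROOT}/lib64/libattr.so.1"
ln -s libnss_hesiod-2.5.so "${CHROOT}/lib64/libnss_hesiod.so.2"
ln -s libnss_nisplus-2.5.so "${CHROOT}/lib64/libnss_nisplus.so.2"
ln -s libpthread-2.5.so "${CHROOT}/lib64/libpthread.so.0"
ln -s libdl-2.5.so "${CHROOT}/lib64/libdl.so.2"
ln -s libnss_dns-2.5.so "${CHROOT}/lib64/libnss_dns.so.2"
ln -s libcrypto.so.0.9.8e "${CHROOT}/lib64/libcrypto.so.6"
ln -s librt-2.5.so "${CHROOT}/lib64/librt.so.1"
ln -s libnss_nis-2.5.so "${CHROOT}/lib64/libnss_nis.so.2"
ln -s libc-2.5.so "${CHROOT}/lib64/libc.so.6"
ln -s libtermcap.so.2.0.8 "${CHROOT}/lib64/libtermcap.so.2"
ln -s libacl.so.1.1.0 "${CHROOT}/lib64/libacl.so.1"
# /dev/std* resolve through the chroot's /proc mount
ln -s /proc/self/fd/0 "${CHROOT}/dev/stdin"
ln -s /proc/self/fd/1 "${CHROOT}/dev/stdout"
ln -s /proc/self/fd/2 "${CHROOT}/dev/stderr"
ln -s ../../lib64/libnss_db.so.2 "${CHROOT}/usr/lib64/libnss_db.so"
ln -s libz.so.1.2.3 "${CHROOT}/usr/lib64/libz.so.1"
ln -s ../../lib64/libnss_nis.so.2 "${CHROOT}/usr/lib64/libnss_nis.so"
ln -s libkrb5support.so.0.1 "${CHROOT}/usr/lib64/libkrb5support.so.0"
ln -s ../../lib64/libnss_dns.so.2 "${CHROOT}/usr/lib64/libnss_dns.so"
ln -s libgssapi_krb5.so.2.2 "${CHROOT}/usr/lib64/libgssapi_krb5.so.2"
ln -s ../../lib64/libnss_compat.so.2 "${CHROOT}/usr/lib64/libnss_compat.so"
ln -s libk5crypto.so.3.1 "${CHROOT}/usr/lib64/libk5crypto.so.3"
ln -s ../../lib64/libnss_ldap.so.2 "${CHROOT}/usr/lib64/libnss_ldap.so"
ln -s libldap-2.3.so.0.2.31 "${CHROOT}/usr/lib64/libldap-2.3.so.0"
ln -s ../../lib64/libnss_hesiod.so.2 "${CHROOT}/usr/lib64/libnss_hesiod.so"
ln -s libncurses.so.5.5 "${CHROOT}/usr/lib64/libncurses.so.5"
ln -s ../../lib64/libnss_nisplus.so.2 "${CHROOT}/usr/lib64/libnss_nisplus.so"
ln -s libsasl2.so.2.0.22 "${CHROOT}/usr/lib64/libsasl2.so.2"
ln -s liblber-2.3.so.0.2.31 "${CHROOT}/usr/lib64/liblber-2.3.so.0"
ln -s libkrb5.so.3.3 "${CHROOT}/usr/lib64/libkrb5.so.3"
ln -s libncursesw.so.5.5 "${CHROOT}/usr/lib64/libncursesw.so.5"
ln -s ../../lib64/libnss_files.so.2 "${CHROOT}/usr/lib64/libnss_files.so"
ln -s ../../lib/libnss_db.so.2 "${CHROOT}/usr/lib/libnss_db.so"
ln -s ../../lib/libnss_nis.so.2 "${CHROOT}/usr/lib/libnss_nis.so"
ln -s ../../lib/libnss_dns.so.2 "${CHROOT}/usr/lib/libnss_dns.so"
ln -s ../../lib/libnss_compat.so.2 "${CHROOT}/usr/lib/libnss_compat.so"
ln -s ../../lib/libnss_ldap.so.2 "${CHROOT}/usr/lib/libnss_ldap.so"
ln -s ../../lib/libnss_hesiod.so.2 "${CHROOT}/usr/lib/libnss_hesiod.so"
ln -s ../../lib/libnss_nisplus.so.2 "${CHROOT}/usr/lib/libnss_nisplus.so"
ln -s ../../lib/libnss_files.so.2 "${CHROOT}/usr/lib/libnss_files.so"
# site-specific example of linking a project directory into a user's home;
# ${CHROOT}/home/stameyjw does not exist in this template, so it is left disabled
# ln -s ../../projects/csc ${CHROOT}/home/stameyjw/csc
ln -s libnss_db-2.2.so "${CHROOT}/lib/libnss_db.so.2"
ln -s libnss_files-2.5.so "${CHROOT}/lib/libnss_files.so.2"
ln -s libnss_compat-2.5.so "${CHROOT}/lib/libnss_compat.so.2"
ln -s libnss_ldap-2.5.so "${CHROOT}/lib/libnss_ldap.so.2"
ln -s libnss_hesiod-2.5.so "${CHROOT}/lib/libnss_hesiod.so.2"
ln -s libnss_nisplus-2.5.so "${CHROOT}/lib/libnss_nisplus.so.2"
ln -s libnss_dns-2.5.so "${CHROOT}/lib/libnss_dns.so.2"
ln -s libnss_nis-2.5.so "${CHROOT}/lib/libnss_nis.so.2"

#
# Make devices
#
mknod "${CHROOT}/dev/null" c 1 3
mknod "${CHROOT}/dev/zero" c 1 5
mknod "${CHROOT}/dev/random" c 1 8
mknod "${CHROOT}/dev/urandom" c 1 9

#
# Create special /etc files
#
# The here-document is unquoted so that ${CHROOT} expands, therefore every
# $, ${...}, $(...) and backtick that must reach the generated file
# *literally* is backslash-escaped.  The generated profile strips the
# chroot prefix from HOME (sshd passes the host-side home path), then
# continues with the usual CentOS /etc/profile setup.
#
cat > "${CHROOT}/etc/profile" << _THE_END_
# ${CHROOT}/etc/profile
# CHROOT environment for login setup
# Functions and aliases go in /etc/bashrc

# Special setup for chroot
HOME=\$(echo \${HOME} | sed 's^${CHROOT}^^')
export HOME
PWD=\${HOME}
export PWD
cd \${HOME}
umask 002
# end chroot setup

# User specific environment and startup programs
PATH=\$PATH:\$HOME/bin
export PATH

# ksh workaround
if [ -z "\$EUID" -a -x /usr/bin/id ]; then
  EUID=\`id -u\`
  UID=\`id -ru\`
fi

# No core files by default
ulimit -S -c 0 > /dev/null 2>&1

if [ -x /usr/bin/id ]; then
  USER="\`id -un\`"
  LOGNAME=\$USER
fi

HOSTNAME=\`/bin/hostname\`
HISTSIZE=1000

if [ -z "\$INPUTRC" -a ! -f "\$HOME/.inputrc" ]; then
  INPUTRC=/etc/inputrc
fi

export PATH USER LOGNAME HOSTNAME HISTSIZE INPUTRC
_THE_END_
#
# "\\\\$" survives the here-document as "\\$", which bash's double-quoted
# assignment turns into the prompt escape "\$".
cat > "${CHROOT}/etc/bashrc" << _THE_END_
# ${CHROOT}/etc/bashrc
PS1="[\u@\h \W]\\\\$ "
export PS1
alias ll='ls -l'
_THE_END_

#
# Give note about fix-ups required
# (\${USER} is kept literal here: it stands for each chrooted account,
# not for the user running this script)
#
cat >&2 << _THE_END_

You need to delete unnecessary stuff from:
  ${CHROOT}/etc/passwd
  ${CHROOT}/etc/group

You also need to edit the chroot-ed users in /etc/passwd.
  In the real /etc/passwd file, the home directory should be ${CHROOT}/home/\${USER}
  In the ${CHROOT}/etc/passwd file, the home directory should be /home/\${USER}

In general, these files only need stuff related to:
  root (itself)
  users being chroot-ed
  nobody
  services whose UID/GID show up in files in the chroot

You will probably want to edit the MOTD message

You may also want to make all files in ${CHROOT}/etc immutable

_THE_END_

#
# Fixup perms and security context
#
chown root:root "${CHROOT}"/etc/{group,resolv.conf,hosts,passwd,nsswitch.conf,inputrc,motd,localtime,bashrc,profile}
chmod 444 "${CHROOT}"/etc/{group,resolv.conf,hosts,passwd,nsswitch.conf,inputrc,motd,localtime,bashrc,profile}
#
chown root:root "${CHROOT}"/dev/{null,zero,random,urandom}
chmod 666 "${CHROOT}"/dev/{null,zero,random}
chmod 444 "${CHROOT}/dev/urandom"
#
chcon system_u:object_r:bin_t "${CHROOT}"/bin/{chmod,cp,date,echo,ln,mkdir,mv,rm,rmdir,sed,vi,cat,more} "${CHROOT}"/usr/bin/{clear,id,less,nano,pico,w,who}
chcon system_u:object_r:etc_t "${CHROOT}"/etc/{bashrc,group,hosts,inputrc,nsswitch.conf,passwd,profile,motd}
chcon system_u:object_r:hostname_exec_t "${CHROOT}/bin/hostname"
chcon system_u:object_r:ld_so_t "${CHROOT}/lib64/ld-2.5.so"
# NOTE(review): the second lib64 group below repeats names already in the
# first one, while the 32-bit copies under ${CHROOT}/lib get no explicit
# chcon here -- verify their context after the run.
chcon system_u:object_r:lib_t \
  "${CHROOT}"/lib64/{libacl.so.1.1.0,libattr.so.1.1.0,libc-2.5.so,libcom_err.so.2.1,libcrypt-2.5.so,libcrypto.so.0.9.8e,libdl-2.5.so,libkeyutils-1.2.so,libm-2.5.so,libnss_compat-2.5.so,libnss_db-2.2.so,libnss_dns-2.5.so,libnss_files-2.5.so,libnss_hesiod-2.5.so,libnss_ldap-2.5.so,libnss_nis-2.5.so,libnss_nisplus-2.5.so,libpthread-2.5.so,libresolv-2.5.so,librt-2.5.so,libselinux.so.1,libsepol.so.1,libssl.so.0.9.8e} \
  "${CHROOT}"/lib64/{libtermcap.so.2.0.8,libnss_compat-2.5.so,libnss_db-2.2.so,libnss_dns-2.5.so,libnss_files-2.5.so,libnss_hesiod-2.5.so,libnss_ldap-2.5.so,libnss_nis-2.5.so,libnss_nisplus-2.5.so} \
  "${CHROOT}"/usr/lib64/{libgssapi_krb5.so.2.2,libk5crypto.so.3.1,libkrb5.so.3.3,libkrb5support.so.0.1,liblber-2.3.so.0.2.31,libldap-2.3.so.0.2.31,libncurses.so.5.5,libncursesw.so.5.5,libnss3.so,libnssckbi.so,libnssutil3.so,libsasl2.so.2.0.22,libtcl8.4.so,libz.so.1.2.3} \
  "${CHROOT}"/usr/lib/{libnss3.so,libnssckbi.so,libnssutil3.so}
chcon system_u:object_r:locale_t "${CHROOT}/etc/localtime"
chcon system_u:object_r:ls_exec_t "${CHROOT}/bin/ls"
chcon system_u:object_r:net_conf_t "${CHROOT}/etc/resolv.conf"
chcon system_u:object_r:null_device_t "${CHROOT}/dev/null"
chcon system_u:object_r:random_device_t "${CHROOT}/dev/random"
chcon system_u:object_r:shell_exec_t "${CHROOT}/bin/bash"
chcon system_u:object_r:urandom_device_t "${CHROOT}/dev/urandom"
chcon system_u:object_r:zero_device_t "${CHROOT}/dev/zero"
# -h labels the symlinks themselves rather than their targets
chcon -h system_u:object_r:lib_t \
  "${CHROOT}"/lib64/{ld-linux-x86-64.so.2,libacl.so.1,libattr.so.1,libcom_err.so.2,libcrypto.so.6,libcrypt.so.1,libc.so.6,libdl.so.2,libkeyutils.so.1,libm.so.6,libnss_compat.so.2,libnss_db.so.2,libnss_dns.so.2,libnss_files.so.2,libnss_hesiod.so.2,libnss_ldap.so.2,libnss_nisplus.so.2,libnss_nis.so.2,libpthread.so.0,libresolv.so.2,librt.so.1,libssl.so.6,libtermcap.so.2} \
  "${CHROOT}"/lib/{libnss_compat.so.2,libnss_db.so.2,libnss_dns.so.2,libnss_files.so.2,libnss_hesiod.so.2,libnss_ldap.so.2,libnss_nisplus.so.2,libnss_nis.so.2} \
  "${CHROOT}"/usr/lib64/{libgssapi_krb5.so.2,libk5crypto.so.3,libkrb5.so.3,libkrb5support.so.0,liblber-2.3.so.0,libldap-2.3.so.0,libncurses.so.5,libncursesw.so.5,libnss_compat.so,libnss_db.so,libnss_dns.so,libnss_files.so,libnss_hesiod.so,libnss_ldap.so,libnss_nisplus.so,libnss_nis.so,libsasl2.so.2,libz.so.1} \
  "${CHROOT}"/usr/lib/{libnss_compat.so,libnss_db.so,libnss_dns.so,libnss_files.so,libnss_hesiod.so,libnss_ldap.so,libnss_nisplus.so,libnss_nis.so}
chcon -h system_u:object_r:udev_tbl_t "${CHROOT}"/dev/{stderr,stdout,stdin}

#
# This should complete the chroot setup
#
# The next step is to create a user
#
# A test user should be created and the following checks performed:
# 1) ssh does chroot the user
# 2) the user's home directory is correct (and not ${CHROOT}/home/${USER})
# 3) the user sees correct owner and group when doing a 'ls -l'
#    (if this shows UID/GID, then there is either a permissions issue on
#    ${CHROOT}/etc/{passwd,group,nsswitch.conf} or there is an nss library issue)
# 4) you must test both ssh and sftp for the user
# 5) the user gets both issue and motd for a shell login and only issue for sftp
#    (if you create alternate /etc/issue files, make sure they have the correct
#    security context, too.)
#
# Final word of warning:
# When setting perms, or making other "massive" changes, be sure that you
# only effect the chroot directory and NOT mounted partitions. In fact,
# when doing the setup, you may not want to mount the partitions until
# you have everything else set up and working.
#
#
############################################################################
#
# This environment was tested using OpenSSH 5.3p1 that was built using the
# following configuration (despite what the configuration says, the system
# is using sha-512 passwords, and it works fine; however, it does gag if
# you do not give it the md5-passwords parameter).
# The configure invocation is reproduced as a comment only: it is a record
# of the build, not something this script should run.
#
# #!/bin/bash
# PFX='/usr/local'
# ./configure \
#   --prefix=${PFX} \
#   --sysconfdir=${PFX}/etc/ssh \
#   --with-pam \
#   --with-lastlog \
#   --with-tcp-wrappers \
#   --with-md5-passwords \
#   --with-selinux \
#   --with-kerberos5
# exit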