Re: openssh-5.3p1 chroot selinux error on CentOS-5.4

On 2/2/10 4:25 PM, James B. Byrne wrote:
> I built and installed openssh-5.3p1 on an x86_64 host running
> CentOS-5.4.  These are the build options:
> 

I have it working on CentOS 5.4. It was a PITA to get to work. Most
likely you are getting bit by selinux. Here is some stuff that may be of
help:

BUILD SCRIPT
============
[root@FOO openssh-5.3p1]# more run-config
#!/bin/bash
PFX='/usr/local'
./configure \
	--prefix=${PFX} \
	--sysconfdir=${PFX}/etc/ssh \
	--with-pam \
	--with-lastlog \
	--with-tcp-wrappers \
	--with-md5-passwords \
	--with-selinux \
	--with-kerberos5

exit


CHANGES TO /etc/init.d/sshd
===========================
...
# pull in sysconfig settings
[ -f /usr/local/etc/sysconfig/sshd ] && . /usr/local/etc/sysconfig/sshd

RETVAL=0
prog="sshd"

# Some functions to make the below more readable
KEYGEN=/usr/local/bin/ssh-keygen
SSHD=/usr/local/sbin/sshd
RSA1_KEY=/usr/local/etc/ssh/ssh_host_key
RSA_KEY=/usr/local/etc/ssh/ssh_host_rsa_key
DSA_KEY=/usr/local/etc/ssh/ssh_host_dsa_key
...


SSHD PAM STACK
==============
[root@FOO pam.d]# cat sshd
#%PAM-1.0
auth       include      system-auth
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
session    required     pam_selinux.so
session    optional     pam_keyinit.so force revoke
session    include      system-auth
session    required     pam_loginuid.so


ADDITIONS TO /etc/fstab
=======================
/selinux		/PATH2CHROOT/chroot/selinux		none	bind,ro		0 0
/etc/selinux		/PATH2CHROOT/chroot/etc/selinux		none	bind,ro		0 0
proc			/PATH2CHROOT/chroot/proc		proc	defaults	0 0
sysfs			/PATH2CHROOT/chroot/sys			sysfs	defaults	0 0
tmpfs			/PATH2CHROOT/chroot/tmp			tmpfs	noatime,nodev,nosuid,noexec,nouser,mode=1777,size=512M	0 0


CHROOT DIRECTORY REQUIREMENTS
=============================
[root@FOO chroot]# ll
drwxr-x--x   2 root root 4096 Jan 24 21:40 bin
drwxr-x--x   2 root root 4096 Jan 24 15:10 dev
drwxr-x--x   3 root root 4096 Jan 25 10:55 etc
drwxr-x--x   4 root root 4096 Jan 25 10:47 home
drwxr-x--x   2 root root 4096 Jan 24 21:16 lib
drwxr-x--x   2 root root 4096 Jan 24 21:16 lib64
dr-xr-xr-x 117 root root    0 Jan 24 01:12 proc
drwxr-xr-x   4 root root    0 Jan 24 01:12 selinux
drwxr-xr-x  11 root root    0 Jan 24 01:12 sys
drwxrwxrwt   2 root root   40 Jan 24 14:04 tmp
drwxr-x--x   5 root root 4096 Jan 24 15:35 usr
drwxr-x--x   3 root root 4096 Jan 24 16:14 var


[root@FOO chroot]# ll bin
total 2128
-r-xr-xr-x 1 root root 801512 Jan 22  2009 bash
(and other stuff that you may want users to use)


[root@FOO chroot]# ll dev
crw-rw-rw- 1 root root 1, 3 Jan 24 15:02 null
crw-rw-rw- 1 root root 1, 8 Jan 24 15:07 random
lrwxrwxrwx 1 root root   15 Jan 24 15:09 stderr -> /proc/self/fd/2
lrwxrwxrwx 1 root root   15 Jan 24 15:10 stdin -> /proc/self/fd/0
lrwxrwxrwx 1 root root   15 Jan 24 15:10 stdout -> /proc/self/fd/1
cr--r--r-- 1 root root 1, 9 Jan 24 15:08 urandom
crw-rw-rw- 1 root root 1, 5 Jan 24 15:02 zero


# except for motd, all of the following is needed
# motd is needed if you have SSH display the motd message
[root@FOO chroot]# ll etc
total 88
-r--r--r-- 1 root root   80 Jan 24 21:39 bashrc
-r--r--r-- 1 root root  266 Jan 25 10:50 group
-r--r--r-- 1 root root 1257 Jan 24 20:52 hosts
-r--r--r-- 1 root root  758 Sep 23  2004 inputrc
-r--r--r-- 1 root root  118 May  8  2009 localtime
-r--r--r-- 1 root root 2026 Jan 24 23:02 motd
-r--r--r-- 1 root root 1696 Sep 23  2004 nsswitch.conf
-r--r--r-- 1 root root  558 Jan 25 10:55 passwd
-r--r--r-- 1 root root  739 Jan 24 22:16 profile
-r--r--r-- 1 root root  149 Jan 24 20:55 resolv.conf
drwxr-x--x 3 root root 4096 Jan 22 11:00 selinux


# most lib + lib64 + /usr/lib + /usr/lib64
# exist so that name services work,
# including making the bash command prompt work
[root@FOO chroot]# ll lib
-rwxr-xr-x 1 root root   36348 Jan 20 22:11 libnss_compat-2.5.so
lrwxrwxrwx 1 root root      20 Jan 24 21:16 libnss_compat.so.2 -> libnss_compat-2.5.so
-rwxr-xr-x 1 root root  824548 May 24  2008 libnss_db-2.2.so
lrwxrwxrwx 1 root root      16 Jan 24 21:16 libnss_db.so.2 -> libnss_db-2.2.so
-rwxr-xr-x 1 root root   21876 Jan 20 22:11 libnss_dns-2.5.so
lrwxrwxrwx 1 root root      17 Jan 24 21:16 libnss_dns.so.2 -> libnss_dns-2.5.so
-rwxr-xr-x 1 root root   46680 Jan 20 22:11 libnss_files-2.5.so
lrwxrwxrwx 1 root root      19 Jan 24 21:16 libnss_files.so.2 -> libnss_files-2.5.so
-rwxr-xr-x 1 root root   22692 Jan 20 22:11 libnss_hesiod-2.5.so
lrwxrwxrwx 1 root root      20 Jan 24 21:16 libnss_hesiod.so.2 -> libnss_hesiod-2.5.so
-rwxr-xr-x 1 root root 3200212 Oct 27 14:01 libnss_ldap-2.5.so
lrwxrwxrwx 1 root root      18 Jan 24 21:16 libnss_ldap.so.2 -> libnss_ldap-2.5.so
-rwxr-xr-x 1 root root   42372 Jan 20 22:11 libnss_nis-2.5.so
-rwxr-xr-x 1 root root   51636 Jan 20 22:11 libnss_nisplus-2.5.so
lrwxrwxrwx 1 root root      21 Jan 24 21:16 libnss_nisplus.so.2 -> libnss_nisplus-2.5.so
lrwxrwxrwx 1 root root      17 Jan 24 21:16 libnss_nis.so.2 -> libnss_nis-2.5.so


[root@FOO chroot]# ll lib64
-rwxr-xr-x 1 root root  139416 Jan 20 18:43 ld-2.5.so
lrwxrwxrwx 1 root root       9 Jan 24 15:59 ld-linux-x86-64.so.2 -> ld-2.5.so
lrwxrwxrwx 1 root root      15 Jan 24 15:59 libacl.so.1 -> libacl.so.1.1.0
-rwxr-xr-x 1 root root   28008 May 24  2008 libacl.so.1.1.0
lrwxrwxrwx 1 root root      16 Jan 24 15:59 libattr.so.1 -> libattr.so.1.1.0
-rwxr-xr-x 1 root root   17888 Jan  6  2007 libattr.so.1.1.0
-rwxr-xr-x 1 root root 1717800 Jan 20 18:43 libc-2.5.so
lrwxrwxrwx 1 root root      17 Jan 24 15:59 libcom_err.so.2 -> libcom_err.so.2.1
-rwxr-xr-x 1 root root   10000 Sep  3 19:53 libcom_err.so.2.1
-rwxr-xr-x 1 root root   48600 Jan 20 18:43 libcrypt-2.5.so
-rwxr-xr-x 1 root root 1366208 Jan 20 15:56 libcrypto.so.0.9.8e
lrwxrwxrwx 1 root root      19 Jan 24 15:59 libcrypto.so.6 -> libcrypto.so.0.9.8e
lrwxrwxrwx 1 root root      15 Jan 24 15:59 libcrypt.so.1 -> libcrypt-2.5.so
lrwxrwxrwx 1 root root      11 Jan 24 15:59 libc.so.6 -> libc-2.5.so
-rwxr-xr-x 1 root root   23360 Jan 20 18:43 libdl-2.5.so
lrwxrwxrwx 1 root root      12 Jan 24 15:59 libdl.so.2 -> libdl-2.5.so
-rwxr-xr-x 1 root root    9472 Jan  6  2007 libkeyutils-1.2.so
lrwxrwxrwx 1 root root      18 Jan 24 15:59 libkeyutils.so.1 -> libkeyutils-1.2.so
-rwxr-xr-x 1 root root  615136 Jan 20 18:43 libm-2.5.so
lrwxrwxrwx 1 root root      11 Jan 24 15:59 libm.so.6 -> libm-2.5.so
-rwxr-xr-x 1 root root   43040 Jan 20 18:43 libnss_compat-2.5.so
lrwxrwxrwx 1 root root      20 Jan 24 21:16 libnss_compat.so.2 -> libnss_compat-2.5.so
-rwxr-xr-x 1 root root  791456 May 24  2008 libnss_db-2.2.so
lrwxrwxrwx 1 root root      16 Jan 24 21:16 libnss_db.so.2 -> libnss_db-2.2.so
-rwxr-xr-x 1 root root   23736 Jan 20 18:43 libnss_dns-2.5.so
lrwxrwxrwx 1 root root      17 Jan 24 21:16 libnss_dns.so.2 -> libnss_dns-2.5.so
-rwxr-xr-x 1 root root   53880 Jan 20 18:43 libnss_files-2.5.so
lrwxrwxrwx 1 root root      19 Jan 24 21:16 libnss_files.so.2 -> libnss_files-2.5.so
-rwxr-xr-x 1 root root   24736 Jan 20 18:43 libnss_hesiod-2.5.so
lrwxrwxrwx 1 root root      20 Jan 24 21:16 libnss_hesiod.so.2 -> libnss_hesiod-2.5.so
-rwxr-xr-x 1 root root 3165384 Oct 27 13:56 libnss_ldap-2.5.so
lrwxrwxrwx 1 root root      18 Jan 24 21:16 libnss_ldap.so.2 -> libnss_ldap-2.5.so
-rwxr-xr-x 1 root root   53432 Jan 20 18:43 libnss_nis-2.5.so
-rwxr-xr-x 1 root root   62944 Jan 20 18:43 libnss_nisplus-2.5.so
lrwxrwxrwx 1 root root      21 Jan 24 21:16 libnss_nisplus.so.2 -> libnss_nisplus-2.5.so
lrwxrwxrwx 1 root root      17 Jan 24 21:16 libnss_nis.so.2 -> libnss_nis-2.5.so
-rwxr-xr-x 1 root root  145824 Jan 20 18:43 libpthread-2.5.so
lrwxrwxrwx 1 root root      17 Jan 24 15:59 libpthread.so.0 -> libpthread-2.5.so
-rwxr-xr-x 1 root root   92736 Jan 20 18:43 libresolv-2.5.so
lrwxrwxrwx 1 root root      16 Jan 24 15:59 libresolv.so.2 -> libresolv-2.5.so
-rwxr-xr-x 1 root root   53448 Jan 20 18:43 librt-2.5.so
lrwxrwxrwx 1 root root      12 Jan 24 15:59 librt.so.1 -> librt-2.5.so
-rwxr-xr-x 1 root root   95464 Sep  3 23:00 libselinux.so.1
-rwxr-xr-x 1 root root  247496 Sep  3 20:35 libsepol.so.1
-rwxr-xr-x 1 root root  306568 Jan 20 15:56 libssl.so.0.9.8e
lrwxrwxrwx 1 root root      16 Jan 24 15:59 libssl.so.6 -> libssl.so.0.9.8e
lrwxrwxrwx 1 root root      19 Jan 24 15:59 libtermcap.so.2 -> libtermcap.so.2.0.8
-rwxr-xr-x 1 root root   15584 Jan  6  2007 libtermcap.so.2.0.8


[root@FOO chroot]# ll usr
drwxr-x--x 2 root root 4096 Jan 24 16:40 bin
drwxr-x--x 2 root root 4096 Jan 24 21:16 lib
drwxr-x--x 2 root root 4096 Jan 24 21:16 lib64


[root@FOO chroot]# ll usr/lib
-rwxr-xr-x 1 root root 1187124 Jul 27  2009 libnss3.so
-rwxr-xr-x 1 root root  373992 Jul 27  2009 libnssckbi.so
lrwxrwxrwx 1 root root      28 Jan 24 21:16 libnss_compat.so -> ../../lib/libnss_compat.so.2
lrwxrwxrwx 1 root root      24 Jan 24 21:16 libnss_db.so -> ../../lib/libnss_db.so.2
lrwxrwxrwx 1 root root      25 Jan 24 21:16 libnss_dns.so -> ../../lib/libnss_dns.so.2
lrwxrwxrwx 1 root root      27 Jan 24 21:16 libnss_files.so -> ../../lib/libnss_files.so.2
lrwxrwxrwx 1 root root      28 Jan 24 21:16 libnss_hesiod.so -> ../../lib/libnss_hesiod.so.2
lrwxrwxrwx 1 root root      26 Jan 24 21:16 libnss_ldap.so -> ../../lib/libnss_ldap.so.2
lrwxrwxrwx 1 root root      29 Jan 24 21:16 libnss_nisplus.so -> ../../lib/libnss_nisplus.so.2
lrwxrwxrwx 1 root root      25 Jan 24 21:16 libnss_nis.so -> ../../lib/libnss_nis.so.2
-rwxr-xr-x 1 root root   96924 Jul 27  2009 libnssutil3.so


[root@FOO chroot]# ll usr/lib64
lrwxrwxrwx 1 root root      21 Jan 24 15:59 libgssapi_krb5.so.2 -> libgssapi_krb5.so.2.2
-rwxr-xr-x 1 root root  190976 Jan 13 00:17 libgssapi_krb5.so.2.2
lrwxrwxrwx 1 root root      18 Jan 24 15:59 libk5crypto.so.3 -> libk5crypto.so.3.1
-rwxr-xr-x 1 root root  153624 Jan 13 00:17 libk5crypto.so.3.1
lrwxrwxrwx 1 root root      14 Jan 24 15:59 libkrb5.so.3 -> libkrb5.so.3.3
-rwxr-xr-x 1 root root  613896 Jan 13 00:17 libkrb5.so.3.3
lrwxrwxrwx 1 root root      21 Jan 24 15:59 libkrb5support.so.0 -> libkrb5support.so.0.1
-rwxr-xr-x 1 root root   35728 Jan 13 00:17 libkrb5support.so.0.1
lrwxrwxrwx 1 root root      21 Jan 24 15:59 liblber-2.3.so.0 -> liblber-2.3.so.0.2.31
-rwxr-xr-x 1 root root   59040 Jan 21  2009 liblber-2.3.so.0.2.31
lrwxrwxrwx 1 root root      21 Jan 24 15:59 libldap-2.3.so.0 -> libldap-2.3.so.0.2.31
-rwxr-xr-x 1 root root  241360 Jan 21  2009 libldap-2.3.so.0.2.31
lrwxrwxrwx 1 root root      17 Jan 24 15:59 libncurses.so.5 -> libncurses.so.5.5
-rwxr-xr-x 1 root root  380336 Jan  6  2007 libncurses.so.5.5
lrwxrwxrwx 1 root root      18 Jan 24 15:59 libncursesw.so.5 -> libncursesw.so.5.5
-rwxr-xr-x 1 root root  413488 Jan  6  2007 libncursesw.so.5.5
-rwxr-xr-x 1 root root 1221496 Jul 27  2009 libnss3.so
-rwxr-xr-x 1 root root  492960 Jul 27  2009 libnssckbi.so
lrwxrwxrwx 1 root root      30 Jan 24 21:16 libnss_compat.so -> ../../lib64/libnss_compat.so.2
lrwxrwxrwx 1 root root      26 Jan 24 21:16 libnss_db.so -> ../../lib64/libnss_db.so.2
lrwxrwxrwx 1 root root      27 Jan 24 21:16 libnss_dns.so -> ../../lib64/libnss_dns.so.2
lrwxrwxrwx 1 root root      29 Jan 24 21:16 libnss_files.so -> ../../lib64/libnss_files.so.2
lrwxrwxrwx 1 root root      30 Jan 24 21:16 libnss_hesiod.so -> ../../lib64/libnss_hesiod.so.2
lrwxrwxrwx 1 root root      28 Jan 24 21:16 libnss_ldap.so -> ../../lib64/libnss_ldap.so.2
lrwxrwxrwx 1 root root      31 Jan 24 21:16 libnss_nisplus.so -> ../../lib64/libnss_nisplus.so.2
lrwxrwxrwx 1 root root      27 Jan 24 21:16 libnss_nis.so -> ../../lib64/libnss_nis.so.2
-rwxr-xr-x 1 root root  119696 Jul 27  2009 libnssutil3.so
lrwxrwxrwx 1 root root      18 Jan 24 15:59 libsasl2.so.2 -> libsasl2.so.2.0.22
-rwxr-xr-x 1 root root  105464 Sep  4 00:05 libsasl2.so.2.0.22
-rwxr-xr-x 1 root root  805656 Sep 20 02:26 libtcl8.4.so
lrwxrwxrwx 1 root root      13 Jan 24 15:59 libz.so.1 -> libz.so.1.2.3
-rwxr-xr-x 1 root root   85608 Jan  9  2007 libz.so.1.2.3


PASSWD MUNGE
============
entry in /etc/passwd
   footest:x:505:505:Chroot Test Account:/PATH2CHROOT/chroot/home/footest:/bin/bash

entry in /PATH2CHROOT/chroot/etc/passwd
   footest:x:505:505:Chroot Test Account:/home/footest:/bin/bash

Also, in the chroot-ed passwd and group files, strip out all non-chroot-ed
users and groups, except for root.


PROFILE MUNGE
=============
copy /etc/profile to /PATH2CHROOT/chroot/etc/profile and add the
following code to the top of the file:

# CHROOT environment for login setup
# Special setup for chroot
HOME=$(echo ${HOME} | sed 's^/PATH2CHROOT/chroot^^')
export HOME
PWD=${HOME}
export PWD
cd ${HOME}
umask 002
# end chroot setup



FINAL NOTES
===========
1) I have not tried to make syslog work. It should be rather
straightforward, but I just have not had time to set it up.

2) I am attaching a template that can be used to build the chroot
environment. It has been tested exactly once. YMMV. (Assuming it makes
it past the mailing list filter!)

I hope this fixes your problem.

Jon Kibler
-- 
Jon R. Kibler
Chief Technical Officer
Advanced Systems Engineering Technology, Inc.
Charleston, SC  USA
o/c/s: 843-849-8214 / 843-813-2924 / 843-564-4224
e: Jon.Kibler@xxxxxxxx or Jon.R.Kibler@xxxxxxxxx
s: JonRKibler
http://www.linkedin.com/in/jonrkibler

My PGP Fingerprint is:
BAA2 1F2C 5543 5D25 4636 A392 515C 5045 CF39 4253


#!/bin/sh
# Copyright (c) 2010 by Advanced Systems Engineering Technology, Inc.  All Rights Reserved.
#
# You are free to use this script as you see fit.
# However, if you modify / copy / redistribute it, you must give 
# attribution to its original source.
#
# Script is provided "as-is" and may or may not work in your
# environment. Please report bugs to: Jon.R.Kibler@xxxxxxxxx
#
#
# create-chroot.sh -- create an SSH chroot environment for users
#                     that works with PAM and SELinux
#                     REQUIRES OpenSSH > 5.Xp1
#
# STOP!! Read and tailor this file!! Don't just blindly use it!!
#        This file is a TEMPLATE -- NOT a real chroot creation script!
#
# You will also have to set up sshd_config to chroot the user.
# That step must include:
#   -- adding pam_selinux.so to /etc/pam.d/sshd
#   -- creating a unique chroot group for this chroot
#      and adding to that chroot group all users that
#      are to be chrooted (user's home directory must
#      be ${CHROOT}/home/${USER})
#   -- creating a "Match Group" section at the end of
#      the sshd_config file for that chroot group, and
#      explicitly setting the chroot path on the
#      ChrootDirectory statement in the match group.
#      You will probably want to also create a unique
#      /etc/issue and put the appropriate Banner
#      pointer in that match group. Also, lock down
#      the group to prevent creating tunnels, etc.
#
exit
#
# Create the chroot dir
#
# directory pathname MUST begin with a "/" and *not* end with a "/"
CHROOT=/var/www/chroot
mkdir ${CHROOT}
chown root:root ${CHROOT}
chmod 751 ${CHROOT}
chcon system_u:object_r:root_t ${CHROOT}
#
# Create required directories in ${CHROOT}
#
mkdir ${CHROOT}/bin ${CHROOT}/dev ${CHROOT}/etc ${CHROOT}/home ${CHROOT}/lib ${CHROOT}/lib64 ${CHROOT}/usr ${CHROOT}/usr/bin ${CHROOT}/usr/lib ${CHROOT}/usr/lib64 ${CHROOT}/var
chown root:root ${CHROOT}/bin ${CHROOT}/dev ${CHROOT}/etc ${CHROOT}/home ${CHROOT}/lib ${CHROOT}/lib64 ${CHROOT}/usr ${CHROOT}/usr/bin ${CHROOT}/usr/lib ${CHROOT}/usr/lib64 ${CHROOT}/var
chmod 751  ${CHROOT}/bin ${CHROOT}/dev ${CHROOT}/etc ${CHROOT}/home ${CHROOT}/lib ${CHROOT}/lib64 ${CHROOT}/usr ${CHROOT}/usr/bin ${CHROOT}/usr/lib ${CHROOT}/usr/lib64 ${CHROOT}/var
chcon system_u:object_r:bin_t ${CHROOT}/bin
chcon system_u:object_r:device_t ${CHROOT}/dev
chcon system_u:object_r:etc_t ${CHROOT}/etc
chcon system_u:object_r:home_root_t ${CHROOT}/home
chcon system_u:object_r:lib_t ${CHROOT}/lib
chcon system_u:object_r:lib_t ${CHROOT}/lib64
chcon system_u:object_r:usr_t ${CHROOT}/usr
chcon system_u:object_r:bin_t ${CHROOT}/usr/bin
chcon system_u:object_r:lib_t ${CHROOT}/usr/lib
chcon system_u:object_r:lib_t ${CHROOT}/usr/lib64
chcon system_u:object_r:var_t ${CHROOT}/var
#
# create mount point within the mount point
# N.B. You *must* set appropriate permissions and
#      SELinux context on each directory in this 
#      path under the initial ${CHROOT}.
#      Also, you must adjust the path to create a
#      symbolic link that points to the ${CHROOT}/home
#      directory within ${CHROOT}${CHROOT}, and this
#      must be a relative path.
mkdir -p ${CHROOT}${CHROOT}
# chown root:root  ${CHROOT}${CHROOT}
# chmod 751  ${CHROOT}${CHROOT}
# chcon system_u:object_r:root_t ${CHROOT}${CHROOT}
# ln -s  ../../../home ${CHROOT}${CHROOT}/home
# chown -h root:root  ${CHROOT}${CHROOT}/home
# chcon -h system_u:object_r:root_t ${CHROOT}${CHROOT}/home
# 
# create mount points
mkdir ${CHROOT}/selinux ${CHROOT}/etc/selinux ${CHROOT}/proc ${CHROOT}/sys ${CHROOT}/tmp
chown root:root ${CHROOT}/selinux ${CHROOT}/etc/selinux ${CHROOT}/proc ${CHROOT}/sys ${CHROOT}/tmp
chmod 751 ${CHROOT}/selinux ${CHROOT}/etc/selinux ${CHROOT}/proc ${CHROOT}/sys
chmod 1777 ${CHROOT}/tmp
chcon system_u:object_r:security_t ${CHROOT}/selinux
chcon system_u:object_r:selinux_config_t ${CHROOT}/etc/selinux
chcon system_u:object_r:proc_t ${CHROOT}/proc
chcon system_u:object_r:sysfs_t ${CHROOT}/sys
chcon user_u:object_r:tmpfs_t ${CHROOT}/tmp
#
# example of a web site project's directory
# mkdir ${CHROOT}/projects
# mkdir ${CHROOT}/projects/FOO
# mkdir ${CHROOT}/projects/FOO/cgi-bin
# mkdir ${CHROOT}/projects/FOO/htdocs
# mkdir ${CHROOT}/projects/FOO/logs
# chown root:root  ${CHROOT}/projects
# chmod 751  ${CHROOT}/projects
# chown -R USER:GROUP  ${CHROOT}/projects/FOO
# chmod -R 751  ${CHROOT}/projects/FOO
# chcon -R user_u:object_r:httpd_sys_content_t ${CHROOT}/projects
#
# you may also want to create a /var/tmp directory.
# if you do, be sure to give it 1777 perms and the correct security context.
#
#
# Mount file systems required to support chroot
#
cat >> /etc/fstab << _THE_END_
/selinux		${CHROOT}/selinux	none	bind,ro		0 0
/etc/selinux		${CHROOT}/etc/selinux	none	bind,ro		0 0
proc			${CHROOT}/proc		proc	defaults	0 0
sysfs			${CHROOT}/sys		sysfs	defaults	0 0
tmpfs			${CHROOT}/tmp		tmpfs	noatime,nodev,nosuid,noexec,nouser,mode=1777,size=512M	0 0
_THE_END_
#
# do not do mounts until all else is set up and you are ready to test.
# then be very careful that you do not accidentally change anything
# in the mounted file systems.
#mount ${CHROOT}/selinux
#mount ${CHROOT}/etc/selinux
#mount ${CHROOT}/proc
#mount ${CHROOT}/sys
#mount ${CHROOT}/tmp
#
# Copy in required files
# (Note: /etc/bashrc and /etc/profile are special and created later)
#
cp -p /bin/{ln,mv,bash,cp,mkdir,more,rmdir,cat,chmod,date,sed,ls,hostname,rm,vi,echo} ${CHROOT}/bin/
cp -p /usr/bin/{w,who,id,pico,nano,less,clear} ${CHROOT}/usr/bin/
cp -p /lib/{libnss_nis-2.5.so,libnss_files-2.5.so,libnss_ldap-2.5.so,libnss_nisplus-2.5.so,libnss_db-2.2.so,libnss_hesiod-2.5.so,libnss_dns-2.5.so,libnss_compat-2.5.so} ${CHROOT}/lib/
cp -p /lib64/{libc-2.5.so,libm-2.5.so,libkeyutils-1.2.so,libnss_nis-2.5.so,libnss_files-2.5.so,libpthread-2.5.so,libnss_ldap-2.5.so,libnss_nisplus-2.5.so,libacl.so.1.1.0,libcom_err.so.2.1,libssl.so.0.9.8e,libnss_db-2.2.so,libnss_hesiod-2.5.so,libselinux.so.1,libattr.so.1.1.0,libnss_dns-2.5.so,libnss_compat-2.5.so,librt-2.5.so,libsepol.so.1,libresolv-2.5.so,libtermcap.so.2.0.8,libcrypt-2.5.so,libdl-2.5.so,ld-2.5.so,libcrypto.so.0.9.8e} ${CHROOT}/lib64/
cp -p /usr/lib/{libnssckbi.so,libnssutil3.so,libnss3.so} ${CHROOT}/usr/lib/
cp -p /usr/lib64/{libtcl8.4.so,libk5crypto.so.3.1,libncursesw.so.5.5,libz.so.1.2.3,libkrb5support.so.0.1,libncurses.so.5.5,libldap-2.3.so.0.2.31,libnssckbi.so,libkrb5.so.3.3,libsasl2.so.2.0.22,libnssutil3.so,libnss3.so,liblber-2.3.so.0.2.31,libgssapi_krb5.so.2.2} ${CHROOT}/usr/lib64/
cp -p /etc/{group,resolv.conf,hosts,passwd,nsswitch.conf,inputrc,motd,localtime} ${CHROOT}/etc/
#
# Create required links
#
ln -s  libssl.so.0.9.8e ${CHROOT}/lib64/libssl.so.6
ln -s  libnss_db-2.2.so ${CHROOT}/lib64/libnss_db.so.2
ln -s  libcom_err.so.2.1 ${CHROOT}/lib64/libcom_err.so.2
ln -s  libkeyutils-1.2.so ${CHROOT}/lib64/libkeyutils.so.1
ln -s  libnss_files-2.5.so ${CHROOT}/lib64/libnss_files.so.2
ln -s  libm-2.5.so ${CHROOT}/lib64/libm.so.6
ln -s  libnss_compat-2.5.so ${CHROOT}/lib64/libnss_compat.so.2
ln -s  libresolv-2.5.so ${CHROOT}/lib64/libresolv.so.2
ln -s  ld-2.5.so ${CHROOT}/lib64/ld-linux-x86-64.so.2
ln -s  libcrypt-2.5.so ${CHROOT}/lib64/libcrypt.so.1
ln -s  libnss_ldap-2.5.so ${CHROOT}/lib64/libnss_ldap.so.2
ln -s  libattr.so.1.1.0 ${CHROOT}/lib64/libattr.so.1
ln -s  libnss_hesiod-2.5.so ${CHROOT}/lib64/libnss_hesiod.so.2
ln -s  libnss_nisplus-2.5.so ${CHROOT}/lib64/libnss_nisplus.so.2
ln -s  libpthread-2.5.so ${CHROOT}/lib64/libpthread.so.0
ln -s  libdl-2.5.so ${CHROOT}/lib64/libdl.so.2
ln -s  libnss_dns-2.5.so ${CHROOT}/lib64/libnss_dns.so.2
ln -s  libcrypto.so.0.9.8e ${CHROOT}/lib64/libcrypto.so.6
ln -s  librt-2.5.so ${CHROOT}/lib64/librt.so.1
ln -s  libnss_nis-2.5.so ${CHROOT}/lib64/libnss_nis.so.2
ln -s  libc-2.5.so ${CHROOT}/lib64/libc.so.6
ln -s  libtermcap.so.2.0.8 ${CHROOT}/lib64/libtermcap.so.2
ln -s  libacl.so.1.1.0 ${CHROOT}/lib64/libacl.so.1
ln -s  /proc/self/fd/0 ${CHROOT}/dev/stdin
ln -s  /proc/self/fd/1 ${CHROOT}/dev/stdout
ln -s  /proc/self/fd/2 ${CHROOT}/dev/stderr
ln -s  ../../lib64/libnss_db.so.2 ${CHROOT}/usr/lib64/libnss_db.so
ln -s  libz.so.1.2.3 ${CHROOT}/usr/lib64/libz.so.1
ln -s  ../../lib64/libnss_nis.so.2 ${CHROOT}/usr/lib64/libnss_nis.so
ln -s  libkrb5support.so.0.1 ${CHROOT}/usr/lib64/libkrb5support.so.0
ln -s  ../../lib64/libnss_dns.so.2 ${CHROOT}/usr/lib64/libnss_dns.so
ln -s  libgssapi_krb5.so.2.2 ${CHROOT}/usr/lib64/libgssapi_krb5.so.2
ln -s  ../../lib64/libnss_compat.so.2 ${CHROOT}/usr/lib64/libnss_compat.so
ln -s  libk5crypto.so.3.1 ${CHROOT}/usr/lib64/libk5crypto.so.3
ln -s  ../../lib64/libnss_ldap.so.2 ${CHROOT}/usr/lib64/libnss_ldap.so
ln -s  libldap-2.3.so.0.2.31 ${CHROOT}/usr/lib64/libldap-2.3.so.0
ln -s  ../../lib64/libnss_hesiod.so.2 ${CHROOT}/usr/lib64/libnss_hesiod.so
ln -s  libncurses.so.5.5 ${CHROOT}/usr/lib64/libncurses.so.5
ln -s  ../../lib64/libnss_nisplus.so.2 ${CHROOT}/usr/lib64/libnss_nisplus.so
ln -s  libsasl2.so.2.0.22 ${CHROOT}/usr/lib64/libsasl2.so.2
ln -s  liblber-2.3.so.0.2.31 ${CHROOT}/usr/lib64/liblber-2.3.so.0
ln -s  libkrb5.so.3.3 ${CHROOT}/usr/lib64/libkrb5.so.3
ln -s  libncursesw.so.5.5 ${CHROOT}/usr/lib64/libncursesw.so.5
ln -s  ../../lib64/libnss_files.so.2 ${CHROOT}/usr/lib64/libnss_files.so
ln -s  ../../lib/libnss_db.so.2 ${CHROOT}/usr/lib/libnss_db.so
ln -s  ../../lib/libnss_nis.so.2 ${CHROOT}/usr/lib/libnss_nis.so
ln -s  ../../lib/libnss_dns.so.2 ${CHROOT}/usr/lib/libnss_dns.so
ln -s  ../../lib/libnss_compat.so.2 ${CHROOT}/usr/lib/libnss_compat.so
ln -s  ../../lib/libnss_ldap.so.2 ${CHROOT}/usr/lib/libnss_ldap.so
ln -s  ../../lib/libnss_hesiod.so.2 ${CHROOT}/usr/lib/libnss_hesiod.so
ln -s  ../../lib/libnss_nisplus.so.2 ${CHROOT}/usr/lib/libnss_nisplus.so
ln -s  ../../lib/libnss_files.so.2 ${CHROOT}/usr/lib/libnss_files.so
# site-specific example of a link into a project directory; tailor or remove
# ln -s  ../../projects/csc ${CHROOT}/home/stameyjw/csc
ln -s  libnss_db-2.2.so ${CHROOT}/lib/libnss_db.so.2
ln -s  libnss_files-2.5.so ${CHROOT}/lib/libnss_files.so.2
ln -s  libnss_compat-2.5.so ${CHROOT}/lib/libnss_compat.so.2
ln -s  libnss_ldap-2.5.so ${CHROOT}/lib/libnss_ldap.so.2
ln -s  libnss_hesiod-2.5.so ${CHROOT}/lib/libnss_hesiod.so.2
ln -s  libnss_nisplus-2.5.so ${CHROOT}/lib/libnss_nisplus.so.2
ln -s  libnss_dns-2.5.so ${CHROOT}/lib/libnss_dns.so.2
ln -s  libnss_nis-2.5.so ${CHROOT}/lib/libnss_nis.so.2
#
# Make devices
#
mknod ${CHROOT}/dev/null c 1 3
mknod ${CHROOT}/dev/zero c 1 5
mknod ${CHROOT}/dev/random c 1 8
mknod ${CHROOT}/dev/urandom c 1 9
#
# Create special /etc files
#
# Only ${CHROOT} is expanded while writing the profile; the \$ and \` escapes
# keep every other expansion for login time inside the chroot.
cat > ${CHROOT}/etc/profile << _THE_END_
# ${CHROOT}/etc/profile

# CHROOT environment for login setup
# Functions and aliases go in /etc/bashrc

# Special setup for chroot
HOME=\$(echo \${HOME} | sed 's^${CHROOT}^^')
export HOME
PWD=\${HOME}
export PWD
cd \${HOME}
umask 002
# end chroot setup


# User specific environment and startup programs

PATH=\$PATH:\$HOME/bin

export PATH

# ksh workaround
if [ -z "\$EUID" -a -x /usr/bin/id ]; then
	EUID=\`id -u\`
	UID=\`id -ru\`
fi

# No core files by default
ulimit -S -c 0 > /dev/null 2>&1

if [ -x /usr/bin/id ]; then
	USER="\`id -un\`"
	LOGNAME=\$USER
fi

HOSTNAME=\`/bin/hostname\`
HISTSIZE=1000

if [ -z "\$INPUTRC" -a ! -f "\$HOME/.inputrc" ]; then
    INPUTRC=/etc/inputrc
fi

export PATH USER LOGNAME HOSTNAME HISTSIZE INPUTRC

_THE_END_
#
cat > ${CHROOT}/etc/bashrc << _THE_END_
# ${CHROOT}/etc/bashrc

PS1="[\u@\h \W]\\\\$ "
export PS1

alias ll='ls -l'

_THE_END_
#
# Give note about fix-ups required
#
echo "You need to delete unnecessary stuff from:
	${CHROOT}/etc/passwd
	${CHROOT}/etc/group

You also need to edit the chroot-ed users in /etc/passwd.
In the real /etc/passwd file, the home directory should be
	${CHROOT}/home/${USER}
In the ${CHROOT}/etc/passwd file, the home directory should be
	/home/${USER}

In general, these files only need stuff related to:
	root (itself)
	users being chroot-ed
	nobody
	services whose UID/GID show up in files in the chroot

You will probably want to edit the MOTD message

You may also want to make all files in ${CHROOT}/etc immutable
" > /dev/stderr
#
# Fixup perms and security context
#
chown root:root ${CHROOT}/etc/{group,resolv.conf,hosts,passwd,nsswitch.conf,inputrc,motd,localtime,bashrc,profile}
chmod 444 ${CHROOT}/etc/{group,resolv.conf,hosts,passwd,nsswitch.conf,inputrc,motd,localtime,bashrc,profile}
#
chown root:root ${CHROOT}/dev/{null,zero,random,urandom}
chmod 666 ${CHROOT}/dev/{null,zero,random}
chmod 444 ${CHROOT}/dev/urandom
#
chcon system_u:object_r:bin_t ${CHROOT}/bin/{chmod,cp,date,echo,ln,mkdir,mv,rm,rmdir,sed,vi,cat,more} ${CHROOT}/usr/bin/{clear,id,less,nano,pico,w,who}
chcon system_u:object_r:etc_t ${CHROOT}/etc/{bashrc,group,hosts,inputrc,nsswitch.conf,passwd,profile,motd}
chcon system_u:object_r:hostname_exec_t ${CHROOT}/bin/hostname
chcon system_u:object_r:ld_so_t ${CHROOT}/lib64/ld-2.5.so
chcon system_u:object_r:lib_t ${CHROOT}/lib64/{libacl.so.1.1.0,libattr.so.1.1.0,libc-2.5.so,libcom_err.so.2.1,libcrypt-2.5.so,libcrypto.so.0.9.8e,libdl-2.5.so,libkeyutils-1.2.so,libm-2.5.so,libnss_compat-2.5.so,libnss_db-2.2.so,libnss_dns-2.5.so,libnss_files-2.5.so,libnss_hesiod-2.5.so,libnss_ldap-2.5.so,libnss_nis-2.5.so,libnss_nisplus-2.5.so,libpthread-2.5.so,libresolv-2.5.so,librt-2.5.so,libselinux.so.1,libsepol.so.1,libssl.so.0.9.8e} ${CHROOT}/lib64/{libtermcap.so.2.0.8,libnss_compat-2.5.so,libnss_db-2.2.so,libnss_dns-2.5.so,libnss_files-2.5.so,libnss_hesiod-2.5.so,libnss_ldap-2.5.so,libnss_nis-2.5.so,libnss_nisplus-2.5.so} ${CHROOT}/usr/lib64/{libgssapi_krb5.so.2.2,libk5crypto.so.3.1,libkrb5.so.3.3,libkrb5support.so.0.1,liblber-2.3.so.0.2.31,libldap-2.3.so.0.2.31,libncurses.so.5.5,libncursesw.so.5.5,libnss3.so,libnssckbi.so,libnssutil3.so,libsasl2.so.2.0.22,libtcl8.4.so,libz.so.1.2.3} ${CHROOT}/usr/lib/{libnss3.so,libnssckbi.so,libnssutil3.so}
chcon system_u:object_r:locale_t ${CHROOT}/etc/localtime
chcon system_u:object_r:ls_exec_t ${CHROOT}/bin/ls
chcon system_u:object_r:net_conf_t ${CHROOT}/etc/resolv.conf
chcon system_u:object_r:null_device_t ${CHROOT}/dev/null
chcon system_u:object_r:random_device_t ${CHROOT}/dev/random
chcon system_u:object_r:shell_exec_t ${CHROOT}/bin/bash
chcon system_u:object_r:urandom_device_t ${CHROOT}/dev/urandom
chcon system_u:object_r:zero_device_t ${CHROOT}/dev/zero
chcon -h system_u:object_r:lib_t ${CHROOT}/lib64/{ld-linux-x86-64.so.2,libacl.so.1,libattr.so.1,libcom_err.so.2,libcrypto.so.6,libcrypt.so.1,libc.so.6,libdl.so.2,libkeyutils.so.1,libm.so.6,libnss_compat.so.2,libnss_db.so.2,libnss_dns.so.2,libnss_files.so.2,libnss_hesiod.so.2,libnss_ldap.so.2,libnss_nisplus.so.2,libnss_nis.so.2,libpthread.so.0,libresolv.so.2,librt.so.1,libssl.so.6,libtermcap.so.2} ${CHROOT}/lib/{libnss_compat.so.2,libnss_db.so.2,libnss_dns.so.2,libnss_files.so.2,libnss_hesiod.so.2,libnss_ldap.so.2,libnss_nisplus.so.2,libnss_nis.so.2} ${CHROOT}/usr/lib64/{libgssapi_krb5.so.2,libk5crypto.so.3,libkrb5.so.3,libkrb5support.so.0,liblber-2.3.so.0,libldap-2.3.so.0,libncurses.so.5,libncursesw.so.5,libnss_compat.so,libnss_db.so,libnss_dns.so,libnss_files.so,libnss_hesiod.so,libnss_ldap.so,libnss_nisplus.so,libnss_nis.so,libsasl2.so.2,libz.so.1} ${CHROOT}/usr/lib/{libnss_compat.so,libnss_db.so,libnss_dns.so,libnss_files.so,libnss_hesiod.so,libnss_ldap.so,libnss_nisplus.so,libnss_nis.so}
chcon -h system_u:object_r:udev_tbl_t ${CHROOT}/dev/{stderr,stdout,stdin}
#
# This should complete the chroot setup
#
# The next step is to create a user
#
# A test user should be created and the following checks performed:
#   1) ssh does chroot the user
#   2) the user's home directory is correct (and not ${CHROOT}/home/${USER})
#   3) the user sees correct owner and group when doing a 'ls -l'
#      (if this shows UID/GID, then there is either a permissions issue on
#      ${CHROOT}/etc/{passwd,group,nsswitch.conf} or there is an nss library issue)
#   4) you must test both ssh and sftp for the user
#   5) the user gets both issue and motd for a shell login and only issue for sftp
#      (if you create alternate /etc/issue files, make sure they have the correct
#      security context, too.)
#
# Final word of warning:
#   When setting perms, or making other "massive" changes, be sure that you
#   only affect the chroot directory and NOT mounted partitions. In fact,
#   when doing the setup, you may not want to mount the partitions until
#   you have everything else set up and working.
#
# ############################################################################
#
# This environment was tested using OpenSSH 5.3p1 that was built using the
# following configuration (despite what the configuration says, the system
# is using sha-512 passwords, and it works fine; however, it does gag if
# you do not give it the md5-passwords parameter):

#!/bin/bash
PFX='/usr/local'
./configure \
	--prefix=${PFX} \
	--sysconfdir=${PFX}/etc/ssh \
	--with-pam \
	--with-lastlog \
	--with-tcp-wrappers \
	--with-md5-passwords \
	--with-selinux \
	--with-kerberos5

exit
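
A small audit script for a tree built along these lines, added here as an example; it is not part of the original message or its attached template. It checks the PASSWD MUNGE convention (host home `${CHROOT}/home/${USER}` against chroot-side home `/home/${USER}`) and that every symlink in the tree still resolves inside it, which is what the template's note about relative links is guarding against. The sample tree, the user names and the host-passwd file are constructed for the demo.

```shell
#!/bin/sh
# chroot-audit.sh: offline checks for an SSH chroot tree built the way the
# message above describes. Added example, not the poster's template. Assumes the
# PASSWD MUNGE convention: the host passwd gives a chrooted user's home as
# ${CHROOT}/home/${USER}, the chroot's own passwd gives /home/${USER}. Needs
# neither root nor SELinux, so it can run before the bind mounts exist. Each
# check prints problems on stderr and its problem count on stdout.

# Every non-root user in the chroot passwd must also be in the host passwd with
# home ${CHROOT}<chroot-home>, and the chroot-side home must not carry the prefix.
check_passwd_munge() {
    local root host_pw chroot_pw bad user pw uid gid gecos home shell host_home
    root="$1"; host_pw="$2"; chroot_pw="$3"; bad=0
    while IFS=: read -r user pw uid gid gecos home shell; do
        [ "$user" = root ] && continue
        host_home=$(awk -F: -v u="$user" '$1 == u { print $6 }' "$host_pw")
        if [ -z "$host_home" ]; then
            echo "passwd: $user exists only in the chroot passwd" >&2; bad=$((bad + 1))
        elif [ "$host_home" != "$root$home" ]; then
            echo "passwd: $user is not chrooted (host home $host_home)" >&2; bad=$((bad + 1))
        fi
        case "$home" in "$root"/*)
            echo "passwd: $user chroot-side home still starts with $root" >&2; bad=$((bad + 1)) ;;
        esac
    done < "$chroot_pw"
    echo "$bad"
}

# An absolute target is resolved against the chroot root (as after chroot()),
# so its top-level directory must exist there; mount points are empty until
# mounted, so no more than that can be required. A relative target must resolve
# to an existing path inside the tree: ../../.. links are only safe while they
# stay under ${CHROOT}.
check_symlinks() {
    local root bad list link target top resolved
    root=$(readlink -f "$1"); bad=0; list=$(mktemp)
    find "$root" -type l > "$list"
    while IFS= read -r link; do
        target=$(readlink "$link")
        case "$target" in
        /*) top=${target#/}; top=${top%%/*}
            [ -d "$root/$top" ] || { echo "symlink: $link -> $target: no /$top in the chroot" >&2; bad=$((bad + 1)); } ;;
        *)  resolved=$(readlink -f "$link" 2>/dev/null || true)
            case "$resolved" in
            "$root"/*) [ -e "$resolved" ] || { echo "symlink: $link is dangling" >&2; bad=$((bad + 1)); } ;;
            *) echo "symlink: $link -> $target escapes the chroot" >&2; bad=$((bad + 1)) ;;
            esac ;;
        esac
    done < "$list"
    rm -f "$list"
    echo "$bad"
}

# Run both checks against a tree and the host passwd; exit 0 only when clean.
audit_chroot() {
    local root n1 n2 total
    root="$1"
    n1=$(check_passwd_munge "$root" "$2" "$root/etc/passwd")
    n2=$(check_symlinks "$root")
    total=$((n1 + n2))
    echo "$root: $total problem(s)"
    [ "$total" -eq 0 ]
}

# Constructed sample: a tree in the template's layout with two deliberate faults.
# Prints its path; the matching "host" passwd is written beside it as host-passwd.
make_sample_chroot() {
    local base root d
    base=$(readlink -f "$(mktemp -d)"); root="$base/chroot"
    for d in dev etc home/footest lib lib64 usr/lib64 proc; do mkdir -p "$root/$d"; done
    echo stub > "$root/lib64/libnss_db-2.2.so"
    ln -s libnss_db-2.2.so "$root/lib64/libnss_db.so.2"
    ln -s ../../lib64/libnss_db.so.2 "$root/usr/lib64/libnss_db.so"
    ln -s /proc/self/fd/0 "$root/dev/stdin"
    ln -s ../../../etc/passwd "$root/lib/escape"   # fault 1: climbs out of the tree
    # fault 2: bob is listed in the chroot passwd but is not a chrooted user
    printf 'root:x:0:0:root:/root:/bin/bash\nfootest:x:505:505:Chroot Test Account:%s/home/footest:/bin/bash\nbob:x:506:506:Bob:/home/bob:/bin/bash\n' "$root" > "$base/host-passwd"
    printf 'root:x:0:0:root:/root:/bin/bash\nfootest:x:505:505:Chroot Test Account:/home/footest:/bin/bash\nbob:x:506:506:Bob:/home/bob:/bin/bash\n' > "$root/etc/passwd"
    echo "$root"
}

# Usage: chroot-audit.sh <chroot> <host passwd>; with no arguments, audit the sample.
if [ $# -ge 2 ]; then
    audit_chroot "$1" "$2"
elif [ $# -eq 0 ]; then
    sample=$(make_sample_chroot)
    audit_chroot "$sample" "$(dirname "$sample")/host-passwd" || true
fi
```

Run it against the real tree before mounting /proc, /sys and the selinux binds, since a mounted tree would also need the "massive changes" caution from the template.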

