Friday, November 12, 2010

To Lock Users To Their Home Directories Only CentOS /RedHat


rssh support chrooting option. If you want to chroot users, use chrootpath option. It is used to set the directory where the root of the chroot jail will be located. This is a security feature.

A chroot on Linux or Unix OS is an operation that changes the root directory. It affects only the current process and its children. If your default home directory is /home/rajat normal user can access files in /etc, /sbin or /bin directory. This allows an attacker to install programs / backdoor via your web server in /tmp. chroot allows to restrict file system access and locks down user to their own directory.

Configuring rssh chroot

=> Chroot directory: /users.
Tip: If possible mount /users filesystem with the noexec/nosuid option to improve security.

=> Required directories in jail:

/users/dev - Device file
/users/etc - Configuration file such as passwd
/users/lib - Shared libs
/users/usr - rssh and other binaries
/users/bin - Copy default shell such as /bin/csh or /bin/bash
=> Required files in jail at /users directory (default for RHEL / CentOS / Debian Linux):

/etc/ld.so.cache
/etc/ld.so.cache.d/*
/etc/ld.so.conf
/etc/nsswitch.conf
/etc/passwd
/etc/group
/etc/hosts
/etc/resolv.conf
/usr/bin/scp
/usr/bin/rssh
/usr/bin/sftp
/usr/libexec/openssh/sftp-server OR /usr/lib/openssh/sftp-server
/usr/libexec/rssh_chroot_helper OR /usr/lib/rssh/rssh_chroot_helper (suid must be set on this binary)
/bin/sh or /bin/bash (default shell)
Tip: Limit the binaries which live in the jail to the absolute minimum required to improve security. Usually /bin/bash and /bin/sh is not required but some system may give out error.

A note about jail file system

Note: The files need to be placed in the jail directory (such as /users) in directories that mimic their placement in the root (/) file system. So you need to copy all required files. For example, /usr/bin/rssh is located on / file system. If your jail is located at /users, then copy /usr/bin/rssh to /users/usr/bin/rssh. Following instuctions are tested on:

FreeBSD
Solaris UNIX
RHEL / Redhat / Fedora / CentOS Linux
Debian Linux
Building the Chrooted Jail

Create all required directories:
# mkdir -p /users/{dev,etc,lib,usr,bin}
# mkdir -p /users/usr/bin
# mkdir -p /users/libexec/openssh

Create /users/dev/null:
# mknod -m 666 /users/dev/null c 1 3

Copy required /etc/ configuration files, as described above to your jail directory /users/etc:
# cd /users/etc
# cp /etc/ld.so.cache .
# cp -avr /etc/ld.so.cache.d/ .
# cp /etc/ld.so.conf .
# cp /etc/nsswitch.conf .
# cp /etc/passwd .
# cp /etc/group .
# cp /etc/hosts .
# cp /etc/resolv.conf .

Open /usres/group and /users/passwd file and remove root and all other accounts.

Copy required binary files, as described above to your jail directory /users/bin and other locations:
# cd /users/usr/bin
# cp /usr/bin/scp .
# cp /usr/bin/rssh .
# cp /usr/bin/sftp .
# cd /users/usr/libexec/openssh/
# cp /usr/libexec/openssh/sftp-server .

OR
# cp /usr/lib/openssh/sftp-server .
# cd /users/usr/libexec/
# cp /usr/libexec/rssh_chroot_helper

OR
# cp /usr/lib/rssh/rssh_chroot_helper
# cd /users/bin/
# cp /bin/sh .

OR
# cp /bin/bash .

Copy all shared library files

The library files that any of these binary files need can be found by using the ldd / strace command. For example, running ldd against /usr/bin/sftp provides the following output:
ldd /usr/bin/sftp

Output:

linux-gate.so.1 => (0x00456000)
libresolv.so.2 => /lib/libresolv.so.2 (0x0050e000)
libcrypto.so.6 => /lib/libcrypto.so.6 (0x0013e000)
libutil.so.1 => /lib/libutil.so.1 (0x008ba000)
libz.so.1 => /usr/lib/libz.so.1 (0x00110000)
libnsl.so.1 => /lib/libnsl.so.1 (0x0080e000)
libcrypt.so.1 => /lib/libcrypt.so.1 (0x00a8c000)
libgssapi_krb5.so.2 => /usr/lib/libgssapi_krb5.so.2 (0x00656000)
libkrb5.so.3 => /usr/lib/libkrb5.so.3 (0x00271000)
libk5crypto.so.3 => /usr/lib/libk5crypto.so.3 (0x00304000)
libcom_err.so.2 => /lib/libcom_err.so.2 (0x00777000)
libdl.so.2 => /lib/libdl.so.2 (0x00123000)
libnss3.so => /usr/lib/libnss3.so (0x00569000)
libc.so.6 => /lib/libc.so.6 (0x00b6c000)
libkrb5support.so.0 => /usr/lib/libkrb5support.so.0 (0x00127000)
libkeyutils.so.1 => /lib/libkeyutils.so.1 (0x00130000)
/lib/ld-linux.so.2 (0x00525000)
libplc4.so => /usr/lib/libplc4.so (0x008c9000)
libplds4.so => /usr/lib/libplds4.so (0x00133000)
libnspr4.so => /usr/lib/libnspr4.so (0x00d04000)
libpthread.so.0 => /lib/libpthread.so.0 (0x0032a000)
libselinux.so.1 => /lib/libselinux.so.1 (0x00341000)
libsepol.so.1 => /lib/libsepol.so.1 (0x00964000)
You need to copy all those libraries to /lib and other appropriate location. However, I recommend using my automated script called l2chroot:
# cd /sbin
# wget -O l2chroot http://www.yeswedeal.biz/files/l2chroot.txt
# chmod +x l2chroot

Open l2chroot and set BASE variable to point to chroot directory (jail) location:
BASE="/users"

Now copy all shared library files
# l2chroot /usr/bin/scp
# l2chroot /usr/bin/rssh
# l2chroot /usr/bin/sftp
# l2chroot /usr/libexec/openssh/sftp-server

OR
# l2chroot /usr/lib/openssh/sftp-server
# l2chroot /usr/libexec/rssh_chroot_helper

OR
# l2chroot /usr/lib/rssh/rssh_chroot_helper
# l2chroot /bin/sh

OR
# l2chroot /bin/bash

Modify syslogd configuration

The syslog library function works by writing messages into a FIFO file such as /dev/log. You need to pass -a /path/to/chroot/dev/log option. Using this argument you can specify additional sockets from that syslogd has to listen to. This is needed if you’re going to let some daemon run within a chroot() environment. You can use up to 19 additional sockets. If your environment needs even more, you have to increase the symbol MAXFUNIX within the syslogd.c source file. Open /etc/sysconfig/syslog file:
# vi /etc/sysconfig/syslog

Find line that read as follows:
SYSLOGD_OPTIONS="-m 0"

Append -a /users/dev/log
SYSLOGD_OPTIONS="-m 0 -a /users/dev/log"

Save and close the file. Restart syslog:
# /etc/init.d/syslog restart

If you are using Debian / Ubuntu Linux apply changes to /etc/default/syslogd file.

Set chroot path

Open configuration file /etc/rssh.conf:
# vi /etc/rssh.conf

Set chrootpath to /users
chrootpath=/users

Save and close the file. If sshd is not running start it:
# /etc/init.d/sshd start

Add user to jail
Now rssh is installed. Next logical step is configure user to use rssh. All you have to do is set a user account shell to /usr/bin/rssh. The following examples adds user bidi to system with /usr/bin/rssh.

Create a new user with /usr/bin/rssh

Login as the root user
Type the following command to create a new user called bidi:# useradd -m -d /home/bidi -s /usr/bin/rssh bidi
# passwd bidi

Change existing user shell to /usr/bin/rssh

You don't have to edit /etc/passwd file to change your shell. You need to use chsh command. It changes the user login shell. This determines the name of the users initial login command. A normal user may only change the login shell for his/her own account, the super user i.e. root user may change the login shell for any account. Following is syntax of chsh command:chsh -s {shell-name} {user-name}
Where,
  • -s {shell-name} : Specify your login shell name. You can obtained list of avialble shell from /etc/shells file.
  • User-name: It is optional, useful if you are a root user.
First, find out available shell list:# less /etc/shells
Output:
/bin/ash
/bin/csh
/bin/sh
/usr/bin/es
/bin/ksh
/bin/tcsh
/bin/sash
/bin/zsh
/bin/dash
/usr/bin/screen
/bin/bash
/bin/rbash
Now change your shell name to /bin/tcsh:# chsh -s /bin/tcsh
Password:
When promoted for password, type your own password. If you just type chsh command, it will prompt for shell name interactively:# chsh
Output:
Password:
Changing the login shell for tv
Enter the new value, or press ENTER for the default
       Login Shell [/bin/bash]:


# usermod -s /usr/bin/rssh old-user-name
# usermod -s /usr/bin/rssh rajat
# chsh -s /usr/bin/rssh rajat

Try login via ssh or sftp

Now try login via ssh or sftp using username bidi:# sftp bidi@my.backup.server.com
OR
# ssh bidi@my.backup.server.com
Output:
bidi@my.backup.server.com's password: TYPE-THE-PASSWORD
Linux my.backup.server.com 2.6.22-14-generic #1 SMP Tue Dec 18 08:02:57 UTC 2010 i686

Last login: Thu Nov 10 16:35:04 2010 from localhost

This account is restricted by rssh.
This user is locked out.

If you believe this is in error, please contact your system administrator.

Connection to my.backup.server.com closed.
By default rssh configuration locks down everything including any sort of access.

Grant access to sftp and scp for all users

The default action for rssh to lock down everything. To grant access to scp or sftp open /etc/rssh.conf file:# vi /etc/rssh.conf
Append or uncomment following two lines
allowscp
allowsftp

Save and close the file. rssh reads configuration file on fly (there is no rssh service exists). Now user should able to run scp and sftp commands, but no shell access is granted:
# scp /path/to/file bidi@my.backup.server.com:/.
OR
# sftp bidi@my.backup.server.com:/.
Output:
Connecting to lmy.backup.server.com...
bidi@my.backup.server.com's password:
sftp> pwd
Remote working directory: /home/bidi
sftp>

Understanding command configuration options

You need to add following keywords / directives to allow or disallow scp / sftp and other commands:
  • allowscp : Tells the shell that scp is allowed.
  • allowsftp : Tells the shell that sftp is allowed.
  • allowcvs : Tells the shell that cvs is allowed.
  • allowrdist : Tells the shell that rdist is allowed.
  • allowrsync : Tells the shell that rsync is allowed.
Tip: Create a group for rssh users, and limit executable access to the binaries to users in that group to improve security. Please use standard file permissions carefully and appropriately.

# useradd -m -d /users/rajat -s /usr/bin/rssh rajat
# passwd rajat

Now rajat can login using sftp or copy files using scp:

sftp rajat@my-server.com
rajat@my-server.com's password:
sftp> ls
sftp> pwd
Remote working directory: /rajat
sftp> cd /tmp
Couldn't canonicalise: No such file or directory
User rajat is allowed to login to server to trasfer files, but not allowed to browse entier file system.