First of all, you need to decide, where to build this chroot environment, since you will later install a separated little system in it. The first step is to create this directory, to begin the basic operations of the build of the chroot. As you may know chroot effectively changes the root directory of a user (or process, daemon, etc...) to a specified environment by the root user. Any other resource outside of this kind of jail would and should be inaccessible to the user, who has been chrooted. The most relevant thing in the new chroot environment is, that you don't create a superuser (root, uid=0). If the chrooted user gains root access he can break out of this little cage. That is why we want to build a chrooted ambience, to protect our system from attackers. The attacker won't gain root access, if there is no such user. So, enough of the jaw, let's begin:
We'll build now the directory (for example /chroot), where the new environment should be installed:
osiris:~# mkdir /chroot
osiris:~# cd /chroot
osiris:/chroot#
Here you have two choices. Either you have to compile all the recommended programs (like libc, bash, fileutils, shellutils) statically, or you can download the debian package of it and install it with dpkg-deb (this is the method i used). The second method is the "dynamic" one. Here you can either choose to download each package and then extract it to the specified chroot directory or you can use debootstrap for this task. I propose we should make this step with debootstrap, it's easier:
osiris:~# debootstrap woody /chroot
I: Retrieving http://ftp.debian.org/debian/dists/woody/Release
I: Validating /chroot/var/lib/apt/lists/debootstrap.invalid_dists_woody_Release
I: Retrieving http://ftp.debian.org/debian/dis ... ry-i386/Packages.gz
I: Validating /chroot/var/lib/apt/lists/debootstrap.invalid_dists_woody_main_binary-i386_Packages.gz
I: Retrieving http://ftp.debian.org/debian/poo ... dduser_3.47_all.deb
I: Validating /chroot/var/cache/apt/archives/adduser_3.47_all.deb
I: Retrieving http://ftp.debian.org/debian/pool/main/a/apt/apt_0.5.4_i386.deb
[..]
Debootstrap is a very useful utility. You can choose instead of "debootstrap woody /chroot" of course "debootstrap sid /chroot" if you want to install packages from sid (or from other codenames, like slink, potato, etc...). Probably you want to install the packages yourself, or maybe you want to install required packages later, then you can do that as well. You have to download the packages from the debian mirrors or from your debian cds, put them to your chroot directory and extract them with the dpkg-deb tool:
osiris:/chroot# wget -q http://ftp.us.debian.org/debian/ ... 6_2.2.5-14_i386.deb
osiris:/chroot# ls -l
-rw-rw-r-- 1 root root 3348878 Aug 16 18:02 libc6_2.2.5-14_i386.deb
osiris:/chroot# dpkg-deb -x libc6_2.2.5-14_i386.deb .
osiris:/chroot# ls
etc lib libc6_2.2.5-14_i386.deb sbin usr
Here we go! Now we have setted up libc6 easily, thanks to the great dpkg-deb tool. You can add right now the other packages, that are recommended, like ldso, libncurses5, bash. The proceeding of this packages is the same as above. I would suggest to install fileutils, too, to see later if the chrooted environment works fine. After you extracted the packages with dpkg-deb, you can delete them. So, i guess you have now installed the fileutils, bash, libncurses5, libc6, ldso and base-files packages. The base-files package should put some basic files to your new system, and create the basic directories. Change the directory to /chroot/bin and let's see what's in it now:
osiris:/chroot/bin# ls
bash chmod cp df ln mkdir mv rm sh touch
chgrp chown dd dir ls mknod rbash rmdir sync vdir
The next step is to download and install the libpam-chroot package on your default (!) system. Simply apt-get install libpam-chroot. After the installation you can read some examples under (/usr/share/doc/libpam-chroot/examples). But i'll explain the functionality of this pam tool. We have to add a user to our system, let's call it "test":
osiris:~# useradd -c "Chrooted User" -d /home/test -s /bin/bash test osiris:~# grep ^test: /etc/passwd
test:x:1041:100:Chrooted User:/home/test:/bin/bash
Well, you have to add this line to the passwd file on the chrooted environment, too, because ssh will not read the default system's /etc/passwd, but from the chrooted environment's passwd file. So let's do the following for our test user:
osiris:~# grep ^test: /etc/passwd &>/chroot/etc/passwd
Lets edit /etc/security/chroot.conf as the documents describe. Your chroot.conf should look like this:
osiris:~# cat /etc/security/chroot.conf
# /etc/security/chroot.conf
# format:
# username chroot_dir
test /chroot
We have to add now a new line to /etc/pam.d/[operation]. Operation means something like login, ssh, su, ftp, etc... So if you would to ssh into your chroot, you have to add this line to /etc/pam.d/ssh, if you want to login localy, then to /etc/pam.d/login etc...
osiris:~# tail -1 /etc/pam.d/ssh
session required pam_chroot.so debug
Now, you should be able to login locally or to do a `su - test`. If you use ssh, there is another problem. The ssh user will be handled of the /dev/ptmx device file. That file recommends a "devpts" called filesystem to be mounted on your system. Since you don't have so far devices under your chroot environment, we should create them. Make a dev directory (if base-files package doesn't create it already) in your environment and copy /dev/MAKEDEV to /chroot/dev and then make some device files:
osiris:/chroot# cp /dev/MAKEDEV dev/; cd dev/
osiris:/chroot/dev# ./MAKEDEV generic
You should wait now, until the devices are generated. This may take few minutes... But we hadn't finish yet. Since ssh will put the sessions to /dev/pts we have to create a pts directory under /chroot/dev, that means:
osiris:/chroot/dev# mkdir pts
osiris:/chroot/dev# mount -t devpts devpts /chroot/dev/pts
Attention! If you want to access the chroot with ssh, you have to look what ssh version you're running. Since chroot need to be run with root privileges, you have to check, if the ssh daemon runs with this privileges. The newer ssh versions (3.4 or newer) have an option "UsePrivilegeSeparation yes", that means, that the ssh daemon runs as the sshd user. You have to change the configuration and disable this option, otherwise you wont be able to get into the chroot environment with the chrooted user, you'll become the following message:
linux:~$ ssh -l test osiris
test@osiris's password:
Connection to osiris closed by remote host.
Connection to osiris closed.
This happens, because the ssh daemon was started with the "UsePrivilegeSeparation yes" option and the daemon is running as a user, but this user has no permission to chroot the other user to /chroot. The same thing would be in the logs, since just root is able to chroot the chrooted user into the /chroot directory. I just put the "UsePrivilegeSeparation no" option into the sshd configuration file and it worked. You can now try to log in with ssh (if you use ssh...). And you get the bash prompt of the chrooted environment. You can try now to run basic commands like ls, cd, rm, mv, etc.. (since you have installed fileutils..)
test@osiris:~$ touch testfile
test@osiris:~$ ls
testfile
You can add now other packages you need to your own chroot environment, as described above.
Copyright / License
Copyright © 2002 Istvan Sebestyen.
Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.1 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover Texts and with no Back-Cover Texts. A Copy of the license is available at http://www.gnu.org/copyleft/fdl.html
This Document/Tutorial was written by Istvan Sebestyen .
Special thanks to cafuego, rahul and tarzeau on the #debian channel of the Openprojects IRC Network (OPN) and to mhp. |