Chroot, sftp, scp, ssh, limited shell in Red Hat Enterprise Linux 5 (SSH 4.3P2.EL5)
A few days ago our client wanted a domain for their application. They wanted sftp access, and they also needed to run ssh commands in bash as their user, but that user's shell is /bin/false :(
After some searching I found rssh and lshell, but they didn't satisfy me.
OK, we have too many subdomains on the RHEL5 server. Users have their own folder, which they can reach over the ftp protocol. That's why we set the users' shell to /bin/false, but this time we need to change this setting for one specific user.
Here are the steps.
Change the user's shell to /bin/bash:
chsh -s /bin/bash username
Our folder structure is like this:
/dir1/dir2/dir3/userhomefolder/....
dir1, dir2 and dir3 are owned by root:root.
userhomefolder is owned by root:root with mode 755.
Go to the user's home folder and create the jail layout:
mkdir -p home
mkdir -p dev
mkdir -p usr
mkdir -p usr/bin
mkdir -p bin
mkdir -p lib
mkdir -p usr/lib/openssh
mkdir -p etc
mkdir -p etc/pam.d/
mkdir -p root
chown username:usernamegroup root
chmod 755 root
mknod dev/null c 1 3
mknod dev/zero c 1 5
mknod dev/tty c 5 0
mknod dev/urandom c 1 9
chmod 666 dev/null
chmod 666 dev/zero
chmod 666 dev/tty
chmod 666 dev/urandom
cp /lib/libnss_compat.so.2 /lib/libnsl.so.1 /lib/libnss_files.so.2 /lib/ld-linux.so.2 /lib/libcap.so.1 /lib/libnss_dns.so.2 ./lib/
cp /etc/hosts etc/
cp /etc/resolv.conf etc/
cp /etc/pam.d/* etc/pam.d/
cp -r /lib/security lib/
cp -r /etc/security etc/
cp /etc/login.defs etc/
cp /usr/lib/libgssapi_krb5.so.2 usr/lib/
cp /usr/lib/libkrb5.so.3 usr/lib/
cp /usr/lib/libk5crypto.so.3 usr/lib/
cp /lib/libcom_err.so.2 lib/
cp /usr/lib/libkrb5support.so.0 usr/lib/
echo '#!/bin/bash' > usr/bin/groups
echo "id -Gn" >> usr/bin/groups
touch etc/passwd
grep /etc/passwd -e "^root" > etc/passwd
grep /etc/passwd -e "^username" >> etc/passwd
grep /etc/group -e "^root" -e "^users" > etc/group
So all these folders are owned by root, except the root folder (because of the ssh client).
After that, create a shell script under /usr/local/sbin or wherever you want:
#!/bin/bash
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
APPS="/bin/sh /bin/bash /usr/sbin/chroot /bin/cp /bin/ls /bin/mkdir /bin/mv /bin/pwd /bin/rm /bin/rmdir /usr/bin/id /usr/bin/ssh /usr/bin/ssh-keygen /bin/ping /usr/bin/dircolors /bin/vi /usr/bin/sftp /usr/libexec/openssh/sftp-server" # your apps here
# /usr/bin/sftp and /usr/libexec/openssh/sftp-server are not necessary, but are copied for future use.
for prog in $APPS; do
    # copy the binary to the same path below the jail (the current directory)
    mkdir -p ./$(dirname "$prog") > /dev/null 2>&1
    cp "$prog" ./"$prog"
    # obtain the list of shared libraries the binary needs; ldd fails on static binaries and scripts
    if ldd "$prog" > /dev/null 2>&1; then
        # keep only resolved library paths (third field); this skips linux-gate and the loader line,
        # which is why ld-linux.so.2 was copied by hand above
        LIBS=$(ldd "$prog" | awk '$3 ~ /^\// { print $3 }')
        for l in $LIBS; do
            mkdir -p ./$(dirname "$l") > /dev/null 2>&1
            cp "$l" ./"$l" > /dev/null 2>&1
        done
    fi
done
After that, run this script from /dir1/dir2/dir3/userhomefolder/.
OK, we have one more step for chroot. The chroot command can only be run by root, so we need to write a small program:
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* setuid-root wrapper: runs /root/chrt.sh with the user home folder as its only argument */
int main(int argc, char *argv[])
{
    if (argc != 2) { /* first parameter is the user home folder; refuse to run without it */
        fprintf(stderr, "usage: %s <user-home-folder>\n", argv[0]);
        return 1;
    }
    if (setuid(0) != 0) { /* only succeeds when the binary is root-owned with the setuid bit set */
        perror("setuid");
        return 1;
    }
    /* execl hands argv[1] to the script as one argument; no shell re-parses it and no
       fixed-size buffer is needed, unlike a strcat() into a char array */
    execl("/root/chrt.sh", "chrt.sh", argv[1], (char *)NULL);
    perror("execl"); /* only reached if the exec fails */
    return 1;
}
Save this code wherever you like; here it is call-script.c. After that, compile it and set permissions:
make call-script call-script.c
chmod +x call-script
chmod u+s call-script
Let's create the /root/chrt.sh file:
#!/bin/bash
chroot "$1" # this home path parameter comes from the call-script program
And set permissions:
chmod +x /root/chrt.sh
And finally, open the /etc/profile file and add at the end of the file:
if [ "$USER" = "username" ]; then
    /usr/local/src/call-script username_home_folder
fi
Also make this change in the sshd_config file:
Subsystem sftp internal-sftp
ChrootDirectory %h
I also created a web folder in the user's home dir and set Apache's DocumentRoot to this web folder.
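The jail above only holds if the directory chain is trustworthy: sshd refuses a ChrootDirectory unless every component from / downwards is root-owned and neither group- nor world-writable, and the hand-made mknod entries are easy to get wrong (a regular file called dev/null silently breaks tools inside the jail). As an added example that is not part of the original post, the POSIX shell script below checks both properties for a jail path. The function names and the script name check-jail.sh are my own; the owner argument is only there so the functions can be exercised on directories not owned by root, and for a real jail it stays at the default.

```shell
#!/bin/sh
# check-jail.sh (added example): sanity checks for a hand-built chroot jail.

# check_component DIR [OWNER]
# One directory: must exist, be a directory, be owned by OWNER (default root)
# and be neither group- nor world-writable. Prints the reason and returns 1 on failure.
check_component() {
    d=$1
    want=${2:-root}
    # ls -ld is used instead of stat because its field layout is the same on GNU and BSD:
    # <mode> <links> <owner> <group> ...
    line=$(ls -ld "$d" 2>/dev/null) || { echo "missing: $d" >&2; return 1; }
    set -- $line
    mode=$1
    owner=$3
    case "$mode" in
        d*) ;;
        *) echo "not a directory: $d" >&2; return 1 ;;
    esac
    if [ "$owner" != "$want" ]; then
        echo "owner is $owner, want $want: $d" >&2
        return 1
    fi
    # positions 6 and 9 of the mode string are the group and other write bits
    case "$mode" in
        ?????w*|????????w*) echo "group/world writable: $d" >&2; return 1 ;;
    esac
    return 0
}

# check_chroot_path DIR [OWNER]
# Walks DIR and every parent up to / and applies check_component to each. This is the
# rule sshd applies to ChrootDirectory: one writable or wrongly owned component anywhere
# in the chain is enough for it to refuse the login.
check_chroot_path() {
    p=$1
    want=${2:-root}
    case "$p" in
        /*) ;;
        *) echo "path must be absolute: $p" >&2; return 2 ;;
    esac
    while :; do
        check_component "$p" "$want" || return 1
        [ "$p" = / ] && break
        p=$(dirname "$p")
    done
    return 0
}

# check_jail_devices JAIL
# Verifies that the four device nodes created with mknod above are character devices.
check_jail_devices() {
    jail=$1
    rc=0
    for dev in null zero tty urandom; do
        if [ ! -c "$jail/dev/$dev" ]; then
            echo "missing character device: $jail/dev/$dev" >&2
            rc=1
        fi
    done
    return $rc
}

# Usage (as root): sh check-jail.sh /dir1/dir2/dir3/userhomefolder
if [ $# -eq 1 ]; then
    check_chroot_path "$1" && check_jail_devices "$1" && echo "jail $1 looks sane"
fi
```

Run it as root against the jail before testing the login; the first failing component is printed, which is faster than reading the "Operation not permitted" or sshd "bad ownership or modes" errors back from the client side.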
REFERENCES
1. chroot error "cannot change root directory to /jail: Operation not permitted"
2. SSH Chroot in ISPConfig Centos-4.6