Salı, Mart 10, 2015

Chroot, sftp,scp, ssh, limited shell in Redhat Enterprise linux 5 (SSH 4.3P2.EL5)

       Few days ago, our client try to domain for their application. They wanted sftp access and also they need ssh command in bash for their user, but user is /bin/false shell :(

     After make some searches i found rssh and lshell but they didn't satify me.

    Ok, we have too many subdomains in RHEL5 server. users have own folder which can access ftp protocol. That's hy we just user's shell /bin/false. but this time we need to change this settings for one specific user

Here is the steps.

change shell of user /bin/bash
     chsh -s /bin/bash username

our folder structureis like this


dir1, dir2, dir3 permissions is root:root

userhomefolder permissions is root:root and mod is 755

goto username home folder.

mkdir -p home
mkdir -p dev
mkdir -p usr
mkdir -p usr/bin
mkdir -p bin
mkdir -p lib
mkdir -p usr/lib/openssh
mkdir -p etc
mkdir -p etc/pam.d/
mkdir -p root
chown username:usernamegroup root
chmod 755 root

mknod dev/null c 1 3
mknod dev/zero c 1 5
mknod  dev/tty c 5 0
mknod dev/urandom c 1 9
chmod 666 dev/null
chmod 666 dev/zero
chmod 666 dev/tty
chmod 666 dev/urandom

cp /lib/ /lib/ /lib/ /lib/ /lib/ /lib/ ./lib/

cp /etc/hosts etc/
cp /etc/resolv.conf etc/
cp /etc/pam.d/* etc/pam.d/
cp -r /lib/security lib/
cp -r /etc/security etc/
cp /etc/login.defs etc/
cp /usr/lib/ usr/lib/
cp /usr/lib/ usr/lib/
cp /usr/lib/ usr/lib/
cp /lib/ lib/
cp /usr/lib/ usr/lib/

echo '#!/bin/bash' > usr/bin/groups
echo "id -Gn" >> usr/bin/groups
touch etc/passwd
grep /etc/passwd -e "^root" > etc/passwd
grep /etc/username
grep /etc/group -e "^root" -e "^users" > etc/group

So all these folder owned by root, except root folder (becouse of ssh client )

after that, create a shell script under /usr/local/sbin or whereever you want


APPS="/bin/sh /bin/bash /usr/sbin/chroot /bin/cp /bin/ls /bin/mkdir /bin/mv /bin/pwd /bin/rm /bin/rmdir /usr/bin/id /usr/bin/ssh /usr/bin/ssh-keygen /bin/ping /usr/bin/dircolors /bin/vi /usr/bin/sftp /usr/libexec/openssh/sftp-server"   #your apps here
/usr/bin/sftp /usr/libexec/openssh/sftp-server is not neccessary but future use.
for prog in $APPS;  do
        mkdir -p ./`dirname $prog` > /dev/null 2>&1
        cp $prog ./$prog

        # obtain a list of related libraries
        ldd $prog > /dev/null
        if [ "$?" = 0 ] ; then
                LIBS=`ldd $prog | awk '{ print $3 }'`
                for l in $LIBS; do
                        mkdir -p ./`dirname $l` > /dev/null 2>&1
                        cp $l ./$l  > /dev/null 2>&1

after that run this command in  /dir1/dir2/dir3/userhomefolder/

Ok, we have one more step for chroot. Chroot command run only root user, so we need to write a small program

#include   stdio.h
#include  stdlib.h
#include  sys/types.h
#include   unistd.h
#include   string.h

int main(int argc, char *argv[])
   char str_command[500] = "/root/ ";
   strcat(str_command,argv[1]); // first parameter is user home folder.
   setuid( 0 );
   system( str_command );

   return 0;

save this code whatever. here is call-script.c. After that compile and set permissions

make call-script call-script.c
chmod +x call-script
chmod u+s call-script

let's create /root/ file

chroot $1  // this home path parameter from call-script program
and set permission

chmod +x /root/

and finally goto /etc/profile file add end of the file

if [ $USER == "username" ]; then
    /usr/local/src/call-script username_home_folder

also you make change in sshd_config file ;

Subsystem       sftp    internal-sftp
ChrootDirectory %h

also i created web folder in user home dir, and set apache's documentroot this web folder.

1. chroot error "cannot change root directory to /jail: Operation not permitted"
2. SSH Chroot in ISPConfig Centos-4.6