jailbash


chroot for users sucks!

A chroot is work to maintain, and all in all you have to do a lot of nasty hacks to get it going! In the meantime AppArmor is in the mainline kernel. It is pretty simple to write rules for it, and you can easily update a profile with tools like ‘logprof’.

Here is a small howto for trapping users in their home directory with a simple AppArmor profile. First you need to compile the following C code:

#include <unistd.h>

/* Thin wrapper that execs the real bash with the same arguments.
 * The AppArmor profile below is attached to this binary's path
 * (/bin/jailbash), so bash and everything it starts stay confined. */
int main(int argc, char *argv[]) {
    return execv("/bin/bash", argv);  /* only returns if the exec failed */
}

gcc -o jailbash jailbash.c

Then move the binary to /bin.

The next step is to create an AppArmor profile for jailbash. Create the file /etc/apparmor.d/bin.jailbash and add the following content:

# Last Modified: Tue Jun  7 08:53:41 2011
#----------------------------------------------------------
#
# JAILBASH
#
#----------------------------------------------------------

#include 

/bin/jailbash {
  #include 
  #include 
  #include 
  #include 
  #include 
  #include 
  #include 


  deny /bin/df r,
  deny /etc/bash_command_not_found r,

  /bin/ r,
  /bin/bash rix,
  /bin/cat rix,
  /bin/chmod rix,
  /bin/chown rix,
  /bin/cp rix,
  /bin/date rix,
  /bin/egrep rix,
  /bin/grep rix,
  /bin/gunzip rix,
  /bin/gzip rix,
  /bin/jailbash rix,
  /bin/ln rix,
  /bin/ls rix,
  /bin/mkdir rix,
  /bin/mktemp rix,
  /bin/more rix,
  /bin/mv rix,
  /bin/ping rix,
  /bin/readlink rix,
  /bin/rm rix,
  /bin/rmdir rix,
  /bin/sed rix,
  /bin/sleep rix,
  /bin/tar rix,
  /bin/touch rix,
  /bin/uname rix,
  /bin/vim rix,
  /bin/vim-normal rix,
  /bin/zcat rix,
  /dev/null rw,
  /dev/urandom r,
  /etc/ r,
  /etc/manpath.config r,
  /etc/opt/ r,
  /etc/sysconfig/console r,
  /etc/sysconfig/mail r,
  /etc/sysconfig/news r,
  /etc/sysconfig/proxy r,
  /etc/sysconfig/suseconfig r,
  /etc/sysconfig/windowmanager r,
  /etc/vimrc r,
  owner /home/*/ r,
  owner /home/*/** rwl,
  /opt/ r,
  owner /proc/*/cmdline r,
  owner /proc/*/exe r,
  owner /proc/*/mounts r,
  /proc/loadavg r,
  /usr/X11R6/bin/ r,
  /usr/bin/ r,
  /usr/bin/dircolors rix,
  /usr/bin/head rix,
  /usr/bin/id rix,
  /usr/bin/less rix,
  /usr/bin/man rix,
  /usr/bin/manpath rix,
  /usr/bin/mc rix,
  /usr/bin/scp rix,
  /usr/bin/screen rix,
  /usr/bin/ssh rix,
  /usr/bin/ssh-add rix,
  /usr/bin/ssh-agent rix,
  /usr/bin/ssh-copy-id rix,
  /usr/bin/ssh-keygen rix,
  /usr/bin/ssh-keyscan rix,
  /usr/bin/tail rix,
  /usr/bin/tty rix,
  /usr/bin/vim-enhanced rix,
  /usr/bin/wget rix,
  /usr/bin/which rix,
  /usr/lib*/git/git-update-ref rix,
  /usr/lib*/mc/cons.saver rix,
  /usr/lib*/ssh/sftp-server rix,
  /usr/lib*/ssh/ssh-keysign rix,
  /usr/local/bin/ r,
  /usr/share/git-core/*/ r,
  /usr/share/mc/** r,
  /usr/share/vim/** r,
}

This allows the user to execute the most basic commands he needs and allows ssh, sftp and git access. The user has access to some binaries and can read the directories he needs for a working shell, like /usr/lib. The owner flag allows him to write only in his own home directory and to browse only his own home directory.

The next step is to create a new user and set /bin/jailbash as his login shell. You can update the profile using logprof, or manually by watching /var/log/audit/audit.log.
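For the manual route, here is an added example (my own code, not part of the original post) that reads AppArmor DENIED records for the /bin/jailbash profile out of audit.log text and turns them into candidate rule lines in the syntax used above. The log records are constructed samples, and the mask translation (create 'c' becomes 'w', exec denials become 'rix', 'owner' when fsuid matches ouid) is a deliberate simplification of what aa-logprof does.

```python
import re
from collections import defaultdict

# Constructed sample records in the AppArmor AVC audit format (not taken from the post).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1307429621.101:201): apparmor="DENIED" operation="open" profile="/bin/jailbash" name="/etc/passwd" pid=4101 comm="cat" requested_mask="r" denied_mask="r" fsuid=1001 ouid=0
type=AVC msg=audit(1307429622.102:202): apparmor="DENIED" operation="exec" profile="/bin/jailbash" name="/usr/bin/python" pid=4102 comm="bash" requested_mask="x" denied_mask="x" fsuid=1001 ouid=0
type=AVC msg=audit(1307429623.103:203): apparmor="DENIED" operation="open" profile="/bin/jailbash" name="/etc/passwd" pid=4103 comm="less" requested_mask="r" denied_mask="r" fsuid=1001 ouid=0
type=AVC msg=audit(1307429624.104:204): apparmor="DENIED" operation="open" profile="/bin/jailbash" name="/tmp/scratch" pid=4104 comm="vim" requested_mask="wc" denied_mask="wc" fsuid=1001 ouid=1001
type=AVC msg=audit(1307429625.105:205): apparmor="ALLOWED" operation="open" profile="/bin/jailbash" name="/home/alice/notes" pid=4105 comm="vim" requested_mask="w" denied_mask="w" fsuid=1001 ouid=1001
type=AVC msg=audit(1307429626.106:206): apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" name="/etc/shadow" pid=4106 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

# key="quoted value" or key=bareword, as both appear in AVC records
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
PERM_ORDER = "rwalkm"  # canonical order for permission letters in a rule

def parse_avc(line):
    """Return the fields of one AppArmor AVC line as a dict, or None for other records."""
    if 'apparmor="' not in line:
        return None
    return {k: (q if q else b) for k, q, b in FIELD_RE.findall(line)}

def denials_for(log_text, profile="/bin/jailbash"):
    """Aggregate DENIED events of one profile into {(path, mask, owner_only): count}."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if not rec or rec.get("apparmor") != "DENIED" or rec.get("profile") != profile:
            continue
        mask = rec.get("denied_mask") or rec.get("requested_mask", "")
        # process touching a file it owns: candidate for an 'owner' rule as in the profile
        owner_only = rec.get("fsuid") == rec.get("ouid")
        counts[(rec["name"], mask, owner_only)] += 1
    return dict(counts)

def rule_for(path, mask, owner_only):
    """Translate a log mask into rule syntax: 'c' (create) is covered by 'w', and any
    exec denial becomes 'rix' so the child keeps running under the jailbash profile."""
    if "x" in mask:
        perms = "rix"
    else:
        letters = set(mask.replace("c", "w"))
        perms = "".join(c for c in PERM_ORDER if c in letters)
    return f"{'owner ' if owner_only else ''}{path} {perms},"

def suggest_rules(log_text, profile="/bin/jailbash"):
    """Return [(rule_line, how_often_denied)] sorted by rule; review before adding."""
    return sorted((rule_for(*key), n) for key, n in denials_for(log_text, profile).items())
```

Treat the output as a worklist rather than lines to append blindly: a denied read of /etc/passwd may be exactly what you want to keep denied. Exec denials are mapped to rix on purpose, so a newly allowed program stays inside the same profile instead of running unconfined.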
