jailbash

chroot for users suck!

It is work to maintain them and all in all you have to do a lot of nasty hacks to get it going! In the meantime AppArmor is in the mainline kernel. It is pretty simple to write rules for it and you can easily update it with tools like ‘logprof’.

Here is a small howto to trap users in their home directory with a simple AppArmor profile. First you need to compile the following C code:

#include <unistd.h>

int main(int argc, char *argv[]) {
    return execv("/bin/bash", argv);
}

gcc -o jailbash jailbash.c

Then move the binary to /bin.

The next step is to create an AppArmor profile for the jailbash. So create the file /etc/apparmor.d/bin.jailbash and add the following content:

# Last Modified: Tue Jun  7 08:53:41 2011
#----------------------------------------------------------
#
# JAILBASH
#
#----------------------------------------------------------

#include 

/bin/jailbash {
  #include 
  #include 
  #include 
  #include 
  #include 
  #include 
  #include 


  deny /bin/df r,
  deny /etc/bash_command_not_found r,

  /bin/ r,
  /bin/bash rix,
  /bin/cat rix,
  /bin/chmod rix,
  /bin/chown rix,
  /bin/cp rix,
  /bin/date rix,
  /bin/egrep rix,
  /bin/grep rix,
  /bin/gunzip rix,
  /bin/gzip rix,
  /bin/jailbash rix,
  /bin/ln rix,
  /bin/ls rix,
  /bin/mkdir rix,
  /bin/mktemp rix,
  /bin/more rix,
  /bin/mv rix,
  /bin/ping rix,
  /bin/readlink rix,
  /bin/rm rix,
  /bin/rmdir rix,
  /bin/sed rix,
  /bin/sleep rix,
  /bin/tar rix,
  /bin/touch rix,
  /bin/uname rix,
  /bin/vim rix,
  /bin/vim-normal rix,
  /bin/zcat rix,
  /dev/null rw,
  /dev/urandom r,
  /etc/ r,
  /etc/manpath.config r,
  /etc/opt/ r,
  /etc/sysconfig/console r,
  /etc/sysconfig/mail r,
  /etc/sysconfig/news r,
  /etc/sysconfig/proxy r,
  /etc/sysconfig/suseconfig r,
  /etc/sysconfig/windowmanager r,
  /etc/vimrc r,
  owner /home/*/ r,
  owner /home/*/** rwl,
  /opt/ r,
  owner /proc/*/cmdline r,
  owner /proc/*/exe r,
  owner /proc/*/mounts r,
  /proc/loadavg r,
  /usr/X11R6/bin/ r,
  /usr/bin/ r,
  /usr/bin/dircolors rix,
  /usr/bin/head rix,
  /usr/bin/id rix,
  /usr/bin/less rix,
  /usr/bin/man rix,
  /usr/bin/manpath rix,
  /usr/bin/mc rix,
  /usr/bin/scp rix,
  /usr/bin/screen rix,
  /usr/bin/ssh rix,
  /usr/bin/ssh-add rix,
  /usr/bin/ssh-agent rix,
  /usr/bin/ssh-copy-id rix,
  /usr/bin/ssh-keygen rix,
  /usr/bin/ssh-keyscan rix,
  /usr/bin/tail rix,
  /usr/bin/tty rix,
  /usr/bin/vim-enhanced rix,
  /usr/bin/wget rix,
  /usr/bin/which rix,
  /usr/lib*/git/git-update-ref rix,
  /usr/lib*/mc/cons.saver rix,
  /usr/lib*/ssh/sftp-server rix,
  /usr/lib*/ssh/ssh-keysign rix,
  /usr/local/bin/ r,
  /usr/share/git-core/*/ r,
  /usr/share/mc/** r,
  /usr/share/vim/** r,
}

This allows the user to execute the most basic commands he needs and allows ssh, sftp and git access. The user has access to some binaires and and can read directories he need for a working shell, like /usr/lib. The owner flag allows him only to write in his own home directory and browse only his home directory.

The next step is to create a new user and use /bin/jailbash as the bash. You can update the profile using logprof or manually if you watch /var/log/audit/audit.log.

You may also like...

8 Responses

  1. Petr Viktorin says:

    Poor code, it got all mangled.

  2. Misc says:

    The #include line are missing, likely due to lack of html escape.

  3. tomsmeding says:

    The #include lines are still not working because you haven’t escaped the angled brackets as >…

  4. tomsmeding says:

    I expected that to happen. This probably doesn’t even work: bold text.
    You need to escape your input in your html renderer, replace > with & gt ; (without spaces) 🙂

  5. tomsmeding says:

    Another thing to try:

Leave a Reply

Your email address will not be published. Required fields are marked *