Jail in chroot in debian 7.5 - Privileges Separation problem

I'm trying to create a jail for a user in my server. Let's call the user "juser".



What do I want to achieve? I want an ssh user to be jailed in his home folder and not have any access (whatsoever) on my server's root directory.



For that, I'm following the tutorial given in here.



Everything went fine, until the step of Privileges Separation. Now I don't want to disable privilege separation as it is a security threat to the system.



The other solution is in the next line in the tutorial:




If you don't disable Privilege Separation you will need an /etc/passwd which includes the user's UID inside the chroot for Privilege Separation to work properly.




But I don't know how to do this! In /etc/passwd I have for juser:



juser:x:5002:5002::/home/juser:/bin/sh


How do I implement what is said in the quoted sentence?

















      debian ssh chroot sshd jails














      edited Mar 9 at 12:25









      Rui F Ribeiro











      asked Dec 10 '14 at 14:29









      The Quantum Physicist




















          1 Answer













          Let us say the chroot is in /path/to/chroot. Then you need:



          1. A directory etc in /path/to/chroot, and


          2. A file called passwd in /path/to/chroot/etc, with at least one entry:



            juser:x:5002:5002::/some/path:/some/shell


          3. And both:
            • /path/to/chroot/some/path


            • /path/to/chroot/some/shell
              (The shell must be present, along with any necessary libraries and such.)

















          answered Dec 10 '14 at 14:37









          muru












          • I'm not sure what to do about the shell... should I install a static shell inside that user's chroot?

            – The Quantum Physicist
            Dec 10 '14 at 16:45











          • @TheQuantumPhysicist If you can get a static binary for the shell, sure. If not, use ldd to find the relevant libraries and copy them over as well: unix.stackexchange.com/q/85258/70524

            – muru
            Dec 10 '14 at 16:48











          • Should this line be the same one in the root's /etc/passwd? After I set the parameters as you mention, I'm unable to login with the new user at all! ssh fails to login simply with no reason.

            – The Quantum Physicist
            Dec 10 '14 at 23:01












          • @TheQuantumPhysicist which step does it fail at? Connection? Authentication? Starting the shell?

            – muru
            Dec 10 '14 at 23:08











          • Authentication. Could you please tell me what to do with the server root's passwd?

            – The Quantum Physicist
            Dec 10 '14 at 23:15
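
The layout from the answer, together with the ldd step from muru's comment, as an added example that is not part of the original thread. The function names, taking the user's entry from an existing passwd file, and the scratch directory used by the demo are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): build the chroot contents the answer lists.

# jail_entry PASSWD USER: print USER's passwd line (exact match on field 1).
jail_entry() {
    awk -F: -v u="$2" '$1 == u { print; ok = 1; exit } END { exit !ok }' "$1"
}

# jail_libs BINARY: absolute paths of the shared objects ldd reports (none if static).
jail_libs() {
    ldd "$1" 2>/dev/null |
        awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) { print $i; break } }'
}

# build_jail CHROOT USER [PASSWD]: create etc/passwd, the home directory,
# and the shell with its libraries under CHROOT.
build_jail() {
    jail=$1; user=$2; src=${3:-/etc/passwd}
    entry=$(jail_entry "$src" "$user") || { echo "no entry for $user" >&2; return 1; }
    home=$(printf '%s\n' "$entry" | cut -d: -f6)
    shell=$(printf '%s\n' "$entry" | cut -d: -f7)
    [ -x "$shell" ] || { echo "no shell on host: $shell" >&2; return 1; }
    mkdir -p "$jail/etc" "$jail$home" "$jail$(dirname "$shell")" || return 1
    # Only the jailed user's line is written; the rest of the host's
    # passwd stays outside the jail, and no shadow file is copied.
    printf '%s\n' "$entry" > "$jail/etc/passwd" || return 1
    chmod 644 "$jail/etc/passwd"
    cp -L "$shell" "$jail$shell" || return 1
    for lib in $(jail_libs "$shell"); do
        mkdir -p "$jail$(dirname "$lib")" && cp -L "$lib" "$jail$lib" || return 1
    done
}

# check_jail CHROOT USER: succeed only if every item from the answer exists.
check_jail() {
    entry=$(jail_entry "$1/etc/passwd" "$2" 2>/dev/null) ||
        { echo "missing: $2 in $1/etc/passwd" >&2; return 1; }
    home=$(printf '%s\n' "$entry" | cut -d: -f6)
    shell=$(printf '%s\n' "$entry" | cut -d: -f7)
    [ -d "$1$home" ] || { echo "missing: $1$home" >&2; return 1; }
    [ -x "$1$shell" ] || { echo "missing: $1$shell" >&2; return 1; }
    for lib in $(jail_libs "$1$shell"); do
        [ -e "$1$lib" ] || { echo "missing: $1$lib" >&2; return 1; }
    done
}

# Demo on constructed input: the question's passwd line in a scratch file.
jail_demo() {
    tmp=$(mktemp -d) || return 1
    printf '%s\n' 'root:x:0:0:root:/root:/bin/sh' \
        'juser:x:5002:5002::/home/juser:/bin/sh' > "$tmp/passwd"
    build_jail "$tmp/jail" juser "$tmp/passwd" && check_jail "$tmp/jail" juser &&
        cat "$tmp/jail/etc/passwd"
    rc=$?; rm -rf "$tmp"; return $rc
}

jail_demo
```

On a real system the call would be `build_jail /path/to/chroot juser` run as root, followed by `check_jail /path/to/chroot juser` after any later change to the jail.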
















