Jail in chroot in debian 7.5 - Privileges Separation problem
I'm trying to create a jail for a user in my server. Let's call the user "juser".
What do I want to achieve? I want an ssh user to be jailed in his home folder and not have any access (whatsoever) on my server's root directory.
For that, I'm following the tutorial given in here.
Everything went fine, until the step of Privileges Separation. Now I don't want to disable privilege separation as it is a security threat to the system.
The other solution is in the next line in the tutorial:
If you don't disable Privilege Separation you will need an /etc/passwd which includes the user's UID inside the chroot for Privilege Separation to work properly.
But I don't know how to do this! In /etc/passwd I have for juser:
juser:x:5002:5002::/home/juser:/bin/sh
How do I implement what is said in the quoted sentence?
debian ssh chroot sshd jails
edited Mar 9 at 12:25
Rui F Ribeiro
asked Dec 10 '14 at 14:29
The Quantum Physicist
1 Answer
Let us say the chroot is in /path/to/chroot. Then you need:
- A directory etc in /path/to/chroot, and
- A file called passwd in /path/to/chroot/etc, with at least one entry:
  juser:x:5002:5002::/some/path:/some/shell
- And both:
  /path/to/chroot/some/path
  /path/to/chroot/some/shell
(The shell must be present, along with any necessary libraries and such.)
answered Dec 10 '14 at 14:37
muru
I'm not sure what to do about the shell... should I install a static shell inside that user's chroot?
– The Quantum Physicist
Dec 10 '14 at 16:45
@TheQuantumPhysicist If you can get a static binary for the shell, sure. If not, use ldd to find the relevant libraries and copy them over as well: unix.stackexchange.com/q/85258/70524
– muru
Dec 10 '14 at 16:48
Should this line be the same one in the root's /etc/passwd? After I set the parameters as you mention, I'm unable to login with the new user at all! ssh fails to login simply with no reason.
– The Quantum Physicist
Dec 10 '14 at 23:01
@TheQuantumPhysicist which step does it fail at? Connection? Authentication? Starting the shell?
– muru
Dec 10 '14 at 23:08
Authentication. Could you please tell me what to do with the server root's passwd?
– The Quantum Physicist
Dec 10 '14 at 23:15
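An added example, not muru's or the tutorial's code, that carries out the answer's steps for the question's juser entry: it writes the in-chroot /etc/passwd line (same UID and GID as the host), creates the home directory, copies the shell with the libraries ldd reports as the comments suggest, and checks that the UID inside the chroot matches the host UID. The chroot location under mktemp, /home/juser as the in-chroot home and /bin/sh as the shell are assumptions.

```shell
#!/bin/sh
# Added example (not muru's code): build the in-chroot /etc/passwd entry
# that sshd's privilege separation looks up, create the home directory it
# names, and copy the login shell with the libraries ldd reports.
# The chroot path, user name and shell below are assumptions.
set -eu

# Turn a host passwd line into the in-chroot one: same name, UID and GID
# (what privsep must resolve), but home and shell as seen from inside the
# chroot, supplied by the caller.
chroot_passwd_entry() {         # $1 host line, $2 home in chroot, $3 shell in chroot
  printf '%s\n' "$1" | awk -F: -v home="$2" -v shell="$3" \
    '{ printf "%s:x:%s:%s:%s:%s:%s\n", $1, $3, $4, $5, home, shell }'
}

# Create CHROOT/etc/passwd holding only that entry, plus the home directory.
install_chroot_passwd() {       # $1 chroot, $2 host line, $3 home, $4 shell
  mkdir -p "$1/etc" "$1$3"
  chroot_passwd_entry "$2" "$3" "$4" > "$1/etc/passwd"
  chmod 644 "$1/etc/passwd"     # readable by the user, writable by nobody else
}

# Copy a binary and every shared object ldd resolves for it into the chroot
# (a static shell, the alternative raised in the comments, needs none).
install_with_libs() {           # $1 chroot, $2 absolute path to the binary
  for f in "$2" $(ldd "$2" 2>/dev/null | awk '$1 ~ "^/" {print $1} $3 ~ "^/" {print $3}'); do
    mkdir -p "$1$(dirname "$f")"
    cp -p "$f" "$1$f"
  done
}

# UID recorded for a user in a passwd file; empty if the user is absent.
uid_in_passwd() {               # $1 passwd file, $2 user name
  awk -F: -v u="$2" '$1 == u { print $3; exit }' "$1"
}

# Demo on a constructed host entry and a throwaway chroot under mktemp.
# On a real host replace HOST_LINE with "$(getent passwd juser)".
HOST_LINE='juser:x:5002:5002::/home/juser:/bin/sh'   # constructed, matches the question
CHROOT=$(mktemp -d)
install_chroot_passwd "$CHROOT" "$HOST_LINE" /home/juser /bin/sh
command -v ldd >/dev/null 2>&1 && install_with_libs "$CHROOT" /bin/sh

# The check that matters for privsep: the UID inside the chroot must equal
# the host UID, or authentication fails exactly as the comments describe.
HOST_UID=$(printf '%s\n' "$HOST_LINE" | cut -d: -f3)
if [ "$(uid_in_passwd "$CHROOT/etc/passwd" juser)" = "$HOST_UID" ]; then
  echo "chroot passwd entry for juser matches host UID $HOST_UID"
fi
```

When ChrootDirectory is the user's own home (%h), the in-chroot home is simply "/", so pass "/" as the home argument instead of /home/juser.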