Annvix:Documentation/Jails

From linsec.ca

This page contains content from the old Annvix.org wiki and has been moved here to preserve content. These pages have been retained for historical and nostalgic purposes only.
Please be aware that Annvix is no longer in development!

Yet To Be Done

(this note should be removed when this page is reasonably complete)
  1. Figure out how to enable ssh from within a jail environment
  2. Link to or include scripts that make adding bins to jails easier
  3. Convert the init.d/startjail script to a service tool.

Setting up user jails

Disclaimers

A secure and carefully managed Linux system probably does not need a chroot jail to secure anything better.

This tutorial is written based on my own experience and may have no bearing on how badly your system responds.

Nothing I can suggest will ensure that your system is more secure than it was before you attempted to follow any of these instructions. Since I'm not doing a code review or comprehensive testing, this may in fact make your system less secure.

In short: use at your own risk. I am doing this myself to allow unknown users into our network in carefully controlled ways and as such want to take every precaution available. I am doing it with the intention of making our network and this particular Annvix system more secure. It is my hope that you will find my experience useful.

Software

I'm using the Jailkit from http://olivier.sessink.nl/jailkit/ . I would advise reading on it before continuing. Personally I did all this as root, but you shouldn't. Modify as needed.

I downloaded it with lynx, then decompressed and untarred it, removed the download and moved into that directory.

tar jvxf jailkit*.bz2;rm jailkit*.bz2;cd jailkit*

Then read through the license, install and readme files:

less COPYRIGHT;less README.txt;less INSTALL.txt


If you don't have it already, you'll need make to build the binaries from source. It is typically a bad idea to leave make on a production machine. I'm installing make, building the software and then uninstalling make. These steps may be optional depending on your preferences. You'll need python as well, which I'm going to leave installed.

# apt-get install make python
# make
# make install
# apt-get remove make

Create directories for jails for the user(s) that need them:

mkdir -p /home/jails/carelessuser

Set the jails up with jailkit:

# jk_init /home/jails/carelessuser jk_lsh

Create the user and jail the user:

# adduser carelessuser
# jk_jailuser --jail=/home/jails/carelessuser carelessuser
home directory /home/userdev is not within /home/jails/userdev, move the directory contents?
[Y]/[n]

Answer y and you have your jailed user.

Post Jail Configuration

Creating a jailed user isn't good for much in itself. This example sets up the user with a non-interactive shell and nothing else they can do. The next steps you take define what the user will be able to do.

Note: I had to go back and redo the ssh addition. It seems that /dev/null is needed and not in the configuration at /etc/jailkit/jk_init.ini. It was easy enough to add, just look at the example for procmail if you need help.

The users I'll be allowing on the system will need basic shell access and ssh access so I added that with:

# jk_init /home/jails/carelessuser basicshell
# jk_init /home/jails/carelessuser ssh

Then I changed their default shell in /home/jails/etc/passwd to bash. Now they can log into the machine but can't really do much of anything there.


Other Jail Instructions

Other Notes

Potentially helpful scripts

Create some other potentially helpful devices

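#!/bin/bash
# See: http://www.fuschlberger.net/programs/ssh-scp-sftp-chroot-jail/make_chroot_jail.sh.html
echo "What is the path to the jail?"
read -r JAILPATH
# Make sure the jail's dev directory exists before creating nodes in it
mkdir -p "$JAILPATH/dev"
# Creating necessary devices: mknod <path> c <major> <minor>
# -c (not -r) so a regular file left at that path is not mistaken for the device
[ -c "$JAILPATH/dev/urandom" ] || mknod "$JAILPATH/dev/urandom" c 1 9
[ -c "$JAILPATH/dev/null" ]    || mknod -m 666 "$JAILPATH/dev/null"    c 1 3
[ -c "$JAILPATH/dev/zero" ]    || mknod -m 666 "$JAILPATH/dev/zero"    c 1 5
[ -c "$JAILPATH/dev/tty" ]     || mknod -m 666 "$JAILPATH/dev/tty"     c 5 0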
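
An added check, not part of the original page or of Jailkit: it audits a jail for the four device nodes the script above creates and reports any that are missing, are not character devices (for example a regular file left at dev/null by an early redirect), or carry the wrong major/minor numbers. The function names are hypothetical, and GNU or busybox `stat -c` is assumed.

```shell
#!/bin/sh
# Added example: audit the device nodes of a jail (function names are hypothetical).
# name:major:minor, the same numbers the mknod calls on this page use.
JAIL_DEVICES="urandom:1:9 null:1:3 zero:1:5 tty:5:0"

# check_node PATH MAJOR MINOR: print one status line; return 0 only if PATH
# is a character device with exactly that major/minor pair.
check_node() (
    path=$1
    want="$2:$3"
    if [ ! -e "$path" ]; then echo "MISSING   $path"; return 1; fi
    if [ ! -c "$path" ]; then echo "NOT-CHAR  $path"; return 1; fi
    # stat prints major (%t) and minor (%T) in hex; convert both to decimal.
    hex=$(stat -c '%t %T' "$path") || return 1
    have="$((0x${hex% *})):$((0x${hex#* }))"
    if [ "$have" != "$want" ]; then
        echo "WRONG-DEV $path is $have, expected $want"
        return 1
    fi
    echo "OK        $path ($have)"
)

# audit_jail_devices JAIL: check every expected node and print a report.
# The return status is the number of problems found (0 = all nodes correct).
audit_jail_devices() (
    jail=${1%/}
    bad=0
    for spec in $JAIL_DEVICES; do
        name=${spec%%:*}
        nums=${spec#*:}
        check_node "$jail/dev/$name" "${nums%:*}" "${nums#*:}" || bad=$((bad + 1))
    done
    return "$bad"
)

# Run as: sh audit_jail_devices.sh /home/jails/carelessuser
if [ "$#" -gt 0 ]; then
    audit_jail_devices "$1"
fi
```
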


Copy other potentially required files

echo "Jail path?";read -r JAILPATH;cp /lib/libnss_compat.so.2 /lib/libnsl.so.1 /lib/libnss_files.so.2 /lib/libcap.so.1 /lib/libnss_dns.so.2 "${JAILPATH}/lib/"

Use ldd to build your file copy list

echo -n "App: ";read APPNAME;whichapp=`which $APPNAME`;echo -n "Jail Path: ";read JAILPATH;if [ -d "$JAILPATH" ];then copysources="`ldd $whichapp|grep '/'|sed 's/[^\/]*\(\/[^ ]*\).*/\1/'`";for i in $copysources;do dn="`dirname $i`";bn="`basename $i`";if [ ! -d "${JAILPATH}${dn}" ];then mkdir -p "${JAILPATH}${dn}";fi;cpcmd="cp $i ${JAILPATH}${dn}/$bn";echo "$cpcmd";$cpcmd;done;bn="`basename $whichapp`";dn="`dirname $whichapp`";mkdir -p "${JAILPATH}${dn}";cpcmd="cp $whichapp ${JAILPATH}${dn}/$bn";echo $cpcmd;$cpcmd;else echo "$JAILPATH does not exist.";fi

Error: Servname not supported for ai_socktype

That error means that you don't have the necessary services defined. You could probably copy over your services file but I'd recommend only copying the services you're after.

For telnet as an example:

echo "Jail Path?";read JAILPATH;grep telnet /etc/services |head -n2 > ${JAILPATH}/etc/services
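
An added example, not from the original page: a helper that generalizes the telnet one-liner to any service name. It matches the name exactly (a plain `grep telnet` also matches entries such as telnets and rtelnet), appends instead of overwriting so several services can be added in turn, and skips lines the jail already has. The function name `jail_add_service` and the optional third argument are hypothetical.

```shell
#!/bin/sh
# Added example: copy only the named service's entries into a jail.
# jail_add_service JAIL NAME [SOURCE]
#   JAIL   jail root, e.g. /home/jails/carelessuser
#   NAME   service name exactly as it appears in column 1 of the services file
#   SOURCE services file to read from (default: /etc/services)
# Returns 0 if the jail's etc/services ends up with an entry for NAME.
jail_add_service() (
    jail=${1%/}
    name=$2
    src=${3:-/etc/services}
    dst="$jail/etc/services"
    mkdir -p "$jail/etc"
    touch "$dst"
    # Exact match on the first field keeps telnets/rtelnet out when NAME=telnet
    # and ignores commented-out lines such as "#telnet ...".
    awk -v n="$name" '$1 == n' "$src" |
    while IFS= read -r line; do
        # Append only lines that are not already present (idempotent re-runs).
        grep -qxF -e "$line" "$dst" || printf '%s\n' "$line" >> "$dst"
    done
    # Fail if the name still cannot be resolved from the jail's file.
    awk -v n="$name" '$1 == n { found = 1 } END { exit !found }' "$dst"
)

# Run as: sh jail_add_service.sh /home/jails/carelessuser telnet
if [ "$#" -ge 2 ]; then
    jail_add_service "$@"
fi
```
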