Monday, February 01, 2016

HOWTO: Make a chroot'ed user on CentOS 7 or Debian 8

1.  groupadd chrootusers
2.  vim /etc/ssh/sshd_config -- add the following lines:
    Match Group chrootusers
        X11Forwarding no
        AllowTcpForwarding no
        ChrootDirectory /home/%u
        #ForceCommand /usr/libexec/openssh/sftp-server
3.  useradd user1
4.  usermod -G chrootusers user1
5.  usermod -G chrootusers -d / user1
6.  yum --installroot=/var/chroot --releasever=7 --nogpg --disablerepo='*' --enablerepo=base install centos-release openssh-clients wget vi nano zip unzip tar mariadb findutils iputils bind-utils rsync
7.  echo "none /var/chroot/proc proc defaults 0 0" >> /etc/fstab
8.  echo "/dev /var/chroot/dev none bind 0 0" >> /etc/fstab
9.  mount -a
10. systemctl restart sshd.service
11. id -u user1 (note the uid)
12. id -g user1 (note the gid)
13. chroot /var/chroot /bin/bash -c 'useradd -u <uid from step 11> user1'
14. chroot /var/chroot /bin/bash -c 'groupadd -g <gid from step 12> chrootusers'
Luckily, I was able to come up with a way to do that.

Debian 8

Install the required packages

apt-get install binutils debootstrap libpam-chroot

Choose a location

mkdir -p /srv/chroot/wheezy

Build the chroot
Either select a close network mirror manually, use one of the dns based mirrors such as where XX is your geographic country code, or use the which will do this for you automatically. The is easier to document and becoming the generally preferred method and is therefore recommended if you don't have your own fast preferred local mirror. See for documentation and details.

debootstrap --arch [i386|amd64] wheezy /srv/chroot/wheezy
To enter:

chroot /srv/chroot/wheezy

In general, it is necessary to create/edit key configuration points.

Create a /usr/sbin/policy-rc.d file IN THE CHROOT so that dpkg won't start daemons unless desired. This example prevents all daemons from being started in the chroot.

chroot /srv/chroot/wheezy
cat > ./usr/sbin/policy-rc.d <<EOF
#!/bin/sh
exit 101
EOF
chmod a+x ./usr/sbin/policy-rc.d

In the real system's /etc/passwd, the user's home directory points to the chroot folder. Then map the user to the chroot in /etc/security/chroot.conf, where /var/chroot is the directory in which you built your chroot system:

# vi /etc/security/chroot.conf

user    /var/chroot

Mount pts and proc inside the chroot:

# mount --bind /dev/pts /var/chroot/dev/pts
# mount -t proc proc /var/chroot/proc

Enable the pam_chroot module (shipped by libpam-chroot) for SSH and console logins:

# vim /etc/pam.d/sshd
session    required    pam_chroot.so debug

# vim /etc/pam.d/login
session    required    pam_chroot.so debug
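The Debian pam_chroot setup above, as an added script that is not part of the original post: it writes the chroot.conf mapping and the pam session lines only when they are missing, so it can be re-run per user, and it lists the set-uid/set-gid binaries a debootstrap tree carries so they can be stripped before a restricted user is let in. It assumes the same files the post uses (/etc/security/chroot.conf, /etc/pam.d/sshd, /etc/pam.d/login); the script name is hypothetical.

```shell
#!/bin/bash
# Added example, not code from the original post: register a login with
# libpam-chroot the way the Debian section above does, but idempotently, and
# audit the debootstrap tree before exposing it. Assumes the same files as
# above: /etc/security/chroot.conf and /etc/pam.d/{sshd,login}. Run as root.

# Append $2 to $1 only if that exact line is not already present, so the
# script can be re-run for further users without duplicating pam lines.
ensure_line() {
    file=$1; line=$2
    grep -qxF -- "$line" "$file" 2>/dev/null || printf '%s\n' "$line" >> "$file"
}

# One "user  /path" mapping in chroot.conf plus the pam_chroot session line for
# SSH and console logins (the module ships with libpam-chroot).
register_pam_chroot() {
    ensure_line /etc/security/chroot.conf "$1    $2"
    for svc in sshd login; do
        ensure_line "/etc/pam.d/$svc" "session    required    pam_chroot.so"
    done
}

# A debootstrap tree contains set-uid/set-gid binaries (su, mount, passwd, ...)
# that a restricted user has no need for; list them so they can be stripped
# with "chmod u-s,g-s". -xdev keeps find out of the bind-mounted /dev and /proc.
audit_setuid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
}
count_setuid() { audit_setuid "$1" | wc -l | tr -d ' '; }

if [ $# -eq 2 ]; then    # usage: ./pam-chroot-user.sh user /srv/chroot/wheezy
    register_pam_chroot "$1" "$2"
    echo "set-uid/set-gid files inside $2: $(count_setuid "$2")"
    audit_setuid "$2"
fi
```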

Step 1: Add a group for chrooted users
groupadd chrootusers
Step 2: Configure SSH
nano /etc/ssh/sshd_config
Change the line
Subsystem     sftp    /usr/libexec/openssh/sftp-server
to
Subsystem     sftp    internal-sftp
(the external sftp-server binary is not reachable from inside the chroot; internal-sftp runs within sshd itself). Paste at the end:
Match Group chrootusers
  ChrootDirectory /home/%u
systemctl restart sshd
systemctl status sshd
Step 3: Add a user
Change peter to your desired user name.
export NEW_USER_NAME=peter

useradd ${NEW_USER_NAME}
usermod -G chrootusers -d / ${NEW_USER_NAME}
passwd ${NEW_USER_NAME}
Step 4: Install packages and create the necessary directory structure
yum --installroot=/home/${NEW_USER_NAME} --releasever=7 --nogpg --disablerepo='*' --enablerepo=base install centos-release openssh-clients wget vi nano zip unzip tar mariadb findutils iputils bind-utils rsync
Step 5: Mount proc and dev
echo "none /home/${NEW_USER_NAME}/proc proc defaults 0 0" >> /etc/fstab
echo "/dev /home/${NEW_USER_NAME}/dev none bind 0 0" >> /etc/fstab
mount -a
Step 6: Configure the DNS servers (replace the placeholders with your resolvers' addresses)
echo "nameserver <dns-server-1>" >> /home/${NEW_USER_NAME}/etc/resolv.conf
echo "nameserver <dns-server-2>" >> /home/${NEW_USER_NAME}/etc/resolv.conf
That's all.
Keep in mind that $NEW_USER_NAME is bound to the current session!
Start from Step 3 when adding another user.
To install more packages later use the same command as in Step 4.

When logging in using SSH you will get messages like cannot find name for user ID x. They are safe to ignore, but if you'd like to get rid of them, you will need to duplicate the user in chroot:
export NEW_USER_ID=$(id -u ${NEW_USER_NAME})
export NEW_USER_GROUP_ID=$(id -g ${NEW_USER_NAME})

chroot /home/${NEW_USER_NAME} /bin/bash -c 'useradd -u ${NEW_USER_ID} ${NEW_USER_NAME}'
chroot /home/${NEW_USER_NAME} /bin/bash -c 'groupadd -g ${NEW_USER_GROUP_ID} chrootusers'

For use with chrooted users on Apache 2.4 and above you must copy suexec into the chroot (both locations, so it is found whichever path the server uses):

cp /sbin/suexec /var/chroot/sbin/suexec
cp /sbin/suexec /var/chroot/usr/sbin/suexec

and point the user's VirtualHost at the public_html inside the chroot. Replace user-name with the chrooted user and fill in the log file name; only the section for the privilege-separation module you actually use (suPHP, suexec, mod_ruid2 or MPM ITK) takes effect.

<VirtualHost *:80>
    DocumentRoot /var/chroot/home/user-name/public_html
    UseCanonicalName Off
    UserDir enabled user-name
    CustomLog /var/log/httpd/domlogs/ combined

    <Directory /var/chroot/home/user-name/public_html>
#       Include conf.d/auth-inc.conf.txt
        AllowOverride All
        Require all granted
        # Enable backwards compatible Server Side Include expression parser for Apache versions >= 2.4.
        # To selectively use the newer Apache 2.4 expression parser, disable SSILegacyExprParser in
        # the user's .htaccess file.  For more information, please read:
        SSILegacyExprParser On
    </Directory>

    <IfModule mod_suphp.c>
        suPHP_UserGroup user-name user-name
    </IfModule>
    <IfModule suexec_module>
        SuexecUserGroup user-name user-name
    </IfModule>
    <IfModule ruid2_module>
        RMode config
        RUidGid user-name user-name
    </IfModule>
    <IfModule mpm_itk.c>
        # For more information on MPM ITK, please read:
        AssignUserID user-name user-name
    </IfModule>

    ScriptAlias /cgi-bin/ /var/chroot/home/user-name/public_html/cgi-bin/
</VirtualHost>

