Gentoo:Jail

From WikiMar

Installation

emerge -va jail


Adding a user

Add the user. The home field is the root directory of the jail, and /usr/bin/jail is the login shell that performs the chroot:

useradd -g users -d /var/chroot/usuari1 -s /usr/bin/jail usuari1

Create /dev and /etc (the basic jail layout) inside that directory:

mkjailenv /var/chroot/usuari1

Add the user inside the chroot:

addjailuser  /var/chroot/usuari1 /home/usuari1 /bin/bash usuari1

Add the standard programs (note the argument is the jail directory created above, not its parent):

addjailsw /var/chroot/usuari1

or, to also see which files get copied:

addjailsw /var/chroot/usuari1 -D

Add bash:

addjailsw /var/chroot/usuari1 -P bash

You may also need to copy the ~/.bash* files into the jailed home directory.

Gentoo specific

cp /lib/ld-linux.so.2 /var/chroot/usuari1/lib/   # addjailsw does not copy the dynamic loader (on amd64: /lib64/ld-linux-x86-64.so.2 into lib64/)
mkdir /var/chroot/usuari1/etc/bash
cp /etc/bash/bashrc /var/chroot/usuari1/etc/bash/
cp /etc/profile /var/chroot/usuari1/etc/
cp /etc/DIR_COLORS /var/chroot/usuari1/etc/
addjailsw /var/chroot/usuari1 -P whoami

If programs inside the chroot can reach IP addresses but cannot resolve host names ("Name or service not known"):

cp -a /lib/libnss_dns* /var/chroot/usuari1/lib/


Making a jail that only allows SFTP (over SSH) into a directory

The jail's home path must not contain dots, hence the dot-free symlink to the site directory:

sudo ln -s dafyn.com jail-dafyn   # run inside /var/www, so the link is /var/www/jail-dafyn
sudo usermod -d /var/www/jail-dafyn -s /usr/bin/jail dafyn
sudo mkjailenv /var/www/dafyn.com
sudo addjailuser /var/www/dafyn.com /home/dafyn /bin/bash dafyn
sudo addjailsw /var/www/dafyn.com
sudo addjailsw /var/www/dafyn.com -P bash
sudo addjailsw /var/www/dafyn.com -P sftp
sudo addjailsw /var/www/dafyn.com -P sftp-server

This one has to be done by hand:

sudo mkdir /var/www/dafyn.com/usr/lib/misc/
sudo cp /usr/lib/misc/sftp-server /var/www/dafyn.com/usr/lib/misc/
sudo addjailsw /var/www/dafyn.com -P scp
sudo addjailsw /var/www/dafyn.com -P openssl

Optional, to keep the bash configuration:

sudo mkdir /var/www/dafyn.com/etc/bash
cd /var/www/dafyn.com
sudo cp /etc/bash/bashrc etc/bash
sudo cp /etc/profile etc/
sudo cp /etc/DIR_COLORS etc/
addjailsw /var/www/dafyn.com -P whoami

Possibly rsync too:

addjailsw /var/www/dafyn.com -P rsync
sudo cp /lib/ld-linux.so.2 /var/www/dafyn.com/lib/
sudo chown dafyn:apache -R /var/www/dafyn.com/*

Caveat: that recursive chown also hands the jailed user ownership of the jail's own bin, lib, etc and usr trees, so the user can replace bash, sftp-server or ld-linux.so.2 with their own copies. Keep the jail's system directories root-owned and chown only the tree the user actually has to write to (for example /var/www/dafyn.com/home/dafyn).
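A quick audit of a finished jail, as an added example (not part of the jail package, and not one of this page's original commands): it checks the points the two procedures above, and the reference copy further down, depend on: the user's entry and shell in the jailed /etc/passwd, the dynamic loader that addjailsw skips on Gentoo, libnss_dns for name resolution, and that nothing in the jail's system directories is owned by the jailed user or group/world-writable, which the recursive chown above would otherwise cause. The function name is mine; it assumes GNU or busybox find and stat and takes the jail directory and user name as arguments.

```shell
#!/bin/sh
# jail_check JAIL USER
#   Audit a chroot jail built with mkjailenv/addjailuser/addjailsw.
#   Added example, not part of the jail package. Prints one line per
#   check and returns the number of failed checks (0 = jail looks sane).
jail_check() {
    jail=$1
    user=$2
    fails=0

    # 1. addjailuser must have written USER into the jailed /etc/passwd,
    #    and the shell named there must exist and be executable in the jail.
    shell=$(grep "^${user}:" "$jail/etc/passwd" 2>/dev/null | cut -d: -f7)
    if [ -n "$shell" ] && [ -x "$jail$shell" ]; then
        echo "OK   $user is in $jail/etc/passwd with shell $shell"
    else
        echo "FAIL $user missing from $jail/etc/passwd, or shell '$shell' not in jail"
        fails=$((fails + 1))
    fi

    # 2. The dynamic loader addjailsw forgets on Gentoo (x86 or amd64 name).
    if [ -e "$jail/lib/ld-linux.so.2" ] || [ -e "$jail/lib64/ld-linux-x86-64.so.2" ]; then
        echo "OK   dynamic loader present"
    else
        echo "FAIL no lib/ld-linux.so.2 or lib64/ld-linux-x86-64.so.2: execve() will fail"
        fails=$((fails + 1))
    fi

    # 3. Name resolution: glibc dlopen()s libnss_dns at run time, so it is
    #    not a link-time dependency and is easy to miss. Warning only.
    nss=0
    for f in "$jail"/lib/libnss_dns* "$jail"/lib64/libnss_dns*; do
        [ -e "$f" ] && nss=1
    done
    if [ "$nss" -eq 1 ]; then
        echo "OK   libnss_dns present"
    else
        echo "WARN no libnss_dns in jail: host names will not resolve, only IPs work"
    fi

    # 4. The jail's system tree must stay out of the jailed user's hands:
    #    nothing under bin, sbin, lib, lib64, etc or usr may be owned by
    #    USER or be group/world-writable, or the user can swap in a
    #    trojaned bash or ld-linux.so.2 for the next login.
    for d in bin sbin lib lib64 etc usr; do
        [ -d "$jail/$d" ] || continue
        bad=$(find "$jail/$d" \( -perm -020 -o -perm -002 \) -print | head -n 1)
        if [ -n "$bad" ]; then
            echo "FAIL group/world-writable: $bad"
            fails=$((fails + 1))
        fi
        owned=$(find "$jail/$d" -exec stat -c '%U %n' {} + | grep "^$user " | head -n 1)
        if [ -n "$owned" ]; then
            echo "FAIL owned by jailed user: ${owned#* }"
            fails=$((fails + 1))
        fi
    done

    [ "$fails" -eq 0 ] && echo "OK   $jail: all checks passed"
    return "$fails"
}

# Usage on the jails built above (run as root so every file is readable):
#   jail_check /var/chroot/usuari1 usuari1
#   jail_check /var/www/dafyn.com dafyn
```

Run it after the last addjailsw call and again after any chown; a non-zero return value means at least one FAIL line was printed.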

More info

More info: http://no.gentoo-wiki.com/Jail

What follows is a copy of part of that page:

Adding a normal system user with useradd

We will need the system user in both environments, so first we add him to the unrestricted one. The test user in the examples is called prisoner. All the magic resides in the /etc/passwd file: the uid, gid, password and the other fields have to be right, and the line should look something like this:

prisoner:x:1005:100:Jail Test User:/var/chroot:/usr/bin/jail

Note the /var/chroot field: it is the root directory of the chroot environment for this user. On Gentoo all we need to do is:

# useradd -g users -d /var/chroot/ -s /usr/bin/jail prisoner

Creating the Jail environment, or how to invoke mkjailenv

mkjailenv creates the directories and generates the basic filesystem layout with the special devices. mkjailenv is written in perl.

These are the command line arguments:

mkjailenv chrootdir

Argument Description

chrootdir   The directory where the chrooted environment will live.
            It is the home entry in the non-chrooted /etc/passwd file.

Invocation example:

# mkjailenv /var/chroot

This will create the chrooted environment under the directory /var/chroot.


Adding users to the Jail, or how to invoke addjailuser

The tool addjailuser edits the chrooted /etc/passwd automatically and creates the user directories. addjailuser is written in perl.

These are the command line arguments:

addjailuser chrootdir userdir usershell username

Argument Description

chrootdir   The directory where the chrooted environment will live.
            It is the home entry in the non-chrooted /etc/passwd file.
userdir     The directory inside the chrooted environment where the user will live;
            in our example, /home/prisoner.
usershell   The user's shell, full path (e.g. /bin/bash).
username    The user's name.

In our example, the invocation looks like this:

# addjailuser  /var/chroot /home/prisoner /bin/bash prisoner

This adds a user under the directory /var/chroot, sets the home directory of prisoner to /home/prisoner, and selects /bin/bash as the default shell for the user prisoner. It also edits the chrooted /etc/passwd, /etc/group and /etc/shadow to configure the jail properly.


Adding software to the Jail, or how to invoke addjailsw

The tool addjailsw copies programs and their dependencies (libraries, auxiliary files, special devices) into the right places in the chrooted environment. addjailsw is written in perl.

These are the command line arguments:

addjailsw chrootdir [-D] [-P program args]

Argument Description

chrootdir        The directory where the chrooted environment will live.
                 It is the home entry in the non-chrooted /etc/passwd file.
-D               (optional) also shows which files are going to be copied into chrootdir.
-P program args  (optional) installs the specific program "program" into the chrooted environment.
                 The script uses the "args" parameter to launch the program under strace, so
                 that the program exits cleanly and strace can do its work.
                 If -P is not specified, the standard programs listed in the script are installed.
                 See addjailsw's code for in-depth details.

Invocation examples:

# addjailsw /var/chroot

or

# addjailsw /var/chroot -D

or

# addjailsw /var/chroot -P bash "--version"

The first example adds the standard programs under /var/chroot. The second does the same, but also shows which files are going to be copied into /var/chroot. The third installs the program bash; when it is launched under strace, the argument "--version" is passed to it, so bash exits immediately. You will definitely need bash if you want to log in to the chroot jail! Note: the software you add must run AND terminate, or addjailsw won't finish (you can kill the started program from another console if you need to).
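To show what addjailsw is doing for you, here is a minimal hand-rolled stand-in as an added example (not the jail package's code): it copies a program and the shared libraries ldd reports for it into the jail under the same absolute paths, then copies the resolver pieces that ldd cannot see. The function names are mine, and it assumes a glibc system with GNU or busybox coreutils. The difference from addjailsw matters: addjailsw traces the program with strace and so catches files opened at run time, whereas an ldd-based copy only sees link-time dependencies. libnss_dns is loaded by glibc with dlopen(), which is exactly why the libnss_dns fix on this page is needed and why jail_add_nss is a separate step here.

```shell
#!/bin/sh
# Added example: an ldd-based stand-in for "addjailsw chrootdir -P program".
# addjailsw itself uses strace; this version only knows link-time
# dependencies, so run-time (dlopen) libraries need jail_add_nss.

# jail_copy_file JAIL /abs/path : copy one file into JAIL at the same path.
jail_copy_file() {
    jail=$1
    src=$2
    mkdir -p "$jail$(dirname "$src")" && cp "$src" "$jail$src"
}

# jail_add_program JAIL PROGRAM : copy PROGRAM (name or path) plus every
# shared library ldd lists for it. ldd also lists the loader itself
# (/lib/ld-linux.so.2 or /lib64/ld-linux-x86-64.so.2), so the
# "execve(): File or Directory doesn't exist" problem described above
# does not occur with this copy.
jail_add_program() {
    jail=$1
    prog=$2
    case $prog in
        /*) bin=$prog ;;
        *)  bin=$(command -v "$prog") || { echo "jail_add_program: $prog not found" >&2; return 1; } ;;
    esac
    [ -x "$bin" ] || { echo "jail_add_program: $bin is not executable" >&2; return 1; }
    jail_copy_file "$jail" "$bin" || return 1
    # ldd may execute the binary to produce its listing: only use it on
    # programs you trust. A static binary yields no "/..." fields at all.
    for lib in $(ldd "$bin" 2>/dev/null | awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) print $i }'); do
        jail_copy_file "$jail" "$lib" || return 1
    done
}

# jail_add_nss JAIL : the glibc resolver dlopen()s libnss_* at run time and
# reads /etc/nsswitch.conf and /etc/resolv.conf; none of that shows up in
# ldd output, so copy it explicitly. Paths that do not exist are skipped
# (the /lib/*/ pattern covers multiarch layouts).
jail_add_nss() {
    jail=$1
    for f in /lib/libnss_dns* /lib/libnss_files* /lib64/libnss_dns* /lib64/libnss_files* \
             /lib/*/libnss_dns* /lib/*/libnss_files* /etc/nsswitch.conf /etc/resolv.conf; do
        [ -e "$f" ] || continue
        jail_copy_file "$jail" "$f" || return 1
    done
}

# Usage, equivalent to "addjailsw /var/chroot -P bash" plus the DNS fix:
#   jail_add_program /var/chroot bash
#   jail_add_program /var/chroot whoami
#   jail_add_nss /var/chroot
```

After populating the jail this way, `chroot /var/chroot /bin/bash -c 'getent hosts example.org'` (as root) is the quickest check that both the loader and the NSS pieces made it in.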

Gentoo specific

For some reason addjailsw does not fetch ld-linux.so.2, which leads to the error "execve(): File or Directory doesn't exist", so we copy it manually:

# cp /lib/ld-linux.so.2 /var/chroot/lib/

On amd64 the loader lives in /lib64 instead:

# mkdir -p /var/chroot/lib64; cp /lib64/ld-linux-x86-64.so.2 /var/chroot/lib64/


That's all, folks! Now you can add whatever you want to the chroot. You can even start another chrooted environment in another directory.


Tip: add /etc/bash/bashrc, /etc/DIR_COLORS, /etc/profile and the program whoami to the chrooted jail if you want a nicer-looking and better-working shell.

Code:

mkdir /var/chroot/etc/bash
cp /etc/bash/bashrc /var/chroot/etc/bash/
cp /etc/profile /var/chroot/etc/
cp /etc/DIR_COLORS /var/chroot/etc/
addjailsw /var/chroot -P whoami


If programs inside the chroot can reach IP addresses but cannot resolve host names ("Name or service not known"):

# cp -a /lib/libnss_dns* /var/chroot/lib/

Screen in your jail

If you want to run screen inside the jail, you must mount /dev and /dev/pts inside it:

# mount -o bind /dev /var/chroot/dev

and

# mount -t devpts none /var/chroot/dev/pts

I did need these too (not sure about security, but it works):

# mkdir /var/chroot/proc
# mount -t proc proc /var/chroot/proc

http://forums.gentoo.org/viewtopic-p-3179496.html

Caveat: bind-mounting all of /dev exposes every host device node inside the jail, and mounting /proc exposes the host's process list; only the permission bits on those nodes and files then stand between the jailed user and the host. Mount no more than screen actually needs.


Irssi

Instructions for running the irssi irc client in a chroot jail can be found here.

If you get an error message like

setupterm() failed for TERM=xterm: 0 Can't initialize screen handling, quitting. You can still use the dummy mode with -d parameter

then try running irssi inside a screen session.

You can look up the server's IP addresses outside the jail with

# emerge host

and then

# hostx irc.freenode.net

You may also need something like

# mkdir -p /var/chroot/usr/lib64/perl5
# cp -r /usr/lib64/perl5/* /var/chroot/usr/lib64/perl5/

to get extra irssi scripts working.