So you need to create a place where you can let people in to dump their files using ssh but you do not want them to be poking around in your machine?
Unix is by its own a very open system. You can cd around in most places and looka at what is installed where, even read a lot of the configuration files in /etc and what not. Also by default in many systems you are allowed to peek into other users home directories even if you can’t change something you can get a lot of info from them and even cp the whole thing. Unless they’ve changed permissions.
This is written for Ubuntu by the way, but most modern Linuxen would work very similar to this and SSH is pretty standard so is most of the other things in here. If you have any problems you can let me know in the comment section.
Let’s say you have a friend who wants to put his backups on your machine and you want to put yours on his but you don’t want him to see what else you have on there. You need to create a chrooted environment for the guy when he logs on.
Here is how you do this.
First of all you need to decide where to place your ”jail”. The jail is the root in the chrooted environment, we will refer to this as a jail throughout this article. The jail can be put in /var/jail or somewhere similar perhaps you prefer /mnt/jail and mount it on a separate volume alltogether or why not make use of /opt/jail. Whatever you decide is fine.
You need to create your jail and a few other top level directories first. Let’s first gain root privileges:
$ sudo bash
Now create a directory structure
# cd /var
# mkdir -p jail/{dev,bin,home,etc,lib}
# chown -R root:root jail
Next step is to creat the /dev/null file as this is needed by many things…
# mknod -m 666 /var/jail/dev/null c 1 3
Next step is to copy some needed files from /etc into the jailed etc:
# cd /var/jail/etc # cp /etc/ld.so.cache . # cp /etc/ld.so.conf . # cp /etc/nsswitch.conf . # cp /etc/hosts .
You can not link to the /etc real files because they would loop when you actually chroot… so that won’t work.
It’s now time to give the guys something to do in the jail. You need to add bash as a minimum at least. Whatever else you want to add also is okay, but don’t add too many commands. We will add the following commands: bash, rsync, ls, less, gzip, bzip2.
# cd /var/jail/bin
# cp /bin/{bash,ls,gzip,bzip2} .
# cp /usr/bin {rsync,less} .
Now you need to get your libraries over to the lib in the chroot. You can either figure out one by one which are needed by using the ldd command on each of our commands in the bin directory but that takes far too long. Let’s just throw them in there:
# cp -r /lib/* /var/jail/lib/
Create the chrooted user in the system: (In all the following [username] means the actual user name you want to add to the system. Your first one is probably a test user.)
# adduser -b /var/jail/home [username]
Then create his home dir:
# mkdir /var/jail/home/[username] # chown -R username:username /var/jail/home/[username] # chmod 700 /var/jail/home/[username]
When all this is done you need to tell SSH to put the user in jail when he logs on to your system. This is done by adding the following at the END OF THE FILE /etc/ssh/sshd_config:
Match User [username]
chrootdirectory /var/jail/
X11Forwarding no
AllowTcpForwarding no
AuthorizedKeysFile /var/jail/home/%u/.ssh/authorized_keys
That last part, the AuthorizedKeysFile is not needed if you do password logins, but if you want to be able to do rsa/dsa key logins with SSH you need to put that line in there, otherwise SSH will look for the keys in the wrong place!
If you are addin SSH keys also, you should do the following:
# cd /var/jail/home/[username] # mkdir .ssh # chown [username]:[username] .ssh # chmod 700 .ssh
Then put the authorized_keys in there and chown it to the username and chmod it to 600 and it should work out of the box.