0

I'm new to chroot jails; so far I've setup bash using this tutorial, and I've been able to login with the user through ssh secured with a public key.

The SSH configuration takes care of running the chroot jail:

AllowUsers <username>
Match User <username>
        ChrootDirectory "/home/<username>"

/etc/sshd_config

Basically I took every one of the dependencies listed and copied it to /home/username/<rest-of-the-path-to-dependency-file> and did the same with the executable.

I did nothing with linux-vdso as it doesn't play by the same rules.

They only thing I can do in the jail is cd and execute programs, my shell prompt appears like this:

-bash-4.4$

I added another program and in the same manner as the tutorial above, adding ldd dependencies and copying over the executable to the directory IU found it in

When I run the program it creates a directory and folders in /.config/taskell/config.ini and a couple of other files.

But when the program runs it gives me an error related to the encoding of the file /home/username/.config/taskell/config.ini: hGetContents: invalid argument (invalid byte sequence), but when I run it in my bash shell on the computer directly it works fine.

Did setting up the chroot jail change the way the shell or this program interprets the files it is reading? The -bash-4.4$ prompt seems to indicate that there's some kind of defaults set that aren't there when I initially log in using the regular prompt.

Additionally, I'm trying to do this on WSL Ubuntu 18.08 which appears to have something to do with the encoding issue I linked.

The only three commands I wish to be able to run are the command I'm trying to run, git, and vim, but I'm starting with this one and not having much luck.

leeand00
  • 4,443
  • 10
  • 51
  • 78
  • What's your goal with the chroot? If you're just looking for a sandbox in which to run some process(es), you might also consider containers. – Andy Dalton Jan 11 '20 at 03:02
  • @AndyDalton I want to securely connect to my laptop over ssh with a nice long prime number securing it and a passphrase; then I’d like to keep my todo list (taskell is a bash based kanban) there and maybe be able to store and edit it with vi and git; I want to allow others in to collaborate, by adding their public key, but not to get to the files outside that directory. – leeand00 Jan 11 '20 at 04:43
  • @AndyDalton So does a container just automate what I’m trying to do here? I’m making the chroot jail using the sshd_config and the username I’m trying to let in. – leeand00 Jan 11 '20 at 04:58
  • Additionally, I don't want to give a would be attacker access to any more libraries than are necessary for running the todo list. – leeand00 Jan 11 '20 at 20:10
  • @ctrl-alt-delor beat me to it with the answer below – Andy Dalton Jan 11 '20 at 23:55

1 Answers1

1

Instead of chroot, use a container, such as docker (there are many others):

  • It does more: chroot, namespace isolation, cgroups, etc.
  • It manages it for you.
  • For docker there are pre-built images.

However what I see you asking for, but be more easily solved with simple user isolation: A separate account for each user. You could then augment this with Mandatory-Access-Control (e.g. app armour).

However, all of this is complicated by you using WSL. WSL is Gnu/Linux on MS-Windows. WSL is Gnu/Linux with the Linux replaced. I am not sure if WSL2 is much better. All the stuff that we are discussing is done in the Linux part of Gnu/Linux, and is the most prone to not working (or working differently), if not running a real Gnu/Linux system. The shared file-system, is a big area of incompatibility. It makes it difficult to use file permissions, to keep users apart.

I have heard that docker works on MS-Windows, I think it does this by putting Gnu/Linux in a virtual machine (but am not sure).

ctrl-alt-delor
  • 27,473
  • 9
  • 58
  • 102
  • No it is not a VM it’s more akin to Wine in Linux where the Linux system calls call windows system calls; before I read that I was afraid to use it. – leeand00 Jan 11 '20 at 14:56
  • I’m using it because every employer I’ve ever worked for has always insisted I used Windows. Note that I’m not using the chroot command at all, that is all being done with sshd. – leeand00 Jan 11 '20 at 14:58
  • https://stackoverflow.com/questions/41550727/how-does-docker-for-windows-run-linux-containers – ctrl-alt-delor Jan 11 '20 at 14:58
  • They do that. I have even seen (many) adverts for a job, where they say that you will be a system architect designing a new system from the ground up (green field), then they tell you what OS, programming language, database, etc. that you will be using. – ctrl-alt-delor Jan 11 '20 at 15:01
  • Green field? What does that mean? – leeand00 Jan 11 '20 at 15:11
  • I'm a bit uncertain how docker includes external libraries from the base OS as well; I don't believe I want to include all of them, instead just the ones with the functions I want the logged in user to be able to perform. – leeand00 Jan 11 '20 at 20:12
  • Docker uses the host kernel, everything else is in the image. A docker image need only include what is needed. However you can't implement security by hiding libraries. You instead need to use security techniques. I have seen systems implemented this way, but when we pen-tested them, we just walked around (there was no security, it was just hard to use. The legitimate users were frustrated at how hard it was to do anything. We added what we needed to do what we wanted.) – ctrl-alt-delor Jan 11 '20 at 22:06
  • what part of the pen testing failed? – leeand00 Jan 11 '20 at 22:07
  • @leeand00 no part. We got in. – ctrl-alt-delor Jan 11 '20 at 22:19
  • How many bits was the public/private key generated? – leeand00 Jan 11 '20 at 22:20
  • 0 bits. I never mentioned a key. And it would not matter. It has nothing to do with how many libraries are available to someone that is already logged in. – ctrl-alt-delor Jan 11 '20 at 22:25
  • Was the private key secured with a passphrase? Did they turn off password authentication and restrict the login to not include the root user? – leeand00 Jan 11 '20 at 22:25
  • Oh so it was just passworded protected then? – leeand00 Jan 11 '20 at 22:26
  • 1
    Or are saying after you were already connected? – leeand00 Jan 11 '20 at 22:29
  • No. Where are you getting this from? Me not saying one thing, does not mean that I said the opposite. – ctrl-alt-delor Jan 11 '20 at 22:29
  • Oh sorry I didn’t mean to confuse, I’m just trying to clarify – leeand00 Jan 11 '20 at 22:35