jailkit-users

RE: [Jailkit-users] Jailkit questions


From: Luiz Casey
Subject: RE: [Jailkit-users] Jailkit questions
Date: Thu, 19 Nov 2009 10:07:57 -0500

You can also accomplish it via rbash? This too restricts them from using specific commands.

 

From: address@hidden [mailto:address@hidden On Behalf Of Luiz Casey
Sent: Thursday, November 19, 2009 8:35 AM
To: 'address@hidden'
Subject: RE: [Jailkit-users] Jailkit questions

 

There are several commands that are invoked within “bash” such as “cd, ls, kill”. I too was trying to accomplish something along the lines of what you are trying to do: have an ssh-only shell where the only command they can run is ssh. There are a couple of road bumps to doing so. The first is the one you ran into. I tried to resolve this by having “enable -n kill”, “enable -n cd”, etc. in .bashrc. The second you will notice is that even if you do that, they can still scp their own .bashrc file. To fix this, what I did was remove “write” access to the home directory. Then you start to think, well, it would be nice to have some location for them to actually transfer files to. So what I did was create an “upload” directory. Thus they have write access to scp what they want to that directory. After doing all that you should get a basic ssh-only shell.

The second issue you will come across is that they should be able to view what is in their “upload” directory, so you will have to enable “ls”. By doing so you have now given them access to “ls” anything they want if they know the path, i.e. “ls /etc”; from there they can still scp files within “etc”. The third issue is they can still “sftp” to the system and have full access to roam the jailed environment. This is where I am at right now. The only solution I can come up with is that if they need to transfer files to/from the box, they will need to use an sftp-only account using the openssh chroot option. Using that, they are restricted to their home directory or whatever directory you set. Somehow allow ssh access but deny sftp for only specific users.

 

Not sure if this helped or gave some insights or not. There might be a better way to do all this and I am open to suggestions.

From: address@hidden [mailto:address@hidden On Behalf Of Jon Gullidge
Sent: Thursday, November 19, 2009 3:52 AM
To: address@hidden
Subject: RE: [Jailkit-users] Jailkit questions

 

Hi Anson,

Look inside {jail}/bin, {jail}/usr/bin, in your case I think {jail} is /home/jail, so:
/home/jail/bin
/home/jail/usr/bin
Remove anything from in there you do not want. This should work fine as the jail initialises outside of the jail so shouldn't be using any commands from within the jail :)

HTH

> From: address@hidden
> To: address@hidden
> Date: Thu, 19 Nov 2009 13:16:31 +0800
> Subject: [Jailkit-users] Jailkit questions
>
> Hello Oliver,
>
> A thank you for this great piece of code.
> I do have one question however.
>
> I have setup the jail using the following:
>
> mkdir /home/jail
> chown root:root /home/jail
>
> MODIFIED jk_init.ini like so -
> ---------------------------------------------------------------------------
> [basicshell]
> comment = bash based shell with several basic utilities
> paths = /bin/sh, /bin/bash, /bin/false, /etc/motd, /etc/issue,
> /etc/bash.bashrc, /etc/bashrc, /etc/profile, /usr/lib/locale/en_US.utf8
> users = root
> groups = root
> includesections = netbasics, uidbasics
> ---------------------------------------------------------------------------
>
>
> jk_init -v -j /home/jail basicshell
> jk_jailuser -m -j /home/jail example
>
> /home/jail/etc/passwd looks like this:
> sample:x:1000:1000::/home/sample:/bin/bash
>
> Well it works... mostly!
> Most attempts to do anything end up with a "bad command etc etc..."
>
> However, "cd" "pwd" "kill" etc still work...
> I'm guessing it's because they are tied in to the core bash shell functions
> somehow.
> Is there any way to disable all these and any other "core" functions that
> don't have to exist in /bin/bash?
>
> I'm guessing one way to go around it would be to create a .bashrc that would
> create aliases with the same command names to "divert" the real function?
> Like a "kill" alias that would actually do nothing. Have not tried it yet
> but was hoping for something better from you.
> I'm sure I missed something as I've only been using Linux for about 2 months
> but have setup a VPS for a few friends (who need port forwarding SSH but
> don't need to do anything inside the VPS)
>
> Thanks again for your great code and seasons greetings in advance to your
> family!
> Anson
>
>
>
> _______________________________________________
> Jailkit-users mailing list
> address@hidden
> http://lists.nongnu.org/mailman/listinfo/jailkit-users
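
Added example, not part of the original thread: a script showing how the two suggestions in this thread interact. Deleting files from {jail}/bin leaves bash builtins such as `cd` in place, and `enable -n` turns a builtin off but bash then falls back to a same-named file if one is still in the jail. The `resolve` and `demo` helper names and the stub `kill` file are constructed for illustration; the script assumes bash is installed.

```bash
#!/usr/bin/env bash
# Added example, not from the thread.
BASH_BIN=$(command -v bash)   # assumption: bash is installed

# resolve BINDIR NAME [BUILTIN...]
# Start a clean bash whose PATH is only BINDIR (a stand-in for {jail}/bin),
# turn off each listed BUILTIN with `enable -n`, then report how NAME
# resolves in that shell: "builtin", "file" or "none".
resolve() {
    bindir=$1 name=$2
    shift 2
    # `type -t` prints nothing and fails when NAME is not found at all,
    # so the failure is swallowed and mapped to "none" below.
    kind=$(env -i PATH="$bindir" "$BASH_BIN" --norc --noprofile -c '
        name=$1; shift
        for b in "$@"; do enable -n "$b"; done
        type -t "$name"' _ "$name" "$@") || true
    echo "${kind:-none}"
}

# Constructed sample: a jail bin directory that holds only a stub "kill".
demo() {
    jailbin=$(mktemp -d)
    printf '#!/bin/sh\nexit 0\n' > "$jailbin/kill"
    chmod 755 "$jailbin/kill"
    echo "cd,   no file in jail, builtin left on: $(resolve "$jailbin" cd)"
    echo "cd,   no file in jail, enable -n cd:    $(resolve "$jailbin" cd cd)"
    echo "kill, file in jail,    enable -n kill:  $(resolve "$jailbin" kill kill)"
    rm -f "$jailbin/kill"
    echo "kill, file removed,    enable -n kill:  $(resolve "$jailbin" kill kill)"
    rmdir "$jailbin"
}

demo
```

A command is only gone from the jailed shell when both the builtin is disabled and no file of that name remains on the jail's PATH.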



