05. May 2010 · 11 comments · Categories: Linux

Linux Configure rssh Chroot Jail To Lock Users To Their Home Directories Only

rssh support chrooting option. If you want to chroot users, use chrootpath option. It is used to set the directory where the root of the chroot jail will be located. This is a security feature.

A chroot on Linux or Unix OS is an operation that changes the root directory. It affects only the current process and its children. If your default home directory is /home/pensacola normal user can access files in /etc, /sbin or /bin directory. This allows an attacker to install programs / backdoor via your web server in /tmp. chroot allows to restrict file system access and locks down user to their own directory.

Configuring rssh chroot

#Chroot directory: /users.
Note: If possible mount /users filesystem with the noexec/nosuid option to improve security.

# Required directories in jail:

  • /users/dev – Device file
  • /users/etc – Configuration file such as passwd
  • /users/lib – Shared libs
  • /users/usr – rssh and other binaries
  • /users/bin – Copy default shell such as /bin/csh or /bin/bash

# Required files in jail at /users directory (default for RHEL / CentOS / Debian Linux):

  • /etc/ld.so.cache
  • /etc/ld.so.cache.d/*
  • /etc/ld.so.conf
  • /etc/nsswitch.conf
  • /etc/passwd
  • /etc/group
  • /etc/hosts
  • /etc/resolv.conf
  • /usr/bin/scp
  • /usr/bin/rssh
  • /usr/bin/sftp
  • /usr/libexec/openssh/sftp-server OR /usr/lib/openssh/sftp-server
  • /usr/libexec/rssh_chroot_helper OR /usr/lib/rssh/rssh_chroot_helper (suid must be set on this binary)
  • /bin/sh or /bin/bash (default shell)

Note: Limit the binaries which live in the jail to the absolute minimum required to improve security. Usually /bin/bash and /bin/sh is not required but some system may give out error.

A note about jail file system

Note: The files need to be placed in the jail directory (such as /users) in directories that mimic their placement in the root (/) file system. So you need to copy all required files. For example, /usr/bin/rssh is located on / file system. If your jail is located at /users, then copy /usr/bin/rssh to /users/usr/bin/rssh. Following instuctions are tested on:

  • FreeBSD
  • Solaris UNIX
  • RHEL / Redhat / Fedora / CentOS Linux
  • Debian Linux

Building the Chrooted Jail

Create all required directories:
# mkdir -p /users/{dev,etc,lib,usr,bin}
# mkdir -p /users/usr/bin
# mkdir -p /users/libexec/openssh

Create /users/dev/null:
# mknod -m 666 /users/dev/null c 1 3
Copy required /etc/ configuration files, as described above to your jail directory /users/etc:
# cd /users/etc
# cp /etc/ld.so.cache .
# cp -avr /etc/ld.so.cache.d/ .
# cp /etc/ld.so.conf .
# cp /etc/nsswitch.conf .
# cp /etc/passwd .
# cp /etc/group .
# cp /etc/hosts .
# cp /etc/resolv.conf .
Open /usres/group and /users/passwd file and remove root and all other accounts.

Copy required binary files, as described above to your jail directory /users/bin and other locations:
# cd /users/usr/bin
# cp /usr/bin/scp .
# cp /usr/bin/rssh .
# cp /usr/bin/sftp .
# cd /users/usr/libexec/openssh/
# cp /usr/libexec/openssh/sftp-server .
# cp /usr/lib/openssh/sftp-server .
# cd /users/usr/libexec/
# cp /usr/libexec/rssh_chroot_helper
# cp /usr/lib/rssh/rssh_chroot_helper
# cd /users/bin/
# cp /bin/sh .
# cp /bin/bash .

Copy all shared library files

The library files that any of these binary files need can be found by using the ldd / strace command. For example, running ldd against /usr/bin/sftp provides the following output:
ldd /usr/bin/sftp

linux-gate.so.1 =>  (0x00456000)

libresolv.so.2 => /lib/libresolv.so.2 (0x0050e000)

libcrypto.so.6 => /lib/libcrypto.so.6 (0x0013e000)

libutil.so.1 => /lib/libutil.so.1 (0x008ba000)

libz.so.1 => /usr/lib/libz.so.1 (0x00110000)

libnsl.so.1 => /lib/libnsl.so.1 (0x0080e000)

libcrypt.so.1 => /lib/libcrypt.so.1 (0x00a8c000)

libgssapi_krb5.so.2 => /usr/lib/libgssapi_krb5.so.2 (0x00656000)

libkrb5.so.3 => /usr/lib/libkrb5.so.3 (0x00271000)

libk5crypto.so.3 => /usr/lib/libk5crypto.so.3 (0x00304000)

libcom_err.so.2 => /lib/libcom_err.so.2 (0x00777000)

libdl.so.2 => /lib/libdl.so.2 (0x00123000)

libnss3.so => /usr/lib/libnss3.so (0x00569000)

libc.so.6 => /lib/libc.so.6 (0x00b6c000)

libkrb5support.so.0 => /usr/lib/libkrb5support.so.0 (0x00127000)

libkeyutils.so.1 => /lib/libkeyutils.so.1 (0x00130000)

/lib/ld-linux.so.2 (0x00525000)

libplc4.so => /usr/lib/libplc4.so (0x008c9000)

libplds4.so => /usr/lib/libplds4.so (0x00133000)

libnspr4.so => /usr/lib/libnspr4.so (0x00d04000)

libpthread.so.0 => /lib/libpthread.so.0 (0x0032a000)

libselinux.so.1 => /lib/libselinux.so.1 (0x00341000)

libsepol.so.1 => /lib/libsepol.so.1 (0x00964000)

You need to copy all those libraries to /lib and other appropriate location. However, I recommend using this automated script called l2chroot:
# cd /sbin
# wget -O l2chroot http://www.cyberciti.biz/files/lighttpd/l2chroot.txt
# chmod +x l2chroot
Open l2chroot and set BASE variable to point to chroot directory (jail) location:
Now copy all shared library files
# l2chroot /usr/bin/scp
# l2chroot /usr/bin/rssh
# l2chroot /usr/bin/sftp
# l2chroot /usr/libexec/openssh/sftp-server
# l2chroot /usr/lib/openssh/sftp-server
# l2chroot /usr/libexec/rssh_chroot_helper
# l2chroot /usr/lib/rssh/rssh_chroot_helper
# l2chroot /bin/sh
# l2chroot /bin/bash

Modify syslogd configuration

The syslog library function works by writing messages into a FIFO file such as /dev/log. You need to pass -a /path/to/chroot/dev/log option. Using this argument you can specify additional sockets from that syslogd has to listen to. This is needed if you’re going to let some daemon run within a chroot() environment. You can use up to 19 additional sockets. If your environment needs even more, you have to increase the symbol MAXFUNIX within the syslogd.c source file. Open /etc/sysconfig/syslog file:
# vi /etc/sysconfig/syslog
Find line that read as follows:
Append -a /users/dev/log
SYSLOGD_OPTIONS=”-m 0 -a /users/dev/log”
Save and close the file. Restart syslog:
# /etc/init.d/syslog restart
If you are using Debian / Ubuntu Linux apply changes to /etc/default/syslogd file.

Set chroot path

Open configuration file /etc/rssh.conf:
# vi /etc/rssh.conf
Set chrootpath to /users
Save and close the file. If sshd is not running start it:
# /etc/init.d/sshd start

Add user to jail

For example, add user pensacola in chrooted jail with the following command:
# useradd -m -d /users/pensacola -s /usr/bin/rssh pensacola
# passwd pensacola
Now pensacola can login using sftp or copy files using scp:

sftp pensacola@my-server.com

pensacola@my-server.com’s password:

sftp> ls

sftp> pwd

Remote working directory: /pensacola

sftp> cd /tmp

Couldn’t canonicalise: No such file or directory

User pensacola is allowed to login to server to transfer files, but not allowed to browse entire file system.

References: http://www.cyberciti.biz/tips/rhel-centos-linux-install-configure-rssh-shell.html#comments


  1. Some of the details associated with this write-up happen to be beneficial however had myself asking, did they seriously suggest that? One point I have to say is definitely your writing skills are very excellent and I will probably be returning back again for any new blog post you produce, you could possibly have a brand-new fan. I book-marked your web page for reference.

  2. I really thought i’d guide and let you realize your websites is handy for pointed out the helpful method.I genuinely love your blog.In the right way, the posting is in actuality the top on this really worth whilst subject. I concur together with your ideas and will consistently appear forward for your coming messages. Merely saying thanks is not going to just be sufficient, for that amazing lucidity in the advice. I will quickly grab your rss feed to stay informed of any updates.Trustworthy give good results and significantly achievements inside your efforts and company opportunities.Anyways keep up the superior efforts.Many thanks.

  3. Wow!, this was a real quality post. In theory I’d like to write like this too – taking time and real effort to make a good article… but what can I say… I keep putting it off and never seem to get something doneeducation degree

  4. Nice submit! GA can also be my biggest earning. Nevertheless, it’s not just a a lot.

  5. Simply want to say your article is as tonishing. The clearness in your post is simply spectacular and i can assume you are an expert on this subject. Well with your permission allow me to grab your rss feed to keep up to date with forthcoming post. Thanks a million and please keep up the gratifying work.

  6. I really believed i’d write and let you realize your information sites is handy for disclosed the important secret.I certainly appreciate your blog.Accurately, the content is in experience one of the best on this really worth while subject. I concur with your data and will eagerly appear forward to your arriving enhancements. Pretty much saying thanks is not going to just be adequate, for that phenomenal lucidity in your own article writing. I will right away get your rss feed to remain abreast of any updates.Reputable efforts and a good deal achievements in your own operate and home business efforts.Automatically preserve up the beneficial perform.Thank you.

  7. hey great information your site contains will return when I have time to read more.

  8. I just wanted to comment your blog and say that I really enjoyed reading your blog post here. It was very informative and I also digg the way you write! Keep it up and I’ll be back to read more soon mate

  9. Okay article. I just became aware of your blog and desired to say I have really enjoyed reading your opinions. Any way I’ll be subscribing in your feed and Lets hope you post again soon.

  10. Okay article. I just became aware of your blog and desired to say I have really enjoyed reading your opinions. Any way I’ll be subscribing in your feed and Lets hope you post again soon.

  11. genuinely beneficial perspective on the subject and extremely well written, this certainly has place a spin on my day, a number of thanks from the USA and retain up the very good work

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>