So lets start with something simple ;)
CHROOT
A chroot is a simple mechanism available on most (?all?) unix platforms for securing access to system resources. In this instance a process (or account) has restricted access to the system by creating a 'jail', which contains only those directories, files and binaries that process (or account) is allowed to access. While the chroot is a simple mechanism, setting up a chroot can be a fairly complicated process which is made much simpler through the use of the 'jailkit' package.
This is very useful for protecting some services such as 'bind' so that in the event of a remote compromise there is limited access to the system for the supposed hacker. It's also useful for providing remote access to people (partners, businesses etc) where allowing access to the entire system is not ideal.
An example is an 'sftproot', restricting user access to only be able to copy files to a select set of directories. This functionality can be enforced via command scripts in an aithorized_keys file, I find the chroot to be more secure and faster to setup. There are also a number of sites that outline how to configure this manually and I'm sure you can google these, in this instance I'm going to look at using the 'jailkit' to automate the setup of an sftp account.
The jailkit package has been around for a while and is still being actively maintained:
http://olivier.sessink.nl/jailkit/
Pre-assembled packages are available from multiple locations, if you use any of the Redhat or Centos distributions you can find these at http://pkgs.repoforge.org/jailkit/.
For this example imagine the following scenario:
Widget Inc requires a login for one of it's partner firms so that files can be exchanged between the companies. These files will be automatically transferred using 'scp/sftp' with certificate based authentication. Care needs to be taken to ensure this account is secured to prevent access to any other system functionality or resources.
It's a simple but fairly common scenario. It's worth noting that I have used the same setup for automated backups via rsync and it works well but that would be a different discussion.
In this instance the base system is:
- OS: Centos 6.3
- Chroot User: widgetinc
- Chroot Path: /opt/sftproot/widgetinc
Start by installing the 'jailkit' from the above URL:
$rpm -ivh http://pkgs.repoforge.org/jailkit/jailkit-2.11-1.el6.rf.x86_64.rpm
You can inspect the package contents via:
$rpm -ql jailkit
and read the man pages at your leasure. To create the sftproot we need to create the config file section in /etc/jailkit/jk_init.ini:
[scp]
comment = ssh secure copy
paths = /usr/bin/scp
includesections = netbasics, uidbasics
devices = /dev/urandom
[sftp]
comment = ssh secure ftp
paths = /usr/lib/sftp-server, /usr/libexec/openssh/sftp-server, /usr/lib/misc/sftp-server, /usr/libexec/sftp-server
includesections = netbasics, uidbasics
devices = /dev/urandom, /dev/null
# on solaris
#paths = /usr/lib/ssh/sftp-server
To initialise the 'jail' with support for both 'scp' and 'sftp':
$mkdir /opt/sftproot
$chown root:root /opt/sftproot
$chmod 0755 /opt/sftproot
$jk_init -j /opt/sftproot scp
$jk_init -fj /opt/sftproot sftp
$jk_init -fj /opt/sftproot jk_lsh
$mkdir /opt/sftproot/home
The Jail environment is ready for use, create the user account:
$jk_addjailuser /opt/sftproot widgetinc
You can now set a password on the 'widgetinc' user ($passwd widgetinc) or drop any ssh keys in /opt/sftproot/home/widgetinc/.ssh/authorized_keys and start using the account.
An important part I _did_ forget..
Add a section to /etc/jailkit/jk_lsh.ini for the user. Also add it to /opt/sftproot/etc/jailkit/jk_lsh.ini if the chroot has already been created:
[widgetinc]
paths=/usr/lib,/usr/bin
executables=/usr/lib/sftp-server,/usr/bin/scp
allow_word_expansion=0
umask=002
Nice, simple, and reasonably secure ;)
J.
