
chroot problem

 
Mauro Gatti
Valued Contributor

chroot problem

Hi all, I'm trying to chroot a user following the HP-UX Secure Shell and chroot-ed environments instructions, but I'm not able to get a chroot environment.
In effect, if I do a "cd /" as this user I go to the system /.
This is the user's passwd line:

sutluser:JnDXJTJ6E00gw:103:105::/oradata/ITSMS/utl_file/./:/usr/bin/sh



Could you help me?

Thank you
Ubi maior, minor cessat!
Rita C Workman
Honored Contributor

Re: chroot problem

Try changing his shell from /usr/bin/sh to something restricted, like:
/usr/bin/rksh

Rgrds,
Rita
Jose Mosquera
Honored Contributor

Re: chroot problem

Hi,

Have you added this user to the guestgroup defined in the /etc/ftpd/ftpaccess file?

Rgds.
Andrew Cowan
Honored Contributor

Re: chroot problem

To create a chrooted environment you need to duplicate the bits of the OS you are going to give access to. E.g. if you just wanted a user to run "ls" you would create a jail/bin directory and then make a copy of "ls" in here, and then create any other directories such as "/jail/lib". Here is a sample script I wrote for an AIX system, the names might be a bit different, but the principles are the same:

#!/bin/sh
# Build a minimal chroot jail that contains only "ls" (written for AIX;
# adjust paths, the group name and the library names for HP-UX).
JAIL=/home/jail
mkdir -p $JAIL
cd $JAIL || exit 1

# $JAIL/bin: the one command the captive user may run
mkdir bin
chown root bin
cp /bin/ls $JAIL/bin/ls
chmod 111 $JAIL/bin/ls
chmod 555 $JAIL/bin
chgrp system $JAIL/bin
echo "Made $JAIL/bin directory."

# $JAIL/usr/bin (note: "mkdir usr /bin" would create /bin at the real root)
mkdir -p usr/bin
chown root usr usr/bin

# $JAIL/etc, plus the NLS collation table if the system has one
mkdir etc
chown root etc
chmod 555 etc
chgrp system $JAIL/etc
if [ -f /etc/nls/ctab/default ]
then
    mkdir -p etc/nls/ctab
    cp /etc/nls/ctab/default etc/nls/ctab/default
    chmod 2755 $JAIL/etc/nls
    chmod 2755 $JAIL/etc/nls/ctab
    chown root $JAIL/etc/nls $JAIL/etc/nls/ctab $JAIL/etc/nls/ctab/default
    chgrp system $JAIL/etc/nls $JAIL/etc/nls/ctab $JAIL/etc/nls/ctab/default
fi
echo "Made $JAIL/etc directory."

# $JAIL/pub: the only directory in the jail the captive user may write to
mkdir pub
chmod 777 pub
chgrp system $JAIL/pub
echo "Made $JAIL/pub directory."

# $JAIL/lib: the libraries "ls" needs
mkdir lib
chmod 555 lib
chgrp system $JAIL/lib
cp /lib/libc.a lib/libc.a
cp /lib/libcurses.a lib/libcurses.a
cp /lib/libcrypt.a lib/libcrypt.a
echo "Made $JAIL/lib directory."

# $JAIL/dev/null, created with the same major/minor numbers as the real one
mkdir dev
/usr/sbin/mknod dev/null c $(ls -l /dev/null | awk '{print $5, $6}' | tr -d ,)
chmod 555 dev
chown root dev
chgrp system dev
echo "Made $JAIL/dev/null entry."

# message catalog for "ls" (AIX keeps these under /usr/lpp/msg/$LANG)
mkdir -p usr/lpp/msg/$LANG
chmod 555 usr usr/lpp usr/lpp/msg usr/lpp/msg/$LANG
chown root usr usr/lpp usr/lpp/msg usr/lpp/msg/$LANG
chgrp system usr usr/lpp usr/lpp/msg usr/lpp/msg/$LANG
if [ -f /usr/lpp/msg/$LANG/ls.cat ]
then
    cp /usr/lpp/msg/$LANG/ls.cat usr/lpp/msg/$LANG/ls.cat
fi
echo "Made $JAIL/usr/lpp/msg/$LANG directory."

# fix up captive user's root directory: root-owned and not writable by the user
chmod 555 $JAIL
chown root $JAIL

# Test jail
chroot /home/jail /bin/ls -la /
Mauro Gatti
Valued Contributor

Re: chroot problem

Rita, I can't use a restricted shell.
Jose Maria, I did!
Andrew, thank you - in effect, the HP document has a similar procedure to chroot a user.
What I didn't understand is the use of "/./" in the /etc/passwd file.
Ubi maior, minor cessat!
Fabio Ettore
Honored Contributor

Re: chroot problem

Ciao Mauro,

I hope that Andrew's reply helped you.
The "/./" in /etc/passwd just indicates the jump between the user's home directory and the effective directory the user will see on login.
So his/her home directory is /oradata/ITSMS/utl_file/, but he/she will see just /.

HTH.

Best regards,
Fabio
WISH? IMPROVEMENT!
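The "/./" convention Fabio describes, and the jail layout Andrew's script builds, can both be checked from the shell before a user ever logs in. The script below is an added example, not code from the thread or from the HP document: it splits a passwd home field at the marker (text before "/./" is taken as the chroot root, text after it as the directory the user lands in) and then audits the jail root for the two things that matter most for any chroot: it must exist and be owned by root, and it must not be group- or world-writable by the captive user. The function names are mine; the expected owner and the list of required entries are parameters, because which binaries and libraries an sftp jail needs depends on the HP procedure and is not claimed here.

```shell
#!/bin/sh
# Added example (not from the thread or the HP document): split an
# /etc/passwd home field on "/./" and sanity-check the resulting jail.
# Assumes the convention Fabio describes: "<jail root>/./<start dir>".

# split_jail_home HOMEFIELD
# Prints "<jail root> <start dir>"; the root is "-" when there is no marker.
split_jail_home() {
    home=$1
    case $home in
        */./*)
            root=${home%%/./*}        # everything before the first "/./"
            rest=${home#*/./}         # everything after it
            [ -n "$root" ] || root=/
            rest=/$rest
            case $rest in
                /) ;;
                */) rest=${rest%/} ;; # "/jail/./pub/" -> "/pub"
            esac
            printf '%s %s\n' "$root" "$rest"
            ;;
        *)
            printf '%s %s\n' - "$home"
            ;;
    esac
}

# check_jail JAILROOT OWNER STARTDIR [REQUIRED_ENTRY...]
# Prints one line per finding and returns the number of findings (0 = sane).
check_jail() {
    jail=$1; owner=$2; start=$3; shift 3
    problems=0
    if [ ! -d "$jail" ]; then
        echo "missing: jail root $jail"
        return 1
    fi
    mode=$(ls -ld "$jail" | awk '{print $1}')
    have_owner=$(ls -ld "$jail" | awk '{print $3}')
    if [ "$have_owner" != "$owner" ]; then
        echo "owner: $jail is owned by $have_owner, expected $owner"
        problems=$((problems + 1))
    fi
    # A chroot root the captive user can write to is not a jail: the 6th and
    # 9th characters of the mode string are the group and other write bits.
    case $mode in
        ?????w*|????????w*)
            echo "perms: $jail is group- or world-writable ($mode)"
            problems=$((problems + 1))
            ;;
    esac
    if [ ! -d "$jail$start" ]; then
        echo "missing: start directory $start inside $jail"
        problems=$((problems + 1))
    fi
    for entry in "$@"; do
        if [ ! -e "$jail/$entry" ]; then
            echo "missing: $jail/$entry"
            problems=$((problems + 1))
        fi
    done
    return $problems
}

# Demo on the passwd entry quoted in the thread (field 6 is the home directory).
entry='sutluser:JnDXJTJ6E00gw:103:105::/oradata/ITSMS/utl_file/./:/usr/bin/sh'
home=$(printf '%s\n' "$entry" | cut -d: -f6)
split_jail_home "$home"     # prints: /oradata/ITSMS/utl_file /
```

Run as root on the server, something like `check_jail /oradata/ITSMS/utl_file root / bin lib dev/null` reports a jail root that is owned by someone else, writable by the group or by everyone, or missing the entries you expect the procedure to have put there; a non-zero return value is the number of findings, so it drops straight into a pre-login check.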
Mauro Gatti
Valued Contributor

Re: chroot problem

OK Fabio.
I followed HP-UX Secure Shell and chroot-ed environments
http://docs.hp.com/hpux/onlinedocs/T1471-90011/00/00/13-con.html
for sftp.
Despite that, I'm not able to chroot my user.
If I try to connect via sftp and do a "cd /" and an "ls", I see my server's root directory and not my user's "jail".
Perhaps I'm missing some hidden step?
Ubi maior, minor cessat!
Jose Mosquera
Honored Contributor

Re: chroot problem

Hi,

What about the ftpd definition in /etc/inetd.conf?

ftp stream tcp nowait root /usr/lbin/ftpd ftpd -a

"-a" activates the use of the /etc/ftpd/ftpaccess file definitions (man ftpd).

Then restart the inetd services:
# inetd -c

Rgds.
Mauro Gatti
Valued Contributor

Re: chroot problem

Jose, ftp in effect works fine chrooting the user, but I need to use sftp!
Ubi maior, minor cessat!