Wilder_Admin
asked on
Red Hat 6.5 chroot over ssh for shell users not sftp
I need to jail some users in an automounter directory and additionally allow only a list of commands. So I decided the right way is to chroot these users over ssh.
The OS used is Red Hat 6.5 and I am not allowed to use third-party packages. So my approach is to use the pam_chroot module:
Here are my configs (for readability I deleted everything that is commented out):
File: /etc/ssh/sshd_config
# $OpenBSD: sshd_config,v 1.80 2008/07/02 02:24:18 djm Exp $
# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin
Protocol 2
SyslogFacility AUTHPRIV
StrictModes yes
MaxAuthTries 4
IgnoreRhosts yes
PermitEmptyPasswords no
PasswordAuthentication yes
ChallengeResponseAuthentication no
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
UsePAM yes
# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
AllowTcpForwarding no
X11Forwarding yes
UsePrivilegeSeparation no
ClientAliveCountMax 0
# Example of overriding settings on a per-user basis
Match Group users
ChrootDirectory /chroot/fileservice
File: /etc/pam.d/login
#%PAM-1.0
auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth include system-auth
account required pam_nologin.so
account include system-auth
password include system-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
session optional pam_console.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open
session required pam_namespace.so
session optional pam_keyinit.so force revoke
session include system-auth
-session optional pam_ck_connector.so
session required pam_chroot.so debug
File: /etc/pam.d/sshd
#%PAM-1.0
auth required pam_sepermit.so
auth include password-auth
account required pam_nologin.so
account include password-auth
password include password-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open env_params
session optional pam_keyinit.so force revoke
session include password-auth
# Setting UMASK for all ssh based connections (ssh, sftp, scp)
session optional pam_umask.so umask=0027
session required pam_chroot.so
File: /etc/security/chroot.conf
# /etc/security/chroot.conf
# format:
# username_regex chroot_dir
#matthew /home
testuser /
Debug: ssh -v -v testuser@XXXXXX
OpenSSH_5.3p1, OpenSSL 1.0.0-fips 29 Mar 2010
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to XXXXX [XXXXX] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: identity file /root/.ssh/identity type -1
debug1: identity file /root/.ssh/identity-cert type -1
debug1: identity file /root/.ssh/id_rsa type -1
debug1: identity file /root/.ssh/id_rsa-cert type -1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: identity file /root/.ssh/id_dsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
debug1: match: OpenSSH_5.3 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.3
debug2: fd 3 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ssh-dss-cert-v00@openssh.com,ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: found hmac-md5
debug1: kex: server->client aes128-ctr hmac-md5 none
debug2: mac_setup: found hmac-md5
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 124/256
debug2: bits set: 512/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'iumg032' is known and matches the RSA host key.
debug1: Found key in /root/.ssh/known_hosts:10
debug2: bits set: 529/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /root/.ssh/identity ((nil))
debug2: key: /root/.ssh/id_rsa ((nil))
debug2: key: /root/.ssh/id_dsa ((nil))
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug2: we did not send a packet, disable method
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure. Minor code may provide more information
Credentials cache file '/tmp/krb5cc_0' not found
debug1: Unspecified GSS failure. Minor code may provide more information
Credentials cache file '/tmp/krb5cc_0' not found
debug1: Unspecified GSS failure. Minor code may provide more information
debug1: Unspecified GSS failure. Minor code may provide more information
Credentials cache file '/tmp/krb5cc_0' not found
debug2: we did not send a packet, disable method
debug1: Next authentication method: publickey
debug1: Trying private key: /root/.ssh/identity
debug1: Trying private key: /root/.ssh/id_rsa
debug1: Trying private key: /root/.ssh/id_dsa
debug2: we did not send a packet, disable method
debug1: Next authentication method: password
testuser@XXX's password:
debug2: we sent a password packet, wait for reply
debug1: Authentication succeeded (password).
debug1: channel 0: new [client-session]
debug2: channel 0: send open
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug2: callback start
debug2: client_session2_setup: id 0
debug2: channel 0: request pty-req confirm 1
debug1: Sending environment.
debug1: Sending env LANG = en_US.UTF-8
debug2: channel 0: request env confirm 0
debug2: channel 0: request shell confirm 1
debug2: fd 3 setting TCP_NODELAY
debug2: callback done
debug2: channel 0: open confirm rwindow 0 rmax 32768
debug2: channel_input_status_confirm: type 99 id 0
debug2: PTY allocation request accepted on channel 0
debug2: channel 0: rcvd adjust 2097152
debug2: channel_input_status_confirm: type 99 id 0
debug2: shell request accepted on channel 0
Last login: Thu Oct 23 08:47:48 2014 from XXXX
______________________________________________________________________
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
______________________________________________________________________
/bin/bash: Permission denied
debug2: channel 0: rcvd eof
debug2: channel 0: output open -> drain
debug2: channel 0: obuf empty
debug2: channel 0: close_write
debug2: channel 0: output drain -> closed
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug1: client_input_channel_req: channel 0 rtype eow@openssh.com reply 0
debug2: channel 0: rcvd eow
debug2: channel 0: close_read
debug2: channel 0: input open -> closed
debug2: channel 0: rcvd close
debug2: channel 0: almost dead
debug2: channel 0: gc: notify user
debug2: channel 0: gc: user detached
debug2: channel 0: send close
debug2: channel 0: is dead
debug2: channel 0: garbage collecting
debug1: channel 0: free: client-session, nchannels 1
Connection to XXXXX closed.
Transferred: sent 1912, received 3120 bytes, in 0.0 seconds
Bytes per second: sent 186500.2, received 304330.9
debug1: Exit status 1
# chroot /chroot/fileservice/
bash-4.1# ls
bin dev etc home lib lib64 net proc tmp usr var
bash-4.1#
# ls -lh
total 36K
drwxr-x--- 2 root root 4.0K Oct 21 10:26 bin
drwxr-xr-x 17 root root 3.7K Oct 21 09:00 dev
drwxr-x--- 82 root root 4.0K Oct 22 10:42 etc
drwxrwxr-x 3 root root 4.0K Oct 21 10:52 home
drwxr-xr-x 3 root root 4.0K Oct 22 08:25 lib
drwxr-xr-x 3 root root 4.0K Oct 22 08:25 lib64
drwxr-xr-x 2 root root 4.0K Oct 20 13:46 net
dr-xr-xr-x 108 root root 0 Oct 21 09:00 proc
drwxrwxrwt 2 root root 4.0K Oct 21 15:41 tmp
drwxr-x--- 4 root root 4.0K Oct 22 08:43 usr
drwxr-x--- 4 root root 4.0K Oct 21 16:35 var
bin # ls -lh
total 1.2M
-rwxr-xr-x 1 root root 918K Oct 21 10:26 bash
-rwxr-x--- 1 root root 48K Oct 21 10:26 cat
-rwxr-x--- 1 root root 28K Oct 21 10:26 echo
-rwxr-x--- 1 root root 115K Oct 21 10:26 ls
-rwxr-x--- 1 root root 57K Oct 21 10:26 rm
lib64]# ls -lh
total 2.6M
-rwxr-xr-x 1 root root 154K Oct 21 10:26 ld-linux-x86-64.so.2
drwxr-xr-x. 9 root root 12K May 15 09:32 lib64
-rwxr-xr-x 1 root root 34K Oct 21 10:26 libacl.so.1
-rwxr-xr-x 1 root root 21K Oct 21 10:26 libattr.so.1
-rwxr-xr-x 1 root root 19K Oct 21 10:26 libcap.so.2
-rwxr-xr-x 1 root root 1.9M Oct 21 10:26 libc.so.6
-rwxr-xr-x 1 root root 23K Oct 21 10:26 libdl.so.2
-rwxr-xr-x 1 root root 143K Oct 21 10:26 libpthread.so.0
-rwxr-xr-x 1 root root 46K Oct 21 10:26 librt.so.1
-rwxr-xr-x 1 root root 122K Oct 21 10:26 libselinux.so.1
-rwxr-xr-x 1 root root 136K Oct 21 10:26 libtinfo.so.5
lib64]# ldd /chroot/fileservice/bin/bash
linux-vdso.so.1 => (0x00007fff043b2000)
libtinfo.so.5 => /lib64/libtinfo.so.5 (0x00000036c5400000)
libdl.so.2 => /lib64/libdl.so.2 (0x00000036c3c00000)
libc.so.6 => /lib64/libc.so.6 (0x00000036c4000000)
/lib64/ld-linux-x86-64.so.2 (0x00000036c3800000)
So the chroot itself is working and ssh is working, but the /bin/bash "Permission denied" prevents the chroot environment from working. Is there someone out there who can help?
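One way to audit the jail for exactly this failure mode, as an added example (not code from the question or from any answer on this page; the function names and the sample layout with binaries under $ROOT/bin are assumptions). It checks, for a user who is neither root nor in group root, whether every directory on the way to each binary is searchable by "other", whether the binary is executable by "other", and whether every library ldd resolves on the host also exists inside the chroot.

```shell
#!/bin/sh
# Added audit script (not part of the original question). Assumes a chroot tree
# laid out like /chroot/fileservice with the binaries under $ROOT/bin.
# 1. every directory between the chroot root and a binary must be searchable (x)
#    by "other", since the jailed user is not root and not in group root;
# 2. the binary itself must be executable by "other";
# 3. every shared library ldd reports must exist *inside* the chroot.

# true if "other" has the execute/search bit on $1 (POSIX find, no GNU stat needed)
other_has_x() {
    [ -n "$(find "$1" -prune -perm -001 2>/dev/null)" ]
}

# print every directory component of $1$2 that is not searchable by "other"
check_path_traversal() {
    croot="$1" crel="$2" cdir="$1" cbad=0
    # word-splitting on '/' is fine here: chroot paths should not contain spaces
    for comp in $(printf '%s' "${crel%/*}" | tr '/' ' '); do
        cdir="$cdir/$comp"
        if ! other_has_x "$cdir"; then
            echo "NO-TRAVERSE $cdir (needs o+x, e.g. mode 755)"
            cbad=1
        fi
    done
    return $cbad
}

# print every library that ldd resolves on the host but that is missing in the chroot
check_libs() {
    lroot="$1" lbin="$2" lbad=0
    command -v ldd >/dev/null 2>&1 || return 0
    for lib in $(ldd "$lbin" 2>/dev/null | awk '$2 == "=>" && $3 ~ /^\// {print $3}
                                                 $1 ~ /^\// {print $1}'); do
        if [ ! -e "$lroot$lib" ]; then
            echo "MISSING-LIB $lroot$lib (needed by $lbin)"
            lbad=1
        fi
    done
    return $lbad
}

# audit every binary under $1/bin; prints findings and returns 1 if there are any
chroot_exec_check() {
    root="${1%/}" rc=0
    if ! other_has_x "$root"; then
        echo "NO-TRAVERSE $root (needs o+x, e.g. mode 755)"
        rc=1
    fi
    for f in "$root"/bin/*; do
        [ -f "$f" ] || continue
        rel="${f#"$root"}"
        check_path_traversal "$root" "$rel" || rc=1
        if ! other_has_x "$f"; then
            echo "NO-EXEC $f (needs o+x, e.g. mode 755)"
            rc=1
        fi
        check_libs "$root" "$f" || rc=1
    done
    return $rc
}

# usage: sh chroot_exec_check.sh /chroot/fileservice
case "${1:-}" in
    "") ;;
    *) chroot_exec_check "$1" ;;
esac
```

Run against the tree shown in the question it would flag bin, etc, usr and var (mode 750) and cat, echo, ls and rm (mode 750), which is why bash, although 755 itself, cannot be reached through a 750 bin directory.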
ASKER
# chroot /chroot/fileservice/ bash
bash-4.1# ldd /bin/bash
linux-vdso.so.1 => (0x00007fff9adff000)
libtinfo.so.5 => /lib64/libtinfo.so.5 (0x00000036c5400000)
libdl.so.2 => /lib64/libdl.so.2 (0x00000036c3c00000)
libc.so.6 => /lib64/libc.so.6 (0x00000036c4000000)
/lib64/ld-linux-x86-64.so.2 (0x00000036c3800000)
ls -ld /chroot/fileservice
Can the user trespass ./bin/?
ASKER
]# ls -ld /chroot/fileservice
drwxr-xr-x 13 root root 4096 Oct 21 16:22 /chroot/fileservice
# chroot /chroot/fileservice/ bash
bash-4.1# ls
bin dev etc home lib lib64 net proc tmp usr var
bash-4.1# cd bin
bash-4.1# ls
bash cat echo ls rm
Is this the information about trespassing bin? Or what exactly?
I meant...
ls -ld /chroot/fileservice/*
ASKER
]# ls -ld /chroot/fileservice/*
drwxr-x--- 2 root root 4096 Oct 21 10:26 /chroot/fileservice/bin
drwxr-xr-x 17 root root 3780 Oct 21 09:00 /chroot/fileservice/dev
drwxr-x--- 82 root root 4096 Oct 22 10:42 /chroot/fileservice/etc
drwxrwxr-x 3 root root 4096 Oct 21 10:52 /chroot/fileservice/home
drwxr-xr-x 3 root root 4096 Oct 22 08:25 /chroot/fileservice/lib
drwxr-xr-x 3 root root 4096 Oct 22 08:25 /chroot/fileservice/lib64
drwxr-xr-x 2 root root 4096 Oct 20 13:46 /chroot/fileservice/net
dr-xr-xr-x 107 root root 0 Oct 21 09:00 /chroot/fileservice/proc
drwxrwxrwt 2 root root 4096 Oct 21 15:41 /chroot/fileservice/tmp
drwxr-x--- 4 root root 4096 Oct 22 08:43 /chroot/fileservice/usr
drwxr-x--- 4 root root 4096 Oct 21 16:35 /chroot/fileservice/var
ASKER
Only to clarify: 755 as the permission for these folders?
ASKER
Nearly done now:
-bash: id: command not found
-bash: id: command not found
-bash: tty: command not found
Do I need to copy them into the chroot?
ASKER
Great help and perfect support. Thank you so much.
Yes, all commands need to be in the chroot.
You can use read-only bind mounts to pass e.g. all of /bin and all of /lib (to me it seems easier to maintain, e.g. for patching).
ldd bash