Last updated: 2019-10-04
Introduction
Jailkit is a set of utilities to limit user accounts to specific files using chroot() and/or to specific commands.
Contents
- Install (Compile)
- CMD
  jk_init
  jk_cp
  jk_jailuser
  jk_list
  jk_check
  jk_update
  jk_socketd - provides logging
  ------------
  jk_chrootsh - Shell
  jk_lsh - Shell - Example: Chroot SSH
- Creating an sftp/scp-only shell in a chroot jail
- Passing logs to the real system
- Notes
Install
Method 1: CentOS 6
* Compiling by hand is not hard either; Method 2 is recommended
# from repoforge (EPEL does not carry jailkit!)
yum install jailkit
Method 2: Compile by hand
yum groupinstall "Development Tools"
wget http://olivier.sessink.nl/jailkit/jailkit-2.19.tar.gz
tar -zxf jailkit-2.19.tar.gz
cd jailkit-2.19
./configure --prefix=/usr --sysconfdir=/etc
make && make install
CMD
jk_init - a utility to quickly create functional jail directories
jk_init -j jail section
- jail = folder
- section = service
Section configuration:
/etc/jailkit/jk_init.ini
[jk_lsh]
comment = Jailkit limited shell
paths = /usr/sbin/jk_lsh, /etc/jailkit/jk_lsh.ini
users = root
groups = root
need_logsocket = 1
includesections = uidbasics
[sftp]
comment = ssh secure ftp with Jailkit limited shell
paths = /usr/lib/sftp-server
includesections = netbasics, uidbasics
devices = /dev/urandom, /dev/null
emptydirs = /svr
....
Opts:
-f, --force # Force overwriting of existing files
-v, --verbose # Will give verbose output
-l, --list # List available sections in the config file
# jk_init -l (excerpt)
...
rsync
scp - ssh secure copy
sftp - ssh secure ftp
ssh - ssh secure shell
...
e.g.
jk_init -j /home/chroot_ssh ssh
tree -L 2 /home/chroot_ssh
/home/chroot_ssh
├── dev
│   ├── null
│   ├── tty
│   └── urandom
├── etc
│   ├── group
│   ├── host.conf
│   ├── hosts
│   ├── ld.so.cache
│   ├── ld.so.conf
│   ├── nsswitch.conf
│   ├── passwd
│   ├── protocols
│   ├── resolv.conf
│   └── services
├── lib64 -> usr/lib64
└── usr
    ├── bin
    └── lib64
jk_cp - a utility to copy files including permissions and libraries into a jail
usage:
jk_cp -j jail source
* It will remove any set user id (setuid) or set group id (setgid) permissions
-f --force Force overwriting of existing files
-v --verbose Will give verbose output
jk_jailuser - a utility to put an existing user in a jail
- changes the shell of the existing user <username> to jk_chrootsh
- changes the home directory to <jail>/./<previous-home-directory>
- adds the user to <jail>/etc/passwd
Usage
# -j  the jail must already exist and contain at least <jail>/etc/passwd
jk_jailuser -j <directory> <username>
# To change the user's shell inside the jail afterwards (or pass -s when jailing),
# copy usermod into the jail and run it chrooted: this edits <jail>/etc/passwd, not the real /etc/passwd
jk_cp -v -f /home/ssh_chroot /usr/sbin/usermod
chroot /home/ssh_chroot
usermod -s /bin/bash tim
jk_list - a utility to list all processes in a chroot jail
-w Show wide listing
output
Pid    User        Jail            Command
25322  demo_video  /home/sftproot  /home/sftproot/usr/libexec/openssh/sftp-server
jk_check - a utility that checks a jail for security problems
- tests for setuid (set user id) or setgid (set group id) files
- tests for file modifications, using an MD5 checksum of the file in the jail and the same file in the real root
- tests for group-writable or world-writable directories
- tests for matching user information in the jail and on the real system
Usage:
jk_check jail
Config file:
/etc/jailkit/jk_check.ini
# Minimal configfile
[/home/ssh_chroot]
ignorepathoncompare = /home/ssh_chroot/home, /home/ssh_chroot/etc
ignorepathoncompare
files in the listed directories are not compared with their non-jail counterparts.
Useful for directories like /etc/ and /home/, where you know the files inside the jail
differ from those outside (the jail's own passwd, group, and user data).
e.g.
jk_check
ERROR: user tim has a /./ but does not have the /usr/sbin/jk_chrootsh shell
(the /./ marker in the home directory only does anything when the login shell is jk_chrootsh;
fix with jk_jailuser, or usermod -s /usr/sbin/jk_chrootsh tim on the real system)
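The four jk_check tests, re-done in plain sh so the same audit can be scripted where jailkit is not installed. This is an added example, not jailkit's own code: jk_check compares MD5 checksums, this compares md5sum of the file contents; the directories given after ROOT play the role of ignorepathoncompare; ROOT is / on a live system and is a parameter only so the script can be tried against a staged copy.

```shell
#!/bin/sh
# Added example, not jailkit's own code: the four jk_check tests in plain sh.
# ROOT is / on a live system; it is a parameter only so the script can be run
# against a staged copy. Directories after ROOT are skipped in the content
# comparison, like ignorepathoncompare in jk_check.ini.
# Usage: sh jail-audit.sh /home/ssh_chroot / /etc /home

# 1. setuid/setgid files (jk_cp strips these bits, so any hit was planted later)
find_setid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
}

# 2. group- or world-writable directories
find_writable_dirs() {
    find "$1" -xdev -type d \( -perm -0020 -o -perm -0002 \) 2>/dev/null
}

# 3. files whose content differs from the counterpart outside the jail
find_modified() {
    jail=$1; root=$2; shift 2
    find "$jail" -xdev -type f 2>/dev/null | while IFS= read -r f; do
        rel=${f#"$jail"}; skip=0
        for ig in "$@"; do
            case "$rel" in "$ig"|"$ig"/*) skip=1 ;; esac
        done
        if [ "$skip" -eq 0 ] && [ -f "$root$rel" ]; then
            [ "$(md5sum < "$f")" = "$(md5sum < "$root$rel")" ] || printf '%s\n' "$rel"
        fi
    done
}

# 4. users in <jail>/etc/passwd whose uid:gid differ from the real system
find_user_mismatch() {
    jail=$1; root=$2
    while IFS=: read -r name _ uid gid _; do
        real=$(awk -F: -v n="$name" '$1 == n { print $3 ":" $4 }' "$root/etc/passwd")
        if [ -z "$real" ]; then echo "$name: not on the real system"
        elif [ "$real" != "$uid:$gid" ]; then echo "$name: jail $uid:$gid, real $real"
        fi
    done < "$jail/etc/passwd"
}

# Print all findings; status 0 only when the jail is clean.
audit_jail() {
    jail=$1; root=$2; shift 2
    report=$( {
        find_setid "$jail"                   | sed 's/^/SETID:    /'
        find_writable_dirs "$jail"           | sed 's/^/WRITABLE: /'
        find_modified "$jail" "$root" "$@"   | sed 's/^/MODIFIED: /'
        find_user_mismatch "$jail" "$root"   | sed 's/^/USER:     /'
    } )
    if [ -z "$report" ]; then return 0; fi
    printf '%s\n' "$report"
    return 1
}

if [ $# -ge 2 ]; then audit_jail "$@"; fi
```

Run it from cron and alert on a non-zero exit; a jail that was clean after jk_init should stay clean, so any line it prints is worth a look.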
jk_update - a utility to update and cleanup a jail according to changes on the real system
* do a dry run first (-d) to avoid unwanted updates or files being deleted
jk_update -j <jail>
jk_update -c <section of configfile>
opts:
-d --dry-run
-s <file to skip>
/etc/jailkit/jk_update.ini
[/home/testchroot]
skips = /usr/bin/myscript
hardlinks = 1
directories = /usr, /bin, /lib
jk_chrootsh - a shell that puts the user inside a changed root
* used as the login shell of a user
* that user is put into a changed root (chroot)
* inside the chroot-ed directory it looks for /etc/passwd and executes the shell for the user from that file
* installed setuid root, because chroot() needs privilege; on systems that support it the CAP_SYS_CHROOT capability can be used instead (no setuid bit). It drops to the user's uid/gid after the chroot().
/etc/passwd (real system)
test:x:10000:10000::/home/testchroot/./home/test:/usr/sbin/jk_chrootsh
Inside the chroot-ed directory (<jail>/etc/passwd)
test:x:10000:10000::/home/test:/usr/sbin/jk_lsh
* everything before /./ is the jail root, everything after it is the home directory as seen from inside the jail
/etc/jailkit/jk_chrootsh.ini
# configured not to read the final shell from the /etc/passwd file in the jail
[group jail2]
skip_injail_passwd_check=1
injail_shell=/bin/bash
Folder owner, group & permissions
log
Oct 24 18:07:53 myid jk_chrootsh[19286]: abort, path /home/sftproot/./home/demo_video does not have group owner 500, set option 'relax_home_group' to relax this check
By default jk_chrootsh requires the home directory to have the user's primary group as its group,
and requires the home directory to be non-writable for group and others; otherwise the login is
aborted with a line like the one above in syslog.
Relaxing all of the checks (each option only loosens the one check it names; keep the defaults
unless a shared home directory really needs it):
/etc/jailkit/jk_chrootsh.ini
[DEFAULT]
relax_home_owner=1
relax_home_group=1
relax_home_group_permissions=1
relax_home_other_permissions=1
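To see which of these checks a login trips without waiting for the syslog line, the sequence jk_chrootsh goes through can be reproduced in sh. This is an added example, not jailkit's code; it assumes the /./ convention from jk_jailuser, the strict defaults above, and that jk_chrootsh also checks the directory owner (which the relax_home_owner option implies). The ROOT argument exists only so the check can be run against a staged copy of the real passwd file.

```shell
#!/bin/sh
# Added example, not jailkit code: reproduce what jk_chrootsh verifies before it
# chroot()s a user, so an "abort, ..." line in syslog can be diagnosed by hand.
# Assumes the jk_jailuser /./ convention, the strict jk_chrootsh.ini defaults
# (no relax_home_* options) and GNU/busybox stat. Usage: sh jk-precheck.sh <user>

# "<jail>/./<home>"  ->  "<jail> <home>" (fails when the /./ marker is missing)
split_jail_home() {
    case "$1" in
        */./*) printf '%s %s\n' "${1%%/./*}" "/${1#*/./}" ;;
        *) return 1 ;;
    esac
}

# uid:gid:home:shell of a user from a passwd file, or status 1 if absent
passwd_entry() {
    awk -F: -v n="$2" '$1 == n { print $3 ":" $4 ":" $6 ":" $7; found = 1 }
                       END { exit !found }' "$1"
}

# Returns 0 when the login would enter the jail; otherwise prints the reason
# (worded like jk_chrootsh's syslog messages) and returns 1.
# ROOT (default: the real system) lets the check run against a staged copy;
# the jail path inside that passwd file must still be absolute.
check_jailed_user() {
    user=$1; root=${2:-}
    entry=$(passwd_entry "$root/etc/passwd" "$user") ||
        { echo "abort, $user not in $root/etc/passwd"; return 1; }
    uid=${entry%%:*}; rest=${entry#*:}; gid=${rest%%:*}; rest=${rest#*:}
    home=${rest%%:*}; shell=${rest#*:}
    [ "$shell" = /usr/sbin/jk_chrootsh ] ||
        { echo "abort, $user has shell $shell, not /usr/sbin/jk_chrootsh"; return 1; }
    parts=$(split_jail_home "$home") ||
        { echo "abort, home $home has no /./ marker"; return 1; }
    jail=${parts%% *}; inhome=${parts#* }
    injail=$(passwd_entry "$jail/etc/passwd" "$user") ||
        { echo "abort, $user missing from $jail/etc/passwd"; return 1; }
    [ "${injail%%:*}" = "$uid" ] ||
        { echo "abort, uid ${injail%%:*} inside the jail differs from $uid"; return 1; }
    dir=$jail$inhome
    [ -d "$dir" ] || { echo "abort, home $dir does not exist"; return 1; }
    set -- $(stat -c '%u %g %a' "$dir")           # owner gid mode
    [ "$1" = "$uid" ] ||
        { echo "abort, path $dir does not have owner $uid, set option 'relax_home_owner' to relax this check"; return 1; }
    [ "$2" = "$gid" ] ||
        { echo "abort, path $dir does not have group owner $gid, set option 'relax_home_group' to relax this check"; return 1; }
    # last two octal digits: group and other permission bits; 2,3,6,7 carry the write bit
    mode=$3; other=${mode#"${mode%?}"}; grp=${mode%?}; grp=${grp#"${grp%?}"}
    case "$grp" in 2|3|6|7)
        echo "abort, path $dir is group writable, set option 'relax_home_group_permissions' to relax this check"; return 1 ;;
    esac
    case "$other" in 2|3|6|7)
        echo "abort, path $dir is world writable, set option 'relax_home_other_permissions' to relax this check"; return 1 ;;
    esac
    echo "ok, $user ($uid) enters jail $jail, home $inhome, shell ${injail##*:}"
}

if [ $# -ge 1 ]; then check_jailed_user "$@"; fi
```

The checks run in the same order the real login fails in, so the first message printed is the one to fix; only then loosen a relax_home_* option if the layout genuinely requires it.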
jk_lsh - a shell that limits the binaries it will execute
* jk_lsh is not an interactive shell
* used to make rsync-, cvs-, sftp- or scp-only accounts
# make sure jk_lsh.ini is present inside that chroot jail
/etc/jailkit/jk_lsh.ini
[DEFAULT]
executables = /usr/bin/scp, /usr/lib/sftp-server, /usr/bin/rsync
paths = /usr/bin/, /usr/lib
allow_word_expansion = 1
[test]
executables = /usr/bin/scp, /usr/lib/sftp-server
paths = /usr/bin/, /usr/lib
allow_word_expansion = 0
umask = 002
[group test]
executables = /usr/bin/rsync
paths = /usr/bin/
allow_word_expansion = 1
environment=TERM=linux,FOO=bar
* A section for a user takes precedence over a section for a group: if user test has primary group test, the [test] section applies and he cannot execute rsync in the above example.
opts
allow_word_expansion=1
allows shell word expansion on the command line (*, ?, ~, $), e.g. *.txt; with 0 the arguments are passed as given. Leave it at 0 unless the client really needs globbing.
Example: Chroot SSH
# create the ssh chroot jail in /home/vhosts
jk_init -v -j /home/vhosts ssh
Result:
folders created inside /home/vhosts: dev etc lib usr
# bash in the chroot jail
jk_cp -v -f /home/vhosts /bin/bash
* after ssh-ing in the user has only bash; not even ls, cp, mv, rm (copy each one in with jk_cp as needed)
# lock the user into the jail
# -j --jail=jail    This jail should exist, and should have at least <jail>/etc/passwd
# -s --shell=shell  The shell to use inside the jail. Defaults to /usr/sbin/jk_lsh
jk_jailuser -j /home/vhosts -s /bin/bash myusername
Result:
# grep myusername /etc/passwd
myusername:x:3414:3414::/home/vhosts/./home/myusername:/usr/sbin/jk_chrootsh
# grep myusername /home/vhosts/etc/passwd
# the jail's copy keeps the original home (as seen from inside the jail) and the shell given with -s
myusername:x:3414:3414::/home/myusername:/bin/bash
# test
ssh myusername@server
# logging (jk_socketd) configuration
/etc/jailkit/jk_socketd.ini
[/home/vhosts/dev/log]
base = 1024
peak = 10240
interval = 2
Example: Creating an sftp/scp-only shell in a chroot jail
[1] copy scp, sftp and jk_lsh into the jail
# first check that jk_init.ini is correct for your system: the stock [sftp] section points at
# /usr/lib/sftp-server, but on CentOS the binary is /usr/libexec/openssh/sftp-server, so fix the
# paths line there or jk_init copies nothing for sftp
File (CentOS 6): /etc/jailkit/jk_init.ini
# assume the jail is /home/sftproot
mkdir /home/sftproot
# sftp, scp, limited shell
jk_init -v -j /home/sftproot sftp scp jk_lsh
[2] create the chroot user
useradd demo_video
Result:
# /etc/passwd: demo_video:x:500:500::/home/demo_video:/bin/bash
jk_jailuser -m -j /home/sftproot demo_video
-m, --move
Move the contents of the home directory inside the jail.
In interactive mode, jk_jailuser asks whether the directory should be moved if that is necessary.
In non-interactive mode this option is disabled by default.
Result:
# /etc/passwd:
demo_video:x:500:500::/home/sftproot/./home/demo_video:/usr/sbin/jk_chrootsh
# /home/sftproot/etc/passwd:
demo_video:x:500:500::/home/demo_video:/usr/sbin/jk_lsh
[3] configure jk_lsh
/home/sftproot/etc/jailkit/jk_lsh.ini
[DEFAULT]
paths = /usr/bin, /usr/lib/
executables = /usr/bin/scp, /usr/libexec/openssh/sftp-server
allow_word_expansion = 1
[4] Testing
log of a successful sftp login: /var/log/messages
Oct 24 17:57:23 myserver jk_chrootsh[19175]: now entering jail /home/sftproot for user demo_video (500) with arguments -c /usr/libexec/openssh/sftp-server
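Steps [1] to [4] as one script, with a verify function that checks the jail holds everything jk_chrootsh and jk_lsh will need before the first login. This is an added example, not from the jailkit project; it assumes CentOS paths (sftp-server under /usr/libexec/openssh) and that the jailkit tools are installed. The third argument of verify_sftp_jail exists only so it can be tested against a copy of /etc/passwd.

```shell
#!/bin/sh
# Added example, not jailkit's own code: the sftp/scp-only jail, steps [1]-[4],
# as one script plus a pre-login check of the jail.
# Assumes CentOS paths (sftp-server in /usr/libexec/openssh) and that jk_init,
# jk_jailuser and useradd are available. Jail path and user name are parameters.
# Usage: sudo sh build-sftp-jail.sh /home/sftproot demo_video
set -e

# <jail>/etc/jailkit/jk_lsh.ini: the only binaries the jailed user may run.
lsh_ini() {
    cat <<'EOF'
[DEFAULT]
paths = /usr/bin, /usr/lib/
executables = /usr/bin/scp, /usr/libexec/openssh/sftp-server
allow_word_expansion = 1
EOF
}

# Verify the jail before the first login. PASSWD (default /etc/passwd) is the
# real system's passwd file; a copy can be passed for testing.
verify_sftp_jail() {
    jail=$1; user=$2; passwd=${3:-/etc/passwd}; rc=0
    for f in /etc/passwd /etc/group /etc/jailkit/jk_lsh.ini /usr/sbin/jk_lsh \
             /usr/libexec/openssh/sftp-server /usr/bin/scp /dev/null /dev/urandom; do
        [ -e "$jail$f" ] || { echo "missing: $jail$f"; rc=1; }
    done
    grep -q "^$user:.*:/usr/sbin/jk_lsh\$" "$jail/etc/passwd" ||
        { echo "$user is not in $jail/etc/passwd with shell jk_lsh"; rc=1; }
    grep -q "^$user:.*:$jail/[.]/home/$user:/usr/sbin/jk_chrootsh\$" "$passwd" ||
        { echo "$user is not jailed in $passwd (expected home $jail/./home/$user, shell jk_chrootsh)"; rc=1; }
    return $rc
}

build_sftp_jail() {
    jail=$1; user=$2
    mkdir -p "$jail"
    jk_init -v -j "$jail" sftp scp jk_lsh            # [1] binaries, libraries, /dev nodes
    id "$user" >/dev/null 2>&1 || useradd "$user"    # [2] the account ...
    jk_jailuser -m -j "$jail" "$user"                #     ... moved into the jail
    mkdir -p "$jail/etc/jailkit"                     # [3] restrict jk_lsh to scp and sftp-server
    lsh_ini > "$jail/etc/jailkit/jk_lsh.ini"
    verify_sftp_jail "$jail" "$user"                 # [4] then: sftp user@server
}

if [ $# -eq 2 ]; then build_sftp_jail "$1" "$2"; fi
```

verify_sftp_jail can be re-run on its own after a jk_update or a package upgrade on the host, since those are the moments the jail's copy of sftp-server or scp tends to go missing.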
P.S.
After jailing, ssh only works for WinSCP's sftp mode (scp cannot be used)
Passing logs to the real system
Method 1 - rsyslog socket
create an extra syslog socket inside the chroot directory
# CentOS 7
/etc/sysconfig/rsyslog
SYSLOGD_OPTIONS="-a /srv/sftpjail/dev/log"
# the -a switch is deprecated and gone from newer rsyslog versions; the equivalent is an
# imuxsock directive in rsyslog.conf:  $AddUnixListenSocket /srv/sftpjail/dev/log
Method 2 - jk_socketd
jk_socketd - a daemon to create a rate-limited /dev/log socket inside a chroot
config: /etc/jailkit/jk_socketd.ini
[/srv/sftpjail/dev/log]
base = 1024
peak = 10240
interval = 2
# base: bytes allowed through per interval seconds
# peak: only if in the previous interval the number of bytes was lower than base,
#       peak number of bytes is allowed (a short burst)
Usage
killall jk_socketd ; jk_socketd
Debug
-n --nodetach    do not detach from the terminal and print debugging output
Notes
[1] Give access to files outside the jail
mount -o bind /srv/data /srv/userjail/srv/data
* Symlinks in the jail do not work for this: once the process is chroot()ed an absolute link target is resolved against the jail root, so a link to /srv/data inside the jail ends up at /srv/userjail/srv/data, not at the real /srv/data. Bind-mount instead, and put the mount in /etc/fstab (/srv/data /srv/userjail/srv/data none bind 0 0) so it survives a reboot.
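A check for exactly this problem: walk the jail for symlinks whose target will not resolve from inside the chroot, and report them so they can be replaced by a jk_cp copy or a bind mount. This is an added example, not jailkit code; bind_into_jail is the mount from the note above wrapped in a function, and readlink -f is assumed to be the GNU/busybox one.

```shell
#!/bin/sh
# Added example, not jailkit code: find symlinks that will not resolve once a
# process is chroot()ed into the jail. Inside the chroot the kernel resolves an
# absolute link target against the jail root, and ".." cannot climb above it,
# so such links need a copy (jk_cp) or a bind mount instead.
# Assumes GNU/busybox readlink -f. Usage: sh jail-links.sh /srv/userjail

# Where a link's target lands when resolved from inside the jail.
resolve_in_jail() {
    jail=$1; link=$2; target=$(readlink "$link")
    case "$target" in
        /*) printf '%s\n' "$jail$target" ;;                # absolute: jail root is prepended
        *)  printf '%s\n' "$(dirname "$link")/$target" ;;  # relative: as on the host
    esac
}

# Print DANGLING/ESCAPES lines for problem links; status 1 if any were found.
check_jail_symlinks() {
    jail=$(readlink -f "$1")
    out=$(find "$jail" -xdev -type l | while IFS= read -r l; do
        inside=$(resolve_in_jail "$jail" "$l")
        if real=$(readlink -f "$inside" 2>/dev/null) && [ -e "$real" ]; then
            case "$real" in
                "$jail"/*) ;;    # resolves to a file that exists in the jail: fine
                *) printf 'ESCAPES: %s -> %s (target outside the jail tree)\n' "${l#"$jail"}" "$(readlink "$l")" ;;
            esac
        else
            printf 'DANGLING: %s -> %s (no such file inside the jail)\n' "${l#"$jail"}" "$(readlink "$l")"
        fi
    done)
    if [ -z "$out" ]; then return 0; fi
    printf '%s\n' "$out"
    return 1
}

# Make a host directory visible at the same path inside the jail (root only).
bind_into_jail() {
    jail=$1; dir=$2
    mkdir -p "$jail$dir"
    mount -o bind "$dir" "$jail$dir"
}

if [ $# -ge 1 ]; then check_jail_symlinks "$1"; fi
```

A DANGLING entry is the symptom described in the note (the link looked fine on the host); an ESCAPES entry is a relative link that climbs out of the jail tree, which inside the chroot silently resolves to something else.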