Simple & easy way to jail users
I need a simple and easy way to jail users in their home directories in Oneiric. Do you have a simple configuration for jailing users, with full help, or some good web links?
I would be offering an online free public server with 10 to 20 GB free space. I don't know how many users. I want to give them SSH and SFTP so that they can connect through FileZilla.
Solution 1:
Jailkit is a set of utilities that can limit user accounts to a specific directory tree and to specific commands. Setting up a jail is much easier using the Jailkit utilities that doing so 'by hand'. A jail is a directory tree that you create within your file system; the user cannot see any directories or files that are outside the jail directory. The user is jailed in that directory and it subdirectories.
Download & Install:
http://olivier.sessink.nl/jailkit/index.html#download
VERSION=2.20 # from November 2018
cd /tmp
wget https://olivier.sessink.nl/jailkit/jailkit-$VERSION.tar.gz
tar -zxvf jailkit-$VERSION.tar.gz
cd jailkit-$VERSION/
./configure
make
su -
make install
Setting up the jail
Now it’s time to set up the jail directory. Jailed users will see this directory as the root directory of the server. I chose to use /home/jail:
mkdir /home/jail
chown root:root /home/jail
jk_init can be used to quickly create a jail with several files or directories needed for a specific task or profile, (click on it & read full detail ).
jk_init -v /home/jail basicshell
jk_init -v /home/jail netutils
jk_init -v /home/jail ssh
jk_init -v /home/jail jk_lsh
Add a user
Add a new user with a home directory and bash shell, and set the password:
useradd -d /home/jailtest -m jailtest -s /bin/bash
passwd jailtest
Now it’s time to jail this user
use the following command:
jk_jailuser -m -j /home/jail jailtest
Your /etc/passwd
should contain something like this now:
jailtest:x:1001:1001::/home/jail/./home/jailtest:/usr/sbin/jk_chrootsh
Enable bash
By using jk_cp the bash libraries are copied to the jail:
jk_cp -v -f /home/jail /bin/bash
Edit /home/jail/etc/passwd
replace this line:
jailtest:x:1001:1001::test:/usr/sbin/jk_lsh
with this:
jailtest:x:1001:1001::/home/jailtest:/bin/bash
Maintenance
By using jk_update
updates on the real system can be updated in the jail.
A dry-run will show what’s going on:
jk_update -j /home/jail -d
Without the -d argument the real update is performed. More maintenance operations can be found here.
(In case /home/jail/opt
is missing, create it with mkdir -p /home/jail/opt/
And run jk_update -j /home/jail
again)
Give access to other directories
You can mount special folders, that the jail user may acces now. E.g.:
mount --bind /media/$USER/Data/ /home/jail/home/jailtest/test/
Help Taken
http://olivier.sessink.nl/jailkit/howtos_chroot_shell.html
http://olivier.sessink.nl/jailkit/index.html#intro ( a very good help )
This one also
This is been checked & verified , Working Properly
Solution 2:
You can not confine them to /home as they need access to the system binaries and bash and configuration files in /etc
IMO the easiest method of securing users is to use apparmor.
You make a hard link
ln /bin/bash /usr/local/bin/jailbash
You add jailbash to /etc/shells
You then assign jailbash to the users shell, and then write an apparmor profile for jailbash allowing minimal access.
sudo chsh -s /usr/local/bin/jailbash user_to_confine
You will have to write an apparmor profile yourself, but I have a profile you could potentially start with
http://bodhizazen.com/aa-profiles/bodhizazen/ubuntu-10.04/usr.local.bin.jailbash