
Tuesday, 25 April 2017

RHEL6 - 30 - CHROOT JAIL (FTP/SFTP)


RHEL6-30-CHROOT JAIL (FTP/SFTP)

WHAT IS CHROOT-JAIL?

A chroot operation changes the apparent root directory for a running process and its children. It allows you to run a program with a root directory other than /. The program cannot see or access files outside the designated directory tree. Such an artificial root directory is called a chroot jail, and its purpose is to limit the directory access of a potential attacker. The chroot jail confines a given process, and any user ID it runs under, so that all it can see is the directory tree in which the process is running. To the process, the directory in which it is running appears to be the root directory. Note that chroot on its own is not a full security boundary for a process that still holds root privileges; it is effective here because the FTP/SFTP server drops to the unprivileged user after entering the jail.

CHROOT - FTP

[root@rhel6-test1 ~]# vim /etc/vsftpd/vsftpd.conf
chroot_local_user=YES

[root@rhel6-test1 ~]# service vsftpd restart
Shutting down vsftpd:                                      [  OK  ]
Starting vsftpd for vsftpd:                                [  OK  ]

C:\Users\HP>ftp 192.168.234.200
Connected to 192.168.234.200.
220 (vsFTPd 2.2.2)
User (192.168.234.200:(none)): raman
331 Please specify the password.
Password:
230 Login successful.
ftp> pwd
257 "/"
ftp> ls -ltr
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-rw-r--    1 501      501       9216000 Jan 12 06:19 f1
-rw-rw-r--    1 501      501       3072000 Jan 12 06:20 f2
-rw-rw-r--    1 501      501       3039232 Jan 12 06:20 f3
226 Directory send OK.
ftp: 180 bytes received in 0.00Seconds 180.00Kbytes/sec.
ftp> cd /
250 Directory successfully changed.
ftp> ls -ltr
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-rw-r--    1 501      501       9216000 Jan 12 06:19 f1
-rw-rw-r--    1 501      501       3072000 Jan 12 06:20 f2
-rw-rw-r--    1 501      501       3039232 Jan 12 06:20 f3
226 Directory send OK.
ftp: 180 bytes received in 0.00Seconds 60.00Kbytes/sec.
ftp> cd /etc
550 Failed to change directory.
ftp> cd /var
550 Failed to change directory.
ftp>


CHROOT - SFTP

[root@rhel6-test1 ~]# groupadd sshonly
[root@rhel6-test1 ~]# groupadd sftponly
[root@rhel6-test1 ~]# mkdir /chroot-test
[root@rhel6-test1 ~]# mkdir -p /chroot-test/users
[root@rhel6-test1 ~]# chmod -R 755 /chroot-test/users
[root@rhel6-test1 ~]# mkdir /chroot-test/users/testuser1
[root@rhel6-test1 ~]# useradd -d /chroot-test/users/testuser1 -M -g sftponly -s /bin/false testuser1
[root@rhel6-test1 ~]# passwd testuser1
[root@rhel6-test1 ~]# ls -ld /chroot-test/
drwxr-xr-x. 3 root root 4096 Apr 19 18:11 /chroot-test/

[root@rhel6-test1 ~]# ls -ld /chroot-test/users/
drwxr-xr-x. 5 root root 4096 Apr 19 18:12 /chroot-test/users/

[root@rhel6-test1 ~]# ls -ld /chroot-test/users/testuser1
drwxr-xr-x. 2 root root 4096 Apr 19 18:19 /chroot-test/users/testuser1


[root@rhel6-test1 ~]# vi /etc/ssh/sshd_config

#Subsystem      sftp    /usr/libexec/openssh/sftp-server
Subsystem sftp internal-sftp

Match Group sftponly
ChrootDirectory /chroot-test/users/%u
AllowTcpForwarding no
ForceCommand internal-sftp
X11Forwarding no

[root@rhel6-test1 ~]# service sshd restart
Stopping sshd:                                             [  OK  ]
Starting sshd:                                             [  OK  ]

TEST THE CONFIGURATION:

[root@rhel6-server ~]# sftp testuser1@192.168.234.200
Connecting to 192.168.234.200...
testuser1@192.168.234.200's password:
sftp> pwd
Remote working directory: /
sftp> cd /var
Couldn't canonicalise: No such file or directory
sftp> cd /
sftp> pwd
Remote working directory: /
sftp> ls -la
drwxr-xr-x    2 0        0            4096 Apr 19 12:49 .
drwxr-xr-x    2 0        0            4096 Apr 19 12:49 ..
-rw-------    1 503      504            48 Apr 19 12:52 .bash_history
sftp>

This works, but everything inside the jail is owned by root, so what use is it if “testuser1” cannot create or delete anything? The chroot directory itself has to remain root-owned and not writable by any other user or group (sshd refuses the chroot otherwise), so the user needs a writable subdirectory inside it.

Solution:

[root@rhel6-test1 ~]# mkdir /chroot-test/users/testuser1/userfolder

[root@rhel6-test1 ~]# ls -ld /chroot-test/users/testuser1/userfolder
drwxr-xr-x. 2 root root 4096 Apr 21 12:17 /chroot-test/users/testuser1/userfolder

[root@rhel6-test1 ~]# chown testuser1:sftponly /chroot-test/users/testuser1/userfolder

[root@rhel6-test1 ~]# su - testuser1
-bash-4.1$ ls -l
total 4
-rw-r--r--. 1 testuser1 sftponly    0 Apr 21 12:06 123
drwxr-xr-x. 2 testuser1 sftponly 4096 Apr 21 12:18 userfolder
-bash-4.1$ cd userfolder
-bash-4.1$ touch f1
-bash-4.1$ ls -l
total 4
-rw-r--r--. 1 testuser1 sftponly    0 Apr 21 12:20 f1
-rw-r--r--. 1 testuser1 sftponly 1670 Apr 21 12:18 passwd

Now the user can write inside the jail.

CHECK THE CONFIGURATION:

[root@rhel6-server ~]# sftp testuser1@192.168.234.200
Connecting to 192.168.234.200...
testuser1@192.168.234.200's password:
sftp> ls -l
-rw-r--r--    1 503      504             0 Apr 21 06:36 123
drwxr-xr-x    2 503      504          4096 Apr 21 06:50 userfolder
sftp> put /root/ifcfg-eth0:1 .
Uploading /root/ifcfg-eth0:1 to /./ifcfg-eth0:1
Couldn't get handle: Permission denied
sftp> cd userfolder
sftp> put /root/ifcfg-eth0:1 .
Uploading /root/ifcfg-eth0:1 to /userfolder/./ifcfg-eth0:1
/root/ifcfg-eth0:1                            100%  202     0.2KB/s   00:00
sftp> ls -l
-rw-r--r--    1 503      504             0 Apr 21 06:50 f1
-rw-r--r--    1 503      504           202 Apr 21 06:53 ifcfg-eth0:1
-rw-r--r--    1 503      504          1670 Apr 21 06:48 passwd
sftp>


