Chroot SSH
February 5, 2021 — 0:19

Author: silver  Category: linux  Comments: Off

Example of a minimal config that allows "luser" to execute only "bash" and "ls" in their home directory after logging in via SSH (Debian/Ubuntu).

Of course there are other ways to accomplish this, such as Linux namespaces/cgroups, sandboxes such as bubblewrap or firejail, containers (gVisor) or microVMs.

/etc/passwd:

luser:x:1003:1003::/app:/bin/bash

/etc/group:

prison:x:1004:luser

/etc/ssh/sshd_config:

# Optional: do not chroot source ip range 43.21.*
# Match User luser Address 43.21.*
#   ChrootDirectory none

Match User luser
  ChrootDirectory /home/luser/jail

AllowUsers [email protected]

homedir:

drwxr-xr-x     root     root     /home/luser/
drwxr-x---     root   prison     /home/luser/jail

drwxr-xr-x     root     root     /home/luser/jail/etc
drwxr-xr-x     root     root     /home/luser/jail/bin
drwxr-xr-x     root     root     /home/luser/jail/dev
drwxr-xr-x     root     root     /home/luser/jail/lib
drwxr-xr-x     root     root     /home/luser/jail/lib64
drwxr-xr-x     root     root     /home/luser/jail/usr

drwxr-x---     luser    luser    /home/luser/jail/app

lrwxrwxrwx     root     root     /app -> /home/luser/jail/app

dev (mknod):

crw-r--r--   1 root     root       5,   0   /home/luser/jail/dev/tty
crw-r--r--   1 root     root       1,   8   /home/luser/jail/dev/random
crw-r--r--   1 root     root       1,   5   /home/luser/jail/dev/zero
crw-r--r--   1 root     root       1,   3   /home/luser/jail/dev/null

etc files:

-rw-r--r--   1 root     root    /home/luser/jail/etc/passwd (copy from /etc)
-rw-r--r--   1 root     root    /home/luser/jail/etc/group  (copy from /etc)

bin files:

drwxr-xr-x   2 root     root    /home/luser/jail/bin
-rwxr-xr-x   1 root     root    /home/luser/jail/bin/bash
-rwxr-xr-x   1 root     root    /home/luser/jail/bin/ls

lib files:

-rwxr-xr-x  root     root       /home/luser/jail/lib/x86_64-linux-gnu/libpthread.so.0
-rw-r--r--  root     root       /home/luser/jail/lib/x86_64-linux-gnu/libtinfo.so.6
-rw-r--r--  root     root       /home/luser/jail/lib/x86_64-linux-gnu/libdl.so.2
-rw-r--r--  root     root       /home/luser/jail/lib/x86_64-linux-gnu/libpcre.so.3
-rwxr-xr-x  root     root       /home/luser/jail/lib/x86_64-linux-gnu/libc.so.6
-rw-r--r--  root     root       /home/luser/jail/lib/x86_64-linux-gnu/libselinux.so.1
-rw-r--r--  root     root       /home/luser/jail/lib/x86_64-linux-gnu/libnss_files.so.2
drwxr-xr-x  root     root       /home/luser/jail/lib/terminfo

lib64 files:

-rwxr-xr-x   root     root       /home/luser/jail/lib64/ld-linux-x86-64.so.2

usr/bin files:

drwxr-xr-x   root     root       /home/luser/jail/usr/bin
-rwxr-xr-x   root     root       /home/luser/jail/usr/bin/dircolors
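The layout above as a build script, added here as an example and not part of the original post. It assumes the jail path, user and group are passed in, that ldd and cp -L are available on the host, and that the mknod/chown steps are run as root (the copy helper itself works unprivileged).

```shell
#!/bin/sh
# Hypothetical helper (not from the post): builds the jail described above by
# copying each allowed binary plus the libraries ldd reports, creating the
# device nodes with mknod and copying passwd/group into the jail.
set -eu

# Copy one binary and every shared object it depends on into $jail,
# keeping the host path layout (e.g. /lib/x86_64-linux-gnu/libc.so.6).
jail_copy_bin() {
    jail=$1; bin=$2
    mkdir -p "$jail$(dirname "$bin")"
    cp -L "$bin" "$jail$bin"
    # ldd prints "libc.so.6 => /lib/... (0x..)" and "/lib64/ld-linux... (0x..)";
    # keep every field that is an absolute path. A static binary yields nothing.
    for lib in $(ldd "$bin" 2>/dev/null | awk '{for (i = 1; i <= NF; i++) if ($i ~ /^\//) print $i}'); do
        mkdir -p "$jail$(dirname "$lib")"
        cp -L "$lib" "$jail$lib"   # -L: copy the real file, not the symlink
    done
}

# Create the four character devices the post lists (needs root for mknod).
jail_make_devs() {
    jail=$1
    mkdir -p "$jail/dev"
    for spec in "tty 5 0" "random 1 8" "zero 1 5" "null 1 3"; do
        set -- $spec   # name major minor
        [ -e "$jail/dev/$1" ] || mknod -m 644 "$jail/dev/$1" c "$2" "$3"
    done
}

# Build the whole layout: jail_build /home/luser/jail luser prison (as root).
jail_build() {
    jail=$1; user=$2; group=$3
    for b in /bin/bash /bin/ls /usr/bin/dircolors; do jail_copy_bin "$jail" "$b"; done
    mkdir -p "$jail/etc" "$jail/app" "$jail/lib"
    cp /etc/passwd /etc/group "$jail/etc/"
    if [ -d /lib/terminfo ]; then cp -r /lib/terminfo "$jail/lib/"; fi  # for libtinfo
    jail_make_devs "$jail"
    chown "root:$group" "$jail"       # sshd requires a root-owned chroot dir ...
    chmod 750 "$jail"                 # ... that is not group- or world-writable
    chown "$user:$user" "$jail/app"
    chmod 750 "$jail/app"
}
```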
