How to set up a chroot jail for rssh. The hard part wasn't getting the chroot jail to work properly; instead, it was the configuration file (rssh.conf) that threw me off. Here's hoping that someone won't have the same problems as I did.

Obviously, this is written for Slackware (9.1). I'm running rssh 2.1.1.

Why?

I wanted to fence off some users who only needed to access a virtual apache server (to upload files) because un-chroot'ed sftp allows them to see the entire system (which may be confusing to them). The other option was WebDAV, but I chose to go this route maybe because I like ssh better.

These users were configured such that they only had access to the section of the virtual server that they needed to see. They do not need shell access, hence rssh, but sftp and scp are both allowed.

Howto

Setting up chroot jails for rssh is actually not too difficult. Here are the steps that I took. Before you start, you may want to do some background reading at the rssh homepage, and this other page that I found with a nice summary of what to do. I based my setup on that.

There are two major steps to setting up rssh chroot jails: setting up a chroot environment, and configuring rssh to use the chroot environment.

Finally, finish off by modifying httpd.conf to point the virtual server to a location inside the jail. Since Apache isn't run inside the jail, it doesn't even know that the jail exists. Everything looks like the normal file system to it.

setting up the chroot environment

Setting up a chroot environment is supposed to be difficult. It used to involve quite a bit of repetitive work with ldd to determine file dependencies, but not anymore: Jail Chroot Project makes it quite easy. Obviously, this isn't perfect software, but it works very nicely if you don't do anything stupid with it.

First, download and install the Jail Chroot Project files (as of this writing, version 1.9a was out, but it gave me problems, so I went back to version 1.9), then set up the chroot environment. The following are the commands that I used.

From my /home directory (and as root), but it can really be anywhere:

  • mkjailenv chroot_jail
  • addjailsw chroot_jail -P rssh
  • addjailsw chroot_jail -P scp
  • addjailsw chroot_jail -P sftp-server
  • cp /etc/passwd chroot_jail/etc
  • cp /etc/group chroot_jail/etc

Technically, you can get away with using modified versions of passwd and group, but I didn't do so because I didn't really care that the chroot environment knew about the existence of other users in the system. They can't get to them anyway. The passwd and group files are only necessary to map numerical ids from the file system to the correct user and group names.

Next, create proper home directories for the jailed users inside chroot_jail.

Finally, edit /etc/passwd so that the jailed users have their home directory set to a path inside the chroot_jail directory and their shell set to rssh. For example:

jail_user1:x:1000:100:jailed user,,,:/home/chroot_jail/home/user1:/usr/bin/rssh
jail_user2:x:1000:100:jailed user,,,:/home/chroot_jail/home/user2:/usr/bin/rssh

Of course, you'll have to change the user and group number (1000 and 100) to match the real users in your system. Also, rssh might be somewhere else too.

configuring rssh

Configuring rssh is now easy because the chroot jail is set up. The following are example configuration lines from my rssh.conf:

user=jail_user1:022:11:/home/chroot_jail
user=jail_user2:022:11:/home/chroot_jail

The 022 is the umask. Since my users use WinSCP (WinSCP's scp doesn't work with rssh, but sftp does), it really doesn't make a difference what this is. The 11 that follows allows jail_user1 to use both scp and sftp. /home/chroot_jail is the location of the chroot jail. Notice that both jail_user1 and jail_user2 are set to /home/chroot_jail. This way, they share a jail environment and can interact inside the jail (given proper permissions).

At first, I thought that the last argument wasn't just the location of the chroot_jail, but it also needed the path to the chroot program too, so I had "/usr/bin/chroot /home/chroot_jail" there for the longest time (which didn't work). This was because the example per-user line looked like this:

#user=rudy:011:11:"/usr/local/chroot dir" # both with chroot

In the example, the chroot jail directory has a space in it. That's why it's quoted. I thought at first that they were actually two separate arguments since the entire line can be quoted.

Note that you can still use per-user chroot jails (which is what I did) without making everyone use chroot jails. Setting the chrootpath variable in rssh.conf is what puts every user in a jail; the per-user lines apply only to the users they name.
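
The quoting mistake described above and the /etc/passwd edits can be checked together before anyone tries to log in. The following is an added example, not part of the original post or of rssh: a small Python check that parses per-user lines in the four-field form shown here and compares them with passwd entries. The function names and both sample files are constructed for illustration, and the rule that the home directory must sit under the chroot path is the layout this post uses.

```python
import posixpath
import shlex

# Constructed sample input, modelled on the lines shown in this post.
RSSH_CONF = '''\
# per-user lines: user=name:umask:access:chroot_path
user=jail_user1:022:11:/home/chroot_jail
user=jail_user2:022:11:"/usr/bin/chroot /home/chroot_jail"
user=rudy:011:11:"/usr/local/chroot dir" # both with chroot
'''
PASSWD = '''\
jail_user1:x:1000:100:jailed user,,,:/home/chroot_jail/home/user1:/usr/bin/rssh
jail_user2:x:1001:100:jailed user,,,:/home/chroot_jail/home/user2:/usr/bin/rssh
rudy:x:1002:100:,,,:/home/rudy:/bin/bash
'''

def parse_user_lines(conf):
    """Return {name: (umask, access, chroot_path)} from per-user lines."""
    users = {}
    for line in conf.splitlines():
        key, sep, value = line.strip().partition("=")
        if key.strip() != "user" or not sep:
            continue  # blank line, comment, or some other keyword
        # shlex strips the quotes and the trailing comment; a quoted path
        # containing a space stays inside a single token.
        tokens = shlex.split(value, comments=True)
        if len(tokens) != 1:
            raise ValueError("unquoted whitespace in: " + line)
        name, umask, access, path = tokens[0].split(":", 3)
        users[name] = (umask, access, path)
    return users

def check(conf, passwd):
    """Return a list of problems found when comparing rssh.conf with passwd."""
    entries = {f[0]: f for f in (l.split(":") for l in passwd.splitlines() if l)}
    problems = []
    for name, (_umask, _access, jail) in parse_user_lines(conf).items():
        if not jail:
            continue  # no chroot configured for this user
        if name not in entries:
            problems.append(name + ": no passwd entry")
            continue
        home, shell = entries[name][5], entries[name][6]
        if posixpath.basename(shell) != "rssh":
            problems.append(name + ": login shell is not rssh")
        jail = posixpath.normpath(jail)
        if posixpath.commonpath([jail, posixpath.normpath(home)]) != jail:
            problems.append(name + ": home is outside chroot path '" + jail + "'")
    return problems

if __name__ == "__main__":
    print("\n".join(check(RSSH_CONF, PASSWD)) or "ok")
```

The jail_user2 line reproduces the "/usr/bin/chroot /home/chroot_jail" mistake: the whole quoted string is read as one directory name, so the home directory no longer falls under it and the check reports it.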