December 3, 2008, 8:01 am
Let’s say for example we want to chroot the user someuser to their home directory /home/someuser. You will need to edit /etc/proftpd.conf and add the lines below to the bottom of the file.
DefaultRoot /home/someuser someuser
Let’s quickly explain the line above. DefaultRoot is the parameter used by proftpd to enable the jail functionality. someuser is the primary group of all users being chrooted (by default this is the same as the username). /home/someuser is the directory where the user will be jailed.
Save the file and restart proftp.
sudo /etc/init.d/proftpd stop
sudo /etc/init.d/proftpd start
And you’re all done.
November 18, 2008, 8:15 am
This mini HowTo will describe in quick and clear steps how to enforce a chroot environment for regular user ftp sessions with the default ftp daemon that comes with the base system, and how to compile
ftpd with internal ls.
Continue reading ‘Chroot ftpd (mini)HOWTO on FreeBSD’ »
August 31, 2008, 12:55 pm
I had to set up a chrooted user account with scp-Access to let people upload files to a server in order not to let them browse the whole filesystem.
All the tutorials I found on the Internet described only the process of patching either the openssh-sources or installing a separate program to be used as a Shell.
So Wolfgang Fuschlberger wrote this Script which does all the work automatically to set up a working chroot-jail.
View the source
Download the file make_chroot_jail.sh.
Continue reading ‘Howto Setup a chroot jail for ssh with Linux’ »
June 5, 2008, 8:05 am
Irssi is a popular IRC client. Its a very popular client for small window managers like fluxbox. This short howto will walk you though the steps for setting up a jail that only has a few commands in it and will help create a much safer IRC enviroment for you. There are a couple things you will need to have installed before we get started. First you need irssi, next you will need jail. First step is to install jail and irssi, so that irssi will work from your regular linux or unix install.
Continue reading ‘Put irssi in a chroot jail’ »
June 3, 2008, 8:33 am
It is assumed that you already know how to configure and use BIND (the Berkeley Internet Name Domain). If not. It is also assumed that you have a basic familiarity with compiling and installing software on your UNIX-like system.
This document describes some extra security precautions that you can take when you install BIND. It explains how to configure BIND so that it resides in a “chroot jail,” meaning that it cannot see or access files outside its own little directory tree. We shall also configure it to run as a non-root user.
The idea behind chroot is fairly simple. When you run BIND (or any other process) in a chroot jail, the process is simply unable to see any part of the filesystem outside the jail. For example, in this document, we’ll set BIND up to run chrooted to the directory chroot/named. Well, to BIND, the contents of this directory will appear to be/ the root directory. Nothing outside this directory will be accessible to it. You’ve probably encounted a chroot jail before, if you’ve ever used ftp to log into a public system.
Because the chroot process is much simpler with BIND 9, I have started to expand this document slightly, to include more general tips about securing a BIND installation. Nevertheless, this document is not (and is not intended to be) a complete reference for securing BIND. If you do only what is outlined in this document, you’re not finished securing your nameserver!
The idea behind running BIND in a chroot jail is to limit the amount of access any malicious individual could gain by exploiting vulnerabilities in BIND. It is for the same reason that we run BIND as a non-root user.
This should be considered as a supplement to the normal security precautions (running the latest version, using access control, etc.), certainly not as a replacement for them.
Continue reading ‘How to install Bind DNS in a chroot jail’ »
