--- libpam-chroot-0.9.orig/Makefile +++ libpam-chroot-0.9/Makefile @@ -4,8 +4,10 @@ CFLAGS=-fPIC -O2 -Wall -Werror -pedantic CPPFLAGS=-I. LDFLAGS=-x --shared -lpam +DESTDIR=/ OUT=pam_chroot.so +CONF=chroot.conf all: $(OUT) @@ -16,4 +18,5 @@ rm -f *.o $(OUT) install: - install -s -o0 -g0 -m755 $(OUT) /lib/security + install -s -o0 -g0 -m755 $(OUT) $(DESTDIR)/lib/security + install -m640 $(CONF) $(DESTDIR)/etc/security --- libpam-chroot-0.9.orig/chroot.conf +++ libpam-chroot-0.9/chroot.conf @@ -1,6 +1,13 @@ # /etc/security/chroot.conf -# format: +# This file determines where will pam_chroot restrict the +# users for applications that use this module. +# Users not listed in this configuration file will not +# be chrooted. +# The format of this configuration file is: +# # username chroot_dir +# +# For example: #foo /home/foo # Or, if you've specified use_regex, --- libpam-chroot-0.9.orig/pam_chroot.c +++ libpam-chroot-0.9/pam_chroot.c @@ -133,7 +133,7 @@ } else if(!strncmp(argv[i], "onerr=", 6)) { if(!strcmp(argv[i] + 6, "succeed")) { opts->flags = opts->flags & (~_PAM_OPTS_NOTFOUNDFAILS); - } else if(!strcmp(argv[i] + 9, "fail")) { + } else if(!strcmp(argv[i] + 6, "fail")) { opts->flags = opts->flags | _PAM_OPTS_NOTFOUNDFAILS; } else { _pam_log(LOG_ERR, "bad config option: \"%s\"", argv[i]); --- libpam-chroot-0.9.orig/debian/changelog +++ libpam-chroot-0.9/debian/changelog @@ -0,0 +1,66 @@ +libpam-chroot (0.9-1) unstable; urgency=low + + * New upstream release (Closes: #250791) + - fix memory leaks, expanded user/group regex support (0.8) + - security checks for conf file & chroot directories (0.9) + * Since new upstream is in sourceforge, adjusted debian/copyright and + added homepage to debian/control, and changed debian/watch + (not enabled SF since it will not work with uscan) + * Removed 'configure' target from debian/rules as it is not used. + * Install the new 'TROUBLESHOOTING' doc provided upstream. + + -- Javier Fernandez-Sanguino Pen~a Thu, 30 Sep 2004 00:47:27 +0200 + +libpam-chroot (0.6-6) unstable; urgency=low + + * Correct parsing of the config option 'onerr' with the patch + provided by Rene Konasz (Closes: #232808) + + -- Javier Fernandez-Sanguino Pen~a Mon, 7 Jun 2004 10:24:36 +0200 + +libpam-chroot (0.6-5) unstable; urgency=low + + * Added information in README.Debian regarding how to configure OpenSSH to + use libpam-chroot and mention explicitly Privilege Separation breakage + (Closes: #173258) + * Added more information in the configuration file chroot.conf + + -- Javier Fernandez-Sanguino Pen~a Sun, 11 Jan 2004 18:37:39 +0100 + +libpam-chroot (0.6-4) unstable; urgency=low + + * Updated Standard-Version + * Fixed lintian warnings + * Added uscan's watch file + * Removed all of dh_make example files + + -- Javier Fernandez-Sanguino Pen~a Tue, 28 Oct 2003 02:01:42 +0100 + +libpam-chroot (0.6-3) unstable; urgency=low + + * Provided template for setup-chroot as well as an rsync example thanks to + Andres Salomon (Closes: #150368) + + -- Javier Fernandez-Sanguino Pen~a Mon, 2 Sep 2002 21:00:27 +0200 + +libpam-chroot (0.6-2) unstable; urgency=low + + * Fixed Maintainer address (Closes: #147824) + + -- Javier Fernandez-Sanguino Pen~a Thu, 23 May 2002 13:36:19 +0200 + +libpam-chroot (0.6-1) unstable; urgency=low + + * Initial Release. + * I was up until 4 AM but I was finally able to have it working in + Debian! + * Added a README.Debian to explain how it works since the installation + process will not add any lines to existing /etc/pam.d/ files + (applications) + * Provided examples on how to setup an environment for users using + /bin/login (console) in /usr/share/doc/libpam-chroot/examples + including a script that builds the proper environment (took me + some time of stracing to figure it needed the /dev/tty files) + + -- Javier Fernandez-Sanguino Pen~a Wed, 1 May 2002 01:24:40 +0200 + --- libpam-chroot-0.9.orig/debian/copyright +++ libpam-chroot-0.9/debian/copyright @@ -0,0 +1,33 @@ +This package was debianized by Javier Fernandez-Sanguino Peņa + on Wed, 1 May 2002 01:24:40 +0200. + +It was downloaded from +http://www.kernel.org/pub/linux/libs/pam/pre/modules/ +AFAIK RedHat ships with an old copy available at +ftp://ferret.lmh.ox.ac.uk/users/weejock/pam_chroot/ +Newer versions are available at http://sourceforge.net/projects/pam-chroot/ + + +Upstream Authors: +This version of pam_chroot was originally written by +Matthew Kirkwood (weejock@ferret.lmh.ox.ac.uk) +and then heavily modified by + - Ed Schmollinger (schmolli@frozencrow.org). + - Heiko Hund + - John Newbigin + + +Copyright: + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You can find a copy of the GNU GPL license in your Debian GNU/Linux + system under /usr/share/common-licenses/ --- libpam-chroot-0.9.orig/debian/dirs +++ libpam-chroot-0.9/debian/dirs @@ -0,0 +1,2 @@ +etc/security +lib/security --- libpam-chroot-0.9.orig/debian/README.Debian +++ libpam-chroot-0.9/debian/README.Debian @@ -0,0 +1,132 @@ +libpam-chroot for Debian +------------------------ + +This package has not been thoroughly tested by Debian (security wise), +however, it is provided in the hope that it will be useful for some +environments. + +RedHat distributes a pam_chroot.so module along with its PAM modules +(last I looked version 0.74) however the source code is not the same +(but might be derived from the same base). + +To use this module you need to: + +a) modify a PAM-aware application by editing it's file in /etc/pam.d/ +For local access this application could be login, xdm, kdm, su or +sudo. For remote access this application could be ssh, ftp.. Try +adding (as the last line): + +# Test Chroot features +session required pam_chroot.so debug + +(the debug option will printout progress of the module to syslog) + +b) Set the proper chroot environment for each user. +(this is quite tricky if you ask me :) For an example of how +to setup an environment for 'login' take a look at the files under +/usr/share/doc/libpam-chroot/examples/. + +Other applications might be more difficult to setup (the more complex +the application the worst). + +If you find it difficult to setup a complex chroot you might want to +setup a minimal version of a Debian installation (using 'debootstrap') +and then removing those applications unneded for your environment +(specifically, remove _all_ setuid applications). You might even want +to use some automatic systems to setup chroots like 'makejail'. + +c) Configure /etc/security/chroot.conf + +Detailed info: +-------------- +(based on the RedHat's README for Linux-PAM 0.74) + +Operation: +When the calling application attempts to open a session, pam_chroot +opens /etc/security/chroot.conf and searches for a line of the form: + +user directory + +where the "user" listed can be either a real username or a +regular expression (if you are using the 'use_regex' option). If the +PAM_USER for whom the session is being opened matches, +the module will attempt to chroot() to the given directory. + +Optional arguments: +"debug" Log debug messages to syslog. +"onerr=" Values can be "succeed" or "fail". The action to take if + the configuration file cannot be opened, the chroot() + fails, or the user does not match any of the expressions + listed in the configuration file. Default is "succeed". + +(for more options see /usr/share/doc/libpam-chroot/options) + +Other Notes: The calling application must be executing with root +privileges in order to be able to chroot() at all (see the chroot(2) +manpage). + +Warning: If configured incorrectly, this module may potentially render +the service unusable and, under some circumstances, pose a security +risk. + +Setting up OpenSSH with libpam-chroot +------------------------------------- + +Many systems want to setup a restricted remote access to a system in +which users are confined to their user directories, but are unable to +"see" the whole system. If you want to develop this using OpenSSH you +will need to: + +0) Setup a chroot environment for your users. Make sure that +environment includes the standard tools they will need (like their +shell) and that it also includes a /dev directory with the /dev/ptmx +and /dev/pty* devices and the /dev/pts/ subdirectory (runnig MAKEDEV +in the /dev directory of the chrooted environment should be +sufficient). + +Note: This environment is similar to the 'login' environment detailed +under /usr/share/doc/libpam-chroot/examples + +1) Add this line to /etc/pam.d/ssh (should be the last line) + session required pam_chroot.so debug + +2) Configure /etc/security/chroot.conf so that the users you determine + are chrooted to the directory you setup previously. You might want to have + independent directories for different users so that they will not be + able to see neither the whole system nor each other's. + +3) If you are running a newer (post-3.4) version of OpenSSH that uses + Privilege Separation you need to disable it. If you don't do this +you will see: + + $ ssh -l user server + user@server's password: + Connection to server closed by remote host. + Connection to server closed. + + This is because the ssh daemon, which is running as 'sshd', will not + be able to make the chroot() system call. Change the (default) line: + + UsePrivilegeSeparation yes + + to + + UsePrivilegeSeparation no + +Notice that this will lower the security of your system since the +OpenSSH server will run as 'root' user. This means that if a remote +attack is found against OpenSSH an attacker will get 'root' +priviledges instead of 'sshd', thus compromising the whole system. + +If you are using a kernel that implements Mandatory Access Control +(RSBAC/SElinux) you can avoid changing this configuration just by +granting the 'sshd' user priviledges to make the chroot() system call. + +Of course, you could just chroot() the daemon in the init.d script to +the chroot environment you have setup, but then you wouldn't need +pam-chroot at all. + + -- + Javier Fernandez-Sanguino + Sun, 11 Jan 2004 18:57:35 +0100 + --- libpam-chroot-0.9.orig/debian/control +++ libpam-chroot-0.9/debian/control @@ -0,0 +1,22 @@ +Source: libpam-chroot +Section: devel +Priority: optional +Maintainer: Javier Fernandez-Sanguino Pen~a +Build-Depends: libpam0g-dev, debhelper (>> 3.0.0) +Standards-Version: 3.6.1 + +Package: libpam-chroot +Architecture: any +Depends: ${shlibs:Depends} +Description: Chroot Pluggable Authentication Module for PAM + This package includes a special (but not thoroughly tested) PAM + module to provide chrooted (restricted) environments for users. + The module tries to provide a transparent wrapper around the + average user, one that puts them in a fake file-system (eg, their + '/' is really /some/where/else). + . + In order to setup this environment in Debian please read the + README.Debian as well as the detailed example provided in + /usr/share/doc/libpam-chroot/examples + . + Homepage: http://sourceforge.net/projects/pam-chroot/ --- libpam-chroot-0.9.orig/debian/rules +++ libpam-chroot-0.9/debian/rules @@ -0,0 +1,60 @@ +#!/usr/bin/make -f +# debian/rules for libpam-chroot +# GNU copyright 1997 to 1999 by Joey Hess. + +# Uncomment this to turn on verbose mode. +#export DH_VERBOSE=1 + +# This is the debhelper compatability version to use. +export DH_COMPAT=3 + +build: build-stamp +build-stamp: + dh_testdir + $(MAKE) + touch build-stamp + +clean: + dh_testdir + dh_testroot + rm -f build-stamp + -$(MAKE) clean + dh_clean + +install: build + dh_testdir + dh_testroot + dh_installdirs + + # Add here commands to install the package into debian/libpam-chroot + $(MAKE) install DESTDIR=$(CURDIR)/debian/libpam-chroot + + +# Build architecture-independent files here. +binary-indep: build install +# We have nothing to do by default. + +# Build architecture-dependent files here. +binary-arch: build install + dh_testdir + dh_testroot +# dh_movefiles + +# dh_installdebconf + dh_installdocs options TROUBLESHOOTING + dh_installexamples example/* +# dh_installpam + dh_installchangelogs + dh_link + dh_strip + dh_compress + dh_fixperms + dh_makeshlibs + dh_installdeb + dh_shlibdeps + dh_gencontrol + dh_md5sums + dh_builddeb + +binary: binary-indep binary-arch +.PHONY: build clean binary-indep binary-arch binary install --- libpam-chroot-0.9.orig/debian/watch +++ libpam-chroot-0.9/debian/watch @@ -0,0 +1,7 @@ +version=2 +# Original location +http://www.kernel.org/pub/linux/libs/pam/pre/modules/pam_chroot-(.*)\.tar\.gz \ + debian uupdate +# Current location (will not work, due to the way SF handles this) +#ftp://ftp.sf.net/pub/sourceforge/p/pa/pam-chroot/pam_chroot-(.*).tar.gz \ +# debian uupdate --- libpam-chroot-0.9.orig/example/setup-chrootdir-rsync.sh +++ libpam-chroot-0.9/example/setup-chrootdir-rsync.sh @@ -0,0 +1,50 @@ +#!/bin/sh + +# Copyright (C) 2002 Andres Salomon +# +# Create a chroot environment for allowing users to rsync. +# This script is placed in the public domain. Do with it what +# you will. + +PATH="/usr/local/sbin:/usr/sbin:/sbin:/usr/local/bin:/bin:/usr/bin" +DIRECTORIES="bin dev lib usr/bin usr/lib" +FILES="bin/false lib/libc.so.6 lib/ld-linux.so.2 + bin/bash lib/libncurses.so.5 lib/libdl.so.2 + usr/bin/rsync lib/libpopt.so.0 lib/libresolv.so.2" + +if test -z "$1"; then + echo "Usage: $0 " 1>&2 + exit 1 +fi + +id=`id -u` +if test "$id" -gt 0; then + echo "Error: this script requires root (for mknod)!" 1>&2 + exit 1 +fi + +dir=$1 +curdir=`pwd` + +# Create directory structure +mkdir -p $dir +cd $dir +for d in $DIRECTORIES; do + mkdir -p $d +done + +# Add files +for f in $FILES; do + cp /$f $f +done + +# And devices.. +if test -d dev; then + cp /dev/MAKEDEV dev + cd dev && ./MAKEDEV std && rm -f MAKEDEV +fi + + +cd $curdir + +exit 0 --- libpam-chroot-0.9.orig/example/README.example +++ libpam-chroot-0.9/example/README.example @@ -0,0 +1,36 @@ + +This is a sample configuration for the pam_chroot module. + +In order to make this work you need to: + +1.- use setup-chrootdir.sh to create a directory in which +the user will be chrooted (let's call it CHROOTDIR) +A sample layout like the one it creates is provided in the +chrooted-directory-tree.txt file + +WARNING! Make sure to have an open console in which to +become superuser in case you mangle the files and cannot +log-on to the system later on! + +2.- configure /etc/security/chroot.conf so that a given user +(USERCHROOTED) is chrooted to CHROOTDIR when entering (in the +sample configuration file CHROOTDIR=/chroot/directory) + +3.- add the following line to /etc/pam.d/login +session required pam_chroot.so debug + +4.- create USERCHROOTED in the system (/etc/passwd et al.) and +have his home directory be /home/test +(real directory=CHROOTDIR/home/test) + +5.- add the neccesary .profile, .cshrc, .bash_profile files to +the CHROOTDIR/home/test directory (fix permissions to your own +needs/policy) + +6.- Try to enter the system as USERCHROOTED. You should be +restricted to CHROOTDIR and have only a limited number of +utilies (setup-chrootdir only provides 'ls') + +If it does not work check the syslog files to see the messages +related to PAM (should include pam_chroot[XXXX]: session messages +due to the 'debug' option being set) --- libpam-chroot-0.9.orig/example/chroot.conf +++ libpam-chroot-0.9/example/chroot.conf @@ -0,0 +1,3 @@ +# /etc/security/chroot.conf +test /chroot/directory + --- libpam-chroot-0.9.orig/example/setup-chrootdir-shell.sh +++ libpam-chroot-0.9/example/setup-chrootdir-shell.sh @@ -0,0 +1,75 @@ +#!/bin/sh + +# Given a (non-existant) directory +# creates a chroot environment so users can login +# and have limited movements + +# (c) 2002 Javier Fernandez-Sanguino Peņa + +[ -z "$1" ] && { + echo "Usage $0 directory" + exit 1 +} +id=`/usr/bin/id -u` + +[ "$id" -gt 0 ] && + echo "WARNING: Needs to be run as root (for mknod to work)" + +dir=$1 + +[ -e "$dir" ] && { + echo "ERROR: $dir exists. Please specify a non-existant directory" + exit 1 +} + +curdir=`/bin/pwd` +/bin/mkdir -p $dir +cd $dir +for i in bin dev lib home/test ; do + /bin/mkdir -p $i +done + +# Procedure: +# Hard link for files and just copy simbolyc links, +# should work ok in the chroot + +# Bin directory (minimal set of binaries) +for cmd in ls pwd true false rbash bash ; do + if [ -f /bin/$cmd -a ! -L /bin/$cmd ] ; then + /bin/ln /bin/$cmd bin/ + fi + if [ -L /bin/$cmd ] ; then + cp -a /bin/$cmd lib/ + fi +done + +# Libraries (for previous binaries) +for lib in /lib/ld-linux* /lib/libc.* /lib/libdl* /lib/librt* /lib/ncurse* /lib/libpthread* ; do + if [ -f $lib -a ! -L $lib ] ; then + /bin/ln $lib lib/ + fi + if [ -L "$lib" ] ; then + cp -a $lib lib/ + fi +done + +# Devices +cd dev +# We need as many tty's as consoles +/bin/mknod -m 644 tty1 c 4 1 +/bin/mknod -m 644 tty2 c 4 2 +/bin/mknod -m 644 tty3 c 4 3 +/bin/mknod -m 644 tty4 c 4 4 +/bin/mknod -m 644 tty5 c 4 5 +/bin/mknod -m 644 tty6 c 4 6 +# Some special nodes, just for fun +/bin/mknod -m 444 urandom c 1 9 +/bin/mknod -m 666 zero c 1 5 +/bin/mknod -m 666 null c 1 3 +# Warning: since we do not have the /dev/log socket the +# 'debug' option of the PAM module will not work once chrooted + +# Finish and get back were we started +cd $curdir + +exit 0 --- libpam-chroot-0.9.orig/example/setup-chrootdir-template.sh +++ libpam-chroot-0.9/example/setup-chrootdir-template.sh @@ -0,0 +1,48 @@ +#!/bin/sh + +# Copyright (C) 2002 Andres Salomon +# +# Template for setup-chrootdir-XX.sh scripts + +PATH="/usr/local/sbin:/usr/sbin:/sbin:/usr/local/bin:/bin:/usr/bin" +# Directories to include in the chroot go here +DIRECTORIES="bin dev " +# Files to copy over to the chroot are included here +FILES="bin/false lib/libc.so.6 lib/ld-linux.so.2" + +if test -z "$1"; then + echo "Usage: $0 " 1>&2 + exit 1 +fi + +id=`id -u` +if test "$id" -gt 0; then + echo "Error: this script requires root (for mknod)!" 1>&2 + exit 1 +fi + +dir=$1 +curdir=`pwd` + +# Create directory structure +mkdir -p $dir +cd $dir +for d in $DIRECTORIES; do + mkdir -p $d +done + +# Add files +for f in $FILES; do + cp /$f $f +done + +# And devices.. +if test -d dev; then + cp /dev/MAKEDEV dev + cd dev && ./MAKEDEV std && rm -f MAKEDEV +fi + + +cd $curdir + +exit 0 --- libpam-chroot-0.9.orig/example/chrooted-directory-tree.txt +++ libpam-chroot-0.9/example/chrooted-directory-tree.txt @@ -0,0 +1,38 @@ +/home/test/ +|-- bin +| |-- bash +| |-- ls +| |-- rbash +| `-- sh +|-- dev +| |-- null +| |-- tty1 +| |-- tty2 +| |-- tty3 +| |-- tty4 +| |-- tty5 +| |-- tty6 +| |-- tty7 +| |-- urandom +| `-- zero +|-- home +| `-- test +| |-- .alias +| |-- .bash_history +| |-- .bash_profile +| |-- .bashrc +| |-- .cshrc +| `-- .profile +|-- lib + |-- ld-linux.so.2 + |-- libc.so.6 + |-- libdl-2.2.5.so + |-- libdl.so.2 + |-- libncurses.so.4 + |-- libncurses.so.4.2 + |-- libncurses.so.5 + |-- libncurses.so.5.2 + |-- libpthread-0.9.so + |-- libpthread.so.0 + |-- librt-2.2.5.so + `-- librt.so.1