--- libpam-chroot-0.9.orig/Makefile +++ libpam-chroot-0.9/Makefile @@ -3,17 +3,20 @@ CC=gcc CFLAGS=-fPIC -O2 -Wall -Werror -pedantic CPPFLAGS=-I. -LDFLAGS=-x --shared -lpam +LDFLAGS=-shared +DESTDIR=/ OUT=pam_chroot.so +CONF=chroot.conf all: $(OUT) %.so: %.o - ld $(LDFLAGS) -o $@ $< + $(CC) $(LDFLAGS) -o $@ $< -lpam clean: rm -f *.o $(OUT) install: - install -s -o0 -g0 -m755 $(OUT) /lib/security + install -s -o0 -g0 -m755 $(OUT) $(DESTDIR)/lib/security + install -m640 $(CONF) $(DESTDIR)/etc/security --- libpam-chroot-0.9.orig/TROUBLESHOOTING +++ libpam-chroot-0.9/TROUBLESHOOTING @@ -6,7 +6,7 @@ Note that all of the following assumes that you have put pam_chroot into debug mode (add the "debug" option to the pam_chroot line in the appropriate /etc/pam.d file) and that syslogd is configured to put -auth.debug messages in some known location (/var/log/messages, +auth.notice and auth.debug messages in some known location (/var/log/messages, /var/adm/messages, /var/adm/syslog/syslog.log, etc.) Under normal operation, pam_chroot will output something similar to the @@ -42,8 +42,8 @@ appropriate /etc/pam.d file, or it might be that PAM is not being used at all. (For example, you might have set 'UsePAM no' in your /etc/ssh/sshd_config.) It might also be that syslogd is not running or - is not configured to report auth.debug messages in the file that you're - looking for them in. + is not configured to report auth.notice and auth.debug messages in the + file that you're looking for them in. There are a multitude of reasons that PAM might not be being used, and they're usually application configuration issues, rather than issues with PAM itself. --- libpam-chroot-0.9.orig/chroot.conf +++ libpam-chroot-0.9/chroot.conf 
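Review bot: The new `install -m640 $(CONF) $(DESTDIR)/etc/security` line replaces an already-present chroot.conf on every `make install`, so a manual reinstall outside the Debian package (where dpkg's conffile handling does not apply) silently discards the administrator's user-to-directory mappings. Unlike the `$(OUT)` line above it, it also omits `-o0 -g0`, so the owner of a mode-640 file that the module reads at session time depends on whoever ran the install. Guarding it keeps both properties: `test -e $(DESTDIR)/etc/security/$(CONF) || install -m640 -o0 -g0 $(CONF) $(DESTDIR)/etc/security`. Keeping `-Werror` in the fixed CFLAGS is a separate fragility, since any new warning from a newer compiler turns into a build failure.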
@@ -1,6 +1,13 @@ # /etc/security/chroot.conf -# format: +# This file determines where will pam_chroot restrict the +# users for applications that use this module. +# Users not listed in this configuration file will not +# be chrooted. +# The format of this configuration file is: +# # username chroot_dir +# +# For example: #foo /home/foo # Or, if you've specified use_regex, --- libpam-chroot-0.9.orig/pam_chroot.c +++ libpam-chroot-0.9/pam_chroot.c @@ -75,7 +75,7 @@ opts->flags = _PAM_OPTS_NOOPTS; opts->chroot_dir = NULL; - opts->conf = x_strdup(CONFIG); + opts->conf = strdup(CONFIG); if(NULL == opts->conf) { _pam_log(LOG_ERR, "strdup: %s", strerror(errno)); return _PAM_CHROOT_SYSERR; @@ -133,7 +133,7 @@ } else if(!strncmp(argv[i], "onerr=", 6)) { if(!strcmp(argv[i] + 6, "succeed")) { opts->flags = opts->flags & (~_PAM_OPTS_NOTFOUNDFAILS); - } else if(!strcmp(argv[i] + 9, "fail")) { + } else if(!strcmp(argv[i] + 6, "fail")) { opts->flags = opts->flags | _PAM_OPTS_NOTFOUNDFAILS; } else { _pam_log(LOG_ERR, "bad config option: \"%s\"", argv[i]); @@ -146,7 +146,7 @@ _pam_log(LOG_ERR, "bad config option: \"%s\": chroot dir already set", argv[i]); } else { - opts->chroot_dir = x_strdup(argv[i] + 11); + opts->chroot_dir = strdup(argv[i] + 11); if(NULL == opts->chroot_dir) { _pam_log(LOG_ERR, "strdup: %s", strerror(errno)); } @@ -291,9 +291,9 @@ if(NULL == grp) { _pam_log(LOG_DEBUG, "%s: no grnam for gid %d", opts->module, gids[i]); snprintf(scratch, SCRATCH, "%d", gids[i]); - groups[i] = x_strdup(scratch); + groups[i] = strdup(scratch); } else { - groups[i] = x_strdup(grp->gr_name); + groups[i] = strdup(grp->gr_name); } } groups[i] = NULL; @@ -322,7 +322,7 @@ char save; struct stat st; - path = x_strdup(path); + path = strdup(path); if(NULL == path) { _pam_log(LOG_ERR, "strdup: %s", strerror(errno)); return -1; 
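Review bot: In the -291 hunk neither `groups[i] = strdup(scratch);` nor `groups[i] = strdup(grp->gr_name);` checks its result, while every other strdup() in this file logs a NULL return; because the array is terminated with `groups[i] = NULL;` after the loop, a failed allocation leaves an embedded NULL and, if the consumer walks the list up to the first NULL (the loop starts outside the hunk, so this is inferred), the remaining groups silently drop out of the matching that decides who is chrooted. Logging it with `_pam_log(LOG_ERR, "%s: strdup: %s", opts->module, strerror(errno));`, freeing the entries already allocated and returning an error is consistent with the -75 hunk, which returns `_PAM_CHROOT_SYSERR` on the same failure. The -146 hunk has a milder form of the same gap: a NULL `opts->chroot_dir` is logged but option parsing continues, so the caller cannot tell a failed allocation from an absent `chroot_dir=` option; returning the same error code there keeps the behaviour uniform.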
@@ -382,7 +382,7 @@ return NULL; } - exp = x_strdup(path); + exp = strdup(path); if(NULL == exp) { _pam_log(LOG_ERR, "%s: strdup: %s", opts->module, strerror(errno)); return NULL; @@ -639,10 +639,8 @@ * then pass it to this function */ int _pam_do_chroot(pam_handle_t *pamh, struct _pam_opts *opts) { int err,debug; - char *name; char const *user; - name = NULL; debug = opts->flags & _PAM_OPTS_DEBUG; err = pam_get_user(pamh, &user, NULL); --- libpam-chroot-0.9.orig/debian/watch +++ libpam-chroot-0.9/debian/watch @@ -0,0 +1,4 @@ +version=3 +opts=uversionmangle=s/\.(bz2|gz)// \ +http://sf.net/pam-chroot/pam_chroot-(.*)\.tar\.(bz2|gz) debian uupdate + --- libpam-chroot-0.9.orig/debian/dirs +++ libpam-chroot-0.9/debian/dirs @@ -0,0 +1,2 @@ +etc/security +lib/security --- libpam-chroot-0.9.orig/debian/rules +++ libpam-chroot-0.9/debian/rules 
@@ -0,0 +1,63 @@
+#!/usr/bin/make -f
+# debian/rules for libpam-chroot
+# GNU copyright 1997 to 1999 by Joey Hess.
+
+# Uncomment this to turn on verbose mode.
+#export DH_VERBOSE=1
+
+# This is the debhelper compatability version to use.
+# export DH_COMPAT=5
+
+build: build-arch build-indep
+build-arch: build-stamp
+build-indep: build-stamp
+
+build-stamp:
+ dh_testdir
+ $(MAKE)
+ touch build-stamp
+
+clean:
+ dh_testdir
+ dh_testroot
+ rm -f build-stamp
+ -$(MAKE) clean
+ dh_clean
+
+install: build
+ dh_testdir
+ dh_testroot
+ dh_installdirs
+
+ # Add here commands to install the package into debian/libpam-chroot
+ $(MAKE) install DESTDIR=$(CURDIR)/debian/libpam-chroot
+
+
+# Build architecture-independent files here.
+binary-indep: build install
+# We have nothing to do by default.
+
+# Build architecture-dependent files here.
+binary-arch: build install
+ dh_testdir
+ dh_testroot
+# dh_movefiles
+
+# dh_installdebconf
+ dh_installdocs options TROUBLESHOOTING
+ dh_installexamples example/*
+# dh_installpam
+ dh_installchangelogs
+ dh_link
+ dh_strip
+ dh_compress
+ dh_fixperms
+ dh_makeshlibs
+ dh_installdeb
+ dh_shlibdeps
+ dh_gencontrol
+ dh_md5sums
+ dh_builddeb
+
+binary: binary-indep binary-arch
+.PHONY: build clean binary-indep binary-arch binary install
--- libpam-chroot-0.9.orig/debian/README.Debian
+++ libpam-chroot-0.9/debian/README.Debian
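Review bot: `$(MAKE)` in build-stamp builds with the upstream Makefile's fixed `CFLAGS=-fPIC -O2 -Wall -Werror -pedantic`, so none of the distribution's hardening flags (stack protector, fortify, relro) reach a shared object that is loaded into root-privileged PAM clients such as login and sshd, and `-Werror` makes the package fail to build on the first new compiler warning. Passing the flags explicitly keeps the upstream defaults for plain builds while letting the package follow toolchain policy, e.g. `$(MAKE) CFLAGS="$$(dpkg-buildflags --get CFLAGS) -fPIC -Wall -pedantic" LDFLAGS="$$(dpkg-buildflags --get LDFLAGS) -shared"`. The `# export DH_COMPAT=5` comment duplicates debian/compat and could simply be dropped.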
@@ -0,0 +1,153 @@
+libpam-chroot for Debian
+------------------------
+
+This package has not been thoroughly tested by Debian (security wise),
+however, it is provided in the hope that it will be useful for some
+environments.
+
+RedHat distributes a pam_chroot.so module along with its PAM modules
+(last I looked version 0.74) however the source code is not the same
+(but might be derived from the same base).
+
+To use this module you need to:
+
+a) modify a PAM-aware application by editing it's file in /etc/pam.d/
+For local access this application could be login, xdm, kdm, su or
+sudo. For remote access this application could be ssh, ftp.. Try
+adding (as the last line):
+
+# Test Chroot features
+session required pam_chroot.so debug
+
+(the debug option will printout progress of the module to syslog. Debug
+messages go to authpriv.notice)
+
+b) Set the proper chroot environment for each user.
+(this is quite tricky if you ask me :) For an example of how
+to setup an environment for 'login' take a look at the files under
+/usr/share/doc/libpam-chroot/examples/.
+
+Other applications might be more difficult to setup (the more complex
+the application the worst).
+
+If you find it difficult to setup a complex chroot you might want to
+setup a minimal version of a Debian installation (using 'debootstrap')
+and then removing those applications unneded for your environment
+(specifically, remove _all_ setuid applications). You might even want
+to use some automatic systems to setup chroots like 'makejail'.
+
+c) Configure /etc/security/chroot.conf
+
+Detailed info:
+--------------
+(based on the RedHat's README for Linux-PAM 0.74)
+
+Operation:
+When the calling application attempts to open a session, pam_chroot
+opens /etc/security/chroot.conf and searches for a line of the form:
+
+user directory
+
+where the "user" listed can be either a real username or a
+regular expression (if you are using the 'use_regex' option). 
If the
+PAM_USER for whom the session is being opened matches,
+the module will attempt to chroot() to the given directory.
+
+Optional arguments:
+"debug" Log debug messages to syslog.
+"onerr=" Values can be "succeed" or "fail". The action to take if
+ the configuration file cannot be opened, the chroot()
+ fails, or the user does not match any of the expressions
+ listed in the configuration file. Default is "succeed".
+
+(for more options see /usr/share/doc/libpam-chroot/options)
+
+Other Notes: The calling application must be executing with root
+privileges in order to be able to chroot() at all (see the chroot(2)
+manpage).
+
+Warning: If configured incorrectly, this module may potentially render
+the service unusable and, under some circumstances, pose a security
+risk.
+
+Setting up OpenSSH with libpam-chroot
+-------------------------------------
+
+NOTE: OpenSSH supports, since the 4.9 release, the definition of
+chrooted enviroments. For more information see the 'ChrootDirectory'
+directive in sshd_config (5).
+
+
+Many systems want to setup a restricted remote access to a system in
+which users are confined to their user directories, but are unable to
+"see" the whole system. If you want to develop this using OpenSSH you
+will need to:
+
+0) Setup a chroot environment for your users. Make sure that
+environment includes the standard tools they will need (like their
+shell) and that it also includes a /dev directory with the /dev/ptmx
+and /dev/pty* devices and the /dev/pts/ subdirectory (runnig MAKEDEV
+in the /dev directory of the chrooted environment should be
+sufficient).
+
+Note: This environment is similar to the 'login' environment detailed
+under /usr/share/doc/libpam-chroot/examples
+
+1) Add this line to /etc/pam.d/ssh (should be the last line)
+ session required pam_chroot.so debug
+
+2) Configure /etc/security/chroot.conf so that the users you determine
+ are chrooted to the directory you setup previously. 
You might want to have
+ independent directories for different users so that they will not be
+ able to see neither the whole system nor each other's.
+
+3) Depending on your OpenSSH version it might work or not. Since 3.6.1p2
+ the do_pam_session() function is called after sshd has dropped privs,
+ since chroot() needs root priviledges it will not work with
+ Privilege separation on. In newer OpenSSH versions, however, the
+ PAM code has been modified and do_pam_session is called before
+ dropping priviledges so it will work even with Privilege separation.
+
+If you don't need to disable Privilege Separation you will need an /etc/passwd
+with the user's UID inside the chroot for Privilege Separation to work
+properly.
+
+If you have Privilege Separation set to on and your OpenSSH version
+does not behave properly you will need to disable it. If you don't,
+users that try to connect to your server and would be chrooted by
+this module will see this:
+
+ $ ssh -l user server
+ user@server's password:
+ Connection to server closed by remote host.
+ Connection to server closed.
+
+ This is because the ssh daemon, which is running as 'sshd', is not
+ be able to make the chroot() system call. To disable Privilege separation
+ you have to modify the /etc/ssh/sshd_config configuration file.
+ Change the (default) line:
+
+ UsePrivilegeSeparation yes
+
+ to
+
+ UsePrivilegeSeparation no
+
+Notice that this will lower the security of your system since the
+OpenSSH server will run as 'root' user. This means that if a remote
+attack is found against OpenSSH an attacker will get 'root'
+priviledges instead of 'sshd', thus compromising the whole system.
+
+If you are using a kernel that implements Mandatory Access Control
+(RSBAC/SElinux) you can avoid changing this configuration just by
+granting the 'sshd' user priviledges to make the chroot() system call. 
+
+Of course, you could just chroot() the daemon in the init.d script to
+the chroot environment you have setup, but then you wouldn't need
+pam-chroot at all.
+
+ --
+ Javier Fernandez-Sanguino
+ Wed, 27 Oct 2010 02:01:26 +0200
+
--- libpam-chroot-0.9.orig/debian/compat
+++ libpam-chroot-0.9/debian/compat
@@ -0,0 +1 @@
+5
--- libpam-chroot-0.9.orig/debian/changelog
+++ libpam-chroot-0.9/debian/changelog
@@ -0,0 +1,118 @@ +libpam-chroot (0.9-4.1) unstable; urgency=low + + * NMU + * Merge changes back from Ubuntu (thanks to Matthias Klose) + - Remove unused variable `name'. Closes: #625374. LP: #831203. + - Revert: + + Build with -fno-stack-protector fix FTBFS + - Link with gcc. + * Lintian cleanups: + - Add ${misc:Depends} + - Add initial build-arch and build-indep rules + - Update Standard-Version (no changes) + + -- Steve McIntyre Fri, 16 Dec 2011 18:07:23 +0000 + +libpam-chroot (0.9-4) unstable; urgency=low + + * Makefile: -lpam should go at the end of the $(LD) invocation + * Change the maintainer's email address + * Document in debian/README.Debian the fact that OpenSSH provides + this feature (since the 4.9 release) + * debian/control: Move homepage to header + * debian/watch: Added watch file + * debian/copyright: + - Convert to UTF-8 + - Add a proper copyright statement and clarify the + upstream authors + - Remove reference to RedHat + + -- Javier Fernandez-Sanguino Pen~a Wed, 27 Oct 2010 01:52:24 +0200 + +libpam-chroot (0.9-3) unstable; urgency=medium + + * This package builds fine with Gcc 4.2 (Closes: #361568) + * Replace x_strdup() with strdup() in pam_chroot.c + * Use debian compatibility version 5 + + -- Javier Fernandez-Sanguino Pen~a Thu, 04 Oct 2007 00:59:53 +0200 + +libpam-chroot (0.9-2) unstable; urgency=low + + * As suggested by Jim Paris, updated the README.Debian file with new + information detailing when might OpenSSH work with pam-chroot and when + you might need to disable Privilege Separation. 
+ Based on his experiments and Darren Tucker's answer to this issue available
+ at:
+ http://groups.google.com/groups?&selm=bk371q%24d33%241%40gate.dodgy.net.au
+ * Following his suggestions modified TROUBLESHOOTING since there is only
+ one debug message that goes to auth.debug, most of them go to auth.notice
+
+ -- Javier Fernandez-Sanguino Pen~a Wed, 6 Oct 2004 00:10:07 +0200
+
+libpam-chroot (0.9-1) unstable; urgency=low
+
+ * New upstream release (Closes: #250791)
+ - fix memory leaks, expanded user/group regex support (0.8)
+ - security checks for conf file & chroot directories (0.9)
+ * Since new upstream is in sourceforge, adjusted debian/copyright and
+ added homepage to debian/control, and changed debian/watch
+ (not enabled SF since it will not work with uscan)
+ * Removed 'configure' target from debian/rules as it is not used.
+ * Install the new 'TROUBLESHOOTING' doc provided upstream.
+
+ -- Javier Fernandez-Sanguino Pen~a Thu, 30 Sep 2004 00:47:27 +0200
+
+libpam-chroot (0.6-6) unstable; urgency=low
+
+ * Correct parsing of the config option 'onerr' with the patch
+ provided by Rene Konasz (Closes: #232808)
+
+ -- Javier Fernandez-Sanguino Pen~a Mon, 7 Jun 2004 10:24:36 +0200
+
+libpam-chroot (0.6-5) unstable; urgency=low
+
+ * Added information in README.Debian regarding how to configure OpenSSH to
+ use libpam-chroot and mention explicitly Privilege Separation breakage
+ (Closes: #173258)
+ * Added more information in the configuration file chroot.conf
+
+ -- Javier Fernandez-Sanguino Pen~a Sun, 11 Jan 2004 18:37:39 +0100
+
+libpam-chroot (0.6-4) unstable; urgency=low
+
+ * Updated Standard-Version
+ * Fixed lintian warnings
+ * Added uscan's watch file
+ * Removed all of dh_make example files
+
+ -- Javier Fernandez-Sanguino Pen~a Tue, 28 Oct 2003 02:01:42 +0100
+
+libpam-chroot (0.6-3) unstable; urgency=low
+
+ * Provided template for setup-chroot as well as an rsync example thanks to
+ Andres Salomon (Closes: #150368)
+
+ -- Javier 
Fernandez-Sanguino Pen~a Mon, 2 Sep 2002 21:00:27 +0200
+
+libpam-chroot (0.6-2) unstable; urgency=low
+
+ * Fixed Maintainer address (Closes: #147824)
+
+ -- Javier Fernandez-Sanguino Pen~a Thu, 23 May 2002 13:36:19 +0200
+
+libpam-chroot (0.6-1) unstable; urgency=low
+
+ * Initial Release.
+ * I was up until 4 AM but I was finally able to have it working in
+ Debian!
+ * Added a README.Debian to explain how it works since the installation
+ process will not add any lines to existing /etc/pam.d/ files
+ (applications)
+ * Provided examples on how to setup an environment for users using
+ /bin/login (console) in /usr/share/doc/libpam-chroot/examples
+ including a script that builds the proper environment (took me
+ some time of stracing to figure it needed the /dev/tty files)
+
+ -- Javier Fernandez-Sanguino Pen~a Wed, 1 May 2002 01:24:40 +0200
+
--- libpam-chroot-0.9.orig/debian/copyright
+++ libpam-chroot-0.9/debian/copyright
@@ -0,0 +1,43 @@
+This package was debianized by Javier Fernandez-Sanguino Peña
+ on Wed, 1 May 2002 01:24:40 +0200.
+
+It was downloaded from http://www.kernel.org/pub/linux/libs/pam/pre/modules/
+(only v 0.6 is available there). Newer versions (0.8 to 0.9) are available at
+http://sourceforge.net/projects/pam-chroot/
+
+The initial pam-chroot by Matthew Kirkwood was available at
+ftp://ferret.lmh.ox.ac.uk/users/weejock/pam_chroot/
+although this is no longer available. A first pre-release of the code can
+still be found at the pam-list archives, from 25 Februrary 2000 (see
+http://www.redhat.com/archives/pam-list/2000-February/msg00127.html or
+http://archives.neohapsis.com/archives/pam-list/2000-02/0092.html)
+
+Copyright:
+ (c) 2000 Matthew Kirkwood
+ (c) 2004-2007 Ed Schmollinger
+
+
+Upstream Authors:
+This version of pam_chroot was originally written by Matthew Kirkwood
+(weejock@ferret.lmh.ox.ac.uk) and then heavily modified by Ed Schmollinger
+(schmolli@frozencrow.org).
+
+The following have contributed code and/or ideas:
+ - Heiko Hund
+ - John Newbigin
+
+
+Copyright:
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You can find a copy of the GNU GPL license in your Debian GNU/Linux
+ system under /usr/share/common-licenses/
--- libpam-chroot-0.9.orig/debian/control
+++ libpam-chroot-0.9/debian/control
@@ -0,0 +1,21 @@
+Source: libpam-chroot
+Section: devel
+Priority: optional
+Maintainer: Javier Fernandez-Sanguino Pen~a
+Build-Depends: libpam0g-dev, debhelper (>> 3.0.0)
+Standards-Version: 3.9.2
+Homepage: http://sourceforge.net/projects/pam-chroot/
+
+Package: libpam-chroot
+Architecture: any
+Depends: ${shlibs:Depends}, ${misc:Depends}
+Description: Chroot Pluggable Authentication Module for PAM
+ This package includes a special (but not thoroughly tested) PAM
+ module to provide chrooted (restricted) environments for users.
+ The module tries to provide a transparent wrapper around the
+ average user, one that puts them in a fake file-system (eg, their
+ '/' is really /some/where/else).
+ .
+ In order to setup this environment in Debian please read the
+ README.Debian as well as the detailed example provided in
+ /usr/share/doc/libpam-chroot/examples
--- libpam-chroot-0.9.orig/example/setup-chrootdir-rsync.sh
+++ libpam-chroot-0.9/example/setup-chrootdir-rsync.sh
@@ -0,0 +1,50 @@
+#!/bin/sh
+
+# Copyright (C) 2002 Andres Salomon
+#
+# Create a chroot environment for allowing users to rsync.
+# This script is placed in the public domain. Do with it what
+# you will.
+
+PATH="/usr/local/sbin:/usr/sbin:/sbin:/usr/local/bin:/bin:/usr/bin"
+DIRECTORIES="bin dev lib usr/bin usr/lib"
+FILES="bin/false lib/libc.so.6 lib/ld-linux.so.2
+ bin/bash lib/libncurses.so.5 lib/libdl.so.2
+ usr/bin/rsync lib/libpopt.so.0 lib/libresolv.so.2"
+
+if test -z "$1"; then
+ echo "Usage: $0 " 1>&2
+ exit 1
+fi
+
+id=`id -u`
+if test "$id" -gt 0; then
+ echo "Error: this script requires root (for mknod)!" 1>&2
+ exit 1
+fi
+
+dir=$1
+curdir=`pwd`
+
+# Create directory structure
+mkdir -p $dir
+cd $dir
+for d in $DIRECTORIES; do
+ mkdir -p $d
+done
+
+# Add files
+for f in $FILES; do
+ cp /$f $f
+done
+
+# And devices..
+if test -d dev; then
+ cp /dev/MAKEDEV dev
+ cd dev && ./MAKEDEV std && rm -f MAKEDEV
+fi
+
+
+cd $curdir
+
+exit 0
--- libpam-chroot-0.9.orig/example/setup-chrootdir-template.sh
+++ libpam-chroot-0.9/example/setup-chrootdir-template.sh
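Review bot: `cd $dir` is neither quoted nor checked, so if the directory cannot be entered (or `$1` contains whitespace) the script, which has just confirmed it is running as root, goes on to run `mkdir -p $d`, `cp /$f $f` and `cd dev && ./MAKEDEV std && rm -f MAKEDEV` in whatever directory the caller started from. `cd "$dir" || exit 1` (with `mkdir -p "$dir"` above it) confines every later write to the intended tree. The same unchecked `cd $dir` appears in example/setup-chrootdir-template.sh and example/setup-chrootdir-shell.sh.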
@@ -0,0 +1,48 @@
+#!/bin/sh
+
+# Copyright (C) 2002 Andres Salomon
+#
+# Template for setup-chrootdir-XX.sh scripts
+
+PATH="/usr/local/sbin:/usr/sbin:/sbin:/usr/local/bin:/bin:/usr/bin"
+# Directories to include in the chroot go here
+DIRECTORIES="bin dev "
+# Files to copy over to the chroot are included here
+FILES="bin/false lib/libc.so.6 lib/ld-linux.so.2"
+
+if test -z "$1"; then
+ echo "Usage: $0 " 1>&2
+ exit 1
+fi
+
+id=`id -u`
+if test "$id" -gt 0; then
+ echo "Error: this script requires root (for mknod)!" 1>&2
+ exit 1
+fi
+
+dir=$1
+curdir=`pwd`
+
+# Create directory structure
+mkdir -p $dir
+cd $dir
+for d in $DIRECTORIES; do
+ mkdir -p $d
+done
+
+# Add files
+for f in $FILES; do
+ cp /$f $f
+done
+
+# And devices..
+if test -d dev; then
+ cp /dev/MAKEDEV dev
+ cd dev && ./MAKEDEV std && rm -f MAKEDEV
+fi
+
+
+cd $curdir
+
+exit 0
--- libpam-chroot-0.9.orig/example/setup-chrootdir-shell.sh
+++ libpam-chroot-0.9/example/setup-chrootdir-shell.sh
@@ -0,0 +1,75 @@
+#!/bin/sh
+
+# Given a (non-existant) directory
+# creates a chroot environment so users can login
+# and have limited movements
+
+# (c) 2002 Javier Fernandez-Sanguino Peña
+
+[ -z "$1" ] && {
+ echo "Usage $0 directory"
+ exit 1
+}
+id=`/usr/bin/id -u`
+
+[ "$id" -gt 0 ] &&
+ echo "WARNING: Needs to be run as root (for mknod to work)"
+
+dir=$1
+
+[ -e "$dir" ] && {
+ echo "ERROR: $dir exists. Please specify a non-existant directory"
+ exit 1
+}
+
+curdir=`/bin/pwd`
+/bin/mkdir -p $dir
+cd $dir
+for i in bin dev lib home/test ; do
+ /bin/mkdir -p $i
+done
+
+# Procedure:
+# Hard link for files and just copy simbolyc links,
+# should work ok in the chroot
+
+# Bin directory (minimal set of binaries)
+for cmd in ls pwd true false rbash bash ; do
+ if [ -f /bin/$cmd -a ! -L /bin/$cmd ] ; then
+ /bin/ln /bin/$cmd bin/
+ fi
+ if [ -L /bin/$cmd ] ; then
+ cp -a /bin/$cmd lib/
+ fi
+done
+
+# Libraries (for previous binaries)
+for lib in /lib/ld-linux* /lib/libc.* /lib/libdl* /lib/librt* /lib/ncurse* /lib/libpthread* ; do
+ if [ -f $lib -a ! -L $lib ] ; then
+ /bin/ln $lib lib/
+ fi
+ if [ -L "$lib" ] ; then
+ cp -a $lib lib/
+ fi
+done
+
+# Devices
+cd dev
+# We need as many tty's as consoles
+/bin/mknod -m 644 tty1 c 4 1
+/bin/mknod -m 644 tty2 c 4 2
+/bin/mknod -m 644 tty3 c 4 3
+/bin/mknod -m 644 tty4 c 4 4
+/bin/mknod -m 644 tty5 c 4 5
+/bin/mknod -m 644 tty6 c 4 6
+# Some special nodes, just for fun
+/bin/mknod -m 444 urandom c 1 9
+/bin/mknod -m 666 zero c 1 5
+/bin/mknod -m 666 null c 1 3
+# Warning: since we do not have the /dev/log socket the
+# 'debug' option of the PAM module will not work once chrooted
+
+# Finish and get back were we started
+cd $curdir
+
+exit 0
--- libpam-chroot-0.9.orig/example/chrooted-directory-tree.txt
+++ libpam-chroot-0.9/example/chrooted-directory-tree.txt
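Review bot: In the binaries loop a symlinked command is copied with `cp -a /bin/$cmd lib/`, so a symlinked rbash or sh lands under lib/ rather than bin/ and the chroot is left without that shell entry; the destination should be `bin/` like the hard-link branch above it. The hard-link scheme described in the 'Procedure' comment also needs a caveat: once a package upgrade replaces /bin/bash or the libc files with new inodes, the chroot keeps the old unpatched copies, so the tree must be rebuilt after security updates — worth stating in that comment. The `[ "$id" -gt 0 ]` check only prints a WARNING and continues, whereas the two sibling example scripts `exit 1` there; failing early is safer than having the mknod calls fail partway through.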
@@ -0,0 +1,38 @@
+/home/test/
+|-- bin
+| |-- bash
+| |-- ls
+| |-- rbash
+| `-- sh
+|-- dev
+| |-- null
+| |-- tty1
+| |-- tty2
+| |-- tty3
+| |-- tty4
+| |-- tty5
+| |-- tty6
+| |-- tty7
+| |-- urandom
+| `-- zero
+|-- home
+| `-- test
+| |-- .alias
+| |-- .bash_history
+| |-- .bash_profile
+| |-- .bashrc
+| |-- .cshrc
+| `-- .profile
+|-- lib
+ |-- ld-linux.so.2
+ |-- libc.so.6
+ |-- libdl-2.2.5.so
+ |-- libdl.so.2
+ |-- libncurses.so.4
+ |-- libncurses.so.4.2
+ |-- libncurses.so.5
+ |-- libncurses.so.5.2
+ |-- libpthread-0.9.so
+ |-- libpthread.so.0
+ |-- librt-2.2.5.so
+ `-- librt.so.1
--- libpam-chroot-0.9.orig/example/README.example
+++ libpam-chroot-0.9/example/README.example
@@ -0,0 +1,36 @@
+
+This is a sample configuration for the pam_chroot module.
+
+In order to make this work you need to:
+
+1.- use setup-chrootdir.sh to create a directory in which
+the user will be chrooted (let's call it CHROOTDIR)
+A sample layout like the one it creates is provided in the
+chrooted-directory-tree.txt file
+
+WARNING! Make sure to have an open console in which to
+become superuser in case you mangle the files and cannot
+log-on to the system later on!
+
+2.- configure /etc/security/chroot.conf so that a given user
+(USERCHROOTED) is chrooted to CHROOTDIR when entering (in the
+sample configuration file CHROOTDIR=/chroot/directory)
+
+3.- add the following line to /etc/pam.d/login
+session required pam_chroot.so debug
+
+4.- create USERCHROOTED in the system (/etc/passwd et al.) and
+have his home directory be /home/test
+(real directory=CHROOTDIR/home/test)
+
+5.- add the neccesary .profile, .cshrc, .bash_profile files to
+the CHROOTDIR/home/test directory (fix permissions to your own
+needs/policy)
+
+6.- Try to enter the system as USERCHROOTED. You should be
+restricted to CHROOTDIR and have only a limited number of
+utilies (setup-chrootdir only provides 'ls')
+
+If it does not work check the syslog files to see the messages
+related to PAM (should include pam_chroot[XXXX]: session messages
+due to the 'debug' option being set)
--- libpam-chroot-0.9.orig/example/chroot.conf
+++ libpam-chroot-0.9/example/chroot.conf
@@ -0,0 +1,3 @@
+# /etc/security/chroot.conf
+test /chroot/directory
+