This article provides several easy steps that would allow you to create a most basic chroot-ed environment for a user on your Linux/Unix based system. It will really just show the basics of what a chroot jail is like, so that an inexperienced user can have some grounds to start learning and experimenting on their own.
An Ubuntu 10.04 Desktop operating system was used for this example, but the instructions should be applicable to most Linux/Unix based operating systems. So, let’s start:
1. Create the user-to-be-jailed.
In this example, the user will be called michael 
root@server:/chroot# adduser michael
Adding user `michael' ...
Adding new group `michael' (1003) ...
Adding new user `michael' (1003) with group `michael' ...
Creating home directory `/home/michael' ...
Copying files from `/etc/skel' ...
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
Changing the user information for michael
Enter the new value, or press ENTER for the default
Full Name []: Michael Scofield
Room Number []:
Work Phone []:
Home Phone []:
Other []:
Is the information correct? [Y/n] Y
root@server:/chroot#
Make sure that the michael user has permissions to execute sudo. On the Ubuntu operating system, this can be achieved by adding the user to the admin group – edit the following line in the /etc/group file, by just adding the desired username to the comma separated list:
admin:x:119:user1,user2,michael
2. Set up the folder that will actually represent the “jail”.
Here, I use the following, but it can really be a folder of your choice:
root@station:~# mkdir /chroot
So, the inside of the /chroot folder will be everything that the jailed user will see. This means that we will have to provide some tools in there, unless we want to just jail a user into an empty folder with nothing to do. You can view the chroot as an alternative reality, which resembles the real world (the entire operating system) but only offers a limited amount of capabilities. Depending on the sophistication of the chroot environment, a Linux system directory structure will have to be recreated to a certain extent. Since we are building a simple environment, we will only create what is necessary at this point:
root@station:~# cd /chroot
root@station:/chroot# mkdir bin dev etc etc/pam.d home home/michael lib lib/security var var/log usr usr/bin
3. Now we need to copy into the jail all the software that we want the jailed user to be able to use.
For example, it is highly possible that the following binaries will be needed by a regular user – su, bash, ls, cp, mv, mkdir, rm, touch, cat, whoami, as well as the libraries these programs require. I will illustrate how this is done with an example for one of the binaries and I believe the readers will be able to apply the instructions to the other ones.
I would like my “prisoner” user michael to be able to use the bash shell utility. Here is how I implement this:
-
Find the full path to the bash command:
root@station:~# which bash
/bin/bash -
Copy the command into the /chroot/bin/ folder:
root@station:~# cp /bin/bash /chroot/bin/ -
Locate all the libraries needed by the bash shell utility:
root@station:~# ldd /bin/bash
linux-gate.so.1 => (0x0080a000)
libncurses.so.5 => /lib/libncurses.so.5 (0x00561000)
libdl.so.2 => /lib/libdl.so.2 (0x00eb7000)
libc.so.6 => /lib/libc.so.6 (0x00201000)
/lib/ld-linux.so.2 (0x001e3000) -
Copy these necessary libraries into the /chroot/lib folder:
root@station:~# cp /lib/libncurses.so.5 /chroot/lib/
root@station:~# cp /lib/libdl.so.2 /chroot/lib/
root@station:~# cp /lib/libc.so.6 /chroot/lib/
root@station:~# cp /lib/ld-linux.so.2 /chroot/lib/
The cool thing about ldd is that it provides the full path to the used libraries (e.g. /lib/libncurses.so.5)
Let’s also do the su command since it is very important for the functionality of the chroot jail:
root@station:~# cp /bin/su /chroot/bin/
root@station:~# cp /lib/libpam.so.0 /chroot/lib/
root@station:~# cp /lib/libpam_misc.so.0 /chroot/lib/
root@station:~# cp /lib/libcrypt.so.1 /chroot/lib/
These steps above will pretty much have to be implemented for every program you would like to make available into the jail. You might want to start with the ls command 
4. Add some system configuration files and additional libraries to the chroot:
-
We start with some of the most important files – passwd, group and shadow. Since the only users that we would like to be known are root and the jailed user michael himself, we only add their lines to the corresponding authentication files in the chroot:
root@station:~# cat /etc/passwd | grep michael > /chroot/etc/passwd
root@station:~# cat /etc/passwd | grep root >> /chroot/etc/passwdMy jailed /chroot/etc/passwd file now contains the following:
michael:x:1003:1003::/home/michael:/bin/bash
root:x:0:0:root:/root:/bin/bashNow, the group file:
root@station:~# cat /etc/group | grep michael: > /chroot/etc/group
root@station:~# cat /etc/group | grep root >> /chroot/etc/groupMy jailed /chroot/etc/group file now contains the following:
michael:x:1003:
root:x:0:And the shadow file:
root@station:~# cat /etc/shadow | grep michael > /chroot/etc/shadowIn the jailed /chroot/etc/shadow file, only one line will be present:
michael:$6$D9.tZdVgdRh0XCVQEsaC0:15263:0:99999:7::: -
We copy and edit the nsswitch.conf file, which governs how names are resolved on a Linux system:
root@station:~# cp /etc/nsswitch.conf /chroot/etc/nsswitch.confMake sure that the content of the jailed nsswitch.conf is edited to the following:
passwd: files
group: files
shadow: files
hosts: files
networks: files
protocols: files
services: files
ethers: files
rpc: files
netgroup: files -
We copy the configuration files necessary for the PAM system to operate so that authorization in the jail can work:
root@station:~# cp /etc/pam.d/common-account /chroot/etc/pam.d/
root@station:~# cp /etc/pam.d/common-auth /chroot/etc/pam.d/
root@station:~# cp /etc/pam.d/common-session /chroot/etc/pam.d/
root@station:~# cp /etc/pam.d/su /chroot/etc/pam.d/ -
We add some additional libraries required by the PAM and name service switch facilities:
root@station:~# cp /lib/libnss_files.so.2 /chroot/lib/
root@station:~# cp /lib/libnss_compat.so.2 /chroot/lib/
root@station:~# cp /lib/libnss_files.so.2 /chroot/lib/
root@station:~# cp /lib/libnsl.so.1 /chroot/lib/
root@station:~# cp -fa /lib/security/ /chroot/lib/ -
We create a login.defs file into the jail’s etc folder. This file defines some settings for the login process:
root@station:~# touch /chroot/etc/login.defsFor the purpose of this example we need to add only the following line to this file:
SULOG_FILE /var/log/sulogIf we did not do that, the su command would attempt to use the syslog utility, which is not available in our jail and the entire process would fail.
5. Create the script that will actually put our michael user in jail, whenever he logs in to the system.
The script will be called jailshell and will reside in the /bin/ folder, outside of the jail. The content is very simple:
#!/bin/bash
sudo chroot /chroot /bin/su michael
Make sure it is executable:
root@station:/chroot# chmod 755 /bin/jailshell
To put the script in action, we need to edit the /etc/passwd file (the one outside of the jail). Only the following line describing the user michael will be edited by replacing /bin/bash with /bin/jailshell:
michael:x:1003:1003:Michael Scofield,,,:/home/michael:/bin/jailshell
6. Set up michael‘s in-jail home folder .
Actually, the basic functionality of the chroot environment has already been achieved, but we will try to make it a little more pleasant to work with. We start by copying the entire content of the default home folder of our user from out of the chroot to the chroot:
root@station:~# cd /home/michael/
root@station:/home/michael# cp -fa ./ /chroot/home/michael/
The following could also be useful:
root@station:~# cp /etc/bash.bashrc /chroot/etc/
root@station:~# cp /usr/bin/dircolors /chroot/usr/bin/
root@station:~# cp /etc/localtime /chroot/etc/
root@station:~# cp /etc/services /chroot/etc/
root@station:~# cp /etc/protocols /chroot/etc/
root@station:~# cp /usr/bin/groups /chroot/bin/
7. Test the functionality.
Let’s check the results of all the above:
root@station:~# login
station login: michael
Password:
Last login: Fri Oct 21 13:19:21 CST 2011 on pts/0
Linux station 2.6.35-30-generic #60-Ubuntu SMP Mon Sep 19 20:45:08 UTC 2011 i686 GNU/Linux
Ubuntu 10.10
Welcome to Ubuntu!
* Documentation: https://help.ubuntu.com/
michael@station:~$ cd /
michael@station:/$ ls
bin dev etc home lib usr var
michael@station:/$
Well, that’s it I hope it has been useful.
thx. admin
normal user on chroot_jail tutorial plz.
You are most welcome
I do not quite understand your request, though. The current tutorial refers to jailing a normal user…
So once inside the chroot, micheal can no loger sudo right ? I wonder if there is still a way to break this chroot
No, the sudo command is not present inside the chroot jail. Well, it might still be possible to break out of this jail, although I cannot think of a way right now, as this simple chroot environment offers a very limited amount of tools. The more programs you add to the chroot jail, the greater chance your “prisoners” might have of breaking out
When I login as “michael” it asks for a password and then asks for the sudo password as well. Did I miss something?
It depends on how exactly you are loggin in. Please, note that the login command itself requires super user privileges in order to spawn a new login prompt. To avoid that, you may just press Ctrl+Alt+F2 to switch to an unused text console and then you should be able to log into the chroot by just typing “michael” and then his password. No additional passwords should be required.