14 Responses

  1. thx. admin :)

    normal user on chroot_jail tutorial plz.

    • Administrator, January 2, 2012 @ 5:08 pm

      You are most welcome :) I do not quite understand your request, though. The current tutorial refers to jailing a normal user…

  2. So once inside the chroot, michael can no longer sudo, right? I wonder if there is still a way to break this chroot

    • Administrator, January 11, 2012 @ 12:21 am

      No, the sudo command is not present inside the chroot jail. Well, it might still be possible to break out of this jail, although I cannot think of a way right now, as this simple chroot environment offers a very limited amount of tools. The more programs you add to the chroot jail, the greater chance your “prisoners” might have of breaking out :)

      • It is, in fact, possible to break out from a chroot jail, but it is difficult if the jail is well-constructed and no way to gain root (i.e. su, sudo, etc…) is provided (keep in mind that privilege escalations are still possible). As far as I remember, you will always need to gain root in order to break out, and then chroot to another subdirectory, create a raw disk device (mknod), create /dev/mem and edit the kernel’s memory, or create a new dir in the jail, then chroot into it and fchdir; now you can chdir to the root of the sys.
        Other ways that I can think of are by using hardlinks left in the jail that aim outside, or using ptrace to find processes outside the chrooted area in order to attack them.

        Anyway, chroot jails are still a good way to add one (or more) security layer(s) to your system.

  3. When I log in as “michael” it asks for a password and then asks for the sudo password as well. Did I miss something?

    • Administrator, March 17, 2012 @ 3:03 am

      It depends on how exactly you are logging in. Please note that the login command itself requires super user privileges in order to spawn a new login prompt. To avoid that, you may just press Ctrl+Alt+F2 to switch to an unused text console and then you should be able to log into the chroot by just typing “michael” and then his password. No additional passwords should be required.

  4. Hi,

    I strictly followed your procedure and so far I think I didn’t miss anything… But I am getting the error “su: Authentication failure”. Any idea why?

    thanks in advance…

    • Administrator, May 22, 2012 @ 1:02 am

      Hello,

      Usually, the reason for such an error would be the passwd and shadow files. If you are positive that those are correct, then you might be missing some additional authentication libraries in the chroot. I would recommend the following procedure for troubleshooting:

      1. Make sure that you add the strace command and all that it requires to the chroot environment

      2. Enter the jail as root by simply running the chroot /path/to/jail command as root

      3. Now, inside the jail, run the following or a similar command:

      strace -f -e trace=open su michael

      The above command would follow the execution of the su program and display all files that are being opened in the process. You need to look for lines similar to the following, that indicate missing files:

      open("/lib/security/pam_rootok.so", O_RDONLY) = -1 ENOENT (No such file or directory)
      open("/lib/security/pam_env.so", O_RDONLY) = -1 ENOENT (No such file or directory)
      open("/lib/security/pam_mail.so", O_RDONLY) = -1 ENOENT (No such file or directory)

      If you see any missing files, make sure to copy them into the jail.

      Good luck :)

  5. Thanks for your response. Sorry, but I’m not sure if I understand your troubleshooting recommendation correctly. Below is my understanding, and please forgive me if I’m a bit slow here. :-(

    1. Make sure that you add the strace command and all that it requires to the chroot environment.
    – I copied /usr/bin/strace to /chroot/usr/bin using root. Is this correct?

    2. Enter the jail as root by simply running the chroot /path/to/jail command as root
    – What is the /path/to/jail you are referring to? Is this the /bin/jailshell that I created?

    3. Now, inside the jail, run the following or a similar command:
    – Which specific “inside the jail” are you referring to? Because my understanding from your procedure is that inside the jail is the chroot directory that you created, where I also created the directories dev etc etc/pam.d home home/michael lib lib/security var var/log usr usr/bin. In which exact directory should I execute this strace -f -e trace=open su michael ?

    Thanks again…

    • Administrator, May 23, 2012 @ 2:19 am

      1. “I copied /usr/bin/strace to /chroot/usr/bin using root. Is this correct?” – That is correct.

      2. By /path/to/jail, I meant the folder where you are building the chroot environment. As far as I can see from the previous point of yours, this is /chroot, just as it is in the article :) Now, all you need to do is run the following command as root:

      chroot /chroot

      3. Right after the above command, you should execute the strace -f -e trace=open su michael command, it doesn’t matter which folder exactly in the jail you will be in. Once you execute the command, look for the lines indicating missing files. It might be a lot of output :)
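
An added example, not part of the original comments: a shell filter for the strace troubleshooting steps the Administrator describes in the two replies above. It extracts the paths that failed with ENOENT and keeps only those that exist on the host but not yet in the jail; the function names, the constructed sample trace and the handling of `openat` lines are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): triage saved strace output, e.g. from
#   strace -f -o su.trace -e trace=open su michael      (run inside the jail)

# Print, once each, every path whose open()/openat() failed with ENOENT.
# Accepts the "[pid N] " or "N " prefix that strace -f puts before the call.
missing_files() {
    sed -n 's/^\([^(]* \)\{0,1\}open\(at\)\{0,1\}([^"]*"\([^"]*\)".*= -1 ENOENT.*/\3/p' "$@" |
        sort -u
}

# Read paths on stdin; print those that exist under HOST_ROOT but not in JAIL.
# Paths that are absent on the host as well are skipped: nothing to copy.
needed_in_jail() {
    jail=$1
    host_root=${2:-}            # empty means the real host filesystem
    while IFS= read -r f; do
        case $f in
            /*) ;;              # only absolute paths can be mapped into the jail
            *) continue ;;
        esac
        if [ -e "$host_root$f" ] && [ ! -e "$jail$f" ]; then
            printf '%s\n' "$f"
        fi
    done
}

# Constructed sample trace (not real output) in the format shown above.
sample_trace() {
    cat <<'EOF'
open("/etc/passwd", O_RDONLY) = 3
open("/lib/security/pam_rootok.so", O_RDONLY) = -1 ENOENT (No such file or directory)
[pid  4242] openat(AT_FDCWD, "/lib/security/pam_env.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
[pid  4242] open("/lib/security/pam_rootok.so", O_RDONLY) = -1 ENOENT (No such file or directory)
EOF
}

# Demo on the constructed trace. On a real system, run as root on the host:
#   missing_files /chroot/su.trace | needed_in_jail /chroot
sample_trace | missing_files
```

Library-search misses also show up as ENOENT, which is why only paths that exist on the host are reported as candidates to copy. Remove strace from the jail once troubleshooting is finished, since every extra program in the jail gives a jailed user more to work with.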

  6. premkumar, August 21, 2013 @ 5:13 pm

    If I switch to the jailed user, it asks for the password and the sudo password, then it gives the su: authentication failure message.




Continuing the Discussion

  1. [...] Hi, I just finished following this tutorial to set up a simple chroot jail on my Ubuntu 12.04 server, and after following all the steps and [...]