This article walks through a few easy steps for creating a very basic chroot-ed environment for a user on a Linux/Unix system. It only shows the basics of what a chroot jail looks like, so that an inexperienced user has some ground to stand on before learning and experimenting further on their own.

An Ubuntu 10.04 Desktop operating system was used for this example, but the instructions should be applicable to most Linux/Unix based operating systems. So, let’s start:

1. Create the user-to-be-jailed.

In this example, the user will be called michael

root@station:/chroot# adduser michael
Adding user `michael' ...
Adding new group `michael' (1003) ...
Adding new user `michael' (1003) with group `michael' ...
Creating home directory `/home/michael' ...
Copying files from `/etc/skel' ...
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
Changing the user information for michael
Enter the new value, or press ENTER for the default
Full Name []: Michael Scofield
Room Number []:
Work Phone []:
Home Phone []:
Other []:
Is the information correct? [Y/n] Y
root@station:/chroot#

Make sure that the michael user has permission to execute sudo; the jailshell script created in step 5 enters the jail through sudo. On Ubuntu this can be achieved by adding the user to the admin group: edit the following line in the /etc/group file, appending the desired username to the comma-separated list:

admin:x:119:user1,user2,michael

2. Set up the folder that will actually represent the “jail”.

Here, I use the following, but it can really be a folder of your choice:

root@station:~# mkdir /chroot

So, the inside of the /chroot folder will be everything that the jailed user will see. This means that we will have to provide some tools in there, unless we want to just jail a user into an empty folder with nothing to do. You can view the chroot as an alternative reality, which resembles the real world (the entire operating system) but only offers a limited amount of capabilities. Depending on the sophistication of the chroot environment, a Linux system directory structure will have to be recreated to a certain extent. Since we are building a simple environment, we will only create what is necessary at this point:

root@station:~# cd /chroot
root@station:/chroot# mkdir bin dev etc etc/pam.d home home/michael lib lib/security var var/log usr usr/bin

3. Now we need to copy into the jail all the software that we want the jailed user to be able to use.

For example, it is very likely that a regular user will need the following binaries: su, bash, ls, cp, mv, mkdir, rm, touch, cat and whoami, as well as the libraries these programs require. I will illustrate how this is done for one of the binaries, and readers should be able to apply the same steps to the others.

I would like my “prisoner” user michael to be able to use the bash shell utility. Here is how I implement this:

The cool thing about ldd is that it prints the full path of every library the program uses (e.g. /lib/libncurses.so.5), so its output tells you exactly which files to copy into the jail's lib/ folder.

Let’s also do the su command since it is very important for the functionality of the chroot jail:

root@station:~# cp /bin/su /chroot/bin/
root@station:~# cp /lib/libpam.so.0 /chroot/lib/
root@station:~# cp /lib/libpam_misc.so.0 /chroot/lib/
root@station:~# cp /lib/libcrypt.so.1 /chroot/lib/

The steps above have to be repeated for every program you would like to make available inside the jail. You might want to start with the ls command.
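The copy-the-binary-then-copy-its-libraries routine above is tedious by hand, so here is an added example that automates it; it is my own helper, not a script from the original article. It parses ldd output for the absolute library paths, then installs the program and each library under the jail at the same path it has on the host (/bin/bash becomes /chroot/bin/bash, /lib/libc.so.6 becomes /chroot/lib/libc.so.6), which is exactly the layout the cp commands above produce. The function names ldd_paths and jail_install and the sample ldd output are assumptions of mine; the script relies on a GNU or BusyBox install that understands -D and on the standard ldd output format.

```shell
#!/bin/sh
# Added example (not from the original article): copy a program and every
# shared library ldd resolves for it into a chroot tree, keeping host paths.

# Print the absolute library paths found in ldd output read from stdin.
# ldd emits three line shapes; only the first two name a real file:
#   libc.so.6 => /lib/libc.so.6 (0x0012e000)   -> /lib/libc.so.6
#   /lib/ld-linux.so.2 (0x00b7e000)            -> /lib/ld-linux.so.2
#   linux-gate.so.1 =>  (0x00110000)           -> the vDSO, nothing to copy
ldd_paths() {
    awk '$2 == "=>" && $3 ~ /^\// { print $3; next }
         $1 ~ /^\//               { print $1 }'
}

# jail_install JAIL PROGRAM: install PROGRAM and its libraries under JAIL.
# Libraries already present in the jail are left alone, so calling this
# once per program is cheap even though most programs share libc.
jail_install() {
    jail=$1; prog=$2
    [ -d "$jail" ] || { echo "jail_install: $jail is not a directory" >&2; return 1; }
    [ -x "$prog" ] || { echo "jail_install: $prog is not executable" >&2; return 1; }
    install -D -m 755 "$prog" "$jail$prog" || return 1
    # A static binary makes ldd print "not a dynamic executable" and exit 1;
    # ldd_paths then yields nothing and only the binary itself is copied.
    # Word splitting is safe here: library paths never contain spaces.
    for lib in $(ldd "$prog" 2>/dev/null | ldd_paths); do
        [ -e "$jail$lib" ] || install -D -m 755 "$lib" "$jail$lib" || return 1
    done
}

# Constructed sample of what ldd printed for /bin/bash on a 32-bit
# Ubuntu 10.04 system (assumed values), so the parser can be exercised
# without touching a real jail.
SAMPLE_LDD='    linux-gate.so.1 =>  (0x00110000)
    libncurses.so.5 => /lib/libncurses.so.5 (0x00c2e000)
    libdl.so.2 => /lib/libdl.so.2 (0x00a4d000)
    libc.so.6 => /lib/libc.so.6 (0x0012e000)
    /lib/ld-linux.so.2 (0x00b7e000)'

# Real use, as root:  jail_install /chroot /bin/bash; jail_install /chroot /bin/ls
# Dry run of the parser on the constructed sample:
printf '%s\n' "$SAMPLE_LDD" | ldd_paths
```

Run as root against /chroot it reproduces step 3 for any program in one call; the dry run at the bottom only shows which files ldd would have you copy. Note that install, like the cp commands above, writes a fresh file rather than preserving the source's setuid bit, which does not matter here because the jail is entered as root through sudo.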

4. Add some system configuration files and additional libraries to the chroot:

5. Create the script that will actually put our michael user in jail, whenever he logs in to the system.

The script will be called jailshell and will reside in the /bin/ folder, outside of the jail. The content is very simple:

#!/bin/bash

sudo chroot /chroot /bin/su michael

Make sure it is executable:

root@station:/chroot# chmod 755 /bin/jailshell

To put the script in action, we need to edit the /etc/passwd file (the one outside of the jail). Only the following line describing the user michael will be edited by replacing /bin/bash with /bin/jailshell:

michael:x:1003:1003:Michael Scofield,,,:/home/michael:/bin/jailshell

6. Set up michael's in-jail home folder.

Actually, the basic functionality of the chroot environment has already been achieved, but we will try to make it a little more pleasant to work with. We start by copying the entire content of the user's default home folder from outside the chroot into it:

root@station:~# cd /home/michael/
root@station:/home/michael# cp -fa ./ /chroot/home/michael/

The following could also be useful:

root@station:~# cp /etc/bash.bashrc /chroot/etc/
root@station:~# cp /usr/bin/dircolors /chroot/usr/bin/
root@station:~# cp /etc/localtime /chroot/etc/
root@station:~# cp /etc/services /chroot/etc/
root@station:~# cp /etc/protocols /chroot/etc/
root@station:~# cp /usr/bin/groups /chroot/bin/

7. Test the functionality.

Let’s check the results of all the above:

root@station:~# login
station login: michael
Password:
Last login: Fri Oct 21 13:19:21 CST 2011 on pts/0
Linux station 2.6.35-30-generic #60-Ubuntu SMP Mon Sep 19 20:45:08 UTC 2011 i686 GNU/Linux
Ubuntu 10.10

Welcome to Ubuntu!
 * Documentation:  https://help.ubuntu.com/

michael@station:~$ cd /
michael@station:/$ ls
bin dev etc home lib usr var
michael@station:/$
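Seeing only bin dev etc home lib usr var confirms the confinement, but it is also worth checking what ended up inside the tree before handing it over. The jailshell script enters the chroot as root (sudo chroot) and only su drops to michael, so anything setuid or setgid, world-writable, or a device node inside the jail should be there by decision rather than by accident. The following audit is an added example of mine, not part of the original article; the function names jail_audit and build_demo_jail are assumptions, and it relies on the -perm and -type tests that both GNU and BusyBox find provide.

```shell
#!/bin/sh
# Added example (not from the original article): audit a finished chroot
# tree for the things that most often turn a jail into a liability.

# jail_audit JAIL: print one sorted line per finding, nothing if clean.
#   setuid-or-setgid  files whose mode carries the 4000 or 2000 bit
#   world-writable    files or directories with the o+w bit set
#   device-node       block or character devices (the article's jail has an
#                     empty dev/, so any node found here was added by hand)
jail_audit() {
    jail=${1%/}
    [ -d "$jail" ] || { echo "jail_audit: $jail is not a directory" >&2; return 2; }
    {
        find "$jail" -type f \( -perm -4000 -o -perm -2000 \) | sed 's/^/setuid-or-setgid /'
        find "$jail" \( -type f -o -type d \) -perm -0002    | sed 's/^/world-writable /'
        find "$jail" \( -type b -o -type c \)                | sed 's/^/device-node /'
    } | sort
}

# Constructed throw-away tree for demonstration: a setuid "su" and a
# world-writable tmp/ next to a harmless ls. Prints the tree's path.
build_demo_jail() {
    d=$(mktemp -d)
    mkdir -p "$d/bin" "$d/dev" "$d/tmp"
    printf '#!/bin/sh\n' > "$d/bin/su";  chmod 4755 "$d/bin/su"
    printf '#!/bin/sh\n' > "$d/bin/ls";  chmod 755  "$d/bin/ls"
    chmod 1777 "$d/tmp"
    printf '%s\n' "$d"
}

# Real use against the article's jail:  jail_audit /chroot
# Demonstration on the constructed tree (expects two findings):
demo=$(build_demo_jail)
jail_audit "$demo"
rm -rf "$demo"
```

An empty result is the goal for the tree built in this article: the binaries were copied with plain cp, which does not preserve setuid bits, no device nodes were created, and only michael's own home folder needs to be writable by him.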

Well, that's it. I hope it has been useful.