Jail

Introduction
The Jail Chroot Project is an attempt to write a tool that builds a chrooted environment. Much of the following is based closely on the documentation provided at the Program's original homepage. You can just chroot any user who logs in on your server into their home directory, or you can run some services as FTP or SSHD there.

A difficult step when building a chrooted environment is to set up the right libraries and files. Jail comes with a tool that automatically configures and builds all the required files, directories and libraries.

Jail supports lots of interesting features:
 * Support for multiple users in a single chrooted environment.
 * Fully customizable user shell.
 * Support for multiple servers: telnetd, sshd, ftpd...
 * Allows one to run any kind of program as a shell.

How jail interacts with the login process
Before you'll configure Jail, it is wise to know a little about how Jail works.

As you can see in the following diagram, Jail begins by obtaining the user's information from the non-chrooted /etc/passwd. This file indicates that Jail is activated for a user and it also specifies the target directory of the chroot. Jail is activated by using the file "jail" as the user shell in the non-chrooted environment.

When the user logs in, Jail changes the directory to the one specified in the the non-chrooted /etc/passwd file and then calls chroot from this directory, thus creating the chrooted environment. After this call, Jail can only see the files under the chrooted directory. Jail then sets up some environment variables, i.e. the HOME and the SHELL variable that will be used by the real shell.

http://www.jmcresearch.com/projects/jail/img/flow.gif

Jail then gets the user's information from the /etc/passwd file in the chrooted environment, and checks if the user home directory is the same as the user home directory information that was read from the non-chrooted file. If they are the same, then the HOME variable is set to '/'. Otherwise Jail changes to this directory, and changes the HOME variable to this one.

Lastly, Jail sets up enviroment variables again, SHELL is set up with the information read from the chrooted /etc/passwd file. Jail replaces itself with the shell program stored in the SHELL variable, runing the shell.

Adding a normal system user with useradd
You'll probably need the system user in both environments, so you should first add him to the unrestricted environment. Your nick name for the test user used in the examples will be prisoner. All the magic resides on the /etc/passwd file. The line in this file has to fit the uid an gid fields password, etc. The line should look something like this:

Note the /var/chroot field. This is the root directory of the chroot environment for this user. All you need to do with gentoo is this:

Creating the Jail Environment
mkjailenv creates the directories, and generates the basic filesystem layout with the special devices. mkjailenv has been written in perl.

These are the command line arguments: mkjailenv chrootdir

Argument Description: chrootdir           The directory where the chrooted environment will live. It its the home entry in the non-chrooted /etc/passwd file.

Invocation example:

This will create the chrooted enviroment under the directory /var/chroot.

Adding users to the Jail
The tool addjailuser edits the chrooted /etc/passwd automatically and creates the user directories. Addjailuser has been written in perl script.

These are the command line arguments: addjailuser chrootdir userdir usershell username

Argument Description: chrootdir          The directory where the chrooted environment will live. It its the home entry in the non-chrooted /etc/passwd file

userdir            The directory inside the chrooted enviroment when the user will live, in this example, /home/prisoner.

usershell          The user's shell full path (e.g. /bin/bash)

username           The user's name.

In this example, Userinvocation would look like this:

This will add a user under the directory /var/chroot setups the home directory of the prisoner into /home/prisoner, and selects /bin/bash as default shell for the user prisoner. Also edits the chrooted /etc/passwd, /etc/group and /etc/shadow to configure the jail properly.

Adding software to Jail
The tool addjailsw will copy programs and their dependencies (libraries, auxiliar files, special devices) into the right places in the chrooted environment. addjailsw has been written in perl.

These are the command line arguments: addjailsw chrootdir [-D] [-P program args]

Argument Description: chrootdir                   The directory where the chrooted environment will live. It its the home entry in the non-chrooted / etc/passwd file

-P program "args" (optional) Installs the specific program "program" into the chrooted environment. The script uses the "args" parameter to launch the program with the specific arguments needed to allow the program exit nicely so that strace can do its work. See addjailsw's code for in-deep details.

-D                          Shows detailed information

Invocation examples:

or

or

The first example will add the standard programs under the /var/chroot directory. The second example will do the same as the first, but will also show which files are going to be copied in /var/chroot. The third example will install the program bash, and when launched in the strace call, the argument "--version" will be passed to it (so bash will exit immediately). You will definetly need a bash, if you want to login to the chroot jail!!

Gentoo specific
For some reason, the addjailsw tool does not fetch the ld-linux.so.2, which leads to the error "execve: File or Directory doesn't exist", so you need to copy it manually.

but if architecture is amd64 then

That's all, folks! Now you can add whatever you want to the chroot. You can even start another chrooted environment in another directory.

If the chroot environment can access IP address but no domain-name ("Name or service not known") :

but if architecture is amd64 then

Screen in your jail
If you want to run a screen in your jail you must mount the /dev and /dev/pts filesystem in your jail.

and

I did need these too (not sure about security but works):

http://forums.gentoo.org/viewtopic-p-3179496.html

Irssi
Instructions for running the irssi irc client in a chroot jail can be found here.

If you get an error message like:

setupterm failed for TERM=xterm: 0 Can't initialize screen handling, quitting. You can still use the dummy mode with -d parameter

Then try running irssi under a Screen session.

You can find the IP addresses with:

then

outside the jail.

You may also need to do something like

to get extra irssi scripts working.

Credits

 * Thanks to Juan M. Casillas for the program!