Step by Step Installation Guide of Jailkit on Linux

Thanks to http://isystemadmin.com


Very often system administrators need to restrict users' access to the system, and they try various mechanisms to do so. A chroot jailed environment is the most popular method to restrict and control access to the system. But manually setting up a chroot environment is not easy. Jailkit is a set of utilities to limit user accounts to specific files using chroot.

As claimed by the developer, jailkit is known to be used in network security appliances from several leading IT security firms, internet servers from several large enterprise organizations, internet servers from internet service providers, as well as many smaller companies and private users that need to secure cvs, sftp, shell or daemon processes. In this article we will show you how you can set up your Linux system with jailkit and control your users' access to the system.

1. Prerequisites

There are some prerequisites before proceeding to the installation. They are:

  1. The jailkit source should be downloaded before starting the installation. You can download jailkit from http://olivier.sessink.nl/jailkit/index.html#download
  2. You have root privileges on the system.
  3. A C compiler (gcc preferred) and make are installed properly along with the necessary libraries.
  4. Other general Linux utilities like tar, gzip etc. are installed and readily available in the path.

2. Assumptions

The following assumptions are made throughout this guide and its instructions:

  1. The jailkit source is kept in the /soft folder. That is, create a folder named soft in /, and download jailkit into it from http://olivier.sessink.nl/jailkit/index.html#download.
  2. You can edit/create any file in the Linux system.
  3. You have a general understanding of Linux system administration, including adding and removing users, how a chroot environment works, file utilities etc. Though this is not a prerequisite for understanding and executing the steps described in this document, it will help you better understand the commands and their effects.
  4. The jail folder in which we want to put all users is /jailroot. You can use any folder, of course.
  5. The name of the user we want to put in jail, as an example, is peter.

3. Install the jailkit

3.1. Download the source

Jailkit can be downloaded in bzip2 or gzip format. Here we are taking the bzip2 file. Make sure you have write permission in the /soft folder. Let's use the wget command to download it.

We are using version 2.13. The latest release is 2.14, but the procedure will be the same. You can use the latest release though.

3.2. Extract and compile it

This portion of the document is very straightforward and simple. Just follow the instructions:

$ cd /soft
$ tar jxf jailkit-2.13.tar.bz2
$ cd jailkit-2.13
$ ./configure
$ make

3.3. Installation of the jailkit

We expect that no error occurred in the above steps. If any error occurs, fix it according to the error type and description. We didn't need root privileges for any of the above steps, but installation requires root privileges.

# cd /soft/jailkit-2.13
# make install

4. Jailkit configuration files

Jailkit installs the necessary configuration files in the /etc/jailkit folder. File names start with the jk_ prefix. So whenever we refer to a configuration file, you will find it in the /etc/jailkit folder. The good part is that we are not going to change any configuration file right now, but later on we may need to change them. The table below lists the configuration files and their purposes:

| Sl. No. | File name | Purpose |
|---|---|---|
| 1 | jk_check.ini | Describes the security parameters to be checked with the jk_check utility. |
| 2 | jk_chrootsh.ini | Configuration file that instructs jk_chrootsh about the jail settings of the user. |
| 3 | jk_init.ini | One of the most critical files for the jailkit tools. It tells jk_init how to create the chroot jail. The default configuration is OK for a 32-bit environment, but may need to be updated for 64-bit Linux. |
| 4 | jk_lsh.ini | The configuration file for the jail shell jk_lsh. |
| 5 | jk_socketd.ini | Defines how the log socket daemon jk_socketd behaves. |
| 6 | jk_uchroot.ini | Stores the settings that grant regular users the right to change root into certain directories; used by the jk_uchroot program. |
| 7 | jk_update.ini | Describes how the jail will be reconfigured if any change happens in the real system. Used by jk_update, which normally runs from cron. |

5. Creating the Jail

Creating the jail folder is very straightforward. But we may need to decide which command sets to add inside the jail. Check the configuration file jk_init.ini to decide which sets you want. The sets are defined in [ ]. You can create your own sets. The format is described in detail in the jk_init man page.

[basicshell]
comment = bash based shell with several basic utilities
paths = /bin/sh, bash, ls, cat, chmod, mkdir, cp, cpio, date, dd, echo, egrep,
users = root
groups = root
[ssh]
comment = ssh secure shell
paths = ssh
includesections = netbasics, uidbasics
devices = /dev/urandom, /dev/tty, /dev/null

Let’s say we have decided to add basic shell commands (basicshell set), some editors (editors set) and network utilities (netutils set) for our jail.

Issue the command below as root to create the jail. Remember that we decided in our assumptions that our jail is /jailroot.

# jk_init -v -j /jailroot basicshell editors netutils

Great, now our jail folder is ready to host jailed users.

6. Creating a jailed user with interactive shell

As we discussed we will use peter as the jailed user.

6.1. Create System user

Now simply create a system user, peter, with the shell /usr/sbin/jk_chrootsh. Then set a password for peter.

# useradd -g users -d /home/peter -s /usr/sbin/jk_chrootsh peter
# passwd peter

Depending on your Linux distribution and useradd command version, you may need to add the -m option after -d </home/username> to create the home directory.

6.2. Migrate the user to jail

Now we will migrate peter to the jail so that he is always restricted to the jailroot folder.

# jk_jailuser -m -j /jailroot -v -s /bin/bash peter

The command will also move the home folder from the system to the jail folder. You will see some changes in the /etc/passwd and /jailroot/etc/passwd files.

sifat:x:1000:100::/home/sifat:/bin/bash
joomla:x:1001:100::/var/www/htdocs/Joomla:/bin/bash
peter:x:1009:100::/jailroot/./home/peter:/usr/sbin/jk_chrootsh

You can see that the home folder of peter has now changed to /jailroot/./home/peter, which means the jk_chrootsh program will treat /jailroot as the chroot for peter, and his home will be /home/peter inside the /jailroot folder.
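The /./ convention described above can be checked across all accounts. The script below is an added example, not part of the original article or of jailkit: it lists every account whose shell is jk_chrootsh, splits the home field at /./ into jail and in-jail home, and flags entries that would not work. The function names, the PREFIX parameter and the sample accounts alice and bob are assumptions made for illustration.

```sh
#!/bin/sh
# Added example, not from the original article.
# audit_jails PASSWD_FILE [PREFIX]: report every account whose shell is
# jk_chrootsh as "user jail home status". PREFIX (hypothetical helper
# parameter) is prepended to jail paths so a copied tree can be checked.
#   OK       /./ separator present, user listed in <jail>/etc/passwd,
#            home directory exists inside the jail
#   NOSEP    home field has no /./ separator
#   NOENTRY  user missing from <jail>/etc/passwd
#   NOHOME   home directory missing inside the jail
audit_jails() {
    passwd_file=$1
    prefix=${2:-}
    awk -F: '$7 ~ /\/jk_chrootsh$/ { print $1 ":" $6 }' "$passwd_file" |
    while IFS=: read -r user home; do
        case $home in
            ?*/./*) jail=${home%%/./*}; inner=/${home#*/./} ;;
            *) echo "$user - $home NOSEP"; continue ;;
        esac
        if ! awk -F: -v u="$user" '$1 == u { f = 1 } END { exit !f }' \
                "$prefix$jail/etc/passwd" 2>/dev/null; then
            status=NOENTRY
        elif [ ! -d "$prefix$jail$inner" ]; then
            status=NOHOME
        else
            status=OK
        fi
        echo "$user $jail $inner $status"
    done
}

# Constructed sample data: a throwaway tree mirroring the article's layout.
demo() {
    t=$(mktemp -d)
    mkdir -p "$t/jailroot/etc" "$t/jailroot/home/peter"
    echo 'peter:x:1009:100::/home/peter:/bin/bash' > "$t/jailroot/etc/passwd"
    cat > "$t/passwd" <<'EOF'
sifat:x:1000:100::/home/sifat:/bin/bash
peter:x:1009:100::/jailroot/./home/peter:/usr/sbin/jk_chrootsh
alice:x:1010:100::/home/alice:/usr/sbin/jk_chrootsh
bob:x:1011:100::/jailroot/./home/bob:/usr/sbin/jk_chrootsh
EOF
    audit_jails "$t/passwd" "$t"
    rm -rf "$t"
}

demo
```

On a live system, run `audit_jails /etc/passwd` as root with no prefix; any line that does not end in OK is an account that was given the jk_chrootsh shell without being fully migrated by jk_jailuser.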

7. Testing user login with Putty

Now open any login client that your system supports. We prefer the PuTTY client. Connect PuTTY to your system and log in as peter with the proper credentials. Try issuing some commands and you will see that you are now inside the jail.

login as: peter
peter @ 192.168.179.128's password:
Last login: Mon Apr 16 20:12:23 2012 from 192.168.179.1
Linux 2.5.21.5-smp.
bash-3.1$ pwd
/home/peter
bash-3.1$ ls /
bin dev etc home lib usr
bash-3.1$

8. Adding new commands for jailed users

Very often you will need to give jailed users commands that are available to non-jailed users. Use the jk_cp command to add them properly. Simply copying the binaries will not be enough, because they may have other dependencies. Let's say we want to add the /custom/command command for the jailed users; we run:

# jk_cp -j /jailroot -v /custom/command

Now /custom/command will be available for any jailed user.
