Chroot jail in FTP?

Similar Messages

• [solved] nginx chroot jail: open() "/run/nginx.pid" Permission denied

  I used the perl script from the nginx wiki to configure chroot jail and also configured the nginx systemd unit file. When I try to start the service I get
  # systemctl start nginx
  Job for nginx.service failed. See 'systemctl status nginx.service' and 'journalctl -xn' for details.
  # systemctl status nginx.service
  nginx.service - A high performance web server and a reverse proxy server in chroot jail
  Loaded: loaded (/etc/systemd/system/nginx.service; enabled)
  Active: failed (Result: exit-code) since tis 2013-05-07 20:58:49 CEST; 4s ago
  Process: 418 ExecStartPre=/usr/bin/chroot --userspec=http:http /srv/http /usr/sbin/nginx -t -q -g pid /run/nginx.pid; daemon on; master_process on; (code=exited
  , status=1/FAILURE)
  Executing the ExecStartPre line produces the open error.
  # /usr/bin/chroot --userspec=http:http /srv/http /usr/sbin/nginx -t -q -g 'pid /run/nginx.pid; daemon on; master_process on;'
  nginx: [emerg] open() "/run/nginx.pid" failed (13: Permission denied)
  What could be causing this?
  Here's my nginx.service
  # cat /etc/systemd/system/nginx.service
  [Unit]
  Description=A high performance web server and a reverse proxy server in chroot jail
  After=syslog.target network.target
  [Service]
  Type=forking
  PIDFile=/srv/http/run/nginx.pid
  ExecStartPre=/usr/bin/chroot --userspec=http:http /srv/http /usr/sbin/nginx -t -q -g 'pid /run/nginx.pid; daemon on; master_process on;'
  ExecStart=/usr/bin/chroot --userspec=http:http /srv/http /usr/sbin/nginx -g 'pid /run/nginx.pid; daemon on; master_process on;'
  ExecReload=/usr/bin/chroot --userspec=http:http /srv/http /usr/sbin/nginx -g 'pid /run/nginx.pid; daemon on; master_process on;' -s reload
  ExecStop=/usr/bin/chroot --userspec=http:http /srv/http /usr/sbin/nginx -g 'pid /run/nginx.pid;' -s quit
  [Install]
  WantedBy=multi-user.target
  /srv/http/run
  # ls -ahl /srv/http/run/
  totalt 8,0K
  drwxr-xr-x 2 root root 4,0K 7 maj 20.53 ./
  dr-x--x--x 9 root root 4,0K 7 maj 20.16 ../
  -rw-r--r-- 1 root root 0 7 maj 20.53 nginx.pid
  edit:
  # chroot --userspec http:http /srv/http /usr/sbin/nginx
  nginx: [emerg] bind() to 0.0.0.0:80 failed (13: Permission denied)
  I tried to change the port to 8080 and got
  # chroot --userspec http:http /srv/http /usr/sbin/nginx
  nginx: [emerg] open("/dev/null") failed (13: Permission denied)
  solution:
  The problem was due to the partition being mounted nodev,nosuid.
  Last edited by seron (2013-05-08 11:25:12)

  I know this post is quite old but I wanted to say thank you to the author that you posted this solution. THANKS!!!

• Chroot-jail password problem

  I've got a running chroot-jail to allow semi-trusted users ssh-access to my webhosting server. The problem is that they can't change their passwords because `passwd` can't access files outside the chroot-jail (as it's suppose to be). I've read about someone solving this using nsswitch.conf and some sort of setup to make it possible for the users to change their passwords.
  The question is basically, how do I get around this problem, making it possible for the logged in users to change their own password?

  Oh what a tangled web we weave.  I read up on keychain and I don't understand what I'm reading.  Right now I cannot download my email on my computer, I can access it through the cloud. I'm sure it will be the same for the other iCloud feathers.   When I go to preferences and select iCloud when ever I try to sign in I get some dialog box it shows up "A keychain cannot be found to store 1076701306.  It doesn't matter whether I reset it or cancel it out iCloud preferences remains grayed out. 
  In keychain access on the left side under keychains and Read's local item, systems, and systems roots.
  When I select local items nothing shows up to the right under the name column even when down under all items is selected nothing shows up.  And nothing shows up to the right when under categories I selected the other options password etc.  On the other hand when I select under keychains systems, systems roots I do get items to show up on the right side under names under all items, passwords, etc.  Where do I start?

• MySQL, to chroot jail or not?

  I didn't know that it was ever considered to be worth it.  This is not a common practice, even in large firms I am not aware of anyone doing this. I saw not worth it.

  Hey Guys,
       We're moving to a new host for our VPS and it's a different OS, (Ubuntu, we're coming from CentOS). 
       On our previous server we chroot jailed mysqld. but now I've been doing some research and there's a bunch of people out there that say it's not even worth it to do it anymore.
       Do you guys think this is true? Should I waste my time setting up the chroot jail? or should I just install it like any other application on the server base?
  This topic first appeared in the Spiceworks Community

• About chroot jails and ACL

  I want to run rtorrent in a chroot jail. Correct me if wrong, but jailing rtorrent would consume much more RAM cause rtorrent will not use libraries that it needs and may be already in memory.
  So I wonder, why people just don't create a new user, install ACL, block everything to that user but read access to /lib and some config files, and execute permission to only the needed binaries. It would be easy to do since as I understand if you block all /bin permissions to the restricted user, all future files there will inherit those permissions. The only problem I see is that if you update, you will have to set some permissions again, easily fixed with a script. ACL seems much more easier to setup than chroot jails!
  When you run rtorrent under that restricted user, even if rtorrent is exploited, the attacker will not be able to do much, as ACL will not let him execute but basic commands.
  So, why is it that people seem to prefer chroot jails? Does installing ACL has some kind of performance penalty?

  _Mike_ wrote:Does installing ACL has some kind of performance penalty?
  Do you mean Mandatory Access Control? Filesystem ACL is already installed on every Linux system.
  When you run rtorrent under that restricted user, even if rtorrent is exploited, the attacker will not be able to do much, as ACL will not let him execute but basic commands.
  Chroot jails were not created to be used as a security tool and are very easy to break out of. Filesystem ACL is very limited in scope and also provides little security.
  You might want to look into using Mandatory Access Control (MAC) which is available with TOMOYO Linux, AppArmor, SELinux or SMACK. SELinux is the most powerful, but will take a long time to master. TOMOYO Linux is easier to use and the relevant packages are already in [community]. See the wiki page for more information.
  All MAC implementations have a small degree of performance penalty. SELinux probably has the greatest penalty, but overall you probably won't notice anything with any of the implementations.
  Last edited by jnguyen (2011-04-13 06:48:36)

• SFTP only access in chrooted jail?

  Hi
  I'm trying to make it so a user only has sftp access in a chrooted jail.
  I've tried following a couple walkthroughs with no success
  http://www.macresearch.org/restricted-sftp-mac-os-x-leopard
  http://www.debian-administration.org/articles/590
  This is 10.6.2 Server.
  I created my user and ran the following steps as root.
  chmod g-w /
  chmod g-w /Volumes/HD
  chown root /Volumes/HD
  mkdir /Volumes/HD/user_dir
  chown user /Volumes/HD/user_dir
  chmod 700 /Volumes/HD/user_dir
  I've added this to my sshd.config file:
  # override default of no subsystems
  #Subsystem sftp /usr/libexec/sftp-server
  Subsystem sftp internal-sftp
  Match User user
  X11Forwarding no
  AllowTcpForwarding no
  ChrootDirectory /Volumes/HD
  ForceCommand internal-sftp
  Here is what I get when I try to ssh or sftp:
  sftp user@localhost
  Connecting to localhost...
  Password:
  Permission denied (publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive).
  Connection closed
  Any helps is greatly appreciated.
  Thanks.

  hmmm strange. think i figured it out.
  finall went with
  Subsystem sftp internal-sftp
  Match User user
  X11Forwarding no
  AllowTcpForwarding no
  ChrootDirectory /chroot
  ForceCommand internal-sftp
  create a new dir chroot and another dir inside it.
  the Chroot must be own by root and groups or other cannot have write access to any of it.
  the dir i created inside chroot is chmod 700 and owned by my user.
  it looks like because ChrootDirectory must have the directory own by root and unwritable by others, you can't direct your user directly to their locked down dir. they must sftp in to chroot then cd to their folder.
  not sure how to get around this.

• /dev/random and chroot jail

  I have a BIND configuration in a chroot jail - Solaris 10, u8, SPARC.   I need to create a /dev/random device in the jail to go along with the other devices that already exist in the jail (such as /jail/dev/null, etc).  The man page for mknod says "With the advent of physical device naming, it would be preferable to create a symbolic link to the physical name of the device (in the /devices subtree)  rather than using mknod."  Creating a link to the actual device in /devices however would entail a link that leaves the jail, and I always thought any link leaving the jail is not secure.  Any thoughts on this?  Should I use the link as suggested by the man page or use the mknod command within the jail and create the device there?

  I have a BIND configuration in a chroot jail - Solaris 10, u8, SPARC.   I need to create a /dev/random device in the jail to go along with the other devices that already exist in the jail (such as /jail/dev/null, etc).  The man page for mknod says "With the advent of physical device naming, it would be preferable to create a symbolic link to the physical name of the device (in the /devices subtree)  rather than using mknod."  Creating a link to the actual device in /devices however would entail a link that leaves the jail, and I always thought any link leaving the jail is not secure.  Any thoughts on this?  Should I use the link as suggested by the man page or use the mknod command within the jail and create the device there?

• How to chroot a single ftp user in solaris 10

  Hi,
  I need to lock down a single ftp user so they cannot see outside of their home directory. Any advice or guides on the best way to do this?
  Thanks,

  Then you have to create a file /etc/shells (if it does not exist yet) where you have to put in every login shell with which "ftp" is allowed (i.e. if the user with the restricted shell is the only ftp user then the only entry is: /usr/lib/rsh. If you have another user with the Korn shell as login shell and this user should be able to "ftp" then you have to add the Korn shell as well).

• FTP Server chroot

  May be it is easy. In 10.6.8 Server there was a possibility such capability:
  When customer logging in to server with his user name and password (customer was created on Server) he is getting root as /Users/<CustomerLogin>.
  Today I tried to find it, But I see that I can set up only special shares but not simple users directory chroot.
  Can anybody help me with making simple FTP login to server with chrooting to users home directory?

  I ended up just setting the share of the site to a user purely associated/setup for the use of the site. But I am still curious how to setup the SSH chroot jail for "user" group, while allowing the "admin" group full reign on the server. Also still curious on how to configure SFTP to work identical to how FTP is currently functioning.

• Coldfusion chroot

  ok, so I'm trying to integrate cf8 with my apache2 inside of
  a chroot jail. when running this command:
  strace chroot /chroot/apache/
  /opt/coldfusion8/runtime/bin/coldfusion8 -jar jrun.jar -autorestart
  -start coldfusion
  i get this error:
  wait4(-1, Java HotSpot(TM) Server VM warning: Can't detect
  initial thread stack location - find_vma failed
  now, coldfusion is starting as user nobody, i have nobody in
  my /chroot/apache/etc/passwd and /chroot/apache/etc/group. Also
  I've ldd'd all the binary files in in the jre directory and i'm
  pretty sure all the libraries are in my chroot environment, i just
  don't know what else to try.
  Any hints?

  joplinfan wrote:
  > Can anyone tell me what might be wrong with this code
  that is keeping me from
  > being able to upload images through a form upload link?
  I appreciate any help
  > and I am a new to Coldfusion.
  >
  > The error occurred in
  >
  /var/chroot/home/content/W/e/b/WebPro06/html/cf_upload.cfm: line 22
  >
  > 20 : </form>
  > 21 : <cfif isdefined ("form.upload_now")>
  > 22 : <cffile accept="image/gif, image/jpeg,
  image/png" action="upload"
  > destination="/cgi/gdform.cgi" filefield="ul_path"
  > nameconflict="makeunique">Thank you! Your photograph
  has been received by THP.
  > 23 : </cfif>
  > 24 : <p> </p>
  >
  >
  >
  several things may be wrong with it:
  1) destination must be an ABSOLUTE path. use expandpath()
  function to
  get an absolute path from a relative - check the function
  syntax in cf
  reference or livedocs if you need to.
  2) what is "ul_path" you use in the filefield attribute? you
  should put
  the name of the form field of type="file" in there. if
  ul_path is a
  variable you set that holds the name of the file field in
  your form,
  surround it with #.
  as an aside, you may want to put your <cffile ...> code
  inside a <cftry>
  and use <cfcatch> to show an error if a file of wrong
  type has been
  selected. otherwise your users will see an ugly
  non-descriptive CF error
  only.
  Azadi Saryev
  Sabai-dee.com
  http://www.sabai-dee.com

• How to configure BIND (chroot) with systemd

  Hello,
  I'm following guide https://wiki.archlinux.org/index.php/BIND_(chroot). In the end there is only said how to enable service in sysvinit environment. Could someone please tell me how to do this with systemd?
  Thanks

  @toogy: what do you mean exactly by creating a systemd service?
  EDIT: for example, I've this one (in /etc/systemd/system/mynamed.service)
  [Unit]
  Description=Internet domain name server
  After=network.target
  [Service]
  ExecStart=/usr/bin/named -f -u named -4
  ExecReload=/usr/bin/rndc reload
  ExecStop=/usr/bin/rndc stop
  [Install]
  WantedBy=multi-user.target
  And according to 'man named', you can use the '-t' parameter if you want named to run in a chroot (I've never tried it):
  -t directory: Chroot to directory after processing the command line arguments, but before reading the configuration file.
  Warning: This option should be used in conjunction with the -u option, as chrooting a process running as root doesn't enhance security on most systems; the way chroot(2) is defined allows a process with root privileges to escape a chroot jail.
  Last edited by scar (2014-03-18 16:24:55)

• SSH user accounts in a jail.

  I am looking to have ssh users be able to login, but have limited access to things.
  This is specifically for web hosting users.
  Basically, they login, and are in a chrooted jail. They only have a few shell commands (manually copied into their chroot), and cannot leave their user dir.
  Any ideas. I know it has been/can be done. I just don't know how...not having much experience with chrooting and jails.
  I have read some literature on using a special jail shell, and chrooting that..but I really don't have the foggiest on this one..

  Winkie wrote:http://chrootssh.sourceforge.net/index.php?node=docs
  Has anyone tried building a chroot jail with this howto??
  It seems quite simple, but the the problem is in the part where it says to copy certain libraries to /usr/chroot/usr/lib/:  ld.so.1, libc.so.1, libdl.so.1, libgen.so.1, libmp.so.2, libnsl.so.1, libsocket.so.1.
  Some of these are not to be found in arch e.g. libgen.so.1, libsocket.so.1.
  1. Are they necessary to build this jail??

• Installing bind in chroot - regenerate environment [Abandoned]

  I'm working on trying out bind and followed the instructions in the wiki to put that in a chroot jail.  The wiki includes the following:
  Script to regenerate the chroot environment
  I use this script to (re)generate Bind chroot environment. A suitable location is /usr/local/sbin/updatebindchroot:
  My installation is generating errors having to do with this script; duplicate files, no such file, etc.  Before I work through why this is happening, I'm wondering why I even need to "regenerate the environment"
  Last edited by timm (2009-08-21 21:24:39)

  I figured out some of this, but it became a
  1.  figure out problem
  2.  take next step
  3.  find new problem
  4.  return to 1
  kind of loop, which wasn't worth the time I was putting into it.  I dropped out of bind and installed dnsmasq.  Easier and does what I need.  I still don't know why you would want to "regenerate the environment", but I guess it will take some studying of chroot at some point.

• Openssh-chroot package is gone.

  Hey everyone. A very strange thing is afoot, the openssh-chroot package seems to be missing from the community repo
  pacman -S openssh-chroot
  error: 'openssh-chroot': not found in sync db
  And, to skip the common recommendations, I'm sure that I do have community enabled in pacman.conf and I've swaped my primary mirrors in mirrorlist to make sure it wasn't a mirror issue. Also, I have done pacman -Sy / pacman -Syu so everything is updated.
  Thanks for the help, guys!

  So then I should just follow a standard setup procedure for a chroot jail, rather than using the ArchWiki? The binaries and scripts the wiki lists are not present, presumably because I lack the openssh-chroot package.

• Dies with signal 11 in a chroot environment

  Hello,
  I found out that JRockit crashes in a chrooted jail environment on
  Linux. The environment that we set up has JRockit,
  glibc, XFree86, core Linux utilities and system files, installed into it. However,
  the
  /proc filesystem is not mounted in for security reasons.
  Details on the system I use:
  Linux 2.4.22-std-smp-alt16 SMP i686
  2 Xeon CPUs (HT enabled, results in 4 virtual CPUs)
  glibc version 2.2.6
  ld version 2.14.90.0.8
  Any ideas on how to counter this? Was /proc non-inclusion a bad idea after all?
  This is the output JRockit's java executable produces (sorry, couldn't find the
  mentioned core file):
  [JRockit] WARNING: could not open /proc/meminfo for reading.
  ===== BEGIN DUMP =============================================================
  JRockit context dump produced after 0 days, 00:00:00 on Sat Apr 10 01:57:18 2004
  If you see this dump, please send it, along with as much
  information as you can on your system setup and the program
  you were running, to [email protected] Please include the
  file jrockit.10165.dump from the current directory in the bug
  report. Thank you.
  A core file will be dumped into /usr/src/RPM/BUILD/xerces-2_6_2.
  Please attach that file to your bug report.
  Error Message: Null pointer exception in native code
  Signal info : si_signo=11, si_code=1
  Version : ari-24879-20031212-1523-linux-ia32
  Threads / GC : Native Threads, GC strategy: parallel

  Hi Mikhail!
  JRockit will run into all sorts of problems if it's unable to access /proc, so
  your safest bet for now should be to map /proc into your chroot jail.
  Cheers //Johan
  Mikhail Zabaluev wrote:
  Hello,
  I found out that JRockit crashes in a chrooted jail environment on
  Linux. The environment that we set up has JRockit,
  glibc, XFree86, core Linux utilities and system files, installed into it. However,
  the
  /proc filesystem is not mounted in for security reasons.
  Details on the system I use:
  Linux 2.4.22-std-smp-alt16 SMP i686
  2 Xeon CPUs (HT enabled, results in 4 virtual CPUs)
  glibc version 2.2.6
  ld version 2.14.90.0.8
  Any ideas on how to counter this? Was /proc non-inclusion a bad idea after all?
  This is the output JRockit's java executable produces (sorry, couldn't find the
  mentioned core file):
  [JRockit] WARNING: could not open /proc/meminfo for reading.
  ===== BEGIN DUMP =============================================================
  JRockit context dump produced after 0 days, 00:00:00 on Sat Apr 10 01:57:18 2004
  If you see this dump, please send it, along with as much
  information as you can on your system setup and the program
  you were running, to [email protected] Please include the
  file jrockit.10165.dump from the current directory in the bug
  report. Thank you.
  A core file will be dumped into /usr/src/RPM/BUILD/xerces-2_6_2.
  Please attach that file to your bug report.
  Error Message: Null pointer exception in native code
  Signal info : si_signo=11, si_code=1
  Version : ari-24879-20031212-1523-linux-ia32
  Threads / GC : Native Threads, GC strategy: parallel