BeanSec Thanksgiving Edition

This year BeanSec’s November meeting falls the day before Thanksgiving. This causes the triumvirate to consider whether to make a special exception and stray from our solid “3rd Wednesday of the Month” formula or try and weather one of the busiest drinking nights of the year. A difficult question that requires some thought and perhaps some background.

One of the most successful aspects of Beansec is the organic and informal setting. It is even more “un” then your average unconference like BarCamp. We don’t even have presentations. People from the industry just sit around and drink. Sometimes they talk shop, sometimes they don’t. Getting everyone to meet was chaotic since we didn’t want to introduce a mailing list or require people to “sign up” in any way. So we introduced the idea that we would meet on a specific night of every month.

So with that in mind we will make the Thanksgiving Edition a sort of “bye” week for the founders. I think I will be the only one even in town and I may or may not make it that night. But I am assured that the Enormous Room will be packed with random people. So if you want to just come out and socialize come hang out at the ER for the night. You will have to buy your own food and alcohol this time around but I promise we will be back in regular form next month.


Creating a chroot environment in Ubuntu Edgey

I searched for a good tutorial on this and ended up cobbling together a few different ones. The article I worked the most from is Chrooted SSH HowTo which shows a general Debian Setup. In fact almost all of the article is applicable to a semi up to date Ubuntu distro. A lot of the commands are either directly from the article cited above or variations of it.

To start with we install the necessary libraries and then download and compile chroot.

cd /tmp
apt-get install libpam0g-dev openssl libcrypto++-dev libssl0.9.7 libssl-dev ssh
tar xvfz openssh-4.2p1-chroot.tar.gz
cd openssh-4.2p1-chroot
./configure –exec-prefix=/usr –sysconfdir=/etc/ssh –with-pam
make install

Next create your jail directory. This will be the place your users live in. Remember that the directory must contain all the executables they will need including rudimentary tools like cp, mv, etc. From here on out you are inside of the jail creating and mirroring files.

mkdir /home/chroot/
mkdir /home/chroot/home/
cd /home/chroot
mkdir etc
mkdir bin
mkdir lib
mkdir usr
mkdir usr/bin
mkdir dev
mknod dev/null c 1 3
mknod dev/zero c 1 5

The howto article had a really great script for automating most of the library copying.

APPS=”/bin/bash /bin/ls /bin/mkdir /bin/mv /bin/pwd /bin/rm /usr/bin/id /usr/bin/ssh /bin/ping /usr/bin/dircolors”
for prog in $APPS; do
cp $prog ./$prog

# obtain a list of related libraries
ldd $prog > /dev/null
if [ “$?” = 0 ] ; then
LIBS=`ldd $prog | awk ‘{ print $3 }’`
for l in $LIBS; do
mkdir -p ./`dirname $l` > /dev/null 2>&1
cp $l ./$l
cp /lib/ /lib/ /lib/ ./lib/

You will see an error message about not being able to stat a file (0xffffe000). I will deal with this at the end.

The next step involves copying the passwords of jailed users into the jailed directory along with the root user. The last command will work for any user by simply substituting “root” for the new jailed user (s/root/$user/;)

echo ‘#!/bin/bash’ > usr/bin/groups
echo “id -Gn” >> usr/bin/groups
touch etc/passwd
grep /etc/passwd -e “^root” > etc/passwd

You can also create a special jailed group and then use this:
grep /etc/group -e “^root” -e “^users” > etc/group

Once this is done you need to restart the SSH server to make all the changes take effect. If you have remoted into the box to do this make sure you check over everything at LEAST once more. If for some reason you have a bad configuration and your SSH server doesn’t come back up you will be really unhappy.

/etc/init.d/ssh restart

Next we create our chrooted user. The article cited works really well so I’m literally pasting this section (and linking) to it. There is an issue with a bash library and I’ll also show how to get SCP working for the jailed user. Currently SFTP isn’t working for me so I won’t show that.

Even with the chrooted SSH that we have just installed you can log in without being chrooted (which makes sense if you log in as root, for example). Now, how does the chrooted SSH decide whom to chroot and whom not? That’s easy: the chrooted SSH looks up the user who is trying to log in in /etc/passwd. If the user’s home directory in /etc/passwd has a . in it, then the user is going to be chrooted.

Example (from /etc/passwd):

user_a:x:2002:100:User A:/home/user_a:/bin/bash

This user will not be chrooted.

user_b:x:2003:100:User B:/home/chroot/./home/user_b:/bin/bash

This user will be chrooted.

Now we create the user testuser with the home directory /home/chroot/./home/testuser and the group users (which is the default group for users on Debian so you do not have to specify it explicitly):

useradd -s /bin/bash -m -d /home/chroot/./home/testuser -c “testuser” -g users testuser

Then we give testuser a password:

passwd testuser

Finally, we have to copy the line for testuser in /etc/passwd to /home/chroot/etc/passwd:

grep /etc/passwd -e “^testuser” >> /home/chroot/etc/passwd

We have already copied the users group line from /etc/group to /home/chroot/etc/group so we do not have to do this here again. If you create a chrooted user in another group than users, add this group to /home/chroot/etc/group:

grep /etc/group -e “^othergroup” >> /home/chroot/etc/group

Now try to log in to SSH as testuser. You should be chrooted and not be able to browse files/directories outside /home/chroot.

Initially this won’t work because of the bash issue I mentioned. So to fix this simply run ldd against bash and find the missing library.

ldd /bin/bash => (0xffffe000) => /lib/ (0xb7ee8000) => /lib/tls/i686/cmov/ (0xb7ee5000) => /lib/tls/i686/cmov/ (0xb7db6000)
/lib/ (0xb7f31000)

I forget which library it was now (maybe libncurses?) but don’t worry about The next step is getting SCP to work. So first copy scp to the chrooted bin directory and then make sure the following are in the chrooted lib directory.

ldd /usr/bin/scp => (0xffffe000) => /lib/tls/i686/cmov/ (0xb7fcc000) => /usr/lib/i686/cmov/ (0xb7e9d000) => /lib/tls/i686/cmov/ (0xb7e9a000) => /usr/lib/ (0xb7e86000) => /lib/tls/i686/cmov/ (0xb7e71000) => /lib/tls/i686/cmov/ (0xb7e43000) => /lib/tls/i686/cmov/ (0xb7d14000) => /lib/tls/i686/cmov/ (0xb7d11000)
/lib/ (0xb7fe7000)

Once you are done you should be able to login to your chroot environment and scp files into it. Once I figure out sftp I will post more.