SSH and SFTP Chroot Jail

Let’s get Jailed!

Step 1: Create your chroot directories

I’ve seen a few strategies for this including placing the chroot directory under /var/chroot.

In this case all of the clients on this server have a public_html subdirectory structure under their home directories. To make it easy to see who’s been jailed we’ll put our chroot jail in /home.

#Create our directories
sudo mkdir -p /home/jail/{dev,etc,lib,lib64,usr,bin,home}
sudo mkdir -p /home/jail/usr/bin

#Set owner
sudo chown root:root /home/jail

#Needed for the OpenSSH ChrootDirectory directive to work: sshd refuses to chroot into a
#directory that is group- or world-writable or not owned by root, and it applies the same
#test to every parent directory (/home and / included)
sudo chmod go-w /home/jail
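The ownership and mode rules above apply to every directory on the path to the jail, not just /home/jail itself, and a violation shows up only as a refused login with "bad ownership or modes for chroot directory component" in the auth log. The following script, added here as an example and not part of the original post, walks that path and reports any component sshd would reject. component_ok and check_chroot_path are names chosen for this example, and the optional UID argument (default 0, root) exists only so the check can be tried on a directory you own.

```bash
#!/bin/bash
# chroot_path_check.sh - pre-flight check for an OpenSSH ChrootDirectory.
# sshd only chroots into a directory if it and every parent are owned by root
# and are neither group- nor world-writable. (Example script, not from the post.)
set -eu

# component_ok DIR [UID]: succeed if DIR is owned by UID (default 0 = root)
# and has neither the group-write nor the other-write bit set.
component_ok() {
  local dir="$1" want_uid="${2:-0}" uid mode
  uid=$(stat -c %u "$dir")    # numeric owner (GNU stat, Linux)
  mode=$(stat -c %a "$dir")   # octal mode, e.g. 755 or 1777
  [ "$uid" = "$want_uid" ] || return 1
  # 8#022 is group-write | other-write; any overlap is a rejection
  [ $(( 8#$mode & 8#022 )) -eq 0 ] || return 1
}

# check_chroot_path DIR [UID]: walk from DIR up to / and print every component
# that would make sshd refuse the chroot. Returns 0 only if all of them pass.
check_chroot_path() {
  local dir="$1" want_uid="${2:-0}" comp rc=0
  comp=$(readlink -f "$dir")   # sshd checks the real path, so resolve symlinks
  while :; do
    if ! component_ok "$comp" "$want_uid"; then
      printf 'FAIL %s (owner %s, mode %s)\n' "$comp" \
        "$(stat -c %U "$comp")" "$(stat -c %a "$comp")" >&2
      rc=1
    fi
    [ "$comp" = "/" ] && break
    comp=$(dirname "$comp")
  done
  return $rc
}

# Usage: ./chroot_path_check.sh /home/jail
if [ "$#" -gt 0 ]; then
  check_chroot_path "$1" && echo "OK: $1 is an acceptable ChrootDirectory"
fi
```

Run it after creating the jail and again after any change to /home permissions; a world-writable /home, which some provisioning scripts leave behind, breaks every chrooted login even though /home/jail itself is fine.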

Step 1b: Choose your commands

We’ll offer a limited set of userspace applications. For each one you need to copy the binary into the jail at the same path it has on the host, and also copy every shared library it links against (the dynamic loader included), since nothing outside the jail is visible once the session is chrooted.

Allan Field pointed me to a handy script that can be used for bringing binary dependencies over for a given executable (as opposed to manually – via ldd and copying the results.)

The script can be found here…

We’re going to offer bash, cp, ls, mv, clear, and mkdir to our jailed users (for starters).

#First the binaries
cd /home/jail/bin
sudo cp /bin/bash .
sudo cp /bin/ls .
sudo cp /bin/cp .
sudo cp /bin/mv .
sudo cp /bin/mkdir .

#Now our l2chroot script to bring over dependencies
#(its jail base directory must be set to /home/jail first)
sudo l2chroot /bin/bash
sudo l2chroot /bin/ls
sudo l2chroot /bin/cp
sudo l2chroot /bin/mv
sudo l2chroot /bin/mkdir

(This should really be wrapped up into a single bash script that takes both the binary and its dependencies).

The clear command requires terminal definitions…

# clear command
cd /home/jail/usr/bin
sudo cp /usr/bin/clear .
sudo l2chroot /usr/bin/clear
#Add terminal info files - so that clear, and other terminal aware commands will work.
cd /home/jail/lib
sudo cp -r /lib/terminfo .
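The copy-the-binary-then-run-l2chroot pairs above can be folded into one script, as the note earlier suggests. Here is such a script, added as an example; it is neither l2chroot nor part of the original post. It copies the binary and every library ldd reports for it, each to the same absolute path below the jail, warns when ldd cannot resolve a dependency, and tolerates statically linked binaries. JAIL, deps_from_ldd, copy_into_jail and install_into_jail are names chosen for this example.

```bash
#!/bin/bash
# jail_install.sh - copy a binary plus its shared-library dependencies into a
# chroot, preserving absolute paths below $JAIL. (Example script, not from the post.)
set -eu

JAIL="${JAIL:-/home/jail}"

# deps_from_ldd: read `ldd` output on stdin, print one library path per line.
# ldd emits three shapes of line; only the first two name a real file:
#   libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x7f...)   -> copy $3
#   /lib64/ld-linux-x86-64.so.2 (0x7f...)                     -> copy $1
#   linux-vdso.so.1 (0x7f...)                                 -> kernel-provided, skip
# "libfoo.so => not found" is reported on stderr so it is not silently lost.
deps_from_ldd() {
  awk '
    $2 == "=>" && $3 ~ /^\//  { print $3; next }
    $2 == "=>" && $3 == "not" { print "WARNING: " $1 " not found on host" > "/dev/stderr"; next }
    $1 ~ /^\//                { print $1 }
  '
}

# copy_into_jail JAIL FILE: copy FILE to JAIL/FILE, creating parent directories.
# -L follows symlinks (libc.so.6 -> libc-2.xx.so) so no dangling links end up
# inside the jail; -p keeps the mode. Prints the destination path.
copy_into_jail() {
  local jail="$1" src="$2"
  local dst="$jail$src"
  mkdir -p "$(dirname "$dst")"
  cp -Lp "$src" "$dst"
  printf '%s\n' "$dst"
}

# install_into_jail JAIL BINARY: copy BINARY and everything ldd finds for it.
# Only run this on binaries you trust: ldd may execute the program it inspects.
install_into_jail() {
  local jail="$1" bin="$2"
  [ -x "$bin" ] || { echo "not an executable: $bin" >&2; return 1; }
  copy_into_jail "$jail" "$bin"
  # For a static binary ldd prints "not a dynamic executable" and exits 1;
  # there is nothing to copy in that case, so its failure is not an error here.
  ldd "$bin" 2>/dev/null | deps_from_ldd | while IFS= read -r dep; do
    copy_into_jail "$jail" "$dep"
  done
}

# Usage: sudo JAIL=/home/jail ./jail_install.sh /bin/bash /bin/ls /bin/cp /bin/mv /bin/mkdir
for bin in "$@"; do
  install_into_jail "$JAIL" "$bin"
done
```

The libraries copied into the jail are snapshots: a package upgrade of libc or bash on the host does not touch them, so re-run the script for every jailed binary after patching, or the jail keeps running the old, possibly vulnerable, versions.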

Step 2: Create your user and jail group

Create the jail group:

sudo groupadd jail

You can either create a new user with a home directory inside the jail, or copy (preserving ownership, and removing the original afterwards) the home directory of an existing user into /home/jail/home.

sudo adduser --home /home/jail/home/username username

If you create the user this way, the directory is created inside the jail, but the home path recorded in /etc/passwd (/home/jail/home/username) does not exist once sshd has chrooted the session: from inside the jail that same directory is /home/username. Edit the passwd entry back to /home/username (for example with usermod -d) so the login lands in the right place.

Now add the user to the jail group:

sudo addgroup username jail

Step 3: Update sshd_config

We’re going to edit the sshd_config file, removing the ForceCommand internal-sftp directive, since we don’t want to limit our users to SFTP (you could maintain a second group and configuration for this). Two things to check while you are in there: the SFTP subsystem must be the in-process one, Subsystem sftp internal-sftp, because the external sftp-server binary does not exist inside the jail; and Match blocks must come after all the global directives, since everything from the first Match to the end of the file belongs to a Match block.

Match Group jail
    ChrootDirectory /home/jail
    X11Forwarding no
    AllowTcpForwarding no

We’ve chrooted to /home/jail, and both SFTP and SSH logins will start in the user’s home directory below the jail, provided the home path in /etc/passwd is the path as seen from inside the jail (/home/username, which is /home/jail/home/username on the host).
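Here, as an added example rather than the original post’s configuration, is how a shell group and an SFTP-only group can sit side by side in sshd_config, together with the Subsystem line a chrooted SFTP login depends on. The group name sftponly is an assumption for the example; jail is the group created above.

```text
# Global section: the in-process SFTP server. The classic
#   Subsystem sftp /usr/lib/openssh/sftp-server
# would fail for chrooted users, because that binary is not inside the jail.
Subsystem sftp internal-sftp

# Shell + SFTP users: chrooted, but may run the binaries copied into the jail
Match Group jail
    ChrootDirectory /home/jail
    X11Forwarding no
    AllowTcpForwarding no
    AllowAgentForwarding no
    PermitTunnel no

# SFTP-only users (hypothetical group name): same jail, no shell at all
Match Group sftponly
    ChrootDirectory /home/jail
    ForceCommand internal-sftp
    X11Forwarding no
    AllowTcpForwarding no
    AllowAgentForwarding no
    PermitTunnel no
```

Run sshd -t before restarting to catch syntax errors. A login that is refused with "bad ownership or modes for chroot directory component" in the auth log is a permissions problem on the jail path, not a configuration problem.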

Restart the sshd daemon, and you’re ready to go:

sudo /etc/init.d/ssh restart

or

sudo service ssh restart

Try logging in via SSH or SFTP: your jailed user is dropped into their home directory under /home/jail/home, with only the binaries you copied in and no view of the parent filesystem. Two caveats. The set of commands is only as limited as the jail’s contents, so a user who can both upload files and run a shell can bring in their own statically linked binaries. And sshd performs the chroot after authentication, so nothing in the jail needs to be setuid; don’t copy in anything that is (su, sudo, ping), since a setuid root binary is the classic way out of a chroot.

Step 4: Bonus marks – give the user MySQL access

I’d like users to be able to upload and configure a site, including being able to perform MySQL dumps and restores. Here’s how to give them a MySQL prompt.

#Binaries for MySQL Client
sudo mkdir -p /home/jail/usr/local/mysql/bin
cd /home/jail/usr/local/mysql/bin
sudo cp /usr/local/mysql/bin/mysql .
#Bring over the dependencies ldd can see
sudo l2chroot /usr/local/mysql/bin/mysql
#One library is loaded at runtime rather than linked, so l2chroot misses it
sudo mkdir -p /home/jail/lib/x86_64-linux-gnu
cd /home/jail/lib/x86_64-linux-gnu
sudo cp /lib/x86_64-linux-gnu/ .

Note the ‘undiscovered’ dependency on

Wrapping Up!

This is a nice and simple solution that works thanks to OpenSSH’s built-in ChrootDirectory directive. Because sshd authenticates before it chroots, the jail does not need its own copy of /etc/passwd for logins to work (though ls -l and the bash prompt will show numeric IDs until you copy the relevant lines into /home/jail/etc/passwd and /home/jail/etc/group), and the whole thing could fairly easily be wrapped up into a consolidated shell script for creating, updating and adding applications to the jail.

