# SSH & chroot

## ruben-

Hi, I use this http://gentoo-wiki.com/HOWTO_Jail howto to get the Jail installed, and almost everything works as it should..

The users can log in and only see the home dir and the libs/etc/.. in the chroot environment, _BUT_ if they log in and use "cd ..;ls" they can see all the directories of the other users and get into their home dirs.. How can I restrict this?

- Ruben

----------

## Spindle!

Hi, try applying more restrictive access to home directories.

May be assigning each user his own group and then denying each others access?

Dani Donisa

----------

## ruben-

I used chmod 700 - still the users were able to see what's in the directories..

Isn't there a way in that jail script that I overlooked? :\

(jailshell - included with cpanelX - only shows the logged-in user's dir.. any idea?)

- Ruben

----------

## Spindle!

Sorry for this stupid question, but you configured /usr/bin/jail in your system's /etc/passwd (non-chrooted), right?

----------

## ruben-

If you mean I add this as shell of the users - yes (useradd -g users -d /var/chroot -s /usr/bin/jail username)

----------

## Spindle!

I cannot see what's wrong.

You configured the chrooted user as well?

Maybe you should file a bug with them: http://sourceforge.net/tracker/?atid=550341&group_id=77476&func=browse

----------

## ruben-

I followed the howto on gentoo wiki exactly..

----------

## Spindle!

After login with a jailed user, tail /var/log/messages and see if there are any errors.

----------

## ruben-

Dec 19 12:15:24 server0 sshd[3929]: Accepted keyboard-interactive/pam for testuser from ::ffff:192.168.1.104 port 43136 ssh2

Dec 19 12:15:24 server0 sshd(pam_unix)[3932]: session opened for user testuser by (uid=0)

----------

## Spindle!

The /var/chroot/etc/passwd, /var/chroot/etc/group and /var/chroot/etc/shadow are configured properly?

I mean, they have the values you specified for the jailed users?

Try this: enter as the jailed user and type pwd. It must echo the chroot env, not the "real" path.

----------

## ruben-

It gives "/srv/users/username", but when I go to "/", it does give the chrooted env.

----------

## Spindle!

*ruben- wrote:*

> It gives "/srv/users/username"

So if you do a "cd .." you will end up in /srv/users, and if you do an "ls" you will get /srv/users/username and (if there are more users) see them as well. Right?

----------

## ruben-

Since the homedir is "/srv/users/username" I'll be in that dir when I ssh; when I type "cd ..;ls" I get the list of the user-dirs in /srv/users..

When I cd into someone's directory I can view all the files.. But I don't want another user to be able to see other users' directories.. Not only NOT view the files, but not even view the usernames..

- Ruben

----------

## Po0ky

Is it possible you need the hardened-sources.. these add advanced security settings for chrooting and other...

----------

## Spindle!

But /srv/users/ is the non chroot home dir for the users?

----------

## ruben-

The home dir on the system is "/var/chroot", but with that shell, when it opens, it goes to "/var/chroot" and uses "/srv/users/username" as home-dir.

----------

## Po0ky

What about permissions... I imagine all users are in the same group... and by default users from the same group can list each other's files...

----------

## ruben-

Permissions are about being able to read the files; I want them to not see the homedirs of others either - as cpanelX's jailshell does..

- Ruben

----------

## Spindle!

If you want to separate the jailed users from the real users (and not let them see each other's home dirs) then you must chroot their home in a separate dir from the real users (see /home/ for real users and /var/chroot for jailed users). It should be your current config.

If you have the jailed users' home dirs in the same home dir as the real users, you can only deny reading each other's home dir with fs permission rules (the rwx bits, each user with his own group, e.g. test:test, john:john, etc).

----------

## ruben-

Ehum, I don't want the jailed users to see each other's home dir.. The real users aren't visible, that's in /home..

----------

## Spindle!

Ok, I don't know if jail has such a specific option, but you can achieve the same by putting each user in his own group and denying others read, write and execute on his home dir, or by allowing rwx to the owner and denying group and others rwx on all their home dirs.

EDIT: Maybe umasking?

----------
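The permission-bit approach Spindle! describes, worked through as an added example (this is not the jail project's code, nor a script from the thread). It goes one step beyond the posts: besides making each home under /srv/users mode 700, it removes the read bit for others on the /srv/users parent (mode 711), so a jailed user can traverse into his own home but cannot enumerate the other usernames, which is the second thing Ruben asked for. The directory tree is constructed under a temporary root standing in for /var/chroot, and the `chown` to a per-user group is left as a comment because the script is meant to run unprivileged; an audit function checks the layout afterwards.

```shell
#!/bin/sh
# Added example: lay out jailed home dirs so jailed users cannot read or
# list each other's homes. Assumes a GNU/Linux userland (ls, awk, mkdir,
# chmod). The root passed in is a constructed stand-in for /var/chroot.

# Print the 10-character symbolic mode of a path, e.g. drwx--x--x
# (substr drops a trailing '.' or '+' that ACL/SELinux systems append).
perm_of() {
    ls -ld "$1" | awk '{print substr($1, 1, 10)}'
}

# setup_jail_homes <root> <user>...
# Creates <root>/srv/users with mode 711: others may traverse ('x') into a
# home whose name they already know, but cannot list ('r') the names.
# Each user's home is created mode 700 (owner rwx, nothing for group/others).
setup_jail_homes() {
    root=$1; shift
    umask 077                      # anything created below defaults to owner-only
    mkdir -p "$root/srv/users"
    chmod 711 "$root/srv/users"
    for u in "$@"; do
        mkdir -p "$root/srv/users/$u"
        chmod 700 "$root/srv/users/$u"
        # In production, give the dir to the user and his private group:
        #   chown "$u:$u" "$root/srv/users/$u"
    done
}

# audit_jail_homes <root>
# Returns 0 only if the parent is not listable by others and every home is
# exactly drwx------; prints the first offending path otherwise.
audit_jail_homes() {
    root=$1
    parent="$root/srv/users"
    if [ "$(perm_of "$parent")" != "drwx--x--x" ]; then
        echo "BAD parent mode: $parent $(perm_of "$parent")"
        return 1
    fi
    for d in "$parent"/*/; do
        d=${d%/}
        [ -d "$d" ] || continue
        if [ "$(perm_of "$d")" != "drwx------" ]; then
            echo "BAD home mode: $d $(perm_of "$d")"
            return 1
        fi
    done
    return 0
}

# Stand-alone demo with constructed users under a temporary root.
demo_root=$(mktemp -d)
setup_jail_homes "$demo_root" alice bob
audit_jail_homes "$demo_root" && echo "ok: $demo_root/srv/users is $(perm_of "$demo_root/srv/users")"
```

With this layout a jailed user who runs "cd ..; ls" gets "Permission denied" on the listing instead of the other usernames, and "cd /srv/users/bob" fails for anyone but bob. The per-user private group is what makes the group bits safe to leave at zero; if all jailed users share one group, the 700 on each home is still what keeps them out, and the umask keeps files they create later from reopening the hole.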