
Sjoerd's user-chroot-HOWTO 29-10-2001

Introduction

This HOWTO briefly explains how to chroot a user at login. After the user has logged in, he is confined to one directory, which becomes his root directory. See the chroot manual pages for more details about chroot.

Configuration

You have to configure two things:

  • /etc/passwd
  • a chroot directory

Configuring /etc/passwd

ftp:x:604:604:FTP,,,:/pub/ftp/:*
The important thing is the star in the shell field (the last field). It tells login that, after authenticating the user, it must chroot to the user's home directory (here /pub/ftp) and start another login session inside it.

Note: Two login sessions are started, and unless you arrange otherwise the user has to give his password twice. The second login runs inside the chroot and authenticates against the chroot's own etc/passwd and etc/shadow, which is why those files appear in the listing below.

Setting up the chroot directory

(In the original listing, links and directories were marked by colour. In plain text: entries ending in / are directories, the rest are files copied from the host.)

  • bin/bash
  • bin/login
  • dev/
  • etc/group
  • etc/pam.conf
  • etc/pam.d/
  • etc/passwd
  • etc/shadow
  • lib/ld-2.2.4.so
  • lib/libc-2.2.4.so
  • lib/libcrypt-2.2.4.so
  • lib/libdl-2.2.4.so
  • lib/libhistory.so.4.2
  • lib/libncurses.so.5.2
  • lib/libpam.so.0.72
  • lib/libpam_misc.so.0.72
  • lib/libreadline.so.4.2

You need a login program and a shell: /bin/login and /bin/bash. Both are dynamically linked, so the libraries they need must be in the chroot as well; find out which ones by running ldd on each binary (ldd /bin/login, ldd /bin/bash). login also needs the PAM configuration files (etc/pam.conf, etc/pam.d/) and some device nodes in the dev directory. My dev dir contains zero, null and the result of /dev/MAKEDEV console (before I added the latter, login reported that it couldn't find my tty). The links in the lib dir are the same as in the directory I copied the libraries from: each soname (libc.so.6, for example) must be a link to the copied file, or the dynamic loader will not find it.

One can test the new root directory by executing:

  • chroot . /bin/bash
  • chroot . /bin/login

where . is the directory you want to use for the chroot. Both tests must be run as root, which is also how login runs at login time: the second login runs as root inside the chroot and trusts the etc/passwd, etc/shadow, binaries and libraries it finds there. None of these files may be writable by the chrooted user, and etc/shadow should be readable by root only, or the chroot protects nothing. If the first test works but the second does not, check what the chrooted login tries to open (for example with strace -f chroot . /bin/login) against the listing above; a missing library, PAM module or device node is the usual cause.
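The procedure above as one shell script. This is an added example, not Sjoerd's own script: it resolves the libraries with ldd and copies them with their soname links, creates the device nodes, copies the PAM, passwd, shadow and group files, and runs the two chroot tests. The user name ftp, the chroot /pub/ftp, the tty1 device node, the choice of / as the user's home inside the chroot and the PAM module search paths are assumptions, not taken from the HOWTO.

```shell
#!/bin/sh
# Build the login chroot described in the HOWTO: copy /bin/login and /bin/bash
# with the libraries ldd reports, create the device nodes, and copy the PAM,
# passwd, shadow and group files that the second (chrooted) login reads.
# Added example, not the HOWTO's own script. Assumed: user "ftp", chroot
# /pub/ftp, the tty1 node, home "/" inside the chroot, PAM module locations.
set -eu

# ldd_libs: print the library paths from ldd(1) output read on stdin.
# ldd prints "libc.so.6 => /lib/libc.so.6 (0x...)" for libraries and a bare
# "/lib/ld-2.2.4.so (0x...)" for the dynamic loader; vdso entries have no
# path and "=> not found" lines are skipped rather than copied.
ldd_libs() {
    awk '$2 == "=>" && $3 ~ /^\// { print $3; next }
         $1 ~ /^\//                { print $1 }'
}

# copy_with_libs ROOT FILE: copy FILE under ROOT plus every library it needs.
# The real file (e.g. libc-2.2.4.so) is copied and the soname (libc.so.6) is
# recreated as a symlink, so the chroot's lib/ mirrors the host's.
copy_with_libs() {
    root=$1; file=$2
    mkdir -p "$root$(dirname "$file")"
    cp -p "$file" "$root$file"
    ldd "$file" | ldd_libs | while read -r lib; do
        real=$(readlink -f "$lib")
        mkdir -p "$root$(dirname "$real")" "$root$(dirname "$lib")"
        cp -p "$real" "$root$real"
        [ "$real" = "$lib" ] || ln -sf "$real" "$root$lib"
    done
}

# host_passwd_entry NAME UID GID GECOS HOME: the host /etc/passwd line whose
# '*' shell makes login chroot to HOME and run login again.
host_passwd_entry() {
    printf '%s:x:%s:%s:%s:%s:*\n' "$1" "$2" "$3" "$4" "$5"
}

# inner_passwd_line LINE: the same user for the chroot's own etc/passwd. The
# '*' must not be repeated there (login would chroot again), and the old home
# path does not exist inside the chroot, so home becomes / (an assumption; the
# HOWTO does not say what it used) and the shell becomes /bin/bash.
inner_passwd_line() {
    printf '%s\n' "$1" |
        awk -F: -v OFS=: '$7 == "*" { $6 = "/"; $7 = "/bin/bash" } { print }'
}

# make_devices ROOT: null, zero and what the HOWTO got from MAKEDEV console.
# login opens the tty it was started on, so that node must exist too: tty1
# (major 4, minor 1) here for the first virtual console; adjust for yours.
make_devices() {
    root=$1
    mkdir -p "$root/dev"
    mknod -m 666 "$root/dev/null"    c 1 3
    mknod -m 666 "$root/dev/zero"    c 1 5
    mknod -m 600 "$root/dev/console" c 5 1
    mknod -m 666 "$root/dev/tty"     c 5 0
    mknod -m 620 "$root/dev/tty1"    c 4 1
}

# copy_pam_modules ROOT: login's PAM config names modules (pam_unix.so, ...)
# that the inner login dlopen()s, so they and their libraries are needed too.
# The trailing slashes make find descend even when /lib is a symlink.
copy_pam_modules() {
    root=$1
    cat "$root/etc/pam.conf" "$root"/etc/pam.d/* 2>/dev/null |
        grep -o 'pam_[a-z0-9_]*\.so' | sort -u | while read -r mod; do
            path=$(find /lib/ /usr/lib/ -name "$mod" 2>/dev/null | head -n 1)
            if [ -n "$path" ]; then
                copy_with_libs "$root" "$path"
            else
                echo "warning: $mod not found on host" >&2
            fi
        done
}

# build_chroot ROOT USER: assemble the tree and run the HOWTO's two tests.
# Must run as root (mknod and chroot need it).
build_chroot() {
    root=$1; user=$2
    mkdir -p "$root/etc/pam.d" "$root/lib"
    copy_with_libs "$root" /bin/bash
    copy_with_libs "$root" /bin/login
    make_devices "$root"
    [ -f /etc/pam.conf ] && cp -p /etc/pam.conf "$root/etc/"
    [ -f /etc/pam.d/login ] && cp -p /etc/pam.d/login "$root/etc/pam.d/"
    copy_pam_modules "$root"
    # Only this user's entries go in. The chrooted login runs as root and
    # trusts these files, so the user must never be able to write them.
    grep "^$user:" /etc/passwd | while read -r line; do
        inner_passwd_line "$line"
    done > "$root/etc/passwd"
    [ -s "$root/etc/passwd" ] || { echo "no user $user in /etc/passwd" >&2; return 1; }
    grep "^$user:" /etc/shadow > "$root/etc/shadow"
    grep "^$user:" /etc/group  > "$root/etc/group"
    chmod 644 "$root/etc/passwd" "$root/etc/group"
    chmod 600 "$root/etc/shadow"
    chroot "$root" /bin/bash -c 'echo "shell ok, root is $(pwd)"'
    chroot "$root" /bin/login
}

# Usage (as root): sh mkchroot.sh build /pub/ftp ftp
# then: host_passwd_entry ftp 604 604 'FTP,,,' /pub/ftp/ >> /etc/passwd
case "${1:-}" in
    build) build_chroot "$2" "${3:-ftp}" ;;
esac
```

The tty1 node covers a login on the first virtual console; for ssh or telnet logins the tty is a pseudo-terminal, so the chroot needs a devpts mount under dev/pts instead. Anything the inner login still fails to open (login.defs, utmp and wtmp are common candidates, although the HOWTO did without them) shows up under strace -f.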