Chroot jail

= Chroot Jail =

This is a guide to creating a new chroot jail on a Linux system (e.g. Ubuntu). There may be steps missing from this guide, so please exercise caution. Keep in mind that chroot is not a security boundary for processes running as root: the jailed account must be unprivileged, and the jail should contain no setuid binaries and no shells or interpreters other than rbash, since running any unrestricted shell defeats rbash's restrictions.

As root (to ensure correct ownership of dirs):

install -d -m 755 /jail
install -d -m 755 /jail/{bin,dev,etc,lib,lib64,proc,usr,usr/lib,tmp}
mknod -m 666 /jail/dev/null c 1 3   # create a /dev/null device node inside the jail
mount -t proc proc /jail/proc
cp /etc/ld.so.cache /etc/ld.so.conf /etc/nsswitch.conf /etc/hosts /etc/passwd /jail/etc/

Note that install needs -d to create directories (without it, install expects a source file and a destination), and lib64 is needed because the dynamic loader is copied there below. Copying the whole of /etc/passwd reveals every account name on the host to jailed users; a trimmed copy containing only root and the jailed account is enough for name lookups. Never copy /etc/shadow into the jail.

Copy shell - rbash is a restricted version of bash:

cp /bin/rbash /jail/bin/rbash

Copy the shared-library dependencies of every executable placed in the jail. ldd lists them:

ldd /bin/rbash
    linux-vdso.so.1 => (0x00007fff381b7000)                                   # ignore: kernel-provided vDSO, no file to copy
    libtinfo.so.5 => /lib/x86_64-linux-gnu/libtinfo.so.5 (0x00007f8ccb56e000) # copy to /jail/lib
    libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f8ccb36a000)       # copy to /jail/lib
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f8ccafaa000)         # copy to /jail/lib
    /lib64/ld-linux-x86-64.so.2 (0x00007f8ccb79c000)                          # copy to /jail/lib64

The loader path (/lib64/ld-linux-x86-64.so.2) must keep its exact absolute path inside the jail, because the kernel loads it from the path embedded in the executable. Copying the libraries to the same absolute paths they have on the host (/jail/lib/x86_64-linux-gnu/...) is the safest choice, since that is where the copied ld.so.cache says they live.

Alternatively, use the tool 'l2chroot', which automates this.

NOTE: I have had username-related problems with this approach, and solved it by instead copying all files from lib and lib64 to the jail.

Copy the locale data to avoid login warnings:

cp -r /usr/lib/locale /jail/usr/lib/

If necessary, set up the jailed shell environment (for example a PATH limited to /jail's bin directory) in the jail's /etc/profile. This is the right place for it: bash reads the startup files before enforcing the rbash restrictions, and once they are in force the user cannot change PATH.

vim /jail/etc/profile

sshd

In /etc/ssh/sshd_config (put Match blocks at the end of the file, since a Match applies to everything up to the next Match line):

Match Group restricted
    ChrootDirectory /jail/

sshd refuses to chroot unless /jail and every path component above it are owned by root and not writable by group or others. The login shell is looked up after the chroot, so the user's shell /bin/rbash must exist as /jail/bin/rbash.

Create Inmate

New users should belong to the restricted group and use rbash. Create the group first, then the user:

groupadd restricted
useradd --gid restricted --no-create-home --shell /bin/rbash USERNAME
passwd USERNAME   # or set up key-based authentication instead

Because the user did not exist when /etc/passwd was copied into the jail, copy it again (or a trimmed copy with only root and the new user) so that name lookups inside the jail succeed. With --no-create-home the home directory is missing inside the jail; either create /jail/home/USERNAME or expect sshd to warn and fall back to / at login.

Test
chroot /jail /bin/rbash # shell is relative to jail root
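The steps above collected into one script. This is an added example, not code from the original page; it assumes the jail path, user name and binaries are passed as arguments, the group is called restricted, and the NSS modules live under /lib, /lib/<triplet> or /usr/lib/<triplet> (Debian/Ubuntu layout). It goes beyond the page's step list in two ways: the ldd output is parsed instead of copied by hand, and libnss_files.so.2 is copied explicitly, because glibc loads the NSS modules named in nsswitch.conf with dlopen() and ldd never lists them, which is a common cause of user-name lookups failing inside a jail. The helpers that parse ldd output, copy files and trim the account files run without root; only build_jail needs it.

```shell
#!/bin/sh
# mkjail.sh - build a chroot jail from a list of binaries (added example).
# Assumptions (not from the original page): jail path, user and binaries are
# passed as arguments, the group is "restricted", and libnss_files.so.2 lives
# under /lib, /lib/<triplet> or /usr/lib/<triplet>.
set -u

# Constructed ldd output (the page's own listing) for the self-check below.
sample_ldd() {
    cat <<'EOF'
    linux-vdso.so.1 => (0x00007fff381b7000)
    libtinfo.so.5 => /lib/x86_64-linux-gnu/libtinfo.so.5 (0x00007f8ccb56e000)
    libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f8ccb36a000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f8ccafaa000)
    /lib64/ld-linux-x86-64.so.2 (0x00007f8ccb79c000)
EOF
}

# Print the absolute library paths from ldd output read on stdin.  Handles the
# three line shapes ldd produces: "name => /path (addr)", "/path (addr)" for
# the dynamic loader, and "name => (addr)" for the kernel vDSO, which has no
# file on disk and is skipped.
ldd_libs() {
    awk '$2 == "=>" && $3 ~ /^\// { print $3; next }
         $1 ~ /^\//               { print $1 }'
}

# Copy each file into the jail at the same absolute path, creating parents.
# cp dereferences symlinks, so the real library lands under its soname path.
copy_into_jail() {
    jail=$1; shift
    for src in "$@"; do
        mkdir -p "$jail$(dirname "$src")"
        cp -p "$src" "$jail$src"
    done
}

# Emit only the root entry and the jailed name from a passwd- or group-style
# file, instead of exposing every account on the host to the jail.
trim_accounts() {
    file=$1; name=$2
    grep -E "^(root|$name):" "$file"
}

# Root-only: build JAIL for USER containing the given binaries.
build_jail() {
    jail=$1; user=$2; shift 2
    [ "$(id -u)" -eq 0 ] || { echo "build_jail must run as root" >&2; return 1; }
    for d in bin dev etc lib lib64 proc tmp usr/lib "home/$user"; do
        mkdir -p "$jail/$d"
    done
    chmod 755 "$jail"    # sshd refuses a group- or world-writable ChrootDirectory
    [ -c "$jail/dev/null" ] || mknod -m 666 "$jail/dev/null" c 1 3
    grep -qs " $jail/proc " /proc/mounts || mount -t proc proc "$jail/proc"
    for bin in "$@"; do
        # word splitting of the ldd output is intended: one path per word
        copy_into_jail "$jail" "$bin" $(ldd "$bin" | ldd_libs)
    done
    # NSS modules are dlopen()ed by glibc, so ldd never lists them.
    for nss in /lib/libnss_files.so.2 /lib/*/libnss_files.so.2 /usr/lib/*/libnss_files.so.2; do
        if [ -e "$nss" ]; then copy_into_jail "$jail" "$nss"; fi
    done
    cp /etc/ld.so.cache /etc/ld.so.conf /etc/nsswitch.conf /etc/hosts "$jail/etc/"
    trim_accounts /etc/passwd "$user" > "$jail/etc/passwd"
    trim_accounts /etc/group restricted > "$jail/etc/group"
    cp -r /usr/lib/locale "$jail/usr/lib/"
    chown -R "$user" "$jail/home/$user"
    # Smoke test: the shell path is relative to the jail root.
    chroot "$jail" /bin/rbash -c 'echo jail ok'
}

# Usage: sh mkjail.sh /jail USERNAME /bin/rbash [more binaries...]
if [ $# -ge 3 ]; then
    build_jail "$@"
fi
```

Run it as root after creating the restricted group and the user, passing every binary the inmate should have; anything not passed (and its libraries) stays outside the jail, which is the point.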