Making a jailed user that can only log in on Ubuntu

Recently I needed to give someone read-only access to a production database that’s sitting on top of a Virtual Private Server (VPS).

Since the database only allows connections from the localhost, you need to establish an SSH tunnel to the VPS using PuTTY. In order for the tunnel to work, the user has to be logged in. This means a shell has to be opened…

No way I was going to give that special someone access to the file system and no way I was opening up the database so you could connect to it from anywhere. I needed a shell that could only log in, nothing more.

Since I’m kind of a novice to Linux, my first guess was to use rbash, but after doing some reading (yes, reading… That’s a (Cinema) sin, right?) I found out this was like closing all the doors but with the key still in the lock.

This is what rbash restricts:

  • cd command (change directory)
  • PATH (setting/unsetting)
  • ENV aka BASH_ENV (setting/unsetting)
  • Importing functions
  • Specifying a file name containing ‘/’ as an argument
  • Specifying a file name containing ‘-’ as an argument
  • Redirecting output using ‘>’, ‘>>’, ‘>|’, ‘<>’, ‘>&’, ‘&>’
  • Turning off the restriction using ‘set +r’ or ‘set +o’

However, I noticed you could still use vi or nano to read files if you knew the exact directory path. Not a risk you’re willing to take.

It seemed there was only one option and that was to jail the user to a chroot environment. Sounds difficult, doesn’t it?

Turns out it wasn’t.

All you need is a script called jailkit.

First you’ll need to install it. It’s only available from source, no .deb packages.

I made a jail directory in the home directory and adjusted the permissions so only root has access.

Next you’ll have to do some configuring. The user I would like to have limited access for is called Mark (with a K).

Now we check the passwd file and modify it if necessary (maybe you’re more of a Zsh person). If the user needs to log into the shell using SSH, the shell should be able to use SSH connections. I’ve tried to use rbash there but that did not work.

Be very careful that you configure the /etc/passwd file in /home/jail. I lost an hour or so because I tried to edit /etc/passwd and not /home/jail/etc/passwd.

Change it so it looks something like:

And now, the final step, we add basic shell utilities to the jail.

Check the connection with PuTTY: the user should be able to log in and have nothing more than a shell. Sure, he or she can change directories or do stuff, but only in his or her jail, not in the main filesystem.
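A check to run next to the PuTTY test, added here as an example and not part of the original post: it confirms that the host passwd entry sends the login into the jail and that the shell is defined in /home/jail/etc/passwd, which catches the wrong-file mistake mentioned above. It assumes jailkit's usual conventions (host shell `jk_chrootsh`, host home written as `<jail>/./home/<user>`), a login name of `mark`, and a hypothetical script name `check_jail.sh`.

```shell
#!/bin/sh
# Added example: audit a jailkit-style jail for one user.
# Assumed jailkit conventions (not shown on the page):
#   host passwd: home = <jail>/./home/<user>, shell ends in /jk_chrootsh
#   jail passwd: shell = a real shell that exists inside the jail

# passwd_field FILE USER N -> print field N of USER's passwd entry (empty if none)
passwd_field() {
    awk -F: -v u="$2" -v n="$3" '$1 == u { print $n; exit }' "$1" 2>/dev/null || true
}

# check_jail_user USER JAIL HOST_PASSWD -> 0 if the login is confined, 1 otherwise
check_jail_user() {
    user=$1; jail=$2; host_passwd=$3; rc=0
    host_home=$(passwd_field "$host_passwd" "$user" 6)
    host_shell=$(passwd_field "$host_passwd" "$user" 7)
    jail_shell=$(passwd_field "$jail/etc/passwd" "$user" 7)

    # The host entry must hand the login to the chroot wrapper, not to a shell.
    case $host_shell in
        */jk_chrootsh) ;;
        *) echo "FAIL: host shell '$host_shell' does not chroot the login"; rc=1 ;;
    esac
    # The host home must point into the jail, with /./ marking the jail root.
    case $host_home in
        "$jail"/./*) ;;
        *) echo "FAIL: host home '$host_home' is not inside $jail"; rc=1 ;;
    esac
    # The shell is configured in the jail's own passwd and must exist in the jail.
    if [ -z "$jail_shell" ]; then
        echo "FAIL: no entry for $user in $jail/etc/passwd"; rc=1
    elif [ ! -x "$jail$jail_shell" ]; then
        echo "FAIL: jail shell $jail_shell not found inside $jail"; rc=1
    fi
    # A jail root that other users can write to can be tampered with.
    if [ -n "$(find "$jail" -prune -perm -002 2>/dev/null)" ]; then
        echo "FAIL: $jail is world-writable"; rc=1
    fi
    return $rc
}

# On the server, as root: sh check_jail.sh mark /home/jail /etc/passwd
if [ "$#" -eq 3 ]; then
    check_jail_user "$@"
fi
```

Each failed check prints one FAIL line and the exit status is non-zero if any check failed.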
