#1 waz (Just Joined!; Join Date: Feb 2012; New Zealand)

    SSH into chroot jail (restricted SSH session)

    I can successfully run a listening Bazaar server in a chroot installation and SSH tunnel the appropriate port (using the process described below), but cannot use bzr+ssh to access the chrooted repository. Does anyone know if it's possible to use bzr+ssh in a chroot environment?


    I've just spent several hours doing something that I thought would be much simpler than it was. I wanted to allow others to access my Bazaar repositories over SSH (bzr+ssh). These users may be people I don't trust much, so I didn't want them to even see what is in the other directories (setting the user's shell to rbash allows them to ls other directories). I've outlined my solution below; it may not be the simplest solution, but it seems to work and may be of use to someone. Perhaps more experienced members could suggest some improvements.

    For the record, I'm using Ubuntu 10.04 LTS, GNU bash version 4.1.5 and OpenSSH_5.3p1 Debian-3ubuntu7.

    I followed the instructions in [{URL}][/{URL}] to create a chrootable Ubuntu installation. I chose to put this in /srv/chroot/lucid/bzr. Here is the relevant extract from my /etc/schroot/schroot.conf:
    description=Ubuntu Lucid for Bazaar
    Of course, I didn't worry about the X server stuff that's discussed in the above link. I realise that a whole new install is complete overkill for what I'm trying to achieve, but, oh well.

    Then I used
    sudo schroot --chroot=lucid
    to jump into the new installation and used
    adduser bzr
    to make a regular user with a regular home directory (that is /home/bzr from the perspective of the new installation, or /srv/chroot/lucid/bzr/home/bzr from the perspective of the parent installation).

    Back in the main (parent) installation, I made a user called bzr and a group called chroot. I made bzr a member of the chroot group (I set bzr's uid to less than 1000 so it wouldn't appear in the login screen).
    root:~# adduser --no-create-home --uid 999 bzr
    Adding user `bzr' ...
    Adding new group `bzr' (999) ...
    Adding new user `bzr' (999) with group `bzr' ...
    Not creating home directory `/home/bzr'.
    Enter new UNIX password: 
    Retype new UNIX password: 
    passwd: password updated successfully
    Changing the user information for bzr
    Enter the new value, or press ENTER for the default
        Full Name []: Bazaar User
        Room Number []: 
        Work Phone []: 
        Home Phone []: 
        Other []: 
    Is the information correct? [Y/n] 
    root:~# mkdir /home/bzr
    root:~# sudo usermod -d /home/bzr/ bzr
    root:~# addgroup chroot
    Adding group `chroot' (GID 1006) ...
    root:~# usermod -aG chroot bzr
    root:~# groups bzr
    bzr : bzr chroot
    Note that this bzr user of the parent installation is distinct from the bzr user of the new installation; I just wanted to give it the same user name.

    Next I created some configuration files in bzr's home directory:
    root:~# cd ~bzr
    root:/home/bzr# echo 'schroot --chroot=lucid --directory=/home/bzr --user=bzr
    > exit' > .bashrc
    root:/home/bzr# for i in .bash_profile .bash_login; do echo '. .bashrc' > $i; done
    root:/home/bzr# echo '' > .bash_logout 
    root:/home/bzr# chown root:chroot .
    root:/home/bzr# chmod g+w .
    root:/home/bzr# ls -lsa
    total 28
    4 drwxrwxr-x 2 root chroot 4096 2012-02-05 10:47 .
    4 drwxr-xr-x 9 root root   4096 2012-02-05 17:19 ..
    4 -rw-r--r-- 1 root root     10 2012-02-05 17:28 .bash_login
    4 -rw-r--r-- 1 root root      1 2012-02-05 17:29 .bash_logout
    4 -rw-r--r-- 1 root root     10 2012-02-05 17:28 .bash_profile
    4 -rw-r--r-- 1 root root     61 2012-02-05 17:28 .bashrc
    root:/home/bzr# head .bash*
    ==> .bash_login <==
    . .bashrc
    ==> .bash_logout <==
    ==> .bash_profile <==
    . .bashrc
    ==> .bashrc <==
    schroot --chroot=lucid --directory=/home/bzr --user=bzr
    So, whenever the (parent installation's) bzr user tries to log in (either with su or ssh) they will be jailed in /srv/chroot/lucid/bzr as the bzr user of the new installation. When they exit out of the schroot shell, the exit command will be executed, so they can't hang around in a non-chrooted state. Note that the config files are owned by root. I had to allow bzr to write to its home directory (ssh likes to write a .Xauthority file there), so I did this through its chroot group membership.

    But before this would work, I needed to give bzr permission to run schroot, which is normally only executable as root. This required an edit to /etc/sudoers:
    root:~# echo '
    # Members of chroot group can run schroot
    %chroot chroot=(root) /usr/bin/schroot' >> /etc/sudoers
    Now allow bzr to ssh in:
    root:~# echo '
    AllowUsers bzr' >> /etc/ssh/sshd_config
    Finally, I made the new installation's bzr user own its own home directory and installed the bzr programme:
    $ sudo schroot --chroot=lucid --directory=/home/bzr --user=root
    /home/bzr# chown -R bzr: .
    /home/bzr# apt-get install bzr
    But, I have this problem:
    client$ bzr branch bzr+ssh://bzr@server/my_project/trunk test_branch
    bzr@server's password: 
    -bash: line 1: syntax error near unexpected token `('
    -bash: line 1: `bzr message 3 (bzr 1.6)'
    bzr: ERROR: Connection closed: Unexpected end of message. Please check connectivity and permissions, and report a bug if problems persist.
    As a work-around I can successfully run a listening Bazaar server in the chroot installation and forward the appropriate port. To do this, I start a Bazaar server in the chrooted environment
    server$ bzr server --directory=my_project
    listening on port: 4155
    and set up an SSH tunnel to the client computer
    client$ ssh -L4155:localhost:4155 bzr@server
    Now I can issue bzr commands from the client:
    client$ bzr branch bzr://server:4155/trunk test_branch
    It works, but it's not as nice as using bzr+ssh.
    Does anyone know if it's possible to use bzr+ssh in a chroot environment?
    Last edited by waz; 02-05-2012 at 10:22 PM. Reason: Added work-around solution.
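The bash errors in the first post come from the .bashrc approach: a bzr+ssh client asks ssh to run a command on the server (`bzr serve --inet ...`, as far as I know), but .bashrc starts an interactive schroot shell instead, so the client's first protocol line is read by bash as a command. Below is an added example, not the original poster's code, of a wrapper that passes the ssh command into the chroot instead of ignoring it; it assumes it is installed via ForceCommand for the bzr user in sshd_config (with the .bashrc trick removed) and that the smart-server command starts with `bzr serve --inet`.

```shell
#!/bin/sh
# Added example (not from the original post): run this via ForceCommand
# for the parent "bzr" user. sshd puts the command the client asked for in
# SSH_ORIGINAL_COMMAND; we pass it into the chroot after "--" instead of
# starting an interactive shell, and refuse anything that is not the bzr
# smart server. The exact client command is an assumption.
CHROOT=lucid            # schroot name used in the post
CHROOT_USER=bzr         # user inside the chroot
CHROOT_DIR=/home/bzr    # its home inside the chroot

# allow_command: succeed only for "bzr serve --inet ..." (what a bzr+ssh
# client runs, as far as I know). Everything else is refused, so this
# account cannot be used to run arbitrary commands inside the chroot.
allow_command() {
    case "$1" in
        "bzr serve --inet"*) return 0 ;;
        *) return 1 ;;
    esac
}

# build_schroot_cmd: print the schroot command line for the ssh command in
# $1. Empty input gives the same interactive chroot shell the post's
# .bashrc started; a permitted command is appended after "--"; anything
# else prints "refused" and fails.
build_schroot_cmd() {
    base="schroot --chroot=$CHROOT --directory=$CHROOT_DIR --user=$CHROOT_USER"
    if [ -z "$1" ]; then
        printf '%s\n' "$base"
    elif allow_command "$1"; then
        printf '%s -- %s\n' "$base" "$1"
    else
        printf 'refused\n'
        return 1
    fi
}

# Only hand over to schroot when sshd started us (it sets SSH_CONNECTION);
# running or sourcing the file elsewhere just defines the functions above.
if [ -n "${SSH_CONNECTION:-}" ]; then
    cmd=$(build_schroot_cmd "${SSH_ORIGINAL_COMMAND:-}") || {
        echo "bzr-chroot-wrapper: command refused" >&2
        exit 1
    }
    # word splitting of $cmd is intended: allow_command fixed its shape
    exec $cmd
fi
```

In sshd_config that means a `Match User bzr` block containing `ForceCommand /path/to/this/script`; the post's .bashrc/.bash_profile/.bash_login files should then be removed, since bash started by sshd would otherwise still run them.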

#2 waz (Just Joined!; Join Date: Feb 2012; New Zealand)
    I think I've finally found a blog post explaining how to do what I wanted (in a less cumbersome way than described above): Configuring a shared repository in Bazaar for users with no shell access | Blog dot Melimato dot Com
    Last edited by jayd512; 02-05-2012 at 11:57 PM. Reason: fixed link

#3 waz (Just Joined!; Join Date: Feb 2012; New Zealand)
    Maybe some kind mod could fix my links for me?

#4 jayd512 (Administrator; Join Date: Feb 2008)
    Hi, waz.
    As a temporary work-around to posting links, check out Question #2 on this page.


#5 waz (Just Joined!; Join Date: Feb 2012; New Zealand)
    Thank you.
