-
chroot gdm
Hello all, I have been looking for quite a while now for chrooting info.
I found out (almost) how to chroot a shell. But now I need to chroot the user when he wants to log in using GDM.
So when the user logs in he first enters a chroot jail, then he enters IceWM and then he can do whatever he wants: run Firefox, run OOo, run Thunderbird, run whatever he wants.
Though the current script I have to chroot-jail a user's shell doesn't run if it's not in a tty (that is what the Xsession error log says).
Well, anyone a good idea? Maybe some documents about my problem?
It's just VERY important that the users can't figure out that they aren't alone.
And the security is very important as well. (duh)
Maybe it helps knowing people connect to this PC with a VNC client that is written in Java. (Original by TightVNC and I modded it)
Edit:
I have been doing research in the meanwhile..
I found a couple of things:
Code:
http://www.debian.org/doc/manuals/reference/ch-tips.en.html#s-chroot
http://gentoo-wiki.com/HOWTO_startx_in_a_chroot
But well, they aren't for my distro (I know, 98% chance that it still works)..
And well, in both situations he also has to load X.. With me it is already loaded.
Well, I am working on installing a Fedora dummy PC to test it out.. (Yeah, I run Fedora atm)
And, well if someone else finds something.. Please let me know.
Edit2:
After doing more and more research I have figured out how to do it in an inefficient way.
Install YUM and RPM on each account and then install the entire system for each user..
This takes WAY too much drive space since I only have 10 Gig and well, I want to add at least 4 users with a Gig of space each.
So can I link the programs? ln -s/h? (How does this work?)
After trying for a while (Edit 3):
I tried link() and ln.
Soft and hard link.
Both don't work.
The hardlink says: "Cross Device", which is bull.. since it's on the same HD.. But I think it means another partition.
And the softlink links, but when I try to access the file it says: "Too many softlinks". And that doesn't make sense either, since that means that there are more links to that file or something like that, right???
How to do it dirty (Edit 4):
I made it!! ^^ It's working.
But I am doing it in the dirty way.
I just do it with nearly all the dirs.
The big problem with that is.. A normal user is jailed.. BUT can go into the entire system.
It's dirty and not secure.. SO how can I link only the files the user needs into the jail?
My answer: linking.. How to make that work?
I really need this.. And why is this SO hard.. -.-'
I guess I overlook something all the time..
(And why can I escape from the jail with exit..? Only root can do that right?)
-
Victory ^^
I slayed the problem.
But now I got another one.
I can log in.. No problem..
BUT... I still have a shell problem.
The shell that X11 runs on crashes..
So, well, the shell I built is:
Code:
if [ "$1" = "-c"]
then
i=0
PARAMETERS=""
do   # <-- it crashes at this part.. the error is: unexpected token `do'
if [ $i -gt 0 ]
then
PARAMETERS=$PARAMETERS $parameter
fi
let i++
done
sudo /usr/sbin/chroot /home/$USER /bin/su - $USER -c $PARAMETERS
else
sudo /usr/sbin/chroot /home/$USER /bin/su - $USER
fi
Edit:
Ok, well, I changed it to just the sudo line for testing.
And well, now it says that sudo can only run in a tty.
So, well, does that mean that I have a serious problem and that I have to do this way differently?
Edit 2:
I tried Jailkit (chroot jail utilities) but that isn't what I am looking for...
I still can't log in.. :/
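As an added example (not the thread's script), here is a login-shell wrapper that handles the `-c COMMAND` form a display manager uses when it starts the session, instead of the hand-rolled loop above. It assumes the wrapper is installed as `jailsh` and set as the user's shell in the real /etc/passwd, that the jail lives under /home/USER with its own /etc/passwd giving the user an ordinary shell such as /bin/sh (so `su -` inside the jail does not call the wrapper again), and that sudo is allowed to run chroot without a password.

```shell
#!/bin/sh
# jailsh: login-shell wrapper that drops a user into a per-user chroot.
# A display manager runs the session as `$SHELL -c "exec /etc/X11/Xsession"`,
# so "-c COMMAND" must be recognised and handed to su as ONE argument; an
# interactive login (no arguments) gets a login shell inside the jail.
# Install path, JAIL_BASE layout and the sudo rule are assumptions.

JAIL_BASE="${JAIL_BASE:-/home}"

# jail_login USER [-c COMMAND]: exec the jailed session for USER.
# With JAILSH_DRY_RUN=1 the command line is printed one word per line
# instead of being executed, so it can be inspected without root.
jail_login() {
    user="$1"; shift
    jail="$JAIL_BASE/$user"
    if [ "$#" -eq 0 ]; then
        set -- sudo /usr/sbin/chroot "$jail" /bin/su - "$user"
    elif [ "$1" = "-c" ] && [ "$#" -eq 2 ]; then
        # "$2" stays a single word, so spaces in COMMAND survive
        set -- sudo /usr/sbin/chroot "$jail" /bin/su - "$user" -c "$2"
    else
        printf 'jailsh: unsupported arguments: %s\n' "$*" >&2
        return 2
    fi
    if [ "${JAILSH_DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$@"
    else
        exec "$@"
    fi
}

# Only act as the login shell when actually invoked under the jailsh name.
case "${0##*/}" in
    jailsh) jail_login "$(id -un)" "$@" ;;
esac
```

If sudo refuses to run without a tty, that is the `requiretty` option in sudoers, which has to be disabled for this rule. The jail root itself must be owned by root and not writable by the jailed user, otherwise the jail gives no isolation.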
-
Ok, let's try this the entire way around.
Can this be done just when a program starts, so that a user can still only edit his own files and open the programs he is allowed to?
Ok, first we try it with a shellscript:
Code:
ooffice
chroot /home/files_allowed_to_edit
Ok, that doesn't work.. let's try it another way..
Code:
chroot /home/files_allowed_to_edit
ooffice
Doesn't work either.
Ok, well, let's put ooffice in the chroot jail.
Well that should work.
Maybe someone has a better idea?
I am tinkering on this at the moment. I'll post all my results asap..
Edit:
Note:
Maybe chroot can't be used outside of the console...
If so, I am scr**wed and I have to find another way to do this..
Let's not give up till I know for sure..
(chroot + X11 != Possible)?
But,.. X11 is still running on the console, right?
In Linux it's like this when you put it in layers, right:
- Hardware
- Kernel
- Console
- X11
- IceWM
- OpenOffice?
Does somebody know that?
Edit2:
Well, I tried to chroot first and then run OOffice.
I included everything in the chroot jail. Just to know for sure that it works.
And I got this error: "Fatal: no entropy gathering module detected". To fix this I need to add stuff to the kernel, I guess.. since it says something about modules.
Let's find out what the problem is. I'll post more when I know more..
Edit3:
After trying a bit more.. Firefox runs!! As does xpdf..
So only ooffice is a b*tch in this.. Though I haven't looked into the module error whatsoever.
I really hope I get this done before my holiday.. ^^
Edit4:
VICTORY ^^ Another mile has been run. The error was that it didn't have the random pool. So, well, now it does..
/dev/random..
Ok, now I need to make this run in a smaller jail. I know I can do this.. (since Samantha told me)
Well, I'll post all the new stuff that happens.. ^^
(I remember why I love Linux ^^ it gives you so much adrenaline when you get something working =D)
Edit5:
What are the minimal files needed for a user to run?
I am looking into that now..
Edit6:
Well, ok, I think I am almost stuck again.. :o
The problem is: the jail works.
The programs work.
They boot.. and... don't show in X.. but in their own little world..
How can I make them show/pop up in X11?
The Script that I run to get the chroot is:
Code:
sudo /bin/mount -r -o bind /lib /home/$USER/lib
sudo /bin/mount -r -o bind /dev /home/$USER/dev
sudo /bin/mount -r -o bind /bin /home/$USER/bin
sudo /bin/mount -r -o bind /usr /home/$USER/usr
sudo /bin/mount -o bind /tmp /home/$USER/tmp
sudo /bin/ln -s /etc/passwd /home/$USER/etc/passwd
sudo /usr/sbin/chroot /home/$USER
I know this jail is still way too big.
But, its shrinking ;)
Can anyone help me out here? Devils maybe? Moe? Or Redman?
Edit7:
Ok, well, I'm starting to break my head again.. It's been at least 2 hours that I have been looking at this..
So, well, ok, I have tried a couple of things. It just simply doesn't work.
I really think I can't solve the end mystery myself.. =(
I'd hate to ask this.. but please help.. :(
Edit8:
I made a video about the problem;
well, if you want to help me I can send it.
For some reason it doesn't upload to YouTube.. :S
but ok.. Well I am still stuck.. and I have been working on it for another WORK day...
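Added example (not from the thread) for Edit 4 to Edit 6 above: a helper script that builds a smaller jail from a program's ldd dependencies instead of bind-mounting whole directories, creates the random-device nodes the entropy-pool error pointed at, and passes DISPLAY and the X cookie through `su -`, which otherwise clears them. The jail path, cookie file name and program are assumptions, and it must run as root with DISPLAY and XAUTHORITY still pointing at the user's session.

```shell
#!/bin/sh
# Build and enter a small per-user chroot for one X program.
# JAIL, the cookie file and the use of xauth are assumptions, not the
# thread's setup. Run as root from the user's X session.
set -eu

# lib_paths: read ldd output on stdin and print one library path per line.
# Handles "libc.so.6 => /lib/libc.so.6 (0x...)", the bare loader line
# "/lib/ld-linux.so.2 (0x...)", and skips vdso and "=> not found" entries.
lib_paths() {
    awk '$2 == "=>" && $3 ~ /^\// { print $3; next }
         $1 ~ /^\//               { print $1 }'
}

# copy_with_libs JAIL PROG: copy PROG and its libraries into JAIL, keeping
# the original directory layout so the dynamic loader finds them unchanged.
copy_with_libs() {
    jail="$1"; prog="$2"
    for f in "$prog" $(ldd "$prog" | lib_paths); do
        mkdir -p "$jail$(dirname "$f")"
        cp -p "$f" "$jail$f"
    done
}

# make_devices JAIL: character devices (major,minor) an X client and OOo use.
make_devices() {
    jail="$1"
    mkdir -p "$jail/dev"
    mknod -m 666 "$jail/dev/null"    c 1 3
    mknod -m 666 "$jail/dev/zero"    c 1 5
    mknod -m 666 "$jail/dev/random"  c 1 8
    mknod -m 666 "$jail/dev/urandom" c 1 9
}

# run_in_jail JAIL USER PROG: hand the session's X cookie to the jailed user
# and start PROG there. `su -` resets the environment, so DISPLAY and
# XAUTHORITY are set again on the inner command line. The X socket under
# /tmp/.X11-unix must be visible inside JAIL, e.g. via the bind mount of /tmp.
run_in_jail() {
    jail="$1"; user="$2"; prog="$3"
    cookie="/tmp/.Xauth-$user"
    xauth extract "$jail$cookie" "$DISPLAY"
    chown "$user" "$jail$cookie"
    exec chroot "$jail" /bin/su - "$user" -c \
        "DISPLAY='$DISPLAY' XAUTHORITY='$cookie' exec '$prog'"
}
```

A bind mount made with `mount -r -o bind` is not read-only on older kernels; it needs a second `mount -o remount,ro,bind /home/USER/usr` afterwards. Keep the jail root owned by root and not writable by the jailed user, otherwise the jail gives no isolation.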