
Linux Configure rssh Chroot Jail To Lock Users To Their Home Directories Only

rssh supports a chroot option. If you want to chroot users, use the chrootpath option; it sets the directory that becomes the root of the chroot jail. This is a security feature: a jailed user only sees the files you have copied into the jail.

A chroot on Linux or Unix is an operation that changes the apparent root directory for the current process and its children. Without it, a normal user whose home directory is /home/vivek can still read files in /etc, /sbin or /bin and can drop files into world-writable directories such as /tmp, which is where an attacker who has obtained a shell (for example through a web server) typically installs tools or a backdoor. A chroot restricts file system access to the jail tree and locks users into their own directory. Keep in mind that chroot is a file-system boundary, not a complete sandbox: a process that runs as root inside the jail can break out, so keep setuid binaries and writable directories inside the jail to the bare minimum and make the jail tree itself root-owned.

Configuring rssh chroot

=> Chroot directory: /users.
Tip: If possible, keep /users on its own filesystem mounted with the nosuid option to improve security. Do not use noexec: the copies of sftp-server and scp inside the jail are executed after the chroot, so a noexec mount breaks every sftp and scp session. Do not use nodev either, because the jail needs its own /users/dev/null device node.

=> Required directories in jail:

  • /users/dev - Device files (/dev/null and the /dev/log socket)
  • /users/etc - Configuration files such as passwd
  • /users/lib - Shared libs (on 64-bit systems also /users/lib64)
  • /users/usr - rssh, sftp-server and other binaries
  • /users/bin - Copy of the default shell such as /bin/sh or /bin/bash, only if your system needs it

=> Required files in jail at /users directory (default for RHEL / CentOS / Debian Linux):

  • /etc/ld.so.cache
  • /etc/ld.so.conf.d/*
  • /etc/ld.so.conf
  • /etc/nsswitch.conf
  • /etc/passwd (stripped down to the jailed accounts, see below)
  • /etc/group (stripped down likewise)
  • /etc/hosts
  • /etc/resolv.conf
  • /usr/bin/scp
  • /usr/bin/rssh
  • /usr/bin/sftp
  • /usr/libexec/openssh/sftp-server OR /usr/lib/openssh/sftp-server
  • /usr/libexec/rssh_chroot_helper OR /usr/lib/rssh/rssh_chroot_helper (the copy on the host system must be setuid root: rssh runs the helper before the chroot happens, and the helper is what performs the chroot(2) call and then drops privileges)
  • /bin/sh or /bin/bash (default shell)
  • libnss_files.so.2 from /lib, /lib64 or /usr/lib, the glibc NSS module that resolves user names from /etc/passwd; ldd does not list it because it is loaded at run time, but sftp-server needs it inside the jail

Tip: Limit the binaries that live in the jail to the absolute minimum required. Usually /bin/bash and /bin/sh are not needed for scp and sftp; leave them out unless a particular system fails without them.

A note about jail file system

Note: The files need to be placed in the jail directory (such as /users) in directories that mimic their placement in the root (/) file system, so every required file is copied to the same relative path. For example, /usr/bin/rssh lives on the / file system; if your jail is located at /users, copy /usr/bin/rssh to /users/usr/bin/rssh. The following instructions are tested on:

  • FreeBSD
  • Solaris UNIX
  • RHEL / Redhat / Fedora / CentOS Linux
  • Debian Linux

Building the Chrooted Jail

Create all required directories (on Debian / Ubuntu the OpenSSH and rssh helpers live under /usr/lib rather than /usr/libexec, and on 64-bit systems the loader and libraries live in /lib64 and /usr/lib64; mirror whichever layout your host uses):
# mkdir -p /users/{dev,etc,lib,usr,bin}
# mkdir -p /users/usr/bin
# mkdir -p /users/usr/libexec/openssh

Create /users/dev/null:
# mknod -m 666 /users/dev/null c 1 3
Copy the required /etc/ configuration files, as described above, to your jail directory /users/etc:
# cd /users/etc
# cp /etc/ld.so.cache .
# cp -avr /etc/ld.so.conf.d/ .
# cp /etc/ld.so.conf .
# cp /etc/nsswitch.conf .
# cp /etc/passwd .
# cp /etc/group .
# cp /etc/hosts .
# cp /etc/resolv.conf .

Open /users/etc/passwd and /users/etc/group and remove root and every other account that is not going to be jailed. Keep an entry for each jailed user, with the home directory written as it appears inside the jail (for a user whose home is /users/vivek on the host, the jail copy must say /vivek) and with x in the password field: the jail copy is consulted only for name and uid lookups after the chroot, never for authentication, so it must not carry password hashes. Without a matching entry, sftp-server's getpwuid() lookup fails and the session closes right after login.

Copy the required binary files, as described above, to /users/usr/bin and the other locations inside the jail:
# cd /users/usr/bin
# cp /usr/bin/scp .
# cp /usr/bin/rssh .
# cp /usr/bin/sftp .
On RHEL / CentOS / Fedora the helpers live under /usr/libexec:
# cd /users/usr/libexec/openssh/
# cp /usr/libexec/openssh/sftp-server .
# cd /users/usr/libexec/
# cp /usr/libexec/rssh_chroot_helper .
On Debian / Ubuntu they live under /usr/lib instead, so mirror that layout:
# mkdir -p /users/usr/lib/openssh /users/usr/lib/rssh
# cd /users/usr/lib/openssh/
# cp /usr/lib/openssh/sftp-server .
# cd /users/usr/lib/rssh/
# cp /usr/lib/rssh/rssh_chroot_helper .
Copy a shell only if you have established that your system needs one in the jail:
# cd /users/bin/
# cp /bin/sh .
OR
# cp /bin/bash .

Copy all shared library files

The library files that any of these binaries need can be found with the ldd command (or by watching the binary open them under strace). For example, running ldd against /usr/bin/sftp gives the following output:
# ldd /usr/bin/sftp
Output:

     linux-gate.so.1 =>  (0x00456000)
        libresolv.so.2 => /lib/libresolv.so.2 (0x0050e000)
        libcrypto.so.6 => /lib/libcrypto.so.6 (0x0013e000)
        libutil.so.1 => /lib/libutil.so.1 (0x008ba000)
        libz.so.1 => /usr/lib/libz.so.1 (0x00110000)
        libnsl.so.1 => /lib/libnsl.so.1 (0x0080e000)
        libcrypt.so.1 => /lib/libcrypt.so.1 (0x00a8c000)
        libgssapi_krb5.so.2 => /usr/lib/libgssapi_krb5.so.2 (0x00656000)
        libkrb5.so.3 => /usr/lib/libkrb5.so.3 (0x00271000)
        libk5crypto.so.3 => /usr/lib/libk5crypto.so.3 (0x00304000)
        libcom_err.so.2 => /lib/libcom_err.so.2 (0x00777000)
        libdl.so.2 => /lib/libdl.so.2 (0x00123000)
        libnss3.so => /usr/lib/libnss3.so (0x00569000)
        libc.so.6 => /lib/libc.so.6 (0x00b6c000)
        libkrb5support.so.0 => /usr/lib/libkrb5support.so.0 (0x00127000)
        libkeyutils.so.1 => /lib/libkeyutils.so.1 (0x00130000)
        /lib/ld-linux.so.2 (0x00525000)
        libplc4.so => /usr/lib/libplc4.so (0x008c9000)
        libplds4.so => /usr/lib/libplds4.so (0x00133000)
        libnspr4.so => /usr/lib/libnspr4.so (0x00d04000)
        libpthread.so.0 => /lib/libpthread.so.0 (0x0032a000)
        libselinux.so.1 => /lib/libselinux.so.1 (0x00341000)
        libsepol.so.1 => /lib/libsepol.so.1 (0x00964000)

You need to copy all those libraries into the matching directories inside the jail (/users/lib, /users/usr/lib and, on 64-bit systems, /users/lib64 and /users/usr/lib64). The dynamic loader listed on its own line, /lib/ld-linux.so.2 or /lib64/ld-linux-x86-64.so.2, must sit at exactly that path inside the jail. Rather than copying by hand, I recommend using my automated script called l2chroot:
# cd /sbin
# wget -O l2chroot http://www.cyberciti.biz/files/lighttpd/l2chroot.txt
# chmod +x l2chroot

Open l2chroot and set the BASE variable to point to the chroot directory (jail) location:
BASE="/users"
Now copy all shared library files:
# l2chroot /usr/bin/scp
# l2chroot /usr/bin/rssh
# l2chroot /usr/bin/sftp
# l2chroot /usr/libexec/openssh/sftp-server
# l2chroot /usr/libexec/rssh_chroot_helper
On Debian / Ubuntu the helpers live under /usr/lib, so run these two instead of the last two:
# l2chroot /usr/lib/openssh/sftp-server
# l2chroot /usr/lib/rssh/rssh_chroot_helper
If you copied a shell into the jail, run l2chroot against it as well:
# l2chroot /bin/sh
OR
# l2chroot /bin/bash
Remember that ldd, and therefore l2chroot, does not report libnss_files.so.2, which glibc loads at run time for passwd lookups; copy it into /users/lib (or /users/lib64) yourself.
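To show what a library-copying helper like l2chroot has to do, here is an added POSIX sh script written for this page; it is not the l2chroot script and not part of the original article. It parses ldd output for absolute paths, copies the binary and every library it links against into the jail at the same path the file has on the host (so the loader ends up in /users/lib64 on an x86_64 host), and dereferences symlinks so the jail holds the real object under the link's name. The glibc-style ldd output format is an assumption; the function names are mine.

```shell
#!/bin/sh
# Added example: minimal stand-in for l2chroot. Copies a binary plus the
# shared libraries ldd reports into a jail, mirroring host paths.
# Assumes a glibc-style ldd whose lines look like the listing above.

# Read ldd output on stdin, print one absolute library path per line.
# Pseudo-entries such as linux-gate.so.1 / linux-vdso.so.1 have no file
# behind them and are skipped; unresolved libraries are reported on stderr.
ldd_paths() {
    awk '
        /=> \//          { print $3; next }   # libz.so.1 => /usr/lib/libz.so.1 (0x...)
        /^[ \t]*\//      { print $1; next }   # /lib/ld-linux.so.2 (0x...)
        /=> not found/   { print "missing on host: " $1 > "/dev/stderr" }
    '
}

# copy_into_jail JAIL /absolute/path
# Copy one file into JAIL at the same path. -L dereferences symlinks, so the
# jail gets the real object under the name the loader will ask for.
copy_into_jail() {
    j=$1; src=$2
    mkdir -p "$j$(dirname "$src")"
    cp -L "$src" "$j$src"
}

# jail_binary JAIL /path/to/binary
# Copy the binary itself and every library ldd resolves for it.
jail_binary() {
    j=$1; bin=$2
    copy_into_jail "$j" "$bin"
    ldd "$bin" | ldd_paths | sort -u | while read -r lib; do
        copy_into_jail "$j" "$lib"
    done
}

# Usage: sh jail-copy.sh build /users /usr/bin/scp /usr/libexec/openssh/sftp-server
# ldd never lists NSS modules, which glibc dlopen()s at run time, so after
# building the jail copy libnss_files.so.2 by hand from wherever your host
# keeps it (/lib, /lib64 or /usr/lib), for example:
#   copy_into_jail /users /lib64/libnss_files.so.2
if [ "${1-}" = "build" ] && [ $# -ge 3 ]; then
    jail=$2; shift 2
    for b in "$@"; do jail_binary "$jail" "$b"; done
fi
```

Run it as root with `build`, the jail path and the list of binaries; each file lands under the jail at its host path, which is exactly the layout the rest of this page relies on.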

Modify syslogd configuration

The syslog library function sends messages to the Unix domain socket /dev/log. A process inside the jail can only reach /users/dev/log, so syslogd has to be told to listen on that socket too; syslogd creates it when it starts. With sysklogd this is the -a option: using this argument you can specify additional sockets on which syslogd has to listen. This is needed if you're going to let some daemon run within a chroot() environment. You can use up to 19 additional sockets. If your environment needs even more, you have to increase the symbol MAXFUNIX within the syslogd.c source file. Open the /etc/sysconfig/syslog file:
# vi /etc/sysconfig/syslog
Find the line that reads as follows:
SYSLOGD_OPTIONS="-m 0"
Append -a /users/dev/log:
SYSLOGD_OPTIONS="-m 0 -a /users/dev/log"
Save and close the file. Restart syslog:
# /etc/init.d/syslog restart
If you are using Debian / Ubuntu Linux, apply the change to the SYSLOGD variable in /etc/default/syslogd instead (SYSLOGD="-a /users/dev/log"). If the system runs rsyslog rather than sysklogd, put the directive $AddUnixListenSocket /users/dev/log in a file under /etc/rsyslog.d/ and restart rsyslog. Without this socket the messages rssh_chroot_helper logs after the chroot are silently lost, which makes a broken jail much harder to debug.

Set chroot path

Open the configuration file /etc/rssh.conf:
# vi /etc/rssh.conf
Set chrootpath to /users:
chrootpath=/users
Make sure allowscp and/or allowsftp are uncommented in the same file; with everything commented out, rssh's default is to lock users out completely. Save and close the file. If sshd is not running, start it:
# /etc/init.d/sshd start
Also check the Subsystem sftp line in /etc/ssh/sshd_config. rssh only accepts the sftp-server path it was built with (the distribution's /usr/libexec/openssh/sftp-server or /usr/lib/openssh/sftp-server) and logs "attempted to execute forbidden commands" for anything else, and the chroot helper then executes that same path inside the jail, so the Subsystem line must name that path and the jail copy of sftp-server must sit at exactly that path under /users.

Add user to jail

As explained earlier, configure the rssh user account. For example, add user vivek to the chrooted jail with the following commands:
# useradd -m -d /users/vivek -s /usr/bin/rssh vivek
# passwd vivek
On the host vivek's home directory is /users/vivek; inside the jail it appears as /vivek, and that is how it must be written in the jail copy /users/etc/passwd. Everything under /users except the user's own home directory should stay owned by root and not be writable by vivek.

Now vivek can login using sftp or copy files using scp:

sftp vivek@my-server.com
vivek@my-server.com's password:
sftp> ls
sftp> pwd
Remote working directory: /vivek
sftp> cd /tmp
Couldn't canonicalise: No such file or directory

User vivek is allowed to log in to the server to transfer files, but is not allowed to browse the entire file system.
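As an added check that is not part of the original article, the following POSIX sh script verifies one jailed account against the most common causes of a session that is dropped right after authentication: rssh not set as the login shell, the home directory outside the jail, no matching entry in the jail's passwd, a jail passwd home that is not written relative to the jail root, sftp-server missing at the path sshd's Subsystem line names, libnss_files.so.2 missing, and no /dev/null. It also rewrites a host passwd line into the jail form. The file locations are parameters whose defaults are assumed from this page; the names check_jail_user and jail_passwd_line are mine.

```shell
#!/bin/sh
# Added example: sanity checks for one rssh chroot account.
# Defaults assume the layout used on this page (/etc/passwd, $JAIL/etc/passwd,
# /etc/ssh/sshd_config); pass other paths to run the checks against copies.

# jail_passwd_line JAIL HOST_PASSWD_LINE
# Rewrite a host passwd line for the jail's copy: the home field is expressed
# as seen inside the jail (/users/vivek becomes /vivek) and the password field
# is forced to "x", since the jail copy is never used for authentication.
jail_passwd_line() {
    j=$1; line=$2
    printf '%s\n' "$line" | awk -F: -v jail="$j" -v OFS=: '{
        $2 = "x"
        if (index($6, jail "/") == 1) $6 = substr($6, length(jail) + 1)
        print
    }'
}

# check_jail_user JAIL USER [HOST_PASSWD] [JAIL_PASSWD] [SSHD_CONFIG]
# Prints one FAIL line per problem; returns non-zero if any check failed.
check_jail_user() {
    j=$1; user=$2
    host_passwd=${3:-/etc/passwd}
    jail_passwd=${4:-$j/etc/passwd}
    sshd_config=${5:-/etc/ssh/sshd_config}
    rc=0

    # 1. Host account: login shell must be rssh, home must sit under the jail.
    entry=$(grep "^$user:" "$host_passwd" | head -n 1)
    if [ -z "$entry" ]; then
        echo "FAIL: $user is not in $host_passwd"; return 1
    fi
    shell=$(printf '%s' "$entry" | cut -d: -f7)
    home=$(printf '%s' "$entry" | cut -d: -f6)
    case $shell in */rssh) ;; *) echo "FAIL: shell is $shell, expected rssh"; rc=1 ;; esac
    case $home in "$j"/*) ;; *) echo "FAIL: home $home is outside $j"; rc=1 ;; esac
    [ -d "$home" ] || { echo "FAIL: home directory $home does not exist"; rc=1; }

    # 2. Jail copy of passwd: same user, home relative to the jail root.
    #    sftp-server looks itself up with getpwuid() after the chroot.
    jhome=$(grep "^$user:" "$jail_passwd" 2>/dev/null | head -n 1 | cut -d: -f6)
    if [ -z "$jhome" ]; then
        echo "FAIL: $user missing from $jail_passwd"; rc=1
    elif [ "$jhome" != "${home#"$j"}" ]; then
        echo "FAIL: jail passwd home is $jhome, expected ${home#"$j"}"; rc=1
    fi

    # 3. The sftp-server path sshd advertises is what gets executed inside the
    #    jail, so that exact path must exist and be executable under the jail.
    sub=$(awk '$1 == "Subsystem" && $2 == "sftp" { print $3 }' "$sshd_config")
    [ -n "$sub" ] && [ -x "$j$sub" ] || { echo "FAIL: sftp-server '$sub' not executable at $j$sub"; rc=1; }

    # 4. NSS module for passwd lookups; ldd never lists it.
    ls "$j"/lib*/libnss_files.so.2 >/dev/null 2>&1 || { echo "FAIL: libnss_files.so.2 missing from $j/lib or $j/lib64"; rc=1; }

    # 5. Device node the jailed programs write to.
    [ -e "$j/dev/null" ] || { echo "FAIL: $j/dev/null missing (mknod -m 666 $j/dev/null c 1 3)"; rc=1; }
    return $rc
}
```

Typical use on the host is `check_jail_user /users vivek`; a clean run prints nothing and exits 0, and `jail_passwd_line /users "$(grep '^vivek:' /etc/passwd)" >> /users/etc/passwd` produces the jail entry in the form the checks expect.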


  • Alexis Munyandekwe January 17, 2008, 1:47 am

    Nice article Vivek. However, some directories are not even required according to the admin restriction.
    It's better to use fewer directories in the chroot jail account for security reasons. The following directories are enough for file transmission:

    /etc
    /usr
    /lib

    Thanks

  • Tomas L. Gomez January 22, 2008, 12:16 pm

    Very nice article!. I have two questions:

    1) Shouldn’t /etc/ld.so.cache.d/* be
    /etc/ld.so.conf.d/*?

    2) In Debian 4.0 and Ubuntu 7.10, I do not
    have the line
    SYSLOGD_OPTIONS="-m 0"
    Instead, I have the line
    SYSLOGD=""
    What should I do?

  • Ivan August 22, 2008, 7:22 pm

    Very nice article. Plenty of good information.

    only 1 “complaint” if you will…
    the title “configure chroot jail to lock users to their home directory only” leads me to believe the article will show how to “lock users to home”.

    It does not do this. Users are locked to the chroot jail ONLY.

    if my chroot jail is: /home/chroot
    and my users' home directories go under that, i.e.:
    /home/chroot/user1

    I’m using sftp only – and I do NOT want my users leaving their home directory. In fact – I don’t even want them to be able to ls another users directory.

    I have seen NO solution that deals with this…
    can this be done?
    (note: modifying the rssh.conf file & restarting services every time a new user is added to the system is not an acceptable solution)

    TIA

  • Stefan September 2, 2008, 9:06 pm

    First of all, thank you very much for the interesting and well written article.

    Eventually i do have a similar question as Ivan before, only that in my case users can backup their data to their home directories using rsync. Is it possible to positively prevent say user1 from accessing data from user2 ?

    Kind regards
    Stefan

  • Benjamin Priestman September 3, 2008, 3:01 am

    I like these pages a lot. Clearly written and frequently right. I spent many hours struggling with this but, judging from other forums, this is a fiddly thing to provide definitive steps for.

    I kept failing with the chroot configuration (on CentOS 5). sftp connections would be dropped with no clear errors logged. The problems proved to be down to required files (libz.so.1, for one) that existed as symlinks in the original file system. These had been copied into the chroot by the script as files with the name of the links that linked to them. While I would have thought this would work, deleting these files and recreating the symlink set-up manually did the trick.

    Thanks for getting me started!

  • Paul Mitchell February 2, 2009, 10:02 pm

    Hello Folks,
    I'd really like to get the chroot jail set up (we have a need for people to deposit data without being able to ssh in). I'm running into two problems, and while I've been a Solaris admin for a long time, I'm still a beginner with Linux, so I'm probably missing something obvious.

    my /etc/rssh.conf states: chrootpath = /altroot, and in this partition, I’ve manually copied a number of files from an earlier scponly install and the contents of this web page. One thing I note is that there’s many missing libraries on my system as compared to what ldd thinks sftp needs.. However, sftp works.

    But when I create a user with rssh as the shell, the following occurs:

    sftp 172.X.X.X
    Connecting to 172.X.X.X...
    pmitchel@172.X.X.X's password:
    Connection closed

    and the obvious error message is:

    Feb  2 16:58:22  ELNDZ01F last message repeated 3 times
    Feb  2 16:58:22  ELNDZ01F sshd[20208]: pam_krb5[20208]: authentication succeeds for 'pmitchel' (pmitchel@ISIS.UNC.EDU)
    Feb  2 16:58:22  ELNDZ01F sshd[20208]: Accepted password for pmitchel from 152.2.102.25 port 40272 ssh2
    Feb  2 16:58:22  ELNDZ01F sshd[20211]: subsystem request for sftp
    Feb  2 16:58:22  ELNDZ01F rssh[20214]: setting log facility to LOG_USER
    Feb  2 16:58:22  ELNDZ01F rssh[20214]: allowing sftp to all users
    Feb  2 16:58:22  ELNDZ01F rssh[20214]: setting umask to 022
    Feb  2 16:58:22  ELNDZ01F rssh[20214]: chrooting all users to /altroot
    Feb  2 16:58:22  ELNDZ01F rssh[20214]: user pmitchel attempted to execute forbidden commands
    Feb  2 16:58:22  ELNDZ01F rssh[20214]: command: /opt/local/ssh/libexec/sftp-server

    My question is, why is rssh invoking /opt/local/ssh/libexec/sftp-server, especially as this file doesn't exist!

    Any help will be appreciated, thanks.

    Paul Mitchell

  • Paul Mitchell February 3, 2009, 7:29 pm

    Addendum to the above:

    Of course, /opt/local/ssh/libexec/sftp-server did exist, and it was pointed to in the /etc/ssh/sshd_config file. I've changed that to: /altroot/opt/local/ssh/libexec/sftp-server
    and copied the executable there.

    I also updated the /etc/rssh.conf file to allow scp and sftp, as follows:

    # Leave these all commented out to make the default action for rssh to lock
    # users out completely…
    allowscp
    allowsftp

    My entry in this file is:
    chrootpath = /altroot
    user="pmitchel:502:00011:/altroot"

    which should translate to: allow scp, sftp, start from /altroot.

    Still, I’m getting:

    Feb 3 14:23:46 ELNDZ01F sshd[3591]: Accepted password for pmitchel from 152.X.X.X port 33128 ssh2
    Feb 3 14:23:46 ELNDZ01F sshd[3596]: subsystem request for sftp
    Feb 3 14:23:46 ELNDZ01F rssh[3597]: setting log facility to LOG_USER
    Feb 3 14:23:46 ELNDZ01F rssh[3597]: allowing scp to all users
    Feb 3 14:23:46 ELNDZ01F rssh[3597]: allowing sftp to all users
    Feb 3 14:23:46 ELNDZ01F rssh[3597]: setting umask to 022
    Feb 3 14:23:46 ELNDZ01F rssh[3597]: chrooting all users to /altroot
    Feb 3 14:23:46 ELNDZ01F rssh[3597]: user pmitchel attempted to execute forbidden commands
    Feb 3 14:23:46 ELNDZ01F rssh[3597]: command: /altroot/opt/local/ssh/libexec/sftp-server

    why?

  • Josef Meile February 4, 2009, 5:07 pm

    Hi Vivek,

    Thanks for your guide, I got it working on debian, but first I need to do some extra steps:
    1. There is no /etc/ld.so.cache.d in debian, so, don’t worry about copying it.
    2. Instead of copying your /etc/passwd and /etc/group files to your chroot folder, just do this:
    touch /passwd
    touch /group
    For jailing you don’t really need to have users and groups inside that files.
    3. The syslog configuration from debian is under /etc/default/syslogd. Instead of a “SYSLOGD_OPTIONS” variable, you have to change “SYSLOGD” instead.
    4. Somewhere in the cyberciti howto is written: "Tip: If possible mount /users filesystem with the noexec/nosuid option to improve security."; unfortunately, if you set noexec on the filesystem, then the user won't be allowed to run sftp-server, thus the connection will fail. So, set only nosuid.
    5. suid the original chroot_rssh_chroot_helper command, otherwise, you won’t be able to login in the machine:
    chmod u+s /usr/lib/rssh/rssh_chroot_helper
    Note: A solution for avoiding this is explained here:
    Howto create chrooted Openssh SFTP without shell access through rssh:
    http://ubuntuforums.org/showthread.php?t=128206&page=9
    I may try it later
    6. In order to prevent users from browsing other people's stuff, just add this to common-session in the /etc/pam.d folder:
    session required pam_mkhomedir.so debug skel=/etc/skel umask=0077
    So, only the owner will be able to browse the files on a user folder.

  • Josef Meile February 4, 2009, 5:09 pm

    Oops, sorry, on step 2 I meant:
    touch /users/etc/passwd
    touch /users/etc/group

  • Enzo March 5, 2009, 5:43 am

    That’s a lot of bullshit just to restrict a user to a specific directory. Holy shit.

    • Rick November 4, 2011, 2:10 am

      Feel the exact same way *sigh* but the client gets what the client wants.

  • LT72884 April 7, 2009, 4:59 pm

    I could use some help. I already have a user named publicfiles and a home directory with a crap load of files in it for school. How do i lock it down so when people use winscp, they cant go anywhere in my server BUT the publicfiles folder? Please help. I dont want to add any new users or whatever. Just want to edit the current publicfiles user.

    Thanx

  • Henry May 7, 2009, 6:02 pm

    I followed all the instructions very carefully, and I almost have this working. It seems to work for scp, but when I use SFTP, the session is closed immediately after the log in. The log messages show that the passwd was accepted, but I see this message: "May 5 21:42:38 localhost rssh_chroot_helper[25142]: execv() failed, /usr/libexec/openssh/sftp-server: No such file or directory" The file "/usr/libexec/openssh/sftp-server" does exist, so it can only be talking about the execv command, which I have found does not exist on my system. What do I do? Did anyone experience this?

  • Henry May 7, 2009, 6:19 pm

    I just found some information in the CHROOT document file, which seems to be exactly what is happening to me. I had not looked at this document previously so let me check it out and see if I can fix this problem I am having.

  • Firesh June 6, 2009, 8:38 am

    Hey, I've been trying to do this chroot thing for my server but it gives me some error.

    Users can't seem to connect at all. The connection is also terminated by the server. I followed each and every step of what is written here. Everything copied perfectly, I double checked as well.

    But yet this chroot doesn't work. Can I know why that is? I use a Debian based server, Ubuntu server 9.04.

  • Firesh June 6, 2009, 9:52 am

    OK, the explanation did solve some of the problem.

    Now I face the same problem Henry is facing, the execv command. Plus my file locations are /usr/lib/rssh/rssh_chroot_helper & /usr/lib/openssh/sftp_server

    What should I do next?

  • shireRom June 28, 2009, 3:58 pm

    For all having the execv problem:

    It happens on amd64 systems.
    Add the following lines to mkchroot.sh:


    #####################################################################
    #
    # set up /dev/log
    #
    mkdir -p "$jail_dir/dev"

    ######### user added code ##############
    # cp some more files
    cp /lib/ld-linux-x86-64.so.2 "$jail_dir/lib/"
    cp /lib/ld-linux.so.2 "$jail_dir/lib/"
    cp -pR /lib64 "$jail_dir/"
    # make /dev/null
    mknod -m 666 "$jail_dir/dev/null" c 1 3
    ########## end user added code ############

    echo -e "NOTE: you must MANUALLY edit your syslog rc script to start syslogd"

    I found the solution here

  • seth July 4, 2009, 8:33 am

    I’m using CentOS 5.3 and when trying to sftp with chroot was getting a No User Found error after successful authentication and chroot… I scoured the web and found this solution:

    Add the following files (note you’ll need to find these files on your system and you will need to change “chroot” in the example to your chroot directory):

    /chroot/lib64/libnss_files.so.2
    /chroot/lib64/ld-linux-x86-64.so.2
    /chroot/lib64/libc.so.6

    AND you also must add each user to the /chroot/etc/passwd file, just copy it from the real /etc/passwd

    • vukasin August 25, 2010, 6:51 am

      I can confirm that this is working.

      I’ve had problem with RHEL5 64-bit and just adding:

      /chroot/lib64/libnss_files.so.2

      did job for me.

      Already have copied files:

      /chroot/lib64/ld-linux-x86-64.so.2
      /chroot/lib64/libc.so.6

      All libs are located under the /lib64/ dir.

      I had a problem with the connection being closed right after successful authentication of the user.

      Here list of files which should be contained in chrooted structure (some binaries can be excluded – depends on requirements):

      /chroot/bin:
      sh

      /chroot/dev:
      log null

      /chroot/etc:
      group hosts ld.so.cache ld.so.conf ld.so.conf.d nsswitch.conf passwd resolv.conf

      /chroot/etc/ld.so.conf.d: (I think that we don’t really need this dir)
      mysql-x86_64.conf

      /chroot/lib: (this is soft link – “ln -s lib64 lib”)
      ld-linux-x86-64.so.2 libcrypto.so.6 libdl.so.2 libkeyutils.so.1 libnsl.so.1 libnss_files.so libplc4.so libresolv.so.2 libutil.so.1
      libcrypt.so.1 libgssapi_krb5.so.2 libkrb5.so.3 libnspr4.so libnss_files.so.2 libplds4.so libselinux.so.1 libz.so.1
      libcom_err.so.2 libc.so.6 libk5crypto.so.3 libkrb5support.so.0 libnss3.so libnssutil3.so libpthread.so.0 libsepol.so.1

      /chroot/lib64:
      ld-linux-x86-64.so.2 libcrypto.so.6 libdl.so.2 libkeyutils.so.1 libnsl.so.1 libnss_files.so libplc4.so libresolv.so.2 libutil.so.1
      libcrypt.so.1 libgssapi_krb5.so.2 libkrb5.so.3 libnspr4.so libnss_files.so.2 libplds4.so libselinux.so.1 libz.so.1
      libcom_err.so.2 libc.so.6 libk5crypto.so.3 libkrb5support.so.0 libnss3.so libnssutil3.so libpthread.so.0 libsepol.so.1

      /chroot/libexec:
      openssh

      /chroot/libexec/openssh:

      /chroot/usr:
      bin lib lib64 libexec

      /chroot/usr/bin:
      rssh scp sftp sftp-server

      /chroot/usr/lib64:
      lib libgssapi_krb5.so.2 libk5crypto.so.3 libkrb5.so.3 libkrb5support.so.0 libnspr4.so libnss3.so libnssutil3.so libplc4.so libplds4.so libz.so.1

      /chroot/usr/libexec:
      openssh rssh_chroot_helper

      /chroot/usr/libexec/openssh:
      sftp-server

    • Martin December 25, 2010, 1:01 pm

      I too can confirm that this is working.

  • Download Free Photos October 8, 2009, 8:28 am

    I followed all the instructions, but I cannot lock user in his directory ?

    Am I missing something ?

  • Girish December 4, 2009, 11:25 pm

    Vivek,

    I’m trying this on CentOS release 4.8 (Final). The user can’t login if chrootpath and user is defined.

    if I comment out (disable) the chrootpath and user entry, it will allow login but the user is free to roam around. How can I lock the user down to their own directory?

    Any help very much appreciated.

    My rssh.conf is as follows (in this state it does not allow user to login):
    ==================== begin: rssh.conf =================
    logfacility = LOG_USER
    allowscp
    allowsftp
    umask = 022
    chrootpath=/users
    user = ftptester:011:11000:/users/ftptester # whole user string can be quoted
    ==================== end rssh.conf ==============

    The error in /var/log/messages is
    ===========================================================
    Dec 4 10:13:34 summitftp-new sshd(pam_unix)[13478]: session opened for user ftptester by (uid=0)
    Dec 4 10:13:34 summitftp-new rssh[13481]: setting log facility to LOG_USER
    Dec 4 10:13:34 summitftp-new rssh[13481]: allowing scp to all users
    Dec 4 10:13:34 summitftp-new rssh[13481]: allowing sftp to all users
    Dec 4 10:13:34 summitftp-new rssh[13481]: setting umask to 022
    Dec 4 10:13:34 summitftp-new rssh[13481]: line 53: configuring user ftptester
    Dec 4 10:13:34 summitftp-new rssh[13481]: setting ftptester’s umask to 011
    Dec 4 10:13:34 summitftp-new rssh[13481]: allowing rdist to user ftptester
    Dec 4 10:13:34 summitftp-new rssh[13481]: allowing rsync to user ftptester
    Dec 4 10:13:34 summitftp-new rssh[13481]: chrooting ftptester to /users/ftptester
    Dec 4 10:13:34 summitftp-new rssh[13481]: user ftptester attempted to execute forbidden commands
    Dec 4 10:13:34 summitftp-new rssh[13481]: command: /usr/libexec/openssh/sftp-server
    Dec 4 10:13:34 summitftp-new sshd(pam_unix)[13478]: session closed for user ftptester
    ==================

    What am I missing?

    Thanks

    • loshen March 31, 2011, 2:23 pm

      Hi,

      I also get the same error .
      Is it possible to post all of this in a cleaner article ?

      • loshen March 31, 2011, 2:23 pm

        I’m using Centos 5.5

  • Naren Koka December 31, 2009, 2:26 pm

    I have tried this and worked very well on CentOS 5.2. However on CentOS 5.4, it does not work. As soon as I type the password at the sftp prompt, I get the message “Connection closed”.

    I have disabled SELinux. When it did not work, I have done “yum install openssh” and built RSSH from source – that did not help either. Please suggest some help. I added the log file entries below:

    Thank you,
    Naren

    /var/log/messages:
    Dec 31 06:56:06 sftpserver1 rssh[10317]: setting log facility to LOG_USER
    Dec 31 06:56:06 sftpserver1 rssh[10317]: allowing scp to all users
    Dec 31 13:56:06 sftpserver1 rssh_chroot_helper[10317]: new session for sftpuserA, UID=500
    Dec 31 06:56:06 sftpserver1 rssh[10317]: allowing sftp to all users
    Dec 31 13:56:06 sftpserver1 rssh_chroot_helper[10317]: user's home dir is /sftproot/sftpuserA
    Dec 31 06:56:06 sftpserver1 rssh[10317]: setting umask to 022
    Dec 31 13:56:06 sftpserver1 rssh_chroot_helper[10317]: chrooted to /sftproot
    Dec 31 06:56:06 sftpserver1 rssh[10317]: chrooting all users to /sftproot
    Dec 31 13:56:06 sftpserver1 rssh_chroot_helper[10317]: changing working directory to /sftpuserA (inside jail)
    Dec 31 06:56:06 sftpserver1 rssh[10317]: chroot cmd line: /usr/libexec/rssh_chroot_helper 2 "/usr/libexec/openssh/sftp-server"

    /var/log/secure:
    Dec 31 06:56:05 sftpserver1 sshd[10314]: Accepted password for sftpuserA from 10.8.0.6 port 62566 ssh2
    Dec 31 06:56:05 sftpserver1 sshd[10314]: pam_unix(sshd:session): session opened for user sftpuserA by (uid=0)
    Dec 31 06:56:06 sftpserver1 sshd[10316]: subsystem request for sftp
    Dec 31 06:56:06 sftpserver1 sshd[10314]: pam_unix(sshd:session): session closed for user sftpuserA

  • Brad Bortree March 14, 2010, 12:10 am

    Naren,

    I had the same problem. I tried something from one of the above comments and it worked. Just copy the /lib/libnss_files.so.2 file into your chroot jail. For example, if your chroot jail is “/chroot” then

    cp /lib/libnss_files.so.2 /chroot/lib

    Also remember to copy the entry from /etc/passwd for your user into the chroot jail. For example, if your jailed username is “jaileduser” then

    grep jaileduser /etc/passwd >> /chroot/etc/passwd

    Brad

    • robroy March 2, 2012, 7:33 am

      Thanks for the tip! It helped me too ;)

  • Rolandow April 29, 2010, 9:19 am

    I feel like I’m almost there, but somehow I cannot connect. I don’t see any error in my logfiles. I’m running Debian Lenny. This is what my syslog says:

    Apr 29 11:17:27 jukebox rssh[4960]: setting log facility to LOG_USER
    Apr 29 11:17:27 jukebox rssh[4960]: allowing scp to all users
    Apr 29 11:17:27 jukebox rssh[4960]: allowing sftp to all users
    Apr 29 11:17:27 jukebox rssh[4960]: setting umask to 022
    Apr 29 11:17:27 jukebox rssh[4960]: chrooting all users to /users
    Apr 29 11:17:27 jukebox rssh[4960]: chroot cmd line: /usr/lib/rssh/rssh_chroot_helper 2 "/usr/lib/openssh/sftp-server"

    So everything looks okay, but my client still gives me an error.
    Error: Fatal: unable to initialise SFTP on server: could not connect
    Error: Could not connect to server

    • SPM March 13, 2012, 11:33 am

      Me too getting the same error. Can someone give me the fix.

      • SPM March 13, 2012, 12:20 pm

        It worked for me after copying /etc/passwd to /users/etc/passwd. :) :)

  • Nilesh April 29, 2010, 6:20 pm

    Hi vivek,
    I want to offer some users sftp only with a jail. How do I do it ? The above stuff you wrote does more than what I need.

  • gyurman October 24, 2010, 10:08 am

    The l2chroot script gets an error message from the dirname and cp commands.

  • Khark January 4, 2011, 1:20 pm

    Hi,
    if your system uses rsyslogd and not syslogd you need to specify the parameter $AddUnixListenSocket /users/dev/log for example in a separate config under /etc/rsyslog.d/ .

    I keep mine in a file called: /etc/rsyslog.d/999-chroot-rsyslogd.conf

    This will create the needed log-device for rsyslogd in the chroot.

  • Khark January 4, 2011, 1:21 pm

    Uhm, yeah forgot to add: You need to restart rsyslogd after creating the file :-)
    /etc/init.d/rsyslogd restart will do :-)

  • Danilo Mota April 4, 2011, 2:26 am

    For those who stops at:
    chroot cmd line: /usr/libexec/rssh_chroot_helper 2 "/usr/libexec/openssh/sftp-server"

    The home directory in /chroot/etc/passwd must be relative to the chrooted system, and the original file must have the full path if you want sshd to find the user's authorized keys and so on.
    Eg:
    # /etc/passwd
    user_sftp:x:505:500::/chroot/home/user_sftp:/usr/bin/rssh
    # /chroot/etc/passwd
    user_sftp:x:505:500::/home/user_sftp:/usr/bin/rssh

    DM

  • Jp April 7, 2011, 4:45 pm

    I have tried everything in RHEL5 64-bit to get this working. I have copied all the binaries and libs to the same folder structure as vukasin. I have even used the default location in the guide. I don't see any message to do with rssh in my /var/log/messages log.

    Can someone point me to some helpful troubleshooting tips? Or how to work out why users are able to go up levels and see all the folder structures I have created?

  • Zoltan April 7, 2011, 11:00 pm

    I have RHEL5 64, did everything needed and still stuck at
    chroot cmd line: /usr/libexec/rssh_chroot_helper 2 "/usr/libexec/openssh/sftp-server"

    I have the user in the passwd file with relative home directory as Danilo proposed.

    I can run chroot cmd line: /usr/libexec/rssh_chroot_helper 2 "/usr/libexec/openssh/sftp-server" as root, no error message (after copying chroot/lib64/libnss_files.so.2).

    Anybody has any other idea?
    Naturally if I remove chrooting from rssh then sftp works fine with this user.

  • Zoltan April 7, 2011, 11:40 pm

    I figured it out, it works now. Actually I didn’t figure out what I did wrong but redid everything from zero and then it worked.
    Although I believe there are a few typos in the original instructions, and also I needed to copy:
    “cp /lib64/libnss_files.so.2 /var/www/lib64/”

    Phuh, it took me 10 hours to figure out all issues,

  • jp April 8, 2011, 9:13 am

    1> To get the rssh system to appear in my log. I followed – Paul Mitchell comment and added the following line to the sshd.conf. “Subsystem sftp /usr/libexec/openssh/sftp-server”

    After which the following shows up in my /var/log/messages

    Apr 8 09:15:34 test-ftp rssh[11728]: setting log facility to LOG_USER
    Apr 8 09:15:34 test-ftp rssh[11728]: allowing scp to all users
    Apr 8 09:15:34 test-ftp rssh[11728]: allowing sftp to all users
    Apr 8 09:15:34 test-ftp rssh[11728]: setting umask to 022
    Apr 8 09:15:34 test-ftp rssh[11728]: chrooting all users to /users
    Apr 8 09:15:34 test-ftp rssh[11728]: chroot cmd line: /usr/libexec/rssh_chroot_helper 2 "/usr/libexec/openssh/sftp-server"
    Apr 8 09:15:34 test-ftp kernel: type=1104 audit(1302250534.943:2545183): user pid=11723 uid=0 auid=526 msg='PAM: setcred acct="testing" : exe="/usr/sbin/sshd" (hostname=XX.XX.XX.XX, addr=XX.XX.XX.XX, terminal=ssh res=success)'

    2> followed Danilo Mota's advice and made my passwd paths in the file relative to the environment.

    I am still getting the errors above.

    3> I copied the necessary files suggested in several comments down. Content of my /users folder shown below.

    drwx------ 2 root root 4096 Apr 7 16:56 bin
    drwxr-x--- 2 root root 4096 Apr 8 09:36 dev
    drwx------ 3 root root 4096 Apr 7 16:43 etc
    lrwxrwxrwx 1 root root 5 Apr 7 16:40 lib -> lib64
    drwxr-xr-x 2 root root 4096 Apr 7 17:02 lib64
    drwxr-xr-x 3 root root 4096 Apr 7 13:35 libexec
    drwxr-xr-x 2 testing testing 4096 Apr 7 20:57 testing
    drwxr-xr-x 5 root root 4096 Apr 7 14:05 usr

    ./bin:
    total 1576
    -rwx------ 1 root root 801512 Apr 7 16:56 bash
    -rwx------ 1 root root 801512 Apr 7 16:56 sh

    ./dev:
    total 0
    srwxr-x--- 1 root root 0 Apr 8 09:36 log
    crwxr-x--- 1 root root 1, 3 Apr 7 13:35 null

    ./etc:
    total 76
    -rwx------ 1 root root 36 Apr 8 09:49 group
    -rwx------ 1 root root 100 Apr 7 13:37 hosts
    -rwx------ 1 root root 47495 Apr 7 15:40 ld.so.cache
    -rwx------ 1 root root 280 Apr 7 15:39 ld.so.conf
    drwx------ 2 root root 4096 Apr 7 16:43 ld.so.conf.d
    -rwx------ 1 root root 1696 Apr 7 15:40 nsswitch.conf
    -rwx------ 1 root root 74 Apr 8 09:56 passwd
    -rwx------ 1 root root 74 Apr 7 13:37 resolv.conf

    ./etc/ld.so.conf.d:
    total 4
    -rwx------ 1 root root 17 Oct 23 03:23 mysql-x86_64.conf

    ./lib64:
    total 6852
    -rwxr-xr-x 1 root root 139416 Apr 7 14:04 ld-linux-x86-64.so.2
    -rwxr-xr-x 1 root root 10000 Apr 7 16:18 libcom_err.so.2
    -rwxr-xr-x 1 root root 1366272 Apr 7 20:55 libcrypto.so.6
    -rwxr-xr-x 1 root root 48600 Apr 7 20:55 libcrypt.so.1
    -rwxr-xr-x 1 root root 1718120 Apr 7 20:55 libc.so.6
    -rwxr-xr-x 1 root root 23360 Apr 7 20:55 libdl.so.2
    -rwxr-xr-x 1 root root 190976 Apr 7 16:57 libgssapi_krb5.so.2
    -rwxr-xr-x 1 root root 153720 Apr 7 17:01 libk5crypto.so.3
    -rwxr-xr-x 1 root root 9728 Apr 7 16:18 libkeyutils.so.1
    -rwxr-xr-x 1 root root 613896 Apr 7 16:58 libkrb5.so.3
    -rwxr-xr-x 1 root root 35728 Apr 7 17:01 libkrb5support.so.0
    -rwxr-xr-x 1 root root 114352 Apr 7 20:55 libnsl.so.1
    -rwxr-xr-x 1 root root 233112 Apr 7 16:59 libnspr4.so
    -rwxr-xr-x 1 root root 1231352 Apr 7 17:01 libnss3.so
    -rwxr-xr-x 1 root root 53880 Apr 7 16:24 libnss_files-2.5.so
    -rwxr-xr-x 1 root root 53880 Apr 7 16:53 libnss_files.so
    -rwxr-xr-x 1 root root 53880 Apr 8 09:59 libnss_files.so.2
    -rwxr-xr-x 1 root root 123152 Apr 7 17:02 libnssutil3.so
    -rwxr-xr-x 1 root root 17992 Apr 7 16:54 libplc4.so
    -rwxr-xr-x 1 root root 13960 Apr 7 17:00 libplds4.so
    -rwxr-xr-x 1 root root 145824 Apr 7 16:18 libpthread.so.0
    -rwxr-xr-x 1 root root 92736 Apr 7 20:55 libresolv.so.2
    -rwxr-xr-x 1 root root 95464 Apr 7 16:18 libselinux.so.1
    -rwxr-xr-x 1 root root 247496 Apr 7 16:18 libsepol.so.1
    -rwxr-xr-x 1 root root 18152 Apr 7 20:55 libutil.so.1
    -rwxr-xr-x 1 root root 85928 Apr 7 17:00 libz.so.1

    ./libexec:
    total 4
    drwxr-xr-x 2 root root 4096 Apr 7 13:35 openssh

    ./libexec/openssh:
    total 0

    ./testing:
    total 0

    ./usr:
    total 12
    drwxr-xr-x 2 root root 4096 Apr 7 17:03 bin
    drwxr-xr-x 2 root root 4096 Apr 7 14:05 lib64
    drwxr-xr-x 3 root root 4096 Apr 7 16:55 libexec

    ./usr/bin:
    total 252
    -rwxr-xr-x 1 root root 29712 Apr 7 15:05 rssh
    -rwxr-xr-x 1 root root 57504 Apr 7 15:05 scp
    -rwxr-xr-x 1 root root 96280 Apr 7 15:05 sftp
    -rwxr-xr-x 1 root root 53072 Apr 7 17:03 sftp-server

    ./usr/lib64:
    total 2680
    -rwxr-xr-x 1 root root 190976 Apr 7 16:18 libgssapi_krb5.so.2
    -rwxr-xr-x 1 root root 153720 Apr 7 16:18 libk5crypto.so.3
    -rwxr-xr-x 1 root root 613896 Apr 7 16:18 libkrb5.so.3
    -rwxr-xr-x 1 root root 35728 Apr 7 16:18 libkrb5support.so.0
    -rwxr-xr-x 1 root root 233112 Apr 7 16:18 libnspr4.so
    -rwxr-xr-x 1 root root 1231352 Apr 7 16:18 libnss3.so
    -rwxr-xr-x 1 root root 123152 Apr 7 16:18 libnssutil3.so
    -rwxr-xr-x 1 root root 17992 Apr 7 16:18 libplc4.so
    -rwxr-xr-x 1 root root 13960 Apr 7 16:18 libplds4.so
    -rwxr-xr-x 1 root root 85928 Apr 7 20:55 libz.so.1

    ./usr/libexec:
    total 76
    drwxr-xr-x 2 root root 4096 Apr 7 13:45 openssh
    -rwsr-xr-x 1 root root 67691 Apr 7 16:55 rssh_chroot_helper

    ./usr/libexec/openssh:
    total 56
    -rwxr-xr-x 1 root root 53072 Apr 7 15:05 sftp-server
    {code}

    I am not sure what else to do – can anyone else provide any guidance?

  • Zoltan April 8, 2011, 11:23 am

    Hi JP,
    In my case the solution for the same problem was to add /[chrootedlibrary]/lib64/libnss_files.so.2

    But in your case it might be some other lib files missing.

    I would try to run /usr/libexec/rssh_chroot_helper 2 "/usr/libexec/openssh/sftp-server"
    from shell to see whether I get any error message. You might want to try with different users.

    Also, if the user (at least the user number) is not in the /chrootlibrary/etc/passwd file, then you will get the same error as above, but when you run it from a shell it will tell you that it couldn't find the user id.

    I hope it helps

    • Nicolas Casallas February 20, 2012, 3:03 pm

      The problem is solved by copying the folder libexec located in /users/libexec to /users/usr/libexec.

      Run the command (from /users): cp -R libexec usr/

      and try again.

  • Zoltan April 8, 2011, 1:32 pm

    Hi JP,
    Actually I found another possible reason.
    The rssh_chroot_helper is executed from the original folder and not the chrooted one, so you need to make sure that your chroot user has execute access to it.

  • jp April 8, 2011, 2:01 pm

    Hi Zoltan,
    I have changed the ownership of the original rssh_chroot_helper to root:testing and then performed a chmod to reassert the SetUID.
    I still get the same error and an extra one when I do this.
    Apr 8 14:55:46 testing-ftp rssh_chroot_helper[5621]: chroot() failed, 2: Operation not permitted
    I have run through the example 3 times and I know I have added more libs than are necessary at this point.
    I have already copied /libnss_files.so.2 into the relative location as shown in my ls -lR above.
    I can't run the command /usr/libexec/rssh_chroot_helper 2 "/usr/libexec/openssh/sftp-server" as the testing user, as the user is not allowed a shell. While trying to run the command as root, I get the following error:
    Apr 8 13:38:57 testing-ftp rssh_chroot_helper[4470]: new session for root, UID=0
    Apr 8 13:38:57 testing-ftp rssh_chroot_helper[4470]: user’s home dir is /root
    Apr 8 13:38:57 testing-ftp rssh_chroot_helper[4470]: couldn’t find /root in chroot jail
    Apr 8 13:38:57 testing-ftp rssh_chroot_helper[4470]: chrooted to /users
    Apr 8 13:38:57 testing-ftp rssh_chroot_helper[4470]: changing working directory to / (inside jail)
    Thanks for your help.

  • Zoltan April 8, 2011, 2:47 pm

    What you get as a root is not an error, it just tells that the root user’s home directory is not in the chrooted folder. This is expected
    It seems your rssh is working with root user, so now you just need to figure out why it’s not working with your chroot user.

    Probably one of the necessary lib files, passwd file, sftp-server, rssh_chroot_helper etc file is not readable or executable by that user.
    Unfortunately I couldn’t figure out how to get logging activated to see what is missing, so from this point on you just need to check all these files for proper access rights.

  • Zoltan April 8, 2011, 2:48 pm

    ps.: also make sure that your chroot user exists in the chroot/etc/passwd file.

    • ALEX April 12, 2011, 12:09 pm

      JP – /libexec is inside /usr. You can remove libexec from your /chroot dir. That probably won’t fix your problem but it could be messing with something. Other than that, I noticed your permissions in /etc are only operational for root. Try giving read permissions on the files in /etc. If that doesn’t work, change it back.

  • Greg May 19, 2011, 9:41 pm

    When in doubt, verify that the /chroot/dev/null exists. Worked for me.
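    Zoltan's, ALEX's and Greg's replies above come down to a checklist: the files in the jail must be readable (and the binaries executable) by the jailed user, rssh_chroot_helper on the real root must be setuid, /dev/null must exist inside the jail as a device node, and the user must be present in the jail's passwd with a home directory that exists under the jail. The script below is an added example, not part of the article, of rssh, or of any commenter's setup; it mechanises that checklist for the RHEL/CentOS layout the article uses. The required-file lists, the default helper path and the function names are assumptions (adjust the paths for Debian's /usr/lib layout), and the jail it is tested against is constructed.

```shell
#!/bin/sh
# Added example (not from the article or rssh): sanity-check an rssh chroot
# jail before going hunting for missing libraries.
# Usage (as root): sh check_jail.sh /users testing [/path/to/rssh_chroot_helper]

# Relative to the jail. Assumed minimal set; extend to match the article's list.
REQUIRED_FILES="etc/passwd etc/group etc/nsswitch.conf etc/ld.so.cache"
REQUIRED_BINARIES="usr/bin/scp usr/bin/rssh usr/bin/sftp usr/libexec/openssh/sftp-server"

# Permission bits for "others" (columns 8-10 of ls -l), e.g. "r-x".
# The jailed user is not root, so the "others" bits are what matter.
other_bits() {
    ls -ld "$1" | cut -c8-10
}

# check_jail JAIL USER [HELPER]: prints each problem, returns the problem count.
check_jail() {
    jail=$1
    user=$2
    helper=${3:-/usr/libexec/rssh_chroot_helper}   # assumed RHEL/CentOS path
    problems=0

    for f in $REQUIRED_FILES; do
        p="$jail/$f"
        if [ ! -e "$p" ]; then
            echo "MISSING    $p"; problems=$((problems + 1))
        elif [ "$(other_bits "$p" | cut -c1)" != r ]; then
            # jp's listing had mode 700 on everything in etc/: unreadable for the user.
            echo "UNREADABLE $p (not readable by others)"; problems=$((problems + 1))
        fi
    done

    for b in $REQUIRED_BINARIES; do
        p="$jail/$b"
        if [ ! -e "$p" ]; then
            echo "MISSING    $p"; problems=$((problems + 1))
        else
            case $(other_bits "$p") in
                r?[xt]) ;;
                *) echo "NOT r-x    $p (others need read+execute)"; problems=$((problems + 1)) ;;
            esac
        fi
    done

    # /dev/null must be a character device (major 1, minor 3) inside the jail.
    if [ ! -c "$jail/dev/null" ]; then
        echo "MISSING    $jail/dev/null (mknod -m 666 $jail/dev/null c 1 3)"
        problems=$((problems + 1))
    fi

    # The helper runs from the real root, not the jail; it must be setuid,
    # and the article requires it to be owned by root.
    if [ ! -e "$helper" ]; then
        echo "MISSING    $helper"; problems=$((problems + 1))
    else
        case $(ls -l "$helper" | cut -c1-10) in
            ???s??????) ;;
            *) echo "NOT SETUID $helper"; problems=$((problems + 1)) ;;
        esac
    fi

    # The user and the user's home directory must both exist inside the jail;
    # jp's log "couldn't find /root in chroot jail" is what a missing home looks like.
    if grep -q "^$user:" "$jail/etc/passwd" 2>/dev/null; then
        home=$(awk -F: -v u="$user" '$1 == u { print $6 }' "$jail/etc/passwd")
        if [ ! -d "$jail$home" ]; then
            echo "MISSING    home $home inside $jail"; problems=$((problems + 1))
        fi
    else
        echo "NOT IN JAIL PASSWD: $user"; problems=$((problems + 1))
    fi

    echo "$problems problem(s) found"
    return $problems
}

if [ $# -ge 2 ]; then
    check_jail "$@"
fi
```

    The script deliberately tests the mode bits with ls rather than `-r`/`-x`, because those operators answer for the user running the script (root sees everything) rather than for the jailed user.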

  • Greg May 20, 2011, 10:24 pm

    I also found MySecureShell to be a superior tool to rssh.
    It solved the issue that Ivan and Stefan warned about.
    Their comments are dated August 22, 2008 & September 2, 2008.

  • Macinville May 30, 2011, 10:43 am

    Hi Vivek,
    In the first few lines, the you instructed


    # mkdir -p /users/libexec/openssh

    and then after that, you said


    # cd /users/usr/libexec/openssh/

    which will, of course, produce an error. I thought I could skip that code, but when I did, upon login it immediately prompted me "Connection closed" without any error whatsoever.

    So what I did was to


    # mkdir -p /users/usr/libexec/openssh

    so I can proceed with


    # cd /users/usr/libexec/openssh/
    # cp /usr/libexec/openssh/sftp-server .

    which is, apparently, quite important because after doing so, it let me connect to it.

    Success!

    I am thinking of making a script for CentOS 5.5 based on this. I will post any update about my plan. :)

    Thanks Vivek!

  • Amit July 5, 2011, 8:10 am

    I am getting this error.. please help

    Status: Connected to x.x.x.x
    Error: Connection closed by server with exitcode 1
    Error: Could not connect to server

  • X July 8, 2011, 2:14 am

    Everyone stuck at:

    “… ssh_chroot_helper[4470]: changing working directory to / (inside jail)”

    but then getting a refused connection on your sftp client. *Trust other posters* in that it is a library issue… I thought it was bullshit myself and almost gave up hope (no apparent error in my /var/log/syslog). My last resort was to copy all the files in the /lib folder to the /chroot/lib folder. Use the -p and --preserve=link switches so you preserve permissions and links (otherwise linked libraries will be copied as a file…).

    cp -v -p -d --preserve=link /lib/* /chroot/lib/

    It *will* work… Now it's a matter of deleting one by one (if you want) and figuring out the minimum subset required. In my case (Ubuntu 11.04 server):
    ld-2.12.1.so
    ld-linux-x86-64.so.2
    libc-2.12.1.so
    libc.so.6
    libnsl-2.12.1.so
    libnsl.so.1
    libnss_compat-2.12.1.so
    libnss_compat.so.2

    I also followed all previous suggestions in the earlier comments on this site (e.g., adding user to /chroot/etc/passwd… etcetera). Good hunting!

  • Amit July 8, 2011, 5:22 am

    Try to upgrade openSSH version and enjoy the new inbuilt jailroot system. Much easier.

    CyberCiti : please post an article for the same.

  • Solaria July 22, 2011, 8:29 pm

    Got this working on Solaris, works well. Here are some of the errors encountered, and the solutions:

    Error: unknown user xxx

    Occurs during SCP. Missing *nss* lib in chroot, copy /lib/nss_files.so.1 to chroot. (Solaris 10)

    Error: connection closed

    Occurs during SFTP. Missing *ksh* in chroot, copy /bin/ksh and/or /usr/bin/ksh to chroot

    Error: connection closed

    Occurs during SCP on Solaris 9. Missing *nss* lib in chroot, different library path than in Solaris 10. Copy /usr/lib/nss_files.so.1 to chroot.

    Error: rssh_chroot_helper failed, Not owner

    /usr/local/libexec/rssh_chroot_helper must be SUID root

    Error: user attempted to execute forbidden commands; /usr/lib/ssh/sftp-server

    Occurs during SFTP, logged in /var/adm/messages. Target system had both OpenSSH and SolarisSSH, error caused by conflict between rssh config and sshd_config. run ‘/usr/local/bin/rssh -v’ to get sftp server binary path, compare to ‘Subsystem sftp’ path in sshd_config (both config files, OpenSSH and SolarisSSH). Edit sshd_config to match rssh config.

    Found a pretty good script file for setting up the chroot on Solaris…

  • tgutierrez September 9, 2011, 10:56 pm

    Working!!
    This works perfectly; at first I had connection problems, but these were fixed just by adding /chroot/lib64/libnss_files.so.2.
    I have RHEL 6

    Thanks

  • Gustavo September 10, 2011, 3:36 am

    Very good tutorial. I wonder if there is a way to change the message shown on access, "This account is restricted by rssh.
    Allowed commands: scp

    If you believe this is in error, please contact your system administrator."

    to another message.

    Thank you for your help. Greetings from Colombia

  • Loshen September 12, 2011, 8:40 am

    In version 5, jailing is now natively supported.
    The problem is that CentOS 5.5 and lower came with SSH < 4.8.
    So if you upgrade you will automatically get Jailing.
    I followed these instructions. http://adamsworld.name/chrootjailv5.php

  • Sean Ackley March 22, 2012, 10:21 pm

    Vivek, this is a crazy good utility to use, made my life so much easier when I implemented chroot.

    I ran into one issue, in which certain utilities like "vim" and "file" require support libraries under /usr/share. I also needed to include /usr/share/locale and /usr/share/terminfo (for "vim", for instance).

    Is there a way to check within l2chroot for these support libs as well? It makes the installation a little more bullet proof.

    Thanks so much.

  • Eli Wapniarski April 2, 2012, 9:21 am

    You can confine the user to their home folder by changing permissions on all the folders other than their home folder to 751. As per the example in this article:

    cd /
    chmod 751 users
    cd users
    find . -type d -exec chmod 751 {} \;

    If you need to return the home folder back to normal permissions then:

    chmod 700 vivek
    cd vivek
    find . -type d -exec chmod 755 {} \;

  • Sergios July 18, 2012, 3:20 pm

    If the user home is chmod 700
    and the internal folders are chmod 755 via find . -type d -exec chmod 755 {} \;
    how is it possible for apache2 to read public_html? Or if we apply username:nobody to /home/username/public_html and set the virtual host, can it be read by the world?
    Thank you.

  • TooMeeK May 5, 2013, 12:46 am

    Hi, just discovered a problem on a 64-bit OS: it is not copying the shared libs:
    l2chroot /usr/bin/scp
    Copying shared files/libs to /home/jails…
    Copying /lib64/ld-linux-x86-64.so.2 /home/jails/lib64…

    when it should be:
    ldd /usr/bin/scp
    linux-vdso.so.1 => (0x00007fff4e35f000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007ffb9ed2e000)
    /lib64/ld-linux-x86-64.so.2 (0x00007ffb9f2cf000)
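    TooMeeK's ldd output above shows why a copier that only recognises the `soname => /path` shape stops after the first line: the 64-bit dynamic loader is printed as a bare `/path (addr)` line with no `=>`, and the vdso line has no path at all. X's comment works around the same class of problem by copying all of /lib. The script below is an added example, not the article's l2chroot script or any rssh code: it accepts all three line shapes ldd prints, skips the "statically linked" message, and copies each resolved library to the same path under the jail, dereferencing symlinks with `cp -L` so the jail holds the real file under the soname that ld.so looks up rather than a link that points outside the jail. The function names are assumptions, and the ldd output fed to the test is constructed from the lines TooMeeK posted.

```shell
#!/bin/sh
# Added example (not the article's l2chroot): copy a binary and every
# shared library ldd resolves for it into a chroot jail.
# Run as root on the real system, e.g.:
#   sh l2chroot-fixed.sh /users /usr/bin/scp

# ldd_paths: read ldd(1) output on stdin, print one absolute library path
# per line. Handles "soname => /path (addr)" and the bare "/path (addr)"
# form used for the dynamic loader; skips the vdso (no path on disk) and the
# "statically linked" / "not a dynamic executable" messages.
ldd_paths() {
    awk '
        /statically linked|not a dynamic executable/ { next }
        {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^\//) { print $i; break }
        }'
}

# copy_into_jail JAIL SRC: copy SRC to JAIL/SRC, creating parent directories.
# -p keeps mode and timestamps; -L follows symlinks so the jail gets the real
# file at the soname path instead of a link whose target is outside the jail.
copy_into_jail() {
    jail=$1
    src=$2
    dest="$jail$src"
    mkdir -p "$(dirname "$dest")"
    cp -pL "$src" "$dest"
}

# l2chroot_fixed JAIL BINARY: copy BINARY plus everything ldd resolves for it.
l2chroot_fixed() {
    jail=$1
    bin=$2
    copy_into_jail "$jail" "$bin"
    ldd "$bin" | ldd_paths | while IFS= read -r lib; do
        echo "Copying $lib -> $jail$lib"
        copy_into_jail "$jail" "$lib"
    done
}

if [ $# -eq 2 ]; then
    l2chroot_fixed "$1" "$2"
fi
```

    Because libraries are copied to their original absolute paths below the jail, the jail's /etc/ld.so.conf and ld.so.cache from the real system keep working unchanged; the listing jp posted follows the same mirrored layout.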