[ale] Chrooting a user logged in over telnet
Ted W
ted at techmachine.net
Mon Aug 20 17:39:58 EDT 2012
On Aug 17, 2012, at 10:28 PM, Erik Mathis <erik at mathists.com> wrote:
> Yep
>
> MAKEDEV is the cmd you want
>
> -Erik-
>
> On Fri, Aug 17, 2012 at 9:42 PM, Michael Trausch <mike at trausch.us> wrote:
>> Without doing some experimentation, I can't tell you exactly what to do, but
>> basically you need a minimal /dev there. Leave out block devices and so
>> forth so that the environment is (relatively) secure, but note that chroot
>> jails can be easily broken out of.
>>
>> Also, as an aside; telnet doesn't have to be insecure. If memory serves, it
>> is possible to use Kerberos with Telnet so long as both client and server
>> support it, for both confidentiality and authentication.
>>
>> On Aug 17, 2012 8:32 PM, "Ted W" <ted at techmachine.net> wrote:
>>
>>
>> _______________________________________________
>> Ale mailing list
>> Ale at ale.org
>> http://mail.ale.org/mailman/listinfo/ale
>> See JOBS, ANNOUNCE and SCHOOLS lists at
>> http://mail.ale.org/mailman/listinfo
>>
So, it looks like makedev is not available on the systems I'm working with. The server I'm configuring uses udev and after some digging I discovered that I was just missing one simple command, which makes complete sense in retrospect:
mount -o bind /dev /chroot/dev
Now, the next issue is with regard to setting a different chroot directory for each user that is logged in to the system. As far as I can tell, xinetd allows for a "server_args" line in the xinetd.conf files. I have the "server" line and "server_args" line set up as follows:
server = /usr/bin/chroot
server_args = /chroot /usr/sbin/in.telnetd
So far as I can tell, this is telling xinetd to listen on port 23. On connection, execute /usr/bin/chroot with args /chroot and /usr/sbin/in.telnetd. What I would like to accomplish is something similar to the "ChrootDirectory" line in /etc/ssh/sshd_config which, on my system reads:
ChrootDirectory %h
What I'm attempting to do now to accomplish this is a bit hackish, but it's the first thing that popped into my head. Instead of launching "/usr/bin/chroot /chroot /usr/sbin/in.telnetd", xinetd will launch a script that will listen on port 23; on connection it will prompt for the username and run something equivalent to "getent passwd $user | awk -F: '{print $6}'" to obtain the home directory for the user. The script will then run /chroot $homedir /usr/sbin/in.telnetd. I've not yet figured out the logistics of how to do this exactly, as a simple bash script doesn't seem to be cutting it. I think this may be the best way to go about it unless there are any other suggestions.
--
Ted W. < Ted at Techmachine.net >
Registered GNU/Linux user #413569
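A sketch of the wrapper script described in the last paragraph of Ted's message, added here as an illustration rather than code from the thread. It assumes GNU coreutils stat(1) and getent(1), a hypothetical install path of /usr/local/sbin/telnet-chroot-wrapper with "server_args = --serve" in the xinetd entry, and it embeds a few constructed passwd-format lines so the lookup and validation functions can be exercised without touching the real account database. The username the client types is the only untrusted input, so it is restricted to a conservative character set before it gets anywhere near a chroot path, and the resulting directory is refused unless it is root-owned, which is the same rule sshd enforces for ChrootDirectory.

```shell
#!/bin/sh
# Added example (not from the thread): an xinetd "server" that picks a chroot
# directory per user before handing the connection to in.telnetd.
# xinetd gives us the accepted socket as stdin/stdout, so the prompt goes to
# the client and the first line we read is the client's reply.
# Assumptions: GNU coreutils stat(1), getent(1), and an xinetd entry such as
#   server      = /usr/local/sbin/telnet-chroot-wrapper   (hypothetical path)
#   server_args = --serve

# Constructed sample passwd lines, used only when the functions are run
# stand-alone; the real wrapper reads getent(1) instead.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/sh
alice:x:1001:1001:Alice:/home/alice:/bin/sh
mallory:x:1002:1002:Mallory:../../etc:/bin/sh'

# Accept only a conservative username charset. The name ends up as an
# argument to chroot(8), so reject anything that could carry path tricks or
# look like a command-line option.
valid_username() {
    case "$1" in
        ''|-*|*[!a-z0-9_-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Read passwd(5)-format lines on stdin and print the home directory of user $1.
# Fails (prints nothing) if the user is absent or the home is not an absolute path.
passwd_home() {
    home=$(awk -F: -v u="$1" '$1 == u { print $6; exit }')
    case "$home" in
        /*) printf '%s\n' "$home" ;;
        *)  return 1 ;;
    esac
}

# Resolve the chroot directory for a user from the live account database and
# refuse it unless it exists and is owned by root: the same rule sshd applies
# to ChrootDirectory, since a user-writable chroot root lets the user plant
# files that later run with whatever privileges in.telnetd and login have.
chroot_dir_for() {
    valid_username "$1" || return 1
    dir=$(getent passwd "$1" | passwd_home "$1") || return 1
    [ -d "$dir" ] || return 1
    [ "$(stat -c %u "$dir" 2>/dev/null)" = 0 ] || return 1
    printf '%s\n' "$dir"
}

serve() {
    printf 'Chroot login: '
    read -r user || exit 1
    user=$(printf '%s' "$user" | tr -d '\r')   # telnet clients send CRLF
    dir=$(chroot_dir_for "$user") || { echo 'Login incorrect'; exit 1; }
    # The bind-mounted /dev, a login binary and its libraries must already be
    # present under "$dir"; in.telnetd will prompt for the real login itself.
    exec /usr/bin/chroot "$dir" /usr/sbin/in.telnetd
}

# Only act as the server when xinetd passes --serve, so the script can also be
# sourced or run stand-alone to exercise the functions above.
if [ "${1:-}" = --serve ]; then
    serve
fi
```

Two things to note if you try it for real: the user still has to pass the normal login prompt from in.telnetd inside the chroot, so this adds a second, unauthenticated prompt before that, and it is not a substitute for the "chroot is not a security boundary" caveat earlier in the thread, only a way to stop one user from selecting another user's directory.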