In this entry we will see how to create a user on Ubuntu 18.04.3 LTS (armv7l) on a Raspberry Pi 2 Model B+ that can only access a specific folder over SFTP. This user is confined in a chroot jail so that it cannot move outside that folder into other operating system directories.

All actions must be performed as root or with sudo. It is important to note that this OS is 32-bit and its libraries live in the "/lib" folder, not "/lib64".

This user will be called "guest", and therefore we will create a guest folder in "/home":

mkdir -p /home/guest

Inside this folder we create the "dev" folder:

mkdir -p /home/guest/dev/
cd /home/guest/dev/

Then we run the following command and look at its output:

ls -l /dev/{null,zero,stdin,stdout,stderr,random,tty}

Which in my case returns:

root@vmrp01:/# ls -l /dev/{null,zero,stdin,stdout,stderr,random,tty}
crw-rw-rw- 1 root root 1, 3 ene 28  2018 /dev/null
crw-rw-rw- 1 root root 1, 8 ene 28  2018 /dev/random
lrwxrwxrwx 1 root root   15 ene  1  1970 /dev/stderr -> /proc/self/fd/2
lrwxrwxrwx 1 root root   15 ene  1  1970 /dev/stdin -> /proc/self/fd/0
lrwxrwxrwx 1 root root   15 ene  1  1970 /dev/stdout -> /proc/self/fd/1
crw-rw-rw- 1 root tty  5, 0 ene 28  2018 /dev/tty
crw-rw-rw- 1 root root 1, 5 ene 28  2018 /dev/zero
root@vmrp01:/#

In the output we look at the entries that start with 'c' (character devices) and at the two numbers that appear before the date (the major and minor device numbers), and we create nodes with the same values in the "/home/guest/dev" folder with the mknod command:

mknod -m 666 null c 1 3
mknod -m 666 random c 1 8
mknod -m 666 tty c 5 0
mknod -m 666 zero c 1 5

We make sure that the "/home/guest" folder that confines the user "guest" is owned by the user "root", and we give it the correct permissions for this:

chown root:root /home/guest
chmod 0755 /home/guest

Then we create inside "/home/guest" the "bin" folder where we will copy the required shells, which in my case is sh and bash:

mkdir -p /home/guest/bin
cp -v /bin/sh /home/guest/bin/
cp -v /bin/bash /home/guest/bin/

Then we check with the "ldd" command which libraries these shells require:

ldd /bin/bash
ldd /bin/sh

Which in my case returns:

root@vmrp01:/proc/self/fd$ ldd /bin/bash
        linux-vdso.so.1 (0x7e99b000)
        libtinfo.so.5 => /lib/arm-linux-gnueabihf/libtinfo.so.5 (0x76ebe000)
        libdl.so.2 => /lib/arm-linux-gnueabihf/libdl.so.2 (0x76eab000)
        libc.so.6 => /lib/arm-linux-gnueabihf/libc.so.6 (0x76db3000)
        /lib/ld-linux-armhf.so.3 (0x76fcd000)
root@vmrp01:/proc/self/fd$ ldd /bin/sh
        linux-vdso.so.1 (0x7ed4e000)
        libc.so.6 => /lib/arm-linux-gnueabihf/libc.so.6 (0x76e94000)
        /lib/ld-linux-armhf.so.3 (0x76fc9000)
root@vmrp01:/proc/self/fd$

We create the "lib" folder in "/home/guest":

mkdir -p /home/guest/lib

And we copy the required libraries to the folder "/home/guest/lib":

cp -v /lib/arm-linux-gnueabihf/libtinfo.so.5 /home/guest/lib/
cp -v /lib/arm-linux-gnueabihf/libdl.so.2 /home/guest/lib/
cp -v /lib/arm-linux-gnueabihf/libc.so.6 /home/guest/lib/
cp -v /lib/ld-linux-armhf.so.3 /home/guest/lib/

Then we create the "etc" folder in "/home/guest" and copy the passwd and group files from the OS:

mkdir /home/guest/etc
cp -vf /etc/{passwd,group} /home/guest/etc/

So that the user has certain commands available from the SFTP session, we also copy from "/bin" the commands "ls", "date" and "mkdir" used in SFTP sessions:

cp -v /bin/ls /home/guest/bin/
cp -v /bin/date /home/guest/bin/
cp -v /bin/mkdir /home/guest/bin/

And we check with the command "ldd" the libraries required for these commands:

ldd /bin/ls
ldd /bin/date
ldd /bin/mkdir

Which in my case return:

root@vmrp01:/proc/self/fd$ ldd /bin/ls
        linux-vdso.so.1 (0x7ef87000)
        libselinux.so.1 => /lib/arm-linux-gnueabihf/libselinux.so.1 (0x76ef4000)
        libc.so.6 => /lib/arm-linux-gnueabihf/libc.so.6 (0x76dfc000)
        /lib/ld-linux-armhf.so.3 (0x76f5d000)
        libpcre.so.3 => /lib/arm-linux-gnueabihf/libpcre.so.3 (0x76d9f000)
        libdl.so.2 => /lib/arm-linux-gnueabihf/libdl.so.2 (0x76d8c000)
        libpthread.so.0 => /lib/arm-linux-gnueabihf/libpthread.so.0 (0x76d67000)
root@vmrp01:/proc/self/fd$ ldd /bin/date
        linux-vdso.so.1 (0x7edb5000)
        libc.so.6 => /lib/arm-linux-gnueabihf/libc.so.6 (0x76dce000)
        /lib/ld-linux-armhf.so.3 (0x76f01000)
root@vmrp01:/proc/self/fd$ ldd /bin/mkdir
        linux-vdso.so.1 (0x7ee61000)
        libselinux.so.1 => /lib/arm-linux-gnueabihf/libselinux.so.1 (0x76f1a000)
        libc.so.6 => /lib/arm-linux-gnueabihf/libc.so.6 (0x76e22000)
        /lib/ld-linux-armhf.so.3 (0x76f77000)
        libpcre.so.3 => /lib/arm-linux-gnueabihf/libpcre.so.3 (0x76dc5000)
        libdl.so.2 => /lib/arm-linux-gnueabihf/libdl.so.2 (0x76db2000)
        libpthread.so.0 => /lib/arm-linux-gnueabihf/libpthread.so.0 (0x76d8d000)
root@vmrp01:/proc/self/fd$

And we copy the required libraries that were not copied previously to "/home/guest/lib":

cp -v /lib/arm-linux-gnueabihf/libselinux.so.1 /home/guest/lib/
cp -v /lib/arm-linux-gnueabihf/libpcre.so.3 /home/guest/lib/
cp -v /lib/arm-linux-gnueabihf/libpthread.so.0 /home/guest/lib/

We create the user "guest" with:

useradd guest

We specify a password:

passwd guest

We modify the file "/etc/ssh/sshd_config", adding or adjusting the following lines:

Match User guest
ChrootDirectory /home/guest
ForceCommand internal-sftp

These three lines specify:

  • Match User guest: the settings that follow apply only to the user "guest", who is to be confined (chroot jail).
  • ChrootDirectory /home/guest: the path that becomes the root of the jail. The user cannot access anything above that path. The dev, etc, lib and bin folders inside it are accessible to the user but read-only, because they are owned by root and only grant read (and execute, where appropriate) permissions to others.
  • ForceCommand internal-sftp: only allows an SFTP session, not an SSH shell session.

And we restart the sshd service with:

systemctl restart sshd

Before testing it we create an "sftp" folder within "/home/guest" which is what we will use as the root of the SFTP service:

mkdir -p /home/guest/sftp

With this setting the user will only be able to create directories and manage files within "/sftp" (as seen from the SFTP session), but not above it.
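A check script to run before logging in as "guest", added here as an example and not part of the original post. It verifies the conditions sshd enforces for ChrootDirectory (the jail and every parent directory owned by root and not group- or world-writable, otherwise the login fails with "bad ownership or modes for chroot directory"), that the device nodes in the jail carry the major/minor numbers given to mknod, and prints the ChrootDirectory/ForceCommand values sshd actually computes for the user; since a Match block extends to the next Match keyword or the end of the file, the three lines belong at the end of sshd_config, and a misplaced block shows up in that output. The JAIL variable and the --run flag are names of my own.

```shell
#!/bin/sh
# Check script added as an example (not from the original post). Verifies the
# conditions sshd enforces for "ChrootDirectory /home/guest" and that the jail
# contents match what the guide created. Assumes GNU coreutils (stat -c).

JAIL=${JAIL:-/home/guest}   # assumed name; override to check another jail
# 0 if an octal mode as printed by `stat -c %a` (755, 1777, ...) has neither the
# group-write nor the other-write bit set.
mode_ok() {
    perms=$(printf '%04d' "$1")   # zero-pad, then keep the last three digits
    perms=${perms#?}
    group=${perms%?}; group=${group#?}
    other=${perms#??}
    [ $((group & 2)) -eq 0 ] && [ $((other & 2)) -eq 0 ]
}

# 0 if DIR and every ancestor up to / are root-owned and pass mode_ok; sshd
# otherwise rejects the login with "bad ownership or modes for chroot directory".
chroot_path_ok() {
    dir=$1
    while :; do
        uid=$(stat -c %u "$dir") && mode=$(stat -c %a "$dir") || return 1
        if [ "$uid" -ne 0 ] || ! mode_ok "$mode"; then
            echo "bad ownership or modes: $dir (uid=$uid mode=$mode)" >&2
            return 1
        fi
        [ "$dir" = / ] && return 0
        dir=$(dirname "$dir")
    done
}

# 0 if PATH is a character device whose major/minor match the mknod arguments.
dev_node_ok() {
    [ -c "$1" ] && [ "$(stat -c '%t:%T' "$1")" = "$(printf '%x:%x' "$2" "$3")" ]
}

# Full check of the jail; the sshd -T step needs root. Both settings must be
# printed, otherwise the Match block is missing or sits above another Match.
check_jail() {
    chroot_path_ok "$JAIL" || return 1
    for spec in "null 1 3" "random 1 8" "tty 5 0" "zero 1 5"; do
        set -- $spec
        dev_node_ok "$JAIL/dev/$1" "$2" "$3" ||
            { echo "missing or wrong device node: $JAIL/dev/$1" >&2; return 1; }
    done
    sshd -T -C user=guest | grep -iE '^(chrootdirectory|forcecommand) '
}

if [ "${1:-}" = --run ]; then check_jail; fi
```

Run it as root with `sh check_jail.sh --run`; any non-zero exit names the first offending path or device node.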