chroot permissions at login

Hi everyone!

I’m trying to get it so that for a particular user, at login, they are chrooted to a specific directory. I’ve set up the directory and everything such that I think it should work. I wrote a new login shell that chroots the user and set it to be the login shell for that user in yast. Everything works great, except that when the user logs in, it asks for two passwords : the user’s password, and then the root password (because chrooting requires su privileges). Is there a way around this? This is what my login shell looks like:

#!/bin/sh
/usr/bin/sudo /usr/bin/chroot /home/raid/dictation /bin/bash

How can I make it so that when that executes, the sudo command doesn’t need authentication?

On 08/11/2011 09:56 AM, hyperutila wrote:
>
> Hi everyone!
>
> I’m trying to get it so that for a particular user, at login, they are
> chrooted to a specific directory. I’ve set up the directory and
> everything such that I think it should work. I wrote a new login shell
> that chroots the user and set it to be the login shell for that user in
> yast. Everything works great, except that when the user logs in, it asks
> for two passwords : the user’s password, and then the root password
> (because chrooting requires su privileges). Is there a way around this?
> This is what my login shell looks like:
>
>
> Code:
> --------------------
> #!/bin/sh
> /usr/bin/sudo /usr/bin/chroot /home/raid/dictation /bin/bash
> --------------------
>
>
> How can I make it so that when that executes, the sudo command doesn’t
> need authentication?

Check ‘man sudoers’. The info can all be entered with YaST.

I suspect that even if you get past the second password with sudo, you will not be able to achieve what you want. Chroot has certain caveats, and will not work for a general user shell, unless you provide enough of an environment under the new root for the process. These include things like /dev/null, /dev/zero, /dev/tty, shared libraries, resolution for id<->names e.g. PAM, logging and more. It’s much easier to chroot a single daemon.

In short chroot is not a “user jail”.

Maybe I don’t quite understand what you were saying, but adding the user to the sudoers list isn’t the problem. The user is able to perform the sudo command, it just requires a password. Or is there some way of setting it up so that it doesn’t require a password in yast? Is that what you were saying? Also, I set up the environment exactly how I want, including the devs, libraries, etc. It works great after the root password is entered, but if the user has to enter the root password, it’s kinda useless. That’s the only issue. How do I get it to execute that chroot command at login without requiring a root password?

On 08/11/2011 01:06 PM, hyperutila wrote:
>
> Maybe I don’t quite understand what you were saying, but adding the user
> to the sudoers list isn’t the problem. The user is able to perform the
> sudo command, it just requires a password. Or is there some way of
> setting it up so that it doesn’t require a password in yast? Is that
> what you were saying? Also, I set up the environment exactly how I want,
> including the devs, libraries, etc. It works great after the root
> password is entered, but if the user has to enter the root password,
> it’s kinda useless. That’s the only issue. How do I get it to execute
> that chroot command at login without requiring a root password?

It is not just the user, but the specific command(s) and arguments.

For example, mine contains the following line:

finger ALL = (root) NOPASSWD:/usr/sbin/iwlist ,/sbin/modprobe ,/usr/bin/make install,/usr/bin/make modules_install install,/sbin/insmod ,/sbin/rmmod

I can enter all those commands without entering the root password.

I’m not quite sure where you are talking about. What is “mine” referring to in that sentence? Is this a sudoers configuration file? This isn’t part of the shell script, right? So I take it that what you’re doing is saying “These following programs can be run by root without requiring a password.” Correct? I just don’t know where I put that line. Thanks!

On 08/12/2011 05:06 PM, hyperutila wrote:
>
> lwfinger;2374227 Wrote:
>>
>>
>> It is not just the user, but the specific command(s) and arguments.
>>
>> For example, mine contains the following line:
>>
>> finger ALL = (root) NOPASSWD:/usr/sbin/iwlist ,/sbin/modprobe
>> ,/usr/bin/make
>> install,/usr/bin/make modules_install install,/sbin/insmod
>> ,/sbin/rmmod
>>
>> I can enter all those commands without entering the root password.
>
> I’m not quite sure where you are talking about. What is “mine”
> referring to in that sentence? Is this a sudoers configuration file?
> This isn’t part of the shell script, right? So I take it that what
> you’re doing is saying “These following programs can be run by root
> without requiring a password.” Correct? I just don’t know where I put
> that line. Thanks!

Mine, as in the system belonging to me. It was an example. The line came from
/etc/sudoers.

Are you sure you have the expertise needed to set up something like this? Your
questions seem to be those of a noob.

Just go to YaST => Security and Users => Sudo and add to the rules for Sudo.
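As an added example (not from any poster in this thread), here is a sudoers rule tailored to the login shell from the first post, pinned to one exact command line rather than to the chroot binary in general. It assumes the account is named dictation, which the thread never states, and uses GNU chroot's --userspec option so the shell inside the chroot runs as that user instead of as root.

```sudoers
# Added example for the dictation chroot login shell; the account name
# "dictation" is an assumption.  Whatever the login shell executes must
# match this argument list byte for byte, or sudo will still prompt.
# Per sudoers(5), '=' inside a command argument is escaped with '\'.
Cmnd_Alias DICTATION_CHROOT = /usr/bin/chroot --userspec\=dictation /home/raid/dictation /bin/bash

# Only this one command line is passwordless.  A rule written as
#   dictation ALL = (root) NOPASSWD: /usr/bin/chroot
# would let the user chroot into ANY directory and run ANY program as root.
dictation ALL = (root) NOPASSWD: DICTATION_CHROOT
```

With the first post's script as written, /bin/bash starts as root inside the new root, so the login shell should call chroot with the same --userspec argument the rule lists. Edit the file with visudo (or the YaST Sudo module) so a syntax error cannot lock sudo out entirely.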

Yes, I am a noob, but what better way to learn than by doing it? By the way, it works perfectly now. Thank you!

Experimenting is a good way to learn. The chroot environment is an isolated standalone jail. It will require every file that is needed to be inside the chroot. This isn’t practical for user accounts because every command/file has to be within.