On a 64 bit CentOS host I am using script make_chroot_jail.sh
to put a user in a jail, not permitting it to see anything expect it's home at /home/jail/home/user1
.
I did it typing this:
sudo ./make_chroot_jail.sh user1
after, when trying to connect to user1 first i was getting an error like:
/bin/su: user guest does not exist
i have fixed this by copying some missed libraries:
sudo cp /lib64/libnss_compat.so.2 /lib64/libnss_files.so.2 /lib64/libnss_dns.so.2 /lib64/libxcrypt.so.2 /home/jail/lib64/
sudo cp -r /lib64/security/ /home/jail/lib64/
But now, when trying to connect to user1 typing su user1
and then typing it's password, i am getting this error:
could not open session
So the question is how to connect to user1 in this situation?
P.S. Here are the permissions of some files, this might be helpful in order to provide a solution:
-rwsr-xr-x 1 root root /home/jail/bin/su
drwxr-xr-x 4 root root /home/jail/etc
-rw-r--r-- 1 root root /home/jail/etc/pam.d/su
-rw-r--r-- 1 root root /home/jail/etc/passwd
-rw------- 1 root root /home/jail/etc/shadow
UPDATE1
After some modifications i managed to connect to user1, but the session closes immediately!
I guess this a PAM issue, however cant find a way to fix it.
Here the log entry for close action from /val/log/secure
:
Oct 6 15:19:42 localhost su: pam_unix(su:session): session closed for user user1
What makes the session to exit immediately after launching?
Best Answer
To fix the
could not open session
problem, without abandoning make_chroot_jail.sh entirely, you also need to copy the/usr/lib/libcrack*
libraries. Edit the script, where it has:Change to:
Just a quick addendum, the above fixed this problem with 64 bit SuSE - SLES 11 sp2. I also renamed the
$JAILPATH/lib
to$JAILPATH/lib64
. And for that OS, I had to add an empty /etc/profile file in the jail (you can use it to put in a PS1 prompt).