Tuesday, November 01, 2005

Put nx user's in jail

Because in our peoject we want to give access to our servers almost to anybody who manages to register on our webpage security is a big issue. There are some virtualization solutions like Xen, qemu, or virtual machine/pc but since our machines are only used for this task we implemented a more light weight solution like a chroot environment. We used jail from JMC Research for our little project:

I installed dozens of program with addjailsw to make nx and java (we want people to use java and vtk;-) run. Below you will find the programs from my directory structure:


awk cat egrep ln more rm sh uname basename cp grep ls mv rmdir sleep vi bash cut hostname mkdir pwd sed touch


dirname java nxagent nxloadconfig nxprint nxviewer tr expect javac nxclient nxnode nxproxy passwd which head md5sum nxdesktop nxnode-login nxserver ssh xterm id nslookup nxkeygen nxpasswd nxsetup tail

I also copied the whole java directory in /usr/local (including links) and the whole X11R6 directory to /usr/, too. You might need to check if you need all the binaries in /usr/X11R6/bin

I also copied all the NX files wherever they were into to chroot envionment but then deleted in the chroot-nx-home-directory .ssh -- you only need that if you are going to run nx in the jail, too. I am not sure if that is a good idea because then the keys would be theoretically accessible by the users in the jail environment -- unless you would use a second jail for nx...

I have printed the content of the /etc directory below. I just copied the files from the real environment except passwd and groups -- they are maintained by the jail environment's programs. You might also want to edit the sshd directory to not give so many keys away or use more restrictive settings.


ld.so.cache mtab nxserver resolv.conf shadow termcap X11 hosts localtime nsswitch.conf passwd services ssh vimrc

nxserver and X11 are directories.

I also implemented some hack (see here on the mailinglist) into jail to allow essentially the usage of ssh in the jail. You might be able to get by without the patch if you make nx su to the other users.

This is a rough sketch from what I did -- drop me a note if you have questions.

Note: I had trouble opening an xterm in the jail -- there seem to be issues with pty. You can find some information here but that didn't help me. So I ended up linking the Java application I wanted to publish on the web to xterm, e.g. ln -sf /var/chroot/home/vtk/myJava /var/chroot/usr/bin/xterm -- now moznx (see other entry) instead of starting some console window starts my application, too. Of course you can't give users now no access to an xterm anymore -- so thsi won't work for everybody.


Post a Comment

<< Home