
Jailkit and jails - Jailing a user

Suda runs like a public computer on the internet, and that requires putting the public user in a "jail", making it run much like a computer in kiosk mode. This is a basic guide to the approach we took to creating a chroot jail on Parabola Linux. We are basically whitelisting what a specific user can do. Why do this? It is essentially a way of limiting the amount of harm a person with malicious intent could do, given that suda's public-facing online side is, when running, accessible to all. So we have to limit what can be run on it (no compilers, no su, no sudo), in other words limit the functions of a user to the basics without compromising the look and feel of what suda has become. If you find errors in this document please point them out.

Jailing a user on suda using jailkit


Primary sources:

https://olivier.sessink.nl/jailkit/jailkit.8.html

https://askubuntu.com/questions/93411/simple-easy-way-to-jail-users

Secondary sources:

https://www.howtoforge.com/debian-9-jail-jailkit/


http://www.linuxmisc.com/1-linux-setup/9de37a1b1aca86d8.htm


https://linuxize.com/post/how-to-delete-users-in-linux-using-the-userdel-command/

https://wiki.archlinux.org/title/Linux_console/Keyboard_configuration


The basic guide followed was this one:
https://askubuntu.com/questions/93411/simple-easy-way-to-jail-users


Rundown:

1) Download Jailkit from the website of the maintainer: https://olivier.sessink.nl/jailkit/index.html#download

2) Extract that and issue the usual ./configure, make and sudo make install.


3) Create a non-privileged user (let's call it guest)

sudo useradd -m guest

4) Add a password for that user

sudo passwd guest


Before moving the user to the jail or running the jailkit scripts, it's easier to go into the guest account as that user and add the basic scripts for suda and the ctwmrc configuration for ctwm.


5) Now for the fun bit: create a jail

sudo mkdir /home/jail

6) Make root the owner of /home/jail (so that no unprivileged user can write to it)

sudo chown root:root /home/jail


Then populate the jail with the basic things the user will use, remembering that a chroot jail is a little like a virtual system, so whatever we want the user to be able to use must be accessible within the jail.


7) Use jk_init (one of the scripts provided by jailkit) to transfer the basic necessities to the jail:


sudo jk_init -v /home/jail netutils basicshell jk_lsh

(note no ssh etc)


8) Jail the user


sudo jk_jailuser -m -j /home/jail/ guest

9) Copy the bash libraries to the jail

sudo jk_cp -v -f /home/jail /bin/bash


10) Edit /home/jail/etc/passwd so that this line:

guest:x:1001:1001::/home/guest:/usr/sbin/jk_lsh


looks like this:


guest:x:1001:1001::/home/guest:/bin/bash


The jk_cp script is used to copy binaries and their dependencies into the jail environment, so we don't have to do it manually. This is the advantage of using jailkit over other methods: we don't have to go hunting through the file system for the dependencies.

11) Copy additional (suda-specific) software to the jail


Next we have to add the extra sauce to make everything we want to run actually run, so we do this:


sudo jk_cp -v -j /home/jail/ /usr/bin/xsetroot xfontsel xdotool xdg-settings xclock vim script ffmpeg ffplay ffprobe xterm lxterminal xloadimage scrot xwininfo xxd 

This creates copies of those binaries within the jail environment for our user to use.


12) To get Xorg to run correctly we need to copy the xdg folder and the X11 folder to the /etc/ of the jail as well.


To copy those over we issue:


sudo jk_cp -v -j /home/jail/ /etc/xdg

sudo jk_cp -v -j /home/jail/ /etc/X11


13) Create a locale configuration (and a keyboard configuration), otherwise it defaults to the C locale, which can stop certain things running correctly.


sudo touch /home/jail/etc/vconsole.conf

sudo touch /home/jail/etc/locale.conf

sudo nano /home/jail/etc/locale.conf

- add in the required locale, in our case it's

LANG=en_GB.UTF-8


- edit the console keymap (this doesn't affect xorg)

sudo nano /home/jail/etc/vconsole.conf

and add in the line for the keymap you want:

KEYMAP=uk
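
A way to check the result of steps 5 to 13, as an added example that is not part of the original guide or of Jailkit: a small POSIX shell audit that reports compilers, su or sudo inside the jail, setuid/setgid files, a jail root that is not root-owned or is writable by others, and a jailed user whose shell is missing from the jail. The function names are made up for this example; the jail path /home/jail and the user guest are the ones used above.

```shell
#!/bin/sh
# Added example: audit a jail built with the steps above.
# Assumed defaults: jail root /home/jail, user guest. Function names are illustrative.

# List tools the guide wants kept out of the jail (compilers, su, sudo).
jail_forbidden_tools() {
    for tool in su sudo gcc cc g++ clang make; do
        for dir in bin sbin usr/bin usr/sbin usr/local/bin; do
            if [ -e "$1/$dir/$tool" ]; then echo "/$dir/$tool"; fi
        done
    done
}

# List setuid/setgid files; a jail for an untrusted user should contain none.
jail_setid_files() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print
}

# Print the jail root if it is not owned by $2 (default uid 0) or is
# writable by group/other, which is what step 6 is meant to rule out.
jail_root_problem() {
    find "$1" -prune \( ! -user "${2:-0}" -o -perm -020 -o -perm -002 \) -print
}

# Print the shell set for user $2 in the jail's own etc/passwd (step 10);
# fail if there is no entry or the shell is not executable inside the jail.
jail_user_shell() {
    shell=$(awk -F: -v u="$2" '$1 == u { print $7 }' "$1/etc/passwd") || return 1
    [ -n "$shell" ] || return 1
    echo "$shell"
    [ -x "$1$shell" ]
}

# Run every check; return 0 only when nothing is reported.
jail_audit() {
    jail=${1:-/home/jail} user=${2:-guest} owner=${3:-0} bad=0
    out=$(jail_forbidden_tools "$jail")
    [ -z "$out" ] || { echo "forbidden tools: $out"; bad=1; }
    out=$(jail_setid_files "$jail")
    [ -z "$out" ] || { echo "setuid/setgid: $out"; bad=1; }
    out=$(jail_root_problem "$jail" "$owner")
    [ -z "$out" ] || { echo "jail root ownership/mode: $out"; bad=1; }
    jail_user_shell "$jail" "$user" >/dev/null || { echo "shell for $user unusable"; bad=1; }
    return "$bad"
}
```

Source the file and run `jail_audit /home/jail guest` as root after any later jk_cp call, since each new binary copied in changes what the jailed user can do.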

And that's the jail pretty much set up.


Suda-specific notes


Certain scripts, like sudacam 1 and 2 and the later mantissacam1 and 2 scripts, had to be altered to run in the jail. In the case of sudacam1.sh it originally read


lxterminal --geometry=17x18+0+3 -e 'ffplay -f x11grab -follow_mouse centered -framerate 10 -video_size 640x480 -i :0.0'

(which launches an lxterminal within which the command runs and thus the pipe/ffplay window) 


To avoid calling an lxterminal or xterm, and the script crashing out or not starting because other dependencies are not present within the jail environment or because it hits the 'get_pty:not enough ptys' error (which for reference is discussed here: https://www.linuxquestions.org/questions/linux-desktop-74/get_pty-not-enough-ptys-error-4175533684/), the script was changed to this:


ffplay -f x11grab -follow_mouse centered -framerate 10 -video_size 640x480 -i :0.0 


This worked as well as the original implementation. The manifesto and glitchify scripts did not need any changes.