Skip to main content

Jailkit and jails - Jailing a user on suda

This is a basic guide to the approach that we took to creating a chroot jail on Parabola Linux ie a kiosk mode . Why do this? Its essentially a way of limiting the amount of harm a person with malicious intent could do given that suda's public facing online side is, when running, accessible to all. So we have to limit what can be run on it ie no compilers , no su, no sudo in other words to try to limit the functions of a user to the basics without compromising the look and feel of what suda has become. If you find errors in this document please point them out.

Jailing a user on suda using jailkit


Primary sources

https://olivier.sessink.nl/jailkit/jailkit.8.html

https://askubuntu.com/questions/93411/simple-easy-way-to-jail-users

Secondary sources

https://www.howtoforge.com/debian-9-jail-jailkit/

http://www.linuxmisc.com/1-linux-setup/9de37a1b1aca86d8.htm

https://linuxize.com/post/how-to-delete-users-in-linux-using-the-userdel-command/

https://wiki.archlinux.org/title/Linux_console/Keyboard_configuration

The basic guide I followed was this one https://askubuntu.com/questions/93411/simple-easy-way-to-jail-users


So to begin with I downloaded Jailkit from the website of the maintainer here https://olivier.sessink.nl/jailkit/index.html#download

I untarred it and did the usual ./configure , make and sudo make install.


Then I created a none privileged user - sudo useradd guest

and a password for that user - sudo passwd guest.


Before moving the user to jail or running the jailkit scripts I went into the guest account as that user and added in the basic scripts for suda and the ctwmrc configuration for ctwm.


Now for the fun bit .


Create a jail - Sudo mkdir /home/jail

and this

sudo chown root:root /home/jail


Then populate the jail with the basic things the user will use - remembering that a chroot jail is a little like a virtual machine so whatever we want the user to be able to use must be accessible within the jail.


so we do this


sudo jk_init -v /home/jail netutils basicshell jk_lsh

(note no ssh etc)


Now we jail our user


sudo jk_jailuser -m -j /home/jail/ guest

And then copy the bash libraries to the jail -

sudo jk_cp -v -f /home/jail /bin/bash


Then edit /home/jail/etc/passwd so that this line:

guest:x:1001:1001::/home/guest:/usr/sbin/jk_lsh


Looks like this


guest:x:1001:1001::/home/guest:/bin/bash


The advantage of using jailkit over other methods is that when we use the commands to copy over binaries and things we need it copies over all the dependencies so we don’t have to go hunting through the file system for them.


Next we have to add the extra sauce to make everything we want to run run - so we do this


sudo jk_cp -v -j /home/jail/ /usr/bin/xsetroot xfontsel xdotool xdg-settings xclock vim script ffmpeg ffplay ffprobe xterm lxterminal xloadimage scrot xwininfo xxd

This creates copies of those binaries within the jail environment for our user to use. I didnt initially want to add the script binary, but we need this for running the shellscripts that form the heart of suda.


To get x to run correctly we shall install the xdg folder and the X11 folder to the /etc/ of our jail as well.


so this


sudo jk_cp -v -j /home/jail/ /etc/xdg

sudo jk_cp -v -j /home/jail/ /etc/X11


and we will also have to create a locale configuration (and a keyboard configuration) otherwise it defaults to c locale can stop certain things running correctly.


so do sudo touch /home/jail/etc/vconsole.conf

and

sudo touch /home/jail/etc/locale.conf

then

sudo nano /home/jail/etc/locale.conf

and add in the locale you want , in my case its

en_GB.UTF-8 UTF-8


and then sudo nano /home/jail/etc/vconsole.conf

and add in this line or for the keymap you want

KEYMAP=uk


And that's the jail pretty much set up .


What I did find though was that to run certain scripts, like sudacam 1 and 2 and the later mantissacam1 and 2  scripts that I added into my own isos I had to alter those scripts so that instead of , for instance in the case of sudacam1.sh it reading

lxterminal --geometry=17x18+0+3 -e 'ffplay -f x11grab -follow_mouse centered -framerate 10 -video_size 640x480 -i :0.0'

(which launches an lxterminal within which the command runs and thus the pipe/ffplay window) 


I had to change it to avoid calling an lxterminal or xterm and the script crashing out or not starting due to other dependencies not being present or hitting the 'get_pty:not enough ptys' error which for reference is talked about here https://www.linuxquestions.org/questions/linux-desktop-74/get_pty-not-enough-ptys-error-4175533684/


so rather than calling a terminal to start ffmpeg changing the script to this


ffplay -f x11grab -follow_mouse centered -framerate 10 -video_size 640x480 -i :0.0


That worked equally well as it does as originally implemented. The manifesto script needed no changes nor did the glitchify script.



















Back to top