[Sorry about "top posting": my OT question arises from the subject..]

Could someone elaborate on the "jail" under CentOS? I'm used to FreeBSD jails, and as I have run CentOS and some other Linuxes for quite some time, I was under the impression that there is no such thing as a jail under Linux [at least those flavors I run]. Under Linux I did use chrooted environments in a variety of places, but that only separates stuff on the filesystem level (and other things such as devices and others accessed via the filesystem). There is no other resource separation (which I'm used to having control over in the case of a FreeBSD jail).

Am I wrong, and what am I wrong about?

Valeri

On Tue, October 24, 2017 8:24 am, rainer at ultra-secure.de wrote:
> On 2017-10-24 12:19, Adrian Jenzer wrote:
>
>> Hi Rainer
>> I would if I could but external offers only FTP and SCP...
>>
>> Regards Adrian
>
>
> AFAIK, for scp you need a proper shell.
>
> I've done that exactly once (chrooted ssh) and it was such a pain that I
> vowed to never do it again.
>
> The problem is that inside the chroot, you need:
>
> - name resolution
> - a minimal passwd/shadow/group file (or ldap)
> - maybe for scp, you can get away with a rather minimal device-tree -
> but for actual SSH access, I needed a fairly complete device tree inside
> the chroot (ttys ...).
> - that was with FreeBSD 10, I never tried it with anything else (due to
> its history with jails, creating functional, limited chroot-environments
> is somewhat in its genes, so to speak)
>
> Somebody sent me the link to these scripts:
>
> https://github.com/codelibre-net/schroot
>
> Maybe you can use those scripts - I've never tried them.
>
>
> Also, there's scp-only:
> https://github.com/scponly/scponly/wiki
>
> Haven't used that in years, either.
> Concern over that one seemed to be that it's "another" shell and nobody
> had apparently done a thorough audit of it.

++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++