ciscodlink DD-WRT User
Joined: 13 May 2014 Posts: 274
Posted: Sat Jul 17, 2021 16:46 Post subject: How to chroot to secure ssh/scp backups.
After some effort I was able to set up a chroot environment to limit what WinSCP (in my case) can access and what commands it can execute. This allows it to access only an attached USB hard drive mounted through the GUI on my ddwrt router.
To accomplish this I use a forced command to run a script in the "Authorized keys" section of "Services":
Code:
command="/jffs/chroot.sh" ssh-rsa.....
This runs the script:
Code:
#!/bin/sh
# the jail needs a dev directory before the stand-in /dev/null can be created
mkdir -p /tmp/mnt/sda1/PC\ Backup/dev
# a plain file named null lets redirections to /dev/null succeed inside the jail
touch /tmp/mnt/sda1/PC\ Backup/dev/null
# drop the SSH session into the jail; ash is the only shell the forced command allows
chroot /tmp/mnt/sda1/PC\ Backup/ /bin/ash
rm -f /tmp/mnt/sda1/PC\ Backup/dev/null
To set up the chroot:
Code:
mkdir /tmp/mnt/sda1/PC\ Backup
mkdir /tmp/mnt/sda1/PC\ Backup/bin
mkdir /tmp/mnt/sda1/PC\ Backup/dev
cd /bin
cp ash chattr chmod cp ln mkdir pwd rmdir busybox chgrp chown echo ls mv rm sh /tmp/mnt/sda1/PC\ Backup/bin
mkdir /tmp/mnt/sda1/PC\ Backup/lib
# copy the shared libraries, keeping symlinks intact
#this is probably more files than actually needed
cp -a /lib/* /tmp/mnt/sda1/PC\ Backup/lib
mkdir /tmp/mnt/sda1/PC\ Backup/usr
mkdir /tmp/mnt/sda1/PC\ Backup/usr/bin
cp /usr/bin/scp /tmp/mnt/sda1/PC\ Backup/usr/bin
mkdir /tmp/mnt/sda1/PC\ Backup/usr/lib
cp /usr/lib/libshutils.so /tmp/mnt/sda1/PC\ Backup/usr/lib
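A hardened variant of the forced-command script above, added here as an example and not the poster's own code: it refuses the session when the USB volume is not actually mounted or the jail tree is incomplete, and creates the dev directory itself. The jail path, the mount point and the optional mounts-table argument are assumptions made for illustration.

```shell
#!/bin/sh
# Hardened forced-command script (added example, not the original poster's code).
# Assumed paths: jail root and the USB mount point, overridable through the environment.
JAIL="${JAIL:-/tmp/mnt/sda1/PC Backup}"
MOUNT="${MOUNT:-/tmp/mnt/sda1}"

# Return 0 only when the jail holds the shell and scp binaries the session needs.
jail_ready() {
    root="$1"
    for f in bin/ash bin/busybox usr/bin/scp; do
        [ -x "$root/$f" ] || return 1
    done
    [ -d "$root/lib" ] || return 1
}

# Return 0 when $1 appears as a mount point in the mounts table ($2, default /proc/mounts).
# Without this check an unplugged disk leaves a plain directory on the RAM disk and the
# chroot would land on the router's own filesystem instead of the USB drive.
volume_mounted() {
    mnt="$1"; table="${2:-/proc/mounts}"
    [ -r "$table" ] || return 1
    while read -r _dev mp _rest; do
        [ "$mp" = "$mnt" ] && return 0
    done < "$table"
    return 1
}

main() {
    volume_mounted "$MOUNT" || { echo "backup volume not mounted" >&2; exit 1; }
    jail_ready "$JAIL" || { echo "jail is incomplete" >&2; exit 1; }
    # A plain file stands in for /dev/null inside the jail, as in the original script.
    mkdir -p "$JAIL/dev"
    touch "$JAIL/dev/null"
    chroot "$JAIL" /bin/ash
    rc=$?
    rm -f "$JAIL/dev/null"
    exit "$rc"
}

# Only run main when invoked as the forced command, so the functions can also be sourced.
case "$0" in *chroot.sh) main ;; esac
```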