Posted: Sat Jul 17, 2021 16:46 Post subject: How to chroot to secure ssh/scp backups.
After some effort I was able to set up a chroot environment to limit where WinSCP (in my case) can access and what commands it can execute. This allows it to access only an attached USB hard drive mounted through the GUI on my DD-WRT router.
To accomplish this I use a forced command to run a script in the "Authorized keys" section of "Services".
This runs the script:
touch /tmp/mnt/sda1/PC\ Backup/dev/null
chroot /tmp/mnt/sda1/PC\ Backup/ /bin/ash
rm /tmp/mnt/sda1/PC\ Backup/dev/null
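To set up the chroot:
mkdir /tmp/mnt/sda1/PC\ Backup
mkdir /tmp/mnt/sda1/PC\ Backup/bin
# the tool names below are relative; run the copy from the directory that holds them (assumed here to be /bin)
cd /bin
cp ash chattr chmod cp ln mkdir pwd rmdir busybox chgrp chown echo ls mv rm sh /tmp/mnt/sda1/PC\ Backup/bin
mkdir /tmp/mnt/sda1/PC\ Backup/lib
# copy the shared libraries from /lib (cp without -r skips subdirectories)
cp /lib/* /tmp/mnt/sda1/PC\ Backup/lib
#this is probably more files than actually needed
# the forced-command script touches dev/null inside the jail, so dev/ has to exist
mkdir /tmp/mnt/sda1/PC\ Backup/dev
mkdir /tmp/mnt/sda1/PC\ Backup/usr
mkdir /tmp/mnt/sda1/PC\ Backup/usr/bin
cp /usr/bin/scp /tmp/mnt/sda1/PC\ Backup/usr/bin
mkdir /tmp/mnt/sda1/PC\ Backup/usr/lib
cp /usr/lib/libshutils.so /tmp/mnt/sda1/PC\ Backup/usr/lib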
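
A check for a jail built by the steps above, as an added example that is not part of the original post: it confirms that every file the setup copies is present, that dev/ exists for the forced-command script, and flags setuid/setgid files or device nodes, none of which the setup needs. The function name audit_jail and its output labels are made up for this example, and it assumes a find that supports -perm and -type.

```sh
#!/bin/sh
# Added example, not from the original post.
# audit_jail ROOT prints one finding per line; returns 0 when clean, 1 otherwise.
audit_jail() {
    root=$1
    report=$(
        # Tools the post copies into bin/ (list taken from its cp command).
        for t in ash chattr chmod cp ln mkdir pwd rmdir busybox chgrp chown \
                 echo ls mv rm sh; do
            [ -f "$root/bin/$t" ] || echo "MISSING bin/$t"
        done
        # scp and the library the post copies alongside it.
        for f in usr/bin/scp usr/lib/libshutils.so; do
            [ -f "$root/$f" ] || echo "MISSING $f"
        done
        # lib/ holds the shared libraries; dev/ must exist or the script's
        # "touch .../dev/null" fails before chroot runs.
        for d in lib dev; do
            [ -d "$root/$d" ] || echo "MISSING $d/"
        done
        # Nothing in the setup needs setuid/setgid bits or device nodes,
        # so any found inside the jail are unexpected.
        find "$root" -type f \( -perm -4000 -o -perm -2000 \) | sed 's/^/SETID /'
        find "$root" \( -type b -o -type c \) | sed 's/^/DEVNODE /'
    )
    if [ -n "$report" ]; then
        printf '%s\n' "$report"
        return 1
    fi
    return 0
}

# When given a path, audit it, e.g.:  sh audit.sh "/tmp/mnt/sda1/PC Backup"
if [ "$#" -gt 0 ]; then
    audit_jail "$1"
fi
```
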