How to allow passwd in chroot


I have a multi-user server, which puts a subset of the users in a chroot. I want to allow all users to call passwd in order to change their respective password. Everything else I can think of is either overkill or likely to compromise system-security.

I build my chroot with makejail using the following configuration.

chroot="/var/chroot/sshd"

cleanJailFirst=1
# these are binds to the actual location, hence, we don't want makejail to be tinkering with those.
preserve=["/home","/etc/passwd","/etc/group","/srv"]

testCommandsInsideJail=["bash","sh","ls","pwd","stat","whoami","svnserve -t","locale","localedef","man ssh","man scp","cat","nano","vim","ssh","scp","passwd"]
testCommandsOutsideJail=[]

packages=["coreutils"]

# speed up things a bit
sleepAfterStartCommand=0.8
sleepAfterTest=0.8

As you can see, in testCommandsInsideJail, I listed passwd, but if I log in as my testuser (who is inside that chroot), I get:

$ passwd
Changing password for test.
(current) UNIX password: 
passwd: Authentication token manipulation error
passwd: password unchanged

which I don't understand unfortunately (before you ask, yes, I am sure the password I entered is correct). I have found some sites via g, which help me as little as the actual error message does.
To my understanding, I am missing some pam module, but I don't know how to add it to the python script that builds the jail.

I am running Ubuntu Server 10.04.

EDIT

I have the actual /etc/passwd bound (via /etc/fstab) to the location of the chroot passwd, which is in /var/chroot/sshd/etc/passwd, so modifications inside the chroot are seen from the outside. I have now also done the same with /etc/shadow, which for some reason I forgot before. So instead of

preserve=["/home","/etc/passwd","/etc/group","/srv"]

I have now

preserve=["/home","/etc/passwd","/etc/shadow","/etc/group","/srv"]

and an additional bind:

# chroot binds
/home       /var/chroot/sshd/home       none    bind    0   0
/etc/passwd /var/chroot/sshd/etc/passwd none    bind    0   0
/etc/shadow /var/chroot/sshd/etc/shadow none    bind    0   0
/etc/group  /var/chroot/sshd/etc/group  none    bind    0   0
/srv        /var/chroot/sshd/srv        none    bind    0   0

If I try to change the password now, I get

$ passwd
Changing password for test.
(current) UNIX password: 
Enter new UNIX password: 
Retype new UNIX password: 
passwd: Authentication token manipulation error
passwd: password unchanged

So, passwd manages to check the current password, but dies when it comes to setting it.

Best Answer

Even if you do get passwd into the chroot, is it going to be useful? The passwd within the chroot is going to update the /etc/passwd or shadow in the chroot, not the system passwd/shadow. You will probably need to tell us more about what exactly you are serving out of this chroot since the details may help us provide you with a better answer.
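As an added example (not code from the question, the answer, or makejail): a POSIX shell script that audits a jail such as /var/chroot/sshd for what passwd needs, covering both the question's suspicion that a PAM module is missing and the answer's point that passwd operates on the jail's own /etc/shadow. It resolves the PAM stack for the passwd service from the jail's etc/pam.d (following @include and include/substack lines), checks that each referenced pam_*.so exists under the jail's library paths, checks that the passwd binary is setuid and /etc/shadow is present, and flags the case where the jail's /etc/shadow is itself a per-file bind mount: passwd does not edit the file in place but writes a new one beside it and rename(2)s it over the old, and rename onto a mount point fails with EBUSY, which is consistent with the "Authentication token manipulation error" appearing only after the new password is entered. The library search paths and the /proc/self/mountinfo check are assumptions about a Linux, Debian/Ubuntu-style layout; the script name in the usage line is hypothetical.

```shell
#!/bin/sh
# Added example: audit a chroot for what /usr/bin/passwd needs.
# Assumes the Debian/Ubuntu layout from the question: PAM service files
# under etc/pam.d, modules under lib/security (10.04) or lib/*/security.

# Walk one PAM service file ($2) inside jail $1 at recursion depth $3,
# following "@include NAME" and "TYPE include|substack NAME", and print
# every pam_*.so module it references.
_pam_walk() {
    [ "$3" -lt 8 ] || return 0                  # guard against include loops
    [ -r "$2" ] || { echo "unreadable: $2" >&2; return 0; }
    sed 's/#.*//' "$2" | while read -r typ ctl rest; do
        [ -n "$typ" ] || continue
        if [ "$typ" = "@include" ]; then
            _pam_walk "$1" "$1/etc/pam.d/$ctl" $(($3 + 1))
        elif [ "$ctl" = include ] || [ "$ctl" = substack ]; then
            _pam_walk "$1" "$1/etc/pam.d/${rest%% *}" $(($3 + 1))
        else
            # control may be bracketed ("[success=1 default=ignore]"),
            # so pick the module out of the whole line rather than a field
            printf '%s %s %s\n' "$typ" "$ctl" "$rest" \
                | grep -o 'pam_[A-Za-z0-9_]*\.so' || true
        fi
    done
}

# Unique, sorted list of modules the jail's copy of a PAM service needs.
pam_modules_for_service() {
    _pam_walk "$1" "$1/etc/pam.d/$2" 0 | sort -u
}

# Does jail $1 contain module $2 under any of the usual paths? (assumed list)
_find_module() {
    for d in "$1"/lib/security "$1"/lib/*/security "$1"/lib64/security \
             "$1"/usr/lib/security "$1"/usr/lib/*/security; do
        [ -e "$d/$2" ] && return 0
    done
    return 1
}

# Print modules the passwd service references but the jail lacks, one per
# line. Returns 1 if anything is missing, 0 otherwise.
missing_pam_modules() {
    rc=0
    for m in $(pam_modules_for_service "$1" passwd); do
        _find_module "$1" "$m" || { echo "$m"; rc=1; }
    done
    return $rc
}

# passwd writes a new shadow file next to /etc/shadow and rename(2)s it
# over the old one; rename onto a mount point fails with EBUSY, so a
# per-file bind mount of /etc/shadow cannot be updated from inside the
# jail. Linux-only check: field 5 of /proc/self/mountinfo is the mount point.
shadow_is_mountpoint() {
    target="$(cd "$1/etc" 2>/dev/null && pwd -P)/shadow"
    awk -v t="$target" '$5 == t { found = 1 } END { exit !found }' \
        /proc/self/mountinfo 2>/dev/null
}

# Full report for jail $1; returns 0 only if every check passes.
audit_chroot() {
    jail="$1"; ok=0
    [ -u "$jail/usr/bin/passwd" ] || { echo "passwd missing or not setuid in jail"; ok=1; }
    [ -e "$jail/etc/shadow" ]     || { echo "no /etc/shadow in jail"; ok=1; }
    if ! missing="$(missing_pam_modules "$jail")"; then
        echo "PAM modules missing from jail: $(printf '%s ' $missing)"; ok=1
    fi
    if shadow_is_mountpoint "$jail"; then
        echo "jail /etc/shadow is a per-file bind mount; passwd cannot rename over it"; ok=1
    fi
    [ "$ok" -eq 0 ] && echo "passwd prerequisites look complete"
    return $ok
}

# Usage (hypothetical file name): sh audit-chroot-passwd.sh /var/chroot/sshd
if [ $# -gt 0 ]; then audit_chroot "$1"; fi
```

If the bind-mount check fires, the usual fixes are to bind-mount a directory rather than the individual files, or to keep the jail's copies and synchronise them with the real ones; either way, rerun the audit before trusting makejail's testCommandsInsideJail run, which only shows that passwd starts, not that it can write.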
