Building a chroot Jail w/scp sftp

I ran across this great script by Wolfgang Fuschlberger that was written some time ago. It complains with a lot of error messages now but almost does the job - I'm bringing it up to date and will post the revised script here shortly.

What it enables you to do is take existing user accounts on a server and move them into a chroot jail so they can't browse the file system or get up to most other mischief.

Mounting a directory in more than one location

I have a setting where I want a user account to which the user can upload and manage image files, which then become accessible to a webserver. But I wanted the user to have only limited access to the server. I first tried setting up a chroot jail for the user but quickly discovered that the webserver (outside the chroot jail) could not follow symlinks inside the jail, even though the files were visible. Before I had totally ruled out being able to do that I ran across this really cool blog somewhere (can't find it now) that showed a different way to solve the problem. I could mount folders in the user's account as folders in the webserver's folders. It was trivial to set up and worked perfectly.

Here's how I did it.

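Let's say we have "/home/jail/home/fred/images", where user Fred is in a chroot jail, and we want the same directory to show up at "/var/www/fred.com/htdocs/images" as well. A bind mount does that. The first path is the existing directory and the second is the mount point where it appears, so with the commands below the files live under "/var/www/fred.com/htdocs/images" and are also visible inside Fred's jail: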

  mount --bind /var/www/fred.com/htdocs/images /home/jail/home/fred/images

or

  mount -o bind /var/www/fred.com/htdocs/images /home/jail/home/fred/images

Of course, next time the machine gets rebooted it will have to be done again unless you put it in /etc/fstab. Here's the way that's done:

  /var/www/fred.com/htdocs/images /home/jail/home/fred/images none bind 0 0
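
After a reboot it is worth confirming that the fstab entry actually took effect, since an unmounted jail directory looks like an ordinary empty folder. The following is an added example, not part of the original post: it reads the kernel's mountinfo table and checks that the jail path is backed by the expected source. The function names are hypothetical, the sample table is constructed, and it assumes both paths sit on the root file system (the "root" field is relative to the file system that holds the source).

```shell
#!/bin/sh
# Added example: confirm a bind mount is active by reading mountinfo.
# Fields: id parent major:minor root mountpoint options ... - fstype source superopts
# For a bind mount, "root" is the bound directory's path inside its file system.

# Constructed sample in /proc/self/mountinfo format (not captured from a real host).
sample_mountinfo() {
cat <<'EOF'
22 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw
23 22 0:21 / /proc rw,nosuid,nodev,noexec shared:2 - proc proc rw
41 22 8:1 /var/www/fred.com/htdocs/images /home/jail/home/fred/images rw,relatime shared:1 - ext4 /dev/sda1 rw
EOF
}

# bind_root MOUNTPOINT [FILE]: print the root field of the last mount on MOUNTPOINT.
# Exit status is 1 if nothing is mounted there.
bind_root() {
    awk -v mp="$1" '$5 == mp { root = $4; found = 1 }
                    END { if (!found) exit 1; print root }' "${2:-/proc/self/mountinfo}"
}

# check_bind SOURCE MOUNTPOINT [FILE]: succeed only if MOUNTPOINT shows SOURCE.
# Returns 1 when nothing is mounted, 2 when something else is mounted there.
check_bind() {
    actual=$(bind_root "$2" "$3") || { echo "MISSING: nothing mounted on $2"; return 1; }
    if [ "$actual" != "$1" ]; then
        echo "WRONG: $2 shows $actual, expected $1"
        return 2
    fi
    echo "OK: $2 shows $1"
}
```

On a live host, call `check_bind /var/www/fred.com/htdocs/images /home/jail/home/fred/images` with no third argument to read /proc/self/mountinfo directly.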

Apparently, you can mount files this way as well, though I haven't tried it. Seems like a hard-link would work just as well.

Caveat: a hard link only works if the two locations are in the same file system.