SSH Chroot Using Firejail as Login Shell

Do you have a Linux server? Do users need SSH access to the server? Don’t you wish you didn’t have to hunt down object files for every piece of software you’d like to make available to every single chroot for every single user? Firejail. Yes, Firejail.

Firejail Bash Sandbox

Sandboxes are created automatically for each application launched with Firejail. Without any arguments, Firejail will launch a Bash shell. This means we can use it as a login shell. Let’s create a new user that uses a sandbox by default upon login.

# Create a group for our jailed users
$ groupadd inmate

# Create new user
$ useradd -m -g inmate -s /bin/firejail inmate1

# Give the user a password
$ passwd inmate1

To add Firejail as login shell to an existing user:

### Edit /etc/passwd
$ vi /etc/passwd

# Change
inmate1:x:1000:100::/home/inmate1:/bin/bash

# To this
inmate1:x:1000:100::/home/inmate1:/bin/firejail

### Or use usermod
$ usermod -s /bin/firejail inmate1

Now test the login shell:

$ su -l inmate1

This should fail. Why? Because we haven’t added Bash or any other applications to the sandbox.

Configuring the Sandbox

When Firejail is used as a login shell, it reads /etc/firejail/login.users for the arguments to apply to each user. Let’s create a profile for our inmate and load it automatically at login.

### Direct Firejail to load a profile for our inmate

$ vi /etc/firejail/login.users

inmate1: --profile=/etc/firejail/inmate.profile

### Now create a profile

$ vi /etc/firejail/inmate.profile

# Remove warnings upon login
quiet

# Load safe defaults
include /etc/firejail/default.profile

# Allow the inmate to use these applications
private-bin bash,ls

At this point, our sandbox is ready to rock! To allow more applications, append them to the “private-bin” option as a comma-separated list.
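A check to run after the steps above, as an added example that is not from the original post: it lists accounts whose login shell is Firejail but that have no login.users entry, or whose profile has no private-bin line. The function names, the accounts inmate2 and inmate3, and open.profile are constructed for illustration; it assumes exact user names in login.users and inspects only the named profile file, not files that profile includes.

```shell
#!/bin/sh
# Added example: audit accounts that use Firejail as their login shell.
# Assumptions: exact user names in login.users; only the named profile file
# is inspected (private-bin inside an included file is not seen).

# audit_firejail_logins PASSWD_FILE LOGIN_USERS_FILE
# Prints "<user>: <finding>" for each Firejail-shell account that is not
# pinned to a profile containing a private-bin line.
audit_firejail_logins() {
    awk -F: '$7 ~ /\/firejail$/ { print $1 }' "$1" |
    while read -r user; do
        # First login.users line that starts with "user:".
        entry=$(awk -v u="$user" 'index($0, u ":") == 1 { print; exit }' "$2")
        if [ -z "$entry" ]; then
            echo "$user: no login.users entry"
            continue
        fi
        profile=$(printf '%s\n' "$entry" |
                  sed -n 's/.*--profile=\([^[:space:]]*\).*/\1/p')
        if [ -z "$profile" ]; then
            echo "$user: entry has no --profile"
        elif [ ! -f "$profile" ]; then
            echo "$user: profile not found: $profile"
        elif ! grep -Eq '^[[:space:]]*private-bin[[:space:]]' "$profile"; then
            echo "$user: profile has no private-bin"
        fi
    done
}

# make_sample DIR: write constructed passwd, login.users and profile files.
make_sample() {
    cat > "$1/passwd" <<EOF
root:x:0:0::/root:/bin/bash
inmate1:x:1000:100::/home/inmate1:/bin/firejail
inmate2:x:1001:100::/home/inmate2:/bin/firejail
inmate3:x:1002:100::/home/inmate3:/bin/firejail
EOF
    printf 'quiet\nprivate-bin bash,ls\n' > "$1/inmate.profile"
    printf 'quiet\n' > "$1/open.profile"
    cat > "$1/login.users" <<EOF
inmate1: --profile=$1/inmate.profile
inmate3: --profile=$1/open.profile
EOF
}

demo_dir=$(mktemp -d)
make_sample "$demo_dir"
audit_firejail_logins "$demo_dir/passwd" "$demo_dir/login.users"
rm -rf "$demo_dir"
```

On a real host, call it as `audit_firejail_logins /etc/passwd /etc/firejail/login.users`; no output means every Firejail-shell account is tied to a profile with private-bin.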

Arch Linux Specifics

Since Arch Linux uses symlinks for a few of the bin directories, harmless warnings will appear to the user. Let’s remove them.

### Remove some harmless warnings

$ vi /etc/firejail/disable-common.inc

# Comment out these lines
blacklist /sbin
blacklist /usr/sbin

# They should look like this
# blacklist /sbin
# blacklist /usr/sbin

Well, that was easy! Go ahead and SSH into your sandbox and have a look around.

$ ssh inmate1@mydomain.com

Caveats

You can use this inside an LXC for an added layer of abstraction. If this is the case, your users may see a warning about the inability to mount /sys. This is benign.

Your users will not be able to change their passwords from within the sandbox.

Vim plugins might work or they might not. If your users need to use plugins for Vim, you should install the plugins in a working shell, then copy the files to each user’s home directory. Try each plugin one at a time to determine which ones won’t nag you with warnings and errors.

You won’t be able to whitelist directories at your leisure. Firejail only allows certain directories to be mounted as part of the sandbox. If you were hoping to cut down on installations of redundant configuration files, such as those for vim, tmux, or global bash scripts, you may be disappointed and Firejail may not be for you. You will need to install these files for each user within their home directories. It’s probably best to set up the /etc/skel directory in anticipation of creating multiple sandboxed users. One other option would be to mount your redundant directories into the users’ home directories using the “bind” and “ro” options.