* Sunny Dubey (dubeys@voyager.bxscience.edu) [010812 22:17]:
> hey
>
> How would i Chroot a user? I want him to be able to log into the machine
> like any other user, however his home directory would be his root directory,
> and he could do whatever he wants below it. Something like this ..
>
> (must have fixed-width font)
> /home/user --> / <Virtual-Root>
> |
> |->/bin
> |->/usr
> |->/var
>
> and so forth.
>
> Any ideas or pointers would be really appreciated, thanks.
>
> Sunny Dubey
Just a couple of nights ago I did just this for a friend's box. Here was
our strategy (though I can't say with extraordinary confidence that we
did it the Right Way):
Create a suidperl script something like this:
---/usr/local/bin/chroot_user_shell---
#!/usr/bin/suidperl
chdir("/home/matrix");
chroot("/home/matrix");
exec("/bin/bash");
---EOF---
This will be the user's shell in the real world. Then you have to set up
the matrix so that there's a usable system in there. One way is to find
(or roll) statically linked binaries for everything you want in there,
and sketch out at least some limited subset of the FHS. At this point, I
got lazy and thought to myself "wouldn't it be nice to be able to use
dpkg in here to just install new software along with all the required
files?" So I grabbed base2_2.tgz off the debian distribution site and
unpacked it into /home/matrix. Now the matrix had a "real live Debian
system" in it! I could use dpkg and even apt, so I fired up dselect and
started trimming it down to only include a very minimal installation.
One thing I'll warn to be wary of, though: It's not a fully nested
linux, or even a "fully nested" filesystem; it's still a branch of the
real world's filesystem. Be careful to ensure that UIDs line up
correctly between /home/matrix/etc/passwd and /etc/passwd. Ideally,
you'll create users in the matrix with something like
adduser -U <an unused real-world-UID> neo
adduser -U <an unused real-world-UID> trinity
and ensure that there are matching users in /etc/passwd with the same
UIDs. Set their homes to /home/matrix/home/<user> and their shells to
/usr/local/bin/chroot_user_shell
To maintain the matrix, you can use dpkg's --root directive or just
chroot /home/matrix and have at it as you would the real world.
Let me know if you run into any hitches; it probably means my friend
will run into the same obstacles. If anyone else has any suggestions on
how to improve this, or can point out why it's inherently flawed, it's
much appreciated. (So, of course, would be affirmation that this is a
valid, reasonable way of setting it up.)
Cheers,
--
Vineet http://www.anti-dmca.org
Unauthorized use of this .sig may constitute violation of US law.
Qba\'g gernq ba zr\! |tr 'a-zA-Z' 'n-za-mN-ZA-M'
Attachment:
pgpj_yAZDWxsN.pgp
Description: PGP signature