
Re: chroot

On Wed, Dec 27, 2000 at 03:26:02PM +0000, Martin WHEELER wrote:
> On Wed, 27 Dec 2000, Craig Sanders wrote:
> > read the docs on rbash (restricted bash shell) and set their shell
> > to /bin/rbash in /etc/passwd.
>
> Been there; done that (before posting to the list).  Works as
> expected; but still doesn't make a blind scrap of difference as to
> whether the chroot call is implemented or not.

you don't want a real chroot, otherwise you would have to duplicate
/bin, /usr, /etc, /dev, /var and so on under every user's home
directory. creation and maintenance of this would be an administrative
and security nightmare.

chroot works for ftp logins because the ftp daemon is self-contained -
it doesn't need to run any external programs or access any other part of
the file system.

rbash is the closest practical alternative you'll get to it for a shell
login.

otherwise, a menu that only lets them do certain things.

> > imo, it's not worth the bother - if a user can't be trusted with a
> > shell, then don't give them one.
> 
> I tend to agree with you here.  (Problem is, I can only >>advise<<
> clients on their system configuration -- not tell them what to do.
> And if I can't even get it working on my own system, how am I going to
> do it on theirs?)

you can advise them that giving shell accounts to people they can't trust
is a bad idea and will compromise the security of the system. if they
choose to ignore your advice then that's their problem. make sure you
advise them in writing and preferably get a written acknowledgement of
your advice.

if the reason you need to give shell access to users is for manipulation
of files in the public_html directory, you may want to look at
the webdav module for apache. it's packaged for debian. see also
http://www.webdav.org/


> > sure that all file permissions are correct and that there are no
> > suid root exploitable holes on your system.
>
> Totally agree; but it looks very much as if the only way to run a
> script to call chroot is via suid.  Not nice.

it's still a bad idea because you'll have to duplicate a useful
filesystem under each user's home directory.

as mentioned before it's much better to just concentrate on securing the
machine and not give shells to users who can't be trusted with one.

craig

--
craig sanders
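As an added illustration of the duplication Craig describes (not code from his reply, nor from any Debian package), the script below builds the per-user tree a chroot'ed shell login would need: the programs the user may run, every shared library they link against, the NSS bits that ldd cannot see, device nodes and a private passwd/group. The jail path, user name and program list are assumptions for the demonstration.

```shell
#!/bin/bash
# Added example, not from the original post: build the minimal tree a
# chroot'ed shell login needs, to make the per-user duplication concrete.
# Jail path (/srv/jail/<user>) and the program list are assumptions.
set -u
umask 022

# Turn `ldd` output into the list of library files to copy. Input lines look like:
#   libc.so.6 => /lib/libc.so.6 (0x40000000)   -> /lib/libc.so.6
#   /lib/ld-linux.so.2 (0x40001000)             -> /lib/ld-linux.so.2 (the loader)
#   linux-gate.so.1 => (0x...)                  -> skipped, the vDSO has no file
ldd_libs() {
    awk '$2 == "=>" && $3 ~ /^\// { print $3; next }
         $1 ~ /^\//                { print $1 }' | sort -u
}

# Copy one binary and every shared object it links against into $root,
# keeping the host paths so the dynamic loader finds them inside the jail.
install_with_deps() {
    local root=$1 bin=$2 lib
    install -D -m 755 "$bin" "$root$bin"
    ldd "$bin" 2>/dev/null | ldd_libs | while read -r lib; do
        [ -e "$root$lib" ] || install -D -m 755 "$lib" "$root$lib"
    done
}

# Files ldd cannot see: glibc dlopen()s the NSS modules named in nsswitch.conf,
# so without these `ls -l` and `id` inside the jail show raw numeric ids.
install_nss() {
    local root=$1 f
    for f in /etc/nsswitch.conf /lib/libnss_files.so.2 /lib/*/libnss_files.so.2; do
        [ -e "$f" ] && install -D -m 644 "$f" "$root$f"
    done
    return 0
}

# Populate the jail for one user with the named programs. Everything created
# here must exist under every user's jail and be re-copied on each libc or
# shell security update; that is the maintenance cost Craig refers to.
mkchroot() {
    local root=$1 user=$2; shift 2
    local prog
    mkdir -p "$root/dev" "$root/etc" "$root/tmp" "$root/home/$user"
    chmod 1777 "$root/tmp"
    for prog in "$@"; do
        install_with_deps "$root" "$(command -v "$prog")"
    done
    install_nss "$root"
    # Device nodes a shell session needs; mknod requires root.
    [ -e "$root/dev/null" ] || mknod -m 666 "$root/dev/null" c 1 3
    [ -e "$root/dev/zero" ] || mknod -m 666 "$root/dev/zero" c 1 5
    # Private passwd/group holding only this user: the host account list
    # does not leak into the jail.
    grep "^$user:" /etc/passwd > "$root/etc/passwd"
    grep "^$user:" /etc/group  > "$root/etc/group" || : > "$root/etc/group"
    # Root owns the tree (umask 022 made it read-only for the user);
    # only $HOME and /tmp are writable.
    chown -R root:root "$root"
    chown "$user" "$root/home/$user"
}

# Report how much of the host has been duplicated into one jail.
jail_size() { du -sh "$1" | cut -f1; }

# Usage, as root:  ./mkchroot.sh /srv/jail/alice alice bash ls cat
# Runs only when given arguments, so sourcing the file just defines functions.
if [ $# -ge 3 ]; then
    mkchroot "$@"
    echo "jail $1 holds $(jail_size "$1") of copied binaries and libraries"
fi
```

Run once per user and again after every security update of anything copied in, which is the administrative burden the reply warns about. Building the tree is also only half the problem: chroot(2) is root-only on Linux, so the login path still needs a setuid helper to enter the jail and drop privileges, which is the "not nice" part raised in the thread.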