[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: [off-topic?] Chrooting ssh/telnet users?



On Fri, Oct 26, 2001 at 04:35:14PM +0100, Tim Haynes wrote:
> Rishi L Khan <rishi@UDel.Edu> writes:
> 
> > I think the only way to accomplish a chroot IS to include all the files
> > in the jail that the user needs.
> [snip]
> 
> Yes. Somehow, if you're going to run something, it needs to be in the jail.
> Various alternatives to consider for various reasons : busybox, rbash,
> sash.
> What would be nice would be a union-mount, so you could graft a "real" /bin
> on top of /home/foo/bin, and so on. I'm not sure that `mount --bind' is the
> same thing?

mount --bind would work, but you must ask yourself why you bother with
chroot if your just going to bind mount the entire filesystem into the
chroot jail anyway (which is just about what you must do for things to
work properly) when you bind mount /bin and /usr/bin you get all the
suids in those directories in the chroot, you also need /etc for the
global config files many programs use.  

-- 
Ethan Benson
http://www.alaska.net/~erbenson/

Attachment: pgpnSrfKIJcCP.pgp
Description: PGP signature


Reply to: