
Re: [off-topic?] Chrooting ssh/telnet users?

On Fri, Oct 26, 2001 at 04:35:14PM +0100, Tim Haynes wrote:
> Rishi L Khan <rishi@UDel.Edu> writes:
> > I think the only way to accomplish a chroot IS to include all the files
> > in the jail that the user needs.
> [snip]
> Yes. Somehow, if you're going to run something, it needs to be in the jail.
> Various alternatives to consider for various reasons : busybox, rbash,
> sash.
> What would be nice would be a union-mount, so you could graft a "real" /bin
> on top of /home/foo/bin, and so on. I'm not sure that `mount --bind' is the
> same thing?
	Umm... couldn't you have a restricted environment, but with the
commands hard-linked in it to the proper ones and the hard links thoroughly
restricted (only rX, no w bits)? The problem is how to do this
automatically (and not by checking dynamic dependencies one by one...)

> FWIW I had to implement a chroot-jailed login for someone recently; if
> anyone's interested, my attempts at the relevant C, nicked in part from the
> appropriate manpages, are to be found below.
> There is sufficient jiggery-pokery with arg{c,v} in here to allow
>         ssh restricteduser@box "cat > foofile" < localfoofile
> to transfer a file, but not to make scp work. (Don't ask me; don't take
> this code as professional, bug-free, exploit-free or generally anything
> other than rubbish, but it compiles, and it works.)
	Will take a look...
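One way to automate the dependency step the message above asks about, as an added example that is not code from anyone in this thread: a POSIX shell script that resolves each binary's shared libraries with ldd and hard-links (or copies) them into the jail at the same paths, then strips the write bits. The jail path and binary list are assumptions.

```shell
#!/bin/sh
# Added example: populate a chroot jail with a set of trusted system binaries and the
# shared libraries ldd reports for them, so dependencies need not be chased by hand.
# Jail path and binary list are assumed; run it only on binaries you already trust,
# since ldd may execute the program's dynamic loader.

# Turn ldd output (on stdin) into absolute library paths, one per line.
# Covers both "libc.so.6 => /lib/libc.so.6 (0x...)" and the loader's own
# "/lib64/ld-linux-x86-64.so.2 (0x...)" line; virtual entries (linux-vdso) have no path.
ldd_paths() {
    awk '
        /=>/       { if ($3 ~ /^\//) print $3; next }
        $1 ~ /^\// { print $1 }
    '
}

# Place one file at the same path inside the jail: hard-link when the jail sits on the
# same filesystem, copy otherwise. Then drop every write bit (the message's "only rX").
# Note: a hard link shares the inode, so the chmod also applies to the original file.
install_into_jail() {
    jail=$1; src=$2
    dest="$jail$src"
    mkdir -p "$(dirname "$dest")"
    if [ ! -e "$dest" ]; then
        ln "$src" "$dest" 2>/dev/null || cp -p "$src" "$dest"
    fi
    chmod a-w "$dest"
}

# Install each binary plus everything ldd lists for it.
build_jail() {
    jail=$1; shift
    for bin in "$@"; do
        install_into_jail "$jail" "$bin"
        for lib in $(ldd "$bin" | ldd_paths); do
            install_into_jail "$jail" "$lib"
        done
    done
}

# Usage (assumed paths): build_jail /home/foo /bin/sh /bin/cat /bin/ls
```

ldd only reports link-time dependencies; libraries a program opens at runtime (NSS modules behind getpwnam, for instance) are not listed, so exercise the jail after building it.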
