Re: [off-topic?] Chrooting ssh/telnet users?
Ethan Benson <firstname.lastname@example.org> writes:
> > What would be nice would be a union-mount, so you could graft a "real"
> > /bin on top of /home/foo/bin, and so on. I'm not sure that `mount
> > --bind' is the same thing?
> mount --bind would work, but you must ask yourself why you bother with
> chroot if you're just going to bind mount the entire filesystem into the
> chroot jail anyway (which is just about what you must do for things to
> work properly). When you bind mount /bin and /usr/bin you get all the
> suids in those directories in the chroot; you also need /etc for the
> global config files many programs use.
It *could* be used to save on disk-space; have one real-system running,
copy that into a /mnt/chroot/ or somesuch, remove all the setuid binaries
and generally secure it as much as poss, then have a set of chroot-ed users
running with directories bind-mounted out of the same /mnt/chroot/. It's
the several users per copy-of-system that would be the win, that way.
Another day, |email@example.com
Another apt-get dist-upgrade |http://spodzone.org.uk/
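
The clean-up step described in the reply above (strip the setuid binaries from the shared copy, then bind-mount it for each user), sketched as an added example that is not part of the original post. The function names are hypothetical, /mnt/chroot and /home/foo are the paths used in the thread, and the read-only/nosuid remount is an extra assumption, not something the thread proposes.

```shell
#!/bin/sh
# Added illustration, not from the original thread. Function names are hypothetical.

# List regular files under tree $1 that carry the setuid or setgid bit.
# -xdev keeps find on one filesystem so existing bind mounts are not walked.
list_suid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print
}

# Strip setuid/setgid bits from every such file under $1 and
# echo how many files were found carrying them.
strip_suid() {
    before=$(list_suid "$1" | wc -l)
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
        -exec chmod u-s,g-s {} +
    echo "$((before))"
}

# Print (do not run) the mounts that graft directories of the shared
# tree into one user's jail. $1 = shared tree, $2 = jail, rest = dirs.
# The remount makes each graft read-only and nosuid (assumption: added
# here as a backstop in case an upgrade of the shared tree brings a
# setuid bit back).
plan_binds() {
    shared=$1
    jail=$2
    shift 2
    for d in "$@"; do
        echo "mount --bind $shared/$d $jail/$d"
        echo "mount -o remount,bind,ro,nosuid,nodev $jail/$d"
    done
}

# Stand-alone use: pass a tree to audit, e.g.  sh audit.sh /mnt/chroot
if [ $# -ge 1 ]; then
    list_suid "$1"
fi
```

Running the audit again after each upgrade of the shared tree shows whether any setuid or setgid bits have come back.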