
Re: [off-topic?] Chrooting ssh/telnet users?



Rishi L Khan <rishi@UDel.Edu> writes:

> I think the only way to accomplish a chroot IS to include all the files
> in the jail that the user needs.
[snip]

Yes. Somehow, if you're going to run something, it needs to be in the jail.
Various alternatives to consider for various reasons: busybox, rbash,
sash.
What would be nice would be a union-mount, so you could graft a "real" /bin
on top of /home/foo/bin, and so on. I'm not sure that `mount --bind' is the
same thing?

FWIW I had to implement a chroot-jailed login for someone recently; if
anyone's interested, my attempts at the relevant C, nicked in part from the
appropriate manpages, are to be found below.
There is sufficient jiggery-pokery with arg{c,v} in here to allow
        ssh restricteduser@box "cat > foofile" < localfoofile
to transfer a file, but not to make scp work. (Don't ask me; don't take
this code as professional, bug-free, exploit-free or generally anything
other than rubbish, but it compiles, and it works.)

~Tim
-- 
no se encuentra el sistema operativo        |piglet@stirfried.vegetable.org.uk
(seen mid-windows 98 installation)          |http://spodzone.org.uk/

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <errno.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>

#define NOBODY (1999)
#define ROOTPATH "/where/ever/"

/* Empty environment for the jailed shell: nothing from the caller's
 * environment (PATH, LD_PRELOAD, ...) is passed through. */
static char *const empty_env[] = { NULL };

/* fork/exec "sh -c command" and wait for it.  Returns the wait status,
 * or -1 on error. */
int my_system (const char *command) {
  pid_t pid;
  int status;

  if (!command)
    return 1;

  pid = fork();

  if (pid == -1)
    return -1;

  if (!pid) {
    char *argv[4];
    argv[0] = "sh";
    argv[1] = "-c";
    argv[2] = (char *)command;   /* execve wants char *const[]; the string is not modified */
    argv[3] = NULL;
    execve("/bin/sh", argv, empty_env);
    _exit(127);                  /* exec failed: leave without running the parent's atexit handlers */
  }

  do {
    if (waitpid(pid, &status, 0) == -1) {
      if (errno != EINTR)
        return -1;
    } else
      return status;
  } while(1);
}


int main (int argc, char *argv[])
{
  size_t t;
  int i;
  char *cmd;

  /* chroot first, then chdir so the working directory is inside the jail too.
   * If either fails there is no jail, so do not run a shell at all. */
  if (chroot(ROOTPATH) == -1 || chdir("/home/someplace") == -1) {
    fprintf(stderr, "Chroot error: %s\n", strerror(errno));
    return 1;
  }

  /* Drop the group before the user: once setuid() has given up root,
   * setgid() can no longer succeed.  As root, setuid()/setgid() set the
   * real, effective and saved ids, so separate seteuid()/setegid() calls
   * are not needed.  Both calls are checked so a failed drop never
   * reaches the shell. */
  if (setgid(NOBODY) == -1 || setuid(NOBODY) == -1) {
    fprintf(stderr, "Cannot drop privileges: %s\n", strerror(errno));
    return 1;
  }

#if 0
  fprintf(stderr, "Changed id: U%d G%d EU%d EG%d\n", getuid(), getgid(),
          geteuid(), getegid());
#endif

  /* total length of the arguments, plus one separator for each */
  for(i=1, t=0; i<argc; i++)
    t+=strlen(argv[i]) + 1;

  cmd=malloc(t+128);
  if (!cmd) {
    perror("malloc");
    return 1;
  }

  strcpy(cmd, "/bin/bash ");

  if(argc>1)
    strcat(cmd, "-c ");

  for(i=1; i<argc; i++) {
    strcat(cmd, argv[i]);
    strcat(cmd, " ");
  }

#if 0
  printf("Built string [%s]\n", cmd);
#endif

  my_system(cmd);
  free(cmd);

  return 0;
}
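The two things a chroot login wrapper like the one above has to get right are the order of the privilege drop (chroot, chdir, clear supplementary groups, gid before uid, then confirm root cannot be regained) and passing the remote command to the shell without building a string that a second shell re-parses. The following is an added example written for this thread, not Tim's code: it uses the same placeholder jail path and uid/gid as his post (`JAIL_ROOT`, `JAIL_UID`, `JAIL_GID` are assumptions to be replaced), checks every step, and hands the joined command to `bash -c` as a single argument instead of going through `sh -c "/bin/bash -c ..."`. `enter_jail` must run as root, so only `join_args` can be exercised unprivileged.

```c
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Assumed placeholders, as in the original post: adjust to the real jail. */
#define JAIL_ROOT "/where/ever/"
#define JAIL_UID  1999
#define JAIL_GID  1999

/* Join argv[1..argc-1] into out, single spaces, no trailing space.
 * Returns the length written, or -1 if it would not fit (nothing is
 * truncated, so a too-long command is refused rather than mangled). */
int join_args(int argc, char *const argv[], char *out, size_t outsz)
{
    size_t used = 0;
    if (outsz == 0)
        return -1;
    out[0] = '\0';
    for (int i = 1; i < argc; i++) {
        size_t len = strlen(argv[i]);
        size_t need = len + (i > 1 ? 1 : 0);   /* separator before all but the first */
        if (used + need + 1 > outsz)           /* +1 for the terminating NUL */
            return -1;
        if (i > 1)
            out[used++] = ' ';
        memcpy(out + used, argv[i], len);
        used += len;
        out[used] = '\0';
    }
    return (int)used;
}

/* Enter the jail and drop privileges in the order that actually works:
 * chroot, chdir("/") so the cwd is inside the new root, supplementary
 * groups cleared, gid before uid (setgid needs root), then confirm the
 * drop is irrevocable.  Returns 0 on success, -1 with errno set otherwise.
 * Must be run as root. */
int enter_jail(const char *root, uid_t uid, gid_t gid)
{
    if (chroot(root) == -1)
        return -1;
    if (chdir("/") == -1)
        return -1;
    if (setgroups(0, NULL) == -1)
        return -1;
    if (setgid(gid) == -1)
        return -1;
    if (setuid(uid) == -1)
        return -1;
    /* Regaining root must now fail; if it does not, refuse to continue. */
    if (setuid(0) != -1 || setgid(0) != -1) {
        errno = EPERM;
        return -1;
    }
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

int main(int argc, char *argv[])
{
    char cmd[4096];

    if (enter_jail(JAIL_ROOT, JAIL_UID, JAIL_GID) == -1) {
        perror("enter_jail");
        return 1;
    }
    if (argc > 1) {
        if (join_args(argc, argv, cmd, sizeof cmd) == -1) {
            fprintf(stderr, "command too long\n");
            return 1;
        }
        /* One argv element for the whole command: bash parses it once,
         * and no intermediate /bin/sh gets to re-interpret it. */
        execl("/bin/bash", "bash", "-c", cmd, (char *)NULL);
    } else {
        execl("/bin/bash", "bash", (char *)NULL);   /* interactive login */
    }
    perror("execl");   /* only reached if bash is missing from the jail */
    return 127;
}
```

Installed as a user's login shell, this makes `ssh restricteduser@box "cat > foofile" < localfoofile` arrive in the jail as `bash -c "cat > foofile"`; the `setuid(0)`/`setgid(0)` probe after the drop is the cheap check that catches the "setuid before setgid" mistake at runtime instead of leaving the shell with a root group id.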


