Re: [off-topic?] Chrooting ssh/telnet users?
On Fri, Oct 26, 2001 at 04:35:14PM +0100, Tim Haynes wrote:
> Rishi L Khan <rishi@UDel.Edu> writes:
>
> > I think the only way to accomplish a chroot IS to include all the files
> > in the jail that the user needs.
> [snip]
>
> Yes. Somehow, if you're going to run something, it needs to be in the jail.
> Various alternatives to consider for various reasons : busybox, rbash,
> sash.
> What would be nice would be a union-mount, so you could graft a "real" /bin
> on top of /home/foo/bin, and so on. I'm not sure that `mount --bind' is the
> same thing?
>
Umm... couldn't you have a restricted environment but with
commands hard-linked in it to the proper ones, and restrict the
hard links thoroughly (only r-x, no w bits)? The problem is how to do this
automatically (and not checking dynamic dependencies one by one...)
> FWIW I had to implement a chroot-jailed login for someone recently; if
> anyone's interested, my attempts at the relevant C, nicked in part from the
> appropriate manpages, are to be found below.
> There is sufficient jiggery-pokery with arg{c,v} in here to allow
> ssh restricteduser@box "cat > foofile" < localfoofile
> to transfer a file, but not to make scp work. (Don't ask me; don't take
> this code as professional, bug-free, exploit-free or generally anything
> other than rubbish, but it compiles, and it works.)
>
Will take a look...
Regards
Javi
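Javi's open question above is how to populate the jail automatically instead of chasing dynamic dependencies one by one. The script below is an added example, not code from this thread or from Tim's C: it builds a jail by copying each requested binary together with every shared object that ldd reports for it, and strips the write bits afterwards. The jail path and the binary list are assumptions supplied on the command line. It copies rather than hard-links, because a hard link shares its inode with the real file (chmod on the jail link would change the system's own /bin/sh) and cannot cross filesystems.

```shell
#!/bin/sh
# Added example: populate a chroot jail with binaries and the shared
# libraries they load, resolved automatically via ldd.
# Assumptions: the jail path and binary list come from the command line,
# e.g.  sh jail.sh /home/foo/jail /bin/sh /bin/cat   (run as root).
set -eu

# Print the absolute path of every shared object a dynamic executable
# loads, one per line. ldd's output mixes "name => /path (addr)" and
# bare "/path (addr)" lines (glibc and musl differ), so keep any field
# that starts with "/". A statically linked binary yields nothing.
jail_deps() {
    ldd "$1" 2>/dev/null \
        | awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) print $i }' \
        || true
}

# Copy one file into the jail at the same relative path. -L dereferences
# symlinks so the jail holds a real file; then drop all write bits.
jail_install() {
    jail=$1; src=$2
    mkdir -p "$jail$(dirname "$src")"
    cp -L "$src" "$jail$src"
    chmod 0555 "$jail$src"
}

# Install a binary plus everything ldd says it needs (libc, the dynamic
# loader, any other shared object), skipping files already present.
jail_add_binary() {
    jail=$1; bin=$2
    jail_install "$jail" "$bin"
    for lib in $(jail_deps "$bin"); do
        [ -e "$jail$lib" ] || jail_install "$jail" "$lib"
    done
}

# Post-build check: every shared object the host's ldd lists for the
# binary must exist inside the jail, otherwise it will fail to exec there.
jail_check() {
    jail=$1; bin=$2
    for lib in $(jail_deps "$bin"); do
        [ -e "$jail$lib" ] || { echo "missing: $jail$lib" >&2; return 1; }
    done
    return 0
}

# Command-line entry point: first argument is the jail, the rest are
# binaries. Does nothing when run with no arguments.
if [ $# -gt 0 ]; then
    jail=$1; shift
    for bin in "$@"; do
        jail_add_binary "$jail" "$bin"
        jail_check "$jail" "$bin"
    done
fi
```

Two caveats for real use: the jail root and every directory in it must be owned by root and not writable by the jailed user (a user who can write to the jail can drop in their own shared objects or binaries), and the check only proves what the host's ldd can see, so binaries that dlopen() modules at run time, or need /dev/null, /etc/passwd and friends, still need those added by hand.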