
Re: [off-topic?] Chrooting ssh/telnet users?



Ethan Benson <erbenson@alaska.net> writes:

[snip]
> > What would be nice would be a union-mount, so you could graft a "real"
> > /bin on top of /home/foo/bin, and so on. I'm not sure that `mount
> > --bind' is the same thing?
> 
> mount --bind would work, but you must ask yourself why you bother with
> chroot if you're just going to bind mount the entire filesystem into the
> chroot jail anyway (which is just about what you must do for things to
> work properly) when you bind mount /bin and /usr/bin you get all the
> suids in those directories in the chroot, you also need /etc for the
> global config files many programs use.

It *could* be used to save on disk-space; have one real-system running,
copy that into a /mnt/chroot/ or somesuch, remove all the setuid binaries
and generally secure it as much as poss, then have a set of chroot-ed users
running with directories bind-mounted out of the same /mnt/chroot/. It's
the several users per copy-of-system that would be the win, that way.

~Tim
-- 
Another day,                                |piglet@stirfried.vegetable.org.uk
Another apt-get dist-upgrade                |http://spodzone.org.uk/
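
The shared-template setup described in the message above, as an added example that is not part of the original post: it audits a copied tree for setuid/setgid files, clears those bits, and prints (without running) the bind mounts for one user's jail. `/mnt/chroot` and `/home/foo` come from the thread; the function names, the directory list and the `ro,nosuid` remount are assumptions.

```shell
#!/bin/sh
# Added example: audit and strip setuid/setgid bits in a chroot template,
# then print (not run) the bind mounts for one user's jail.
# Function names, the directory list and the sample tree are assumptions.

# Print every regular file under $1 that carries a setuid or setgid bit.
list_suid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print
}

# Clear both bits on those files; the files themselves stay in place.
strip_suid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
        -exec chmod u-s,g-s {} +
}

# Print the mount commands that graft template dirs into a jail.
# The remount makes each bind read-only and nosuid, so a setuid file
# that slips back into the template is not honoured inside the jail.
plan_binds() {
    template=$1 jail=$2
    for d in bin lib usr etc; do
        [ -d "$template/$d" ] || continue
        echo "mount --bind $template/$d $jail/$d"
        echo "mount -o remount,bind,ro,nosuid $jail/$d"
    done
}

# Demo on a constructed tree (sample data, not a real system copy).
demo() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/bin" "$t/etc"
    : > "$t/bin/ls"; chmod 0755 "$t/bin/ls"
    : > "$t/bin/su"; chmod 4755 "$t/bin/su"
    echo "before: $(list_suid "$t" | wc -l) setuid/setgid file(s)"
    strip_suid "$t"
    echo "after:  $(list_suid "$t" | wc -l) setuid/setgid file(s)"
    plan_binds "$t" /home/foo
    rm -rf "$t"
}
demo
```

Running `list_suid /mnt/chroot` again after each upgrade of the template catches packages that reinstall setuid binaries.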


