Re: chroot()ing a user's login
On Sun, Dec 12, 1999 at 12:04:09PM -0500, Nagilum wrote:
> I had read some docs which mentioned that on SysV, you can specify a * in
> the 7th field of the passwd file (thisis from memory, I may be off) and
> that user's login will then be chroot()ed to his home directory.
>
> I was hoping to find a similar functionality in Debian, so I tried the *
> in the 7th field and that didn't work. So then I grabbed the source for
> login (shadow package) and grepped the source for chroot. In
> libmisc/sub.c I found it, along with some commentary:
>
> /*
> * subsystem - change to subsystem root
> *
> * A subsystem login is indicated by the presense of a "*" as
> * the first character of the login shell. The given home
> * directory will be used as the root of a new filesystem which
> * the user is actually logged into.
> */
>
> So, I tried changing a user's login shell to '*/bin/bash' to no avail.
> When I attempt to login, I am asked for the username.. and then I am asked
> for the password twice and booted out.
>
> I also tried replacing /bin/login with a re-compiled version from the
> (slink) source but the same thing happened.
The documentation specifies:
1) Once the user has logged in they are chrooted and asked to login via
that password file _in the chrooted directory_.
2) The shell must be available in the chrooted env (as well as all needed
bianries).
So for this to work, you must have a complete working filesystem in each
home directory (/home/foo/dev /home/foo/bin /home/foo/usr/bin /home/foo/etc
...).
This is not usually what you want for normal users (I've pondered doing
this for the auto builder, but haven't gotten around to it yet).
--
-----------=======-=-======-=========-----------=====------------=-=------
/ Ben Collins -- ...on that fantastic voyage... -- Debian GNU/Linux \
` bcollins@debian.org - collinbm@djj.state.va.us - bmc@visi.net '
`---=========------=======-------------=-=-----=-===-======-------=--=---'
Reply to: