From: Olivier Cortes
To: Walter Hop
Cc: freebsd-hackers@freebsd.org
Subject: Re: chroot+su idea
Date: Fri, 15 Feb 2002 14:19:52 +0100

cd /usr/ports
less security/chrootuid/pkg-comment

A simple wrapper that combines chroot(8) and su(1) into one program

good luck,

olivier

On Fri, Feb 15, 2002 at 02:02:49PM +0100, Walter Hop wrote:
> Hi all,
>
> just like many people, I want to run my "dangerous" daemons as a
> non-root user in a chroot environment. Now, I would usually use the
> ``su'', or ``chroot'' tools from the FreeBSD toolset in the creation
> of an rc.d script, but the question that puzzles me is how to combine
> these two measures?
>
> 1) su first, then chroot: impossible, as chroot needs to be run by
>    root, so whenever I su to the user I cannot chroot anymore.
>
> 2) chroot first, then su: undesired, as I would have to move a suid
>    root copy of the "su" tool into the chroot; also unpractical as I'd
>    have to duplicate a lot of files into the chroot to satisfy su.
>
> Is there a tool available that combines chroot and su? If not, a
> chroot capability would be an interesting feature to add to the
> FreeBSD ``su'' command in my opinion, e.g.
>
>    % su -l ircd -r /usr/local/ircd -c 'bin/ircd'
>
> Any ideas or suggestions would be welcomed. If I have overlooked a
> current solution for the chroot+su chicken/egg problem, I'd love to
> submit a patch for su to add such a chroot parameter, but I could
> imagine that the committer team is more conservative than I am. :)
>
> Thanks!
> walter
>
> --
> Walter Hop | +31 6 24290808 | PGP keyid 0x84813998

--
Olivier Cortes
GPG 1024/46CE0A51 : 8DB6 A56C 00CA DA0F F77F 86EB E86A 803C 46CE 0A51
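
The ordering problem discussed in this thread, as an added example that is not part of either message and is not the chrootuid port's source: a single root-started process looks up the account, calls chroot(2), then drops its ids, so nothing setuid has to live inside the jail. The names jail_and_drop and JAIL_* are hypothetical, chosen for this sketch.

```c
#define _DEFAULT_SOURCE   /* glibc: expose chroot() and initgroups() */
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <unistd.h>

enum { JAIL_OK, JAIL_EARGS, JAIL_EUSER, JAIL_EROOT, JAIL_ECHROOT, JAIL_EDROP };
/* Hypothetical helper: confine this process to `dir`, then become `user`. */
int jail_and_drop(const char *user, const char *dir)
{
    if (user == NULL || dir == NULL || dir[0] != '/')
        return JAIL_EARGS;
    /* Look the account up BEFORE chroot(), so the jail needs no passwd
     * database and no setuid su binary (point 2 of the question). */
    struct passwd *pw = getpwnam(user);
    if (pw == NULL)
        return JAIL_EUSER;
    if (pw->pw_uid == 0)
        return JAIL_EROOT;   /* a root process can leave a chroot */
    uid_t uid = pw->pw_uid;  /* copy: pw points at static storage */
    gid_t gid = pw->pw_gid;
    /* Supplementary groups are also read from outside the jail. */
    if (initgroups(user, gid) != 0)
        return JAIL_EDROP;
    /* chroot() needs root, so it precedes the uid change (point 1);
     * chdir("/") puts the working directory inside the new root. */
    if (chroot(dir) != 0 || chdir("/") != 0)
        return JAIL_ECHROOT;
    /* Group first: after setuid() the process may no longer change it. */
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return JAIL_EDROP;
    return setuid(0) == 0 ? JAIL_EDROP : JAIL_OK;  /* regaining root must fail */
}

int main(int argc, char **argv)
{
    if (argc < 4) {
        fprintf(stderr, "usage: %s user newroot /path/in/jail [args...]\n", argv[0]);
        return 2;
    }
    int rc = jail_and_drop(argv[1], argv[2]);
    if (rc != JAIL_OK) {
        fprintf(stderr, "jail_and_drop failed (code %d)\n", rc);
        return 1;
    }
    execv(argv[3], &argv[3]);   /* path is resolved inside the jail */
    perror("execv");
    return 1;
}
```

It has to be started as root, for instance from an rc.d script with the thread's ircd layout as arguments: `ircd /usr/local/ircd /bin/ircd`.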