From owner-freebsd-isp Mon Oct 11 18:52:03 1999
Delivered-To: freebsd-isp@freebsd.org
Received: from sasknow.com (h139-142-245-96.ss.FiberONE.NET [139.142.245.96]) by hub.freebsd.org (Postfix) with ESMTP id 8E92814CC1 for ; Mon, 11 Oct 1999 18:52:00 -0700 (PDT) (envelope-from freebsd@sasknow.com)
Received: from sasknow.com (ntstn [10.0.0.2]) by sasknow.com (8.9.3/8.9.3) with ESMTP id TAA12523; Mon, 11 Oct 1999 19:51:56 -0600 (CST) (envelope-from freebsd@sasknow.com)
Message-ID: <38029482.9077F9E9@sasknow.com>
Date: Mon, 11 Oct 1999 19:53:06 -0600
From: "Ryan Thompson [FreeBSD]"
X-Mailer: Mozilla 4.7 [en] (WinNT; U)
X-Accept-Language: en
MIME-Version: 1.0
To: James Wyatt
Cc: freebsd-isp@FreeBSD.ORG
Subject: Re: Chroot and ~/bin, ~/etc. Better way?
References:
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-isp@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I considered hard links, as well (and, after reading the other messages in this thread, it appears others have, too :-)

The problem, though, still remains that you can't hard link a directory (users' etc directories on my system contain about a dozen files). That makes for a lot of work when adding users or updating files (even for a script! :-), and maintenance is still messy. AND, ln won't create hard links across file systems... LET ALONE NETWORK CONNECTIONS :-) So, that pretty much cinches it for me, as home directories can exist on multiple systems, here.

And, as James (below) has mentioned... there is still the security issue. And, in a few specialized cases on my system, I have special requirements for the /etc and /bin directories, and, with hard links, maintenance becomes very bothersome.

SO.... I hacked together a perl script today :-)

Available via anonymous FTP from:

    ftp://ftp.sasknow.com/perl/makehome.pl

Read the notes in the source for installation instructions.

Basically, what it does is the following:

- Read password entries of all users with UID >= 1000.
- Peek in users' home directory for bin/ and etc/.
- If an .update flag exists in these directories, and the version is LESS than the version contained in /home/default/*/.update, overwrite the directory with a new copy from /home/default/* (recursive copy).

So, no need for hard links. Works across filesystems/network mounts (indeed, even over ftp with a little work, I'm sure :-). Must run as root.

It took me about 45 minutes to write, and another hour to document, so don't expect perfection, here, and test before using in production environments. It works great for me, but may not (probably WILL not) work on some systems. Perl 5 required.

I'll happily welcome comments, of course, but don't count on support for this program :-)

Virtually yours,

Ryan

James Wyatt wrote:
>
> We considered having all the ftpgroup users share ~/bin and ~/etc dirs
> with linked copies of the files, but figured that if any one of them could
> somehow find a way to update their /bin/ls or something, they could trojan
> it for the others. They could also try cracking the other accounts if they
> knew of them in the shared password file - though they wouldn't have the
> crypted passwords. Obviously symlinks wouldn't work in a chroot()ed env.
>
> We also couldn't think of anything better to support users changing their
> own passwords than having /bin/passwd as their shell. EDI users usually
> don't change their passwords often anyway...
>
> Having something that copied a common one to all user dirsets in the
> ftpuser group was the best we could think of at the time... - Jy@
>
> On Mon, 11 Oct 1999, Ryan Thompson wrote:
> > Hi everybody;
> > Hi Dr. Nick!

(for Simpsons fans) I'll use a different greeting next time :-)

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-isp" in the body of the message
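A Python sketch of the refresh logic Ryan describes above (read the password entries for UID >= 1000, look in each user's bin/ and etc/ for an .update flag, and recursively recopy the directory from /home/default when the user's version is lower), added here as an example. It is not makehome.pl and not Ryan's code. It assumes that an .update file holds a single integer version number, and it takes account records as (name, uid, home) tuples so the same functions can run over pwd.getpwall() or over the constructed sample tree that build_demo_tree() creates in a temporary directory.

```python
"""Refresh per-user chroot bin/ and etc/ copies from a template tree.

Added example (not Ryan Thompson's makehome.pl): a Python sketch of the
refresh logic the message describes. Assumptions, mine rather than the
original's: a .update file holds one integer version; the template tree
is /home/default/{bin,etc}; account records are (name, uid, home) tuples
so the same code can be driven by pwd.getpwall() or a constructed list.
"""
import os
import pwd
import shutil
import tempfile

DEFAULT_ROOT = "/home/default"   # template tree named in the message
MIN_UID = 1000                   # users with UID >= 1000 are managed
MANAGED = ("bin", "etc")         # per-user directories to refresh


def read_version(directory):
    """Return the integer in <directory>/.update, or None if absent or unparsable."""
    try:
        with open(os.path.join(directory, ".update"), encoding="ascii") as fh:
            return int(fh.read().strip())
    except (OSError, ValueError):
        return None


def accounts_from_passwd(min_uid=MIN_UID):
    """Yield (name, uid, home) for every password entry with uid >= min_uid."""
    for pw in pwd.getpwall():
        if pw.pw_uid >= min_uid:
            yield (pw.pw_name, pw.pw_uid, pw.pw_dir)


def stale_dirs(accounts, default_root=DEFAULT_ROOT, managed=MANAGED):
    """List (home, subdir, user_version, template_version) for copies to refresh.

    A copy is refreshed only when it carries an .update flag AND that
    version is lower than the template's; a directory without the flag,
    or at/above the template version, is left alone.
    """
    stale = []
    for _name, _uid, home in accounts:
        for sub in managed:
            template_ver = read_version(os.path.join(default_root, sub))
            if template_ver is None:
                continue                       # template has no flag: nothing to push
            user_ver = read_version(os.path.join(home, sub))
            if user_ver is not None and user_ver < template_ver:
                stale.append((home, sub, user_ver, template_ver))
    return stale


def refresh(accounts, default_root=DEFAULT_ROOT, managed=MANAGED, dry_run=False):
    """Replace each stale per-user directory with a recursive copy of the template.

    The old directory is renamed aside before copying so a failed copy
    never leaves a half-written bin/ or etc/. Returns [(home, subdir)].
    """
    done = []
    for home, sub, _old, _new in stale_dirs(accounts, default_root, managed):
        src, dst = os.path.join(default_root, sub), os.path.join(home, sub)
        if not dry_run:
            backup = dst + ".old"
            if os.path.isdir(backup):
                shutil.rmtree(backup)
            os.rename(dst, backup)
            shutil.copytree(src, dst)          # recursive copy; copy2 keeps modes and times
            shutil.rmtree(backup)
        done.append((home, sub))
    return done


def build_demo_tree():
    """Build a throwaway /home-like tree (constructed sample data, not real accounts).

    default/bin is at version 3, default/etc at 2; alice's bin is at 1
    (stale) and etc at 2 (current); bob's bin has no flag and his etc is
    at 5, so neither of bob's directories is touched.
    """
    root = tempfile.mkdtemp(prefix="makehome-demo-")
    default = os.path.join(root, "default")

    def mkdir_with_version(path, version, payload):
        os.makedirs(path)
        with open(os.path.join(path, ".update"), "w", encoding="ascii") as fh:
            fh.write(f"{version}\n")
        with open(os.path.join(path, "marker"), "w", encoding="ascii") as fh:
            fh.write(payload)

    mkdir_with_version(os.path.join(default, "bin"), 3, "template bin v3\n")
    mkdir_with_version(os.path.join(default, "etc"), 2, "template etc v2\n")
    alice, bob = os.path.join(root, "alice"), os.path.join(root, "bob")
    mkdir_with_version(os.path.join(alice, "bin"), 1, "alice bin v1\n")
    mkdir_with_version(os.path.join(alice, "etc"), 2, "alice etc v2\n")
    os.makedirs(os.path.join(bob, "bin"))                 # no .update flag
    mkdir_with_version(os.path.join(bob, "etc"), 5, "bob etc v5\n")
    return [("alice", 1001, alice), ("bob", 1002, bob)], default


if __name__ == "__main__":
    # Dry run against the constructed tree: only alice's bin/ should be listed.
    demo_accounts, demo_default = build_demo_tree()
    for entry in stale_dirs(demo_accounts, demo_default):
        print("stale:", entry)
    print("would refresh:", refresh(demo_accounts, demo_default, dry_run=True))
```

Against real accounts, run it as root and pass accounts_from_passwd() to refresh(); dry_run=True lists what would be overwritten before anything is moved. One thing to keep in mind with this example, which follows the scheme as described: the comparison trusts the .update file inside the user's own directory, so a user who can write that file can set a high number and opt out of future refreshes. If that matters, key the check on something the user cannot touch, such as a record kept under /home/default or a hash of the template, rather than on a file in the user's home.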