From owner-freebsd-questions  Tue Nov 14  2:31:55 2000
Delivered-To: freebsd-questions@freebsd.org
Received: from brunel.uk1.vbc.net (brunel.uk1.vbc.net [194.207.2.8])
	by hub.freebsd.org (Postfix) with ESMTP id 4478337B479
	for ; Tue, 14 Nov 2000 02:31:50 -0800 (PST)
Received: from localhost (lloyd@localhost)
	by brunel.uk1.vbc.net (8.11.0/8.11.0) with ESMTP id eAEAVkb34137;
	Tue, 14 Nov 2000 10:31:46 GMT
X-Authentication-Warning: brunel.uk1.vbc.net: lloyd owned process doing -bs
Date: Tue, 14 Nov 2000 10:31:46 +0000 (GMT)
From: Lloyd Rennie
X-Sender: lloyd@brunel.uk1.vbc.net
To: Mike Meyer
Cc: questions@freebsd.org
Subject: Re: chrooted shell accounts
In-Reply-To: <14864.38419.48129.325993@guru.mired.org>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Mon, 13 Nov 2000, Mike Meyer wrote:

> Lloyd Rennie types:
> > I have been having difficulty chrooting a user's shell on a machine here,
> > as detailed below. In this case the user in question is 'derek'.
> > derek's shell is /usr/local/bin/derekshell, which is a binary file
> > generated by /usr/local/bin/derekshell.c;
> >
> > #include <stdlib.h>
> >
> > int main(void) {
> >     system("/usr/local/bin/derekshell.sh");
> >     return 0;
> > }
> >
> > No rocket science there. /usr/local/bin/derekshell has been added to
> > /etc/shells.
> > /usr/local/bin/derekshell.sh looks like;
> >
> > #!/bin/sh
> > cd /home/derek
> > id # debug purposes
> > /usr/sbin/chroot /home/derek /bin/csh
> > id # debug purposes
> >
> > Contrived I know, but more secure to have the binary wrapper when making
> > things SUID 0.
>
> True - but why isn't this a C program? It would be about the same
> length as all these things, and remove one complication from the
> system. If you want to do a chroot as part of a shell script, try doing
> the chroot in the wrapper, then running the shell script. Which
> doesn't help with the problem, I know, but you asked for a simpler way
> to do things.

'S a good point.

> > Permissions are like this;
> >
> > -rwsr-xr-x  1 root  bin    8808 Nov  1 17:16 /usr/local/bin/derekshell
> > -rw-r--r--  1 root  bin      82 Nov  1 17:16 /usr/local/bin/derekshell.c
> > -rwx------  1 root  wheel    69 Nov  1 17:18 /usr/local/bin/derekshell.sh
> >
> > /home/derek/bin looks like;
> >
> > % ls -l
> > total 1200
> > -r-xr-xr-x  1 derek  derek  241664 Nov  1 11:54 csh
> > -r-xr-xr-x  1 derek  derek  155648 Nov  1 11:54 ls
> > -r-xr-xr-x  1 derek  derek  126976 Nov  1 11:54 ping
> > -r-xr-xr-x  1 derek  derek   40960 Nov  1 11:54 pwd
> > -r-xr-xr-x  1 derek  derek   16384 Nov  1 11:54 traceroute
> >
> > If I run /usr/local/bin/derekshell as root, all works perfectly. If I run
> > it as user derek (invoking it as derek's shell);
> >
> > % su - derek
> > Password:
> > uid=1008(derek) euid=0(root) gid=996(derek) groups=996(derek)
> > csh: Permission denied.
> > uid=1008(derek) euid=0(root) gid=996(derek) groups=996(derek)
> > %
> >
> >
> > What I want to know is (a) why this is not working, and (b) if there is a
> > simpler way of doing it.
>
> Well, the home directory permissions might have something to do with
> it.

drwxr-xr-x  3 derek  derek  512 Nov  1 11:53 /home/derek

Replaced my derekshell bin with a new one as you suggested.

#include <stdlib.h>

int main(void) {
    system("cd /home/derek; /usr/sbin/chroot /home/derek /bin/csh");
    return 0;
}

However, as you say, this makes no difference.

> I'd be interested to know where the message is coming from (is it
> csh complaining that something is wrong, or chroot complaining that
> something is wrong with /bin/csh).

A good question. How the hell do I tell?

-- 
Lloyd Rennie                 VBCnet GB Ltd                  lloyd@vbc.net
tel +44 (0) 117 929 1316     http://www.vbc.net      fax +44 (0) 117 927 2015


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
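[Editor's added example; this is not code from the thread, from Lloyd or Mike, or from FreeBSD.]

The wrapper below is the shape Mike suggests: a single setuid-root C program that does the chroot itself, with no shell script and no system(3) in between (system() hands a root-privileged /bin/sh the caller's environment, which is exactly what a setuid wrapper should avoid). It is written so that every step reports its own failure, which is the practical answer to "how do I tell where the message comes from": if chroot(2) fails the user sees "chroot failed: ...", if the shell never starts they see "execve failed: ...", and anything else on the terminal was printed by csh itself after it was already running inside the jail. The wrapper also drops euid 0 back to the invoking user's uid/gid before the exec, because a process that stays root inside a chroot is not actually confined by it. Assumptions: the jail root /home/derek and the in-jail shell path /bin/csh are placeholders copied from the listing above; the uid/gid come from getuid()/getgid(), so the binary can only jail whoever ran it.

```c
/* chrootsh.c: setuid-root login wrapper that chroots into a jail directory,
 * drops privileges, then execs a shell inside the jail.  Each step returns
 * its own code so a failure can be attributed to chdir, chroot, the uid/gid
 * drop or the exec rather than to the shell.
 * Added example for the thread above, not code from it; paths below are
 * placeholders taken from the posted listing. */
#define _DEFAULT_SOURCE 1
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

enum step { STEP_OK = 0, STEP_CHDIR, STEP_CHROOT, STEP_CHDIR_ROOT,
            STEP_GROUPS, STEP_SETGID, STEP_SETUID, STEP_EXEC };

/* Human-readable name of the call that failed, for the error message. */
const char *step_name(enum step s) {
    static const char *const names[] = { "ok", "chdir(jail)", "chroot",
        "chdir(/)", "setgroups", "setgid", "setuid", "execve" };
    return ((unsigned)s <= STEP_EXEC) ? names[s] : "?";
}

/* Enter `root`, drop to uid/gid, exec `shell` (a path *inside* the jail).
 * Returns only on failure; errno is left as the failing call set it. */
enum step run_chrooted(const char *root, const char *shell, uid_t uid, gid_t gid) {
    if (chdir(root) != 0)        return STEP_CHDIR;
    if (chroot(".") != 0)        return STEP_CHROOT;     /* requires euid 0 */
    if (chdir("/") != 0)         return STEP_CHDIR_ROOT; /* cwd must not stay outside */
    if (setgroups(0, NULL) != 0) return STEP_GROUPS;     /* drop supplementary groups */
    if (setgid(gid) != 0)        return STEP_SETGID;
    if (setuid(uid) != 0)        return STEP_SETUID;     /* root is gone from here on */

    /* Login-shell argv[0] ("-csh") and a minimal environment we control,
     * rather than whatever the caller's environment contained. */
    const char *base = strrchr(shell, '/');
    base = base ? base + 1 : shell;
    char argv0[64];
    snprintf(argv0, sizeof argv0, "-%s", base);
    char *argv[] = { argv0, NULL };
    char *envp[] = { "PATH=/bin", "HOME=/", "SHELL=/bin/csh", NULL };
    execve(shell, argv, envp);
    return STEP_EXEC;
}

int main(void) {
    /* Placeholders from the posted setup: jail at /home/derek, shell at
     * /home/derek/bin/csh, which is /bin/csh once chrooted. */
    enum step s = run_chrooted("/home/derek", "/bin/csh", getuid(), getgid());
    int saved = errno;
    fprintf(stderr, "chrootsh: %s failed: %s\n", step_name(s), strerror(saved));
    return 1;
}
```

Install it the way the original derekshell was installed (owned by root, mode 4755 or tighter, listed in /etc/shells) and make it the user's login shell; if it prints nothing and csh complains, the jail was entered successfully and the problem is inside it (typically the shared libraries, devices or startup files csh expects under the new root). Run unprivileged, it fails deterministically at the chroot step with EPERM, which is a useful quick check that the setuid bit is what is doing the work.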