From owner-freebsd-isp Tue Oct 12 10:19:38 1999
Delivered-To: freebsd-isp@freebsd.org
Received: from bsdie.rwsystems.net (bsdie.rwsystems.net [209.197.223.2]) by hub.freebsd.org (Postfix) with ESMTP id E1BA315178 for ; Tue, 12 Oct 1999 10:19:28 -0700 (PDT) (envelope-from jwyatt@rwsystems.net)
Received: from bsdie.rwsystems.net([209.197.223.2]) (2882 bytes) by bsdie.rwsystems.net via sendmail with P:esmtp/R:bind_hosts/T:inet_zone_bind_smtp (sender: ) id for ; Tue, 12 Oct 1999 12:15:50 -0500 (CDT) (Smail-3.2.0.106 1999-Mar-31 #1 built 1999-Aug-7)
Date: Tue, 12 Oct 1999 12:15:50 -0500 (CDT)
From: James Wyatt
To: Brian Reichert
Cc: "Ryan Thompson [FreeBSD]" , freebsd-isp@FreeBSD.ORG
Subject: Re: Chroot and ~/bin, ~/etc. Better way?
In-Reply-To: <19991011234206.A24645@numachi.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-isp@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Mon, 11 Oct 1999, Brian Reichert wrote:

> On Mon, Oct 11, 1999 at 07:53:06PM -0600, Ryan Thompson [FreeBSD] wrote:
> > Someone lost my attribution for:
> > > We considered having all the ftpgroup users share ~/bin and ~/etc dirs
> > > with linked copies of the files, but figured that if any one of them could
> > > somehow find a way to update their /bin/ls or something, they could trojan
> > > it for the others. They could also try cracking the other accounts if they
> > > knew of them in the shared password file - though they wouldn't have the
> > > crypted passwords. Obviously symlinks wouldn't work in a chroot()ed env.
>
> If you've properly created the chroot'ed account as per suggestions
> in ftpd(8), then you will be probably as safe as you can get. If
> someone can write to a root-owned file (irrespective of a chroot'ed
> environment), then they can trojan whatever they want, anyway.

Depends on what 'they want' and if you hard-link everyone's ~/bin/ls...
(bad example, internal ls is a fix for this.) If they are not linked, so
what? They trojan only that user (might not be them if the account is
cracked). If the ~/bin/ls (or another shared binary) is hard-linked to
everyone else's, they can do a lot more.

> > > We also couldn't think of anything better to support users changing their
> > > own passwords than having /bin/passwd as their shell. EDI users usually
> > > don't change their passwords often anyway...
>
> I would have thought that if you are chroot'ed, then you simply
> could not affect your system-wide password. Am I missing something
> here? I've worked in environments where we put together a secure
> (as in 'https') web server/CGI solution for people to 'log in', as
> to affect some (but not all!) fields of their password entry.

If they are chroot()ed and the local ~/etc/passwd files have more account
names than just theirs, they have more names to try cracking, that's all.
They do not contain crypted passwords, of course, and you would never link
them to the system /etc/passwd file anyway.

Is there anything *wrong* with using /bin/passwd as a shell, since it
shouldn't process .*rc or .login or .profile files?

I like the ssh/cgi solution, btw, Got Source(tm)? - Jy@

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-isp" in the body of the message
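The audit below is an added example, not code from this thread or from FreeBSD. It is a POSIX sh script that checks a set of chroot'ed ftp home directories for the two risks raised above: a ~/bin binary that is shared between jails by hard link (or is writable by anyone but its owner), where a trojan in one jail reaches every jail sharing the inode, and a ~/etc/passwd that lists accounts other than the jail's owner or carries a password hash. The jail layout, user names and paths it builds are constructed for the demo; the expected owner of the binaries is a parameter (root in real use) so the demo can run unprivileged.

```shell
#!/bin/sh
# Added example: audit chroot'ed ftp homes for cross-jail shared binaries
# and over-populated per-jail passwd files. Everything here is constructed
# for the demo; nothing is taken from a real system.

# audit_bin JAILDIR [EXPECTED_OWNER]
#   Prints one finding per line for files in JAILDIR/bin that have more
#   than one hard link, are not owned by EXPECTED_OWNER (default root),
#   or are group/world writable. Assumes file names without whitespace.
audit_bin() {
    jail="$1"; want_owner="${2:-root}"
    [ -d "$jail/bin" ] || return 0
    for f in "$jail"/bin/*; do
        [ -f "$f" ] || continue
        # POSIX ls -l columns: mode nlink owner group size ...
        set -- $(ls -ld "$f")
        mode=$1; nlink=$2; owner=$3
        [ "$nlink" -gt 1 ] && echo "$f: $nlink hard links - a trojan here reaches every jail sharing the inode"
        [ "$owner" = "$want_owner" ] || echo "$f: owned by $owner, expected $want_owner"
        case "$mode" in
            ?????w*|????????w*) echo "$f: group/world writable ($mode)" ;;
        esac
    done
    return 0
}

# audit_passwd JAILDIR OWNERNAME
#   Flags entries in JAILDIR/etc/passwd other than OWNERNAME (extra names
#   an attacker could try) and any entry whose password field holds a hash
#   rather than an empty field, '*' or the shadow marker 'x'.
audit_passwd() {
    jail="$1"; owner="$2"
    [ -f "$jail/etc/passwd" ] || return 0
    while IFS=: read -r name pw rest; do
        [ -z "$name" ] && continue
        [ "$name" = "$owner" ] || echo "$jail/etc/passwd: lists foreign account '$name'"
        case "$pw" in
            ''|'*'|'x') ;;
            *) echo "$jail/etc/passwd: entry '$name' carries a password hash" ;;
        esac
    done < "$jail/etc/passwd"
    return 0
}

# build_demo ROOT
#   Constructs two jails, alice and bob, with the mistakes the audit looks
#   for: bin/ls hard-linked between them, a group-writable bin/cat in alice,
#   and bob's etc/passwd also listing alice.
build_demo() {
    root="$1"
    mkdir -p "$root/alice/bin" "$root/alice/etc" "$root/bob/bin" "$root/bob/etc"
    printf '#!/bin/sh\necho shared ls\n' > "$root/alice/bin/ls"
    chmod 755 "$root/alice/bin/ls"
    ln "$root/alice/bin/ls" "$root/bob/bin/ls"          # the shared hard link
    printf '#!/bin/sh\necho private cat\n' > "$root/alice/bin/cat"
    chmod 775 "$root/alice/bin/cat"                     # group-writable
    printf 'alice:*:1001:1001::/:/bin/passwd\n' > "$root/alice/etc/passwd"
    printf 'bob:*:1002:1002::/:/bin/passwd\nalice:*:1001:1001::/:/bin/passwd\n' \
        > "$root/bob/etc/passwd"
}

# Stand-alone run: build the demo in a temp dir, audit both jails, clean up.
demo_root=$(mktemp -d)
build_demo "$demo_root"
for user in alice bob; do
    audit_bin "$demo_root/$user" "$(id -un)"
    audit_passwd "$demo_root/$user" "$user"
done
rm -rf "$demo_root"
```

In production the owner argument would be left at its default of root and the script run over every chroot'ed home; any line of output is something to look at, and a hard-link finding in particular means one writable copy is every jail's copy.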