From owner-freebsd-security Mon Aug 31 08:40:46 1998
Return-Path:
Received: (from majordom@localhost)
          by hub.freebsd.org (8.8.8/8.8.8) id IAA06422
          for freebsd-security-outgoing; Mon, 31 Aug 1998 08:40:46 -0700 (PDT)
          (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from infowest.com (ns1.infowest.com [204.17.177.10])
          by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id IAA06417
          for ; Mon, 31 Aug 1998 08:40:44 -0700 (PDT)
          (envelope-from agifford@infowest.com)
Received: from infowest.com (eq.net [207.49.60.250])
          by infowest.com (8.8.8/8.8.8) with ESMTP id JAA29382
          for ; Mon, 31 Aug 1998 09:39:45 -0600 (MDT)
Message-ID: <35EAC3B6.258A308D@infowest.com>
Date: Mon, 31 Aug 1998 09:39:34 -0600
From: "Aaron D. Gifford"
X-Mailer: Mozilla 4.05 [en] (X11; U; FreeBSD 2.2.7-STABLE i386)
MIME-Version: 1.0
To: security@FreeBSD.ORG
Subject: Re: Shell history
References: <199808310943.LAA00544@CoDe.hu>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Somebody said:
> > >> Sort of an automated chroot thing you can't bypass I guess.

And Danny responded:
> > >Build a chrooted area with /etc, /bin, /usr/bin, /usr/lib, /usr/libexec
> > >files which are necessary.
> > >Change inetd to run telnetd.sh and have telnetd.sh do:
> > >
> > >-----
> > >#!/bin/sh
> > >cd /newroot
> > >exec /usr/sbin/chroot . /usr/libexec/telnetd
> > >-----
> > >
> > >Danny

And a third party replied:
> > This means that there would be common area for all shell users and I'd
> > wonder if root would be restricted to console and ssh perhaps.

Then Zahemszky Gabor informed:
> In some AT&T Unices (HP, if I know well), this is the job of login:
> if that user has a star ``*'' as shell (the /etc/passwd line of that user
> is like:
> user:passwd:uid:gid:gcos:home:*
> ),
> then login is chroot to home, and start another login, with a /etc/passwd in
> that chrooted environment. Well, with that way, that user has to type
> two login/passwd sequence, but I think it's not a bad idea.

<>

I had to set up a chrooted area for a few users recently, so I wrote a
shell wrapper, chrsh. It chroots to the chroot jail then runs a shell
or whatever within the jail. See http://www.eq.net/software/chrsh.html
for more info. Tis FreeBSD specific. It let me specify which users I
wanted chrooted and which I did not, and it lets the users login via
telnet or ssh or whatever.

Aaron out.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message