Date: Mon, 13 Nov 2000 13:22:36 +0000 (GMT)
From: Lloyd Rennie <lloyd@vbc.net>
To: questions@freebsd.org
Subject: chrooted shell accounts
Message-ID: <Pine.BSF.4.10.10011131312350.28019-100000@brunel.uk1.vbc.net>

I have been having difficulty chrooting a user's shell on a machine here,
as detailed below. In this case the user in question is 'derek'.

derek's shell is /usr/local/bin/derekshell, which is a binary file
generated by /usr/local/bin/derekshell.c;

    #include <stdlib.h>
    int main (int argc, char *argv []) {
      /* hand off to the script via /bin/sh */
      system("/usr/local/bin/derekshell.sh");
      return 0;
    }

No rocket science there. /usr/local/bin/derekshell has been added to
/etc/shells.

/usr/local/bin/derekshell.sh looks like;

    #!/bin/sh
    cd /home/derek
    id # debug purposes
    /usr/sbin/chroot /home/derek /bin/csh
    id # debug purposes

Contrived I know, but more secure to have the binary wrapper when making
things SUID 0.

Permissions are like this;

    -rwsr-xr-x 1 root bin 8808 Nov 1 17:16 /usr/local/bin/derekshell
    -rw-r--r-- 1 root bin 82 Nov 1 17:16 /usr/local/bin/derekshell.c
    -rwx------ 1 root wheel 69 Nov 1 17:18 /usr/local/bin/derekshell.sh

/home/derek/bin looks like;

    % ls -l
    total 1200
    -r-xr-xr-x 1 derek derek 241664 Nov 1 11:54 csh
    -r-xr-xr-x 1 derek derek 155648 Nov 1 11:54 ls
    -r-xr-xr-x 1 derek derek 126976 Nov 1 11:54 ping
    -r-xr-xr-x 1 derek derek 40960 Nov 1 11:54 pwd
    -r-xr-xr-x 1 derek derek 16384 Nov 1 11:54 traceroute

If I run /usr/local/bin/derekshell as root, all works perfectly. If I run
it as user derek (invoking it as derek's shell);

    % su - derek
    Password:
    uid=1008(derek) euid=0(root) gid=996(derek) groups=996(derek)
    csh: Permission denied.
    uid=1008(derek) euid=0(root) gid=996(derek) groups=996(derek)
    %

What I want to know is (a) why this is not working, and (b) if there is a
simpler way of doing it.

TIA - please reply direct as I am not currently a list subscriber.

--
Lloyd Rennie VBCnet GB Ltd lloyd@vbc.net
tel +44 (0) 117 929 1316 http://www.vbc.net fax +44 (0) 117 927 2015
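
The id output in the message shows the script running with euid 0 but real uid 1008. As an added example (not part of the original message), a setuid-root wrapper in C can enter the chroot itself and then set the effective ids back to the real ids before starting the shell, so the shell runs with matching uid and euid and never holds root. The paths are taken from the message; the function names and the fixed environment are assumptions made for illustration.

```c
/* Added example: chroot wrapper that drops root before starting the shell.
 * Paths come from the message; function names are hypothetical. */
#define _DEFAULT_SOURCE   /* exposes chroot() on glibc; harmless elsewhere */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Enter the jail while still privileged. chdir first so the working
 * directory is inside the new root. Returns 0, or -1 with errno set. */
int enter_jail(const char *dir)
{
    if (chdir(dir) != 0) return -1;
    if (chroot(".") != 0) return -1;
    return chdir("/");
}

/* Permanently set the effective and saved ids back to the real ids.
 * Group first: changing gids needs the privilege that setuid gives up. */
int drop_privileges(void)
{
    uid_t ruid = getuid();
    gid_t rgid = getgid();

    if (setgid(rgid) != 0) return -1;
    if (setuid(ruid) != 0) return -1;
    /* Verify the drop: regaining root must fail for a non-root caller. */
    if (ruid != 0 && setuid(0) == 0) return -1;
    return (getuid() == geteuid() && getgid() == getegid()) ? 0 : -1;
}

int main(void)
{
    /* Constructed, fixed environment: nothing from the caller is inherited. */
    char *envp[] = { "PATH=/bin", "HOME=/", NULL };
    char *argv[] = { "-csh", NULL };

    if (enter_jail("/home/derek") != 0) { perror("chroot"); return 1; }
    if (drop_privileges() != 0) { perror("drop_privileges"); return 1; }
    execve("/bin/csh", argv, envp);   /* path as seen inside the jail */
    perror("execve");
    return 1;
}
```

With this layout the intermediate shell script and the system() call are no longer needed, and the only code that runs with euid 0 is the chdir/chroot step.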
