From owner-freebsd-questions Mon Nov 13 5:22:47 2000
Date: Mon, 13 Nov 2000 13:22:36 +0000 (GMT)
From: Lloyd Rennie
To: questions@freebsd.org
Subject: chrooted shell accounts

I have been having difficulty chrooting a user's shell on a machine here, as detailed below. In this case the user in question is 'derek'.

derek's shell is /usr/local/bin/derekshell, which is a binary file generated by /usr/local/bin/derekshell.c:

    #include <stdlib.h>

    /* setuid-root wrapper: just hands off to the script below */
    int main(void)
    {
        system("/usr/local/bin/derekshell.sh");
        return 0;
    }

No rocket science there. /usr/local/bin/derekshell has been added to /etc/shells.

/usr/local/bin/derekshell.sh looks like:

    #!/bin/sh
    cd /home/derek
    id                                  # debug purposes
    /usr/sbin/chroot /home/derek /bin/csh
    id                                  # debug purposes

Contrived I know, but more secure to have the binary wrapper when making things SUID 0.
Permissions are like this:

    -rwsr-xr-x  1 root  bin     8808 Nov  1 17:16 /usr/local/bin/derekshell
    -rw-r--r--  1 root  bin       82 Nov  1 17:16 /usr/local/bin/derekshell.c
    -rwx------  1 root  wheel     69 Nov  1 17:18 /usr/local/bin/derekshell.sh

/home/derek/bin looks like:

    % ls -l
    total 1200
    -r-xr-xr-x  1 derek  derek  241664 Nov  1 11:54 csh
    -r-xr-xr-x  1 derek  derek  155648 Nov  1 11:54 ls
    -r-xr-xr-x  1 derek  derek  126976 Nov  1 11:54 ping
    -r-xr-xr-x  1 derek  derek   40960 Nov  1 11:54 pwd
    -r-xr-xr-x  1 derek  derek   16384 Nov  1 11:54 traceroute

If I run /usr/local/bin/derekshell as root, all works perfectly. If I run it as user derek (invoking it as derek's shell):

    % su - derek
    Password:
    uid=1008(derek) euid=0(root) gid=996(derek) groups=996(derek)
    csh: Permission denied.
    uid=1008(derek) euid=0(root) gid=996(derek) groups=996(derek)
    %

What I want to know is (a) why this is not working, and (b) if there is a simpler way of doing it.

TIA - please reply direct as I am not currently a list subscriber.

--
Lloyd Rennie
VBCnet GB Ltd
lloyd@vbc.net        tel +44 (0) 117 929 1316
http://www.vbc.net   fax +44 (0) 117 927 2015
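A tighter version of the wrapper, added here as an example and not the poster's code: it performs chroot(2) and chdir("/") in the binary itself instead of going through system() and a script, insists that the jail root is a root-owned directory that is not group- or world-writable, drops permanently to the caller's real uid/gid before the exec, and hands the jailed shell a fixed environment. JAIL_ROOT and JAIL_SHELL are the paths from the post; jail_root_ok and drop_to_real_user are names chosen for this example.

```c
#define _DEFAULT_SOURCE 1
#include <err.h>
#include <grp.h>
#include <sys/stat.h>
#include <unistd.h>

#define JAIL_ROOT  "/home/derek"   /* jail root from the post */
#define JAIL_SHELL "/bin/csh"      /* path *inside* the jail, from the post */

/* Jail root policy: must be a directory, owned by root, and not writable by
 * group or others, so the jailed user cannot replace what the shell finds
 * under the new root. Returns 0 if acceptable, -1 otherwise. */
int jail_root_ok(uid_t owner, mode_t mode)
{
    if (!S_ISDIR(mode)) return -1;
    if (owner != 0) return -1;
    if (mode & (S_IWGRP | S_IWOTH)) return -1;
    return 0;
}

/* Permanently give up root: supplementary groups and gid first (they need
 * euid 0), then uid, then confirm root cannot be regained. 0 on success. */
int drop_to_real_user(uid_t ruid, gid_t rgid)
{
    if (setgroups(1, &rgid) == -1) return -1;
    if (setgid(rgid) == -1 || setuid(ruid) == -1) return -1;
    if (ruid != 0 && setuid(0) != -1) return -1;   /* drop did not stick */
    return 0;
}

int main(void)
{
    struct stat st;
    uid_t ruid = getuid();
    gid_t rgid = getgid();
    if (stat(JAIL_ROOT, &st) == -1) err(1, "stat %s", JAIL_ROOT);
    if (jail_root_ok(st.st_uid, st.st_mode) == -1)
        errx(1, "%s: jail root must be a root-owned, non-writable directory", JAIL_ROOT);
    /* chroot(2) needs euid 0; chdir("/") afterwards so the working directory
     * does not remain a handle to the tree outside the jail. */
    if (chroot(JAIL_ROOT) == -1 || chdir("/") == -1) err(1, "chroot %s", JAIL_ROOT);
    if (drop_to_real_user(ruid, rgid) == -1) err(1, "cannot drop privileges");

    /* Fixed argv and environment instead of whatever the caller exported. */
    char *const argv[] = { "-csh", NULL };
    char *const envp[] = { "PATH=/bin", "HOME=/", "SHELL=" JAIL_SHELL, NULL };
    execve(JAIL_SHELL, argv, envp);
    err(1, "exec %s", JAIL_SHELL);
}
```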