From owner-freebsd-chat Fri Mar 12 17:26: 6 1999
Delivered-To: freebsd-chat@freebsd.org
Received: from o-o.org (o-o.org [207.252.201.100]) by hub.freebsd.org (Postfix) with ESMTP id 19621152FD for ; Fri, 12 Mar 1999 17:25:28 -0800 (PST) (envelope-from licia@o-o.org)
Received: from localhost (root@localhost) by o-o.org (8.8.8/8.8.8) with ESMTP id TAA24893; Fri, 12 Mar 1999 19:25:18 -0600 (CST) (envelope-from licia@o-o.org)
Date: Fri, 12 Mar 1999 19:25:17 -0600 (CST)
From: Licia
To: Brett Glass
Cc: freebsd-chat@FreeBSD.ORG, fad@o-o.org
Subject: Re: added chroot to /usr/bin/login
In-Reply-To: <4.1.19990312174003.03fc2490@localhost>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-chat@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri, 12 Mar 1999, Brett Glass wrote:

> I like it! However, I guess my concern would be that assigning a fixed
> number (in this case, 80) to the group that gets chrooted might not
> be the best way to go. Groups in FreeBSD can contain only a limited
> number of users, so this places a limit on the usefulness of the
> feature. And if group 80 is already in use, it could require major
> modifications to the file system to avoid problems.

I'm glad someone likes it :) This is why it is specifically -login group- 80.
This doesn't require any additions to /etc/group to add the user. Simply
chpass the user, and change their gid to 80. This will allow an effectively
unlimited number of users to be chrooted with no problem.

I asked about how to find a good 'reserved group' and got no responses, so I
made one up. 80 sounded nice to me :) If it's in use, it's a completely
trivial alteration to the patches to change to whatever gid is desired. Just
go in and change the 80 to the new gid.

> How about something like the /etc/ftpchroot file, where one can list
> both users and groups that are chrooted? Or the /etc/skey.access
> file, which lets you use the tty, IP address, group membership,
> and/or the individual user ID as criteria? (The latter may be overkill
> for this situation.) You could probably snag the code right out of
> ftpd to implement an etc/loginchroot file. Or it could be made into
> a library which ftpd, login, and other programs could share.
>
> --Brett

For this situation I think really that anything else would be overkill. I'm
actually thinking of removing the chroot-group idea, and having it totally
based on /etc/login.conf, but for now I think it's ok as it is :)

> At 06:01 PM 3/12/99 -0600, Licia wrote:
> >
> >I've placed a small patch to /usr/src/usr.bin/login/login.c on my home site
> >at http://www.o-o.org/~licia/projects/login/ that adds a simple and fairly
> >clean way to chroot users at login time. The 2.2.8R patch is tested, the
> >FreeBSD-current patch is anyone's guess, although I think it should probably
> >work :)

[ licia@o-o.org ] [ http://www.o-o.org/~licia/ ] [ Alias : Ladywolf]
[ Telnet to o-o.org and log in as bbs ] [ ssh -l bbs -C o-o.org ]
[ A happy user of FreeBSD : http://www.freebsd.org/ ]

main(){int num[4]={1768122732,762265697,1919889007,103};printf("%s\n",num);}

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-chat" in the body of the message
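The two selection schemes the thread debates (Licia's reserved login gid versus Brett's /etc/ftpchroot-style list), together with the chroot-then-drop-privileges sequence a login program has to get right, as an added example in C. This is not Licia's patch (which the message only links to): the gid value 80 is taken from the thread, while the helper names, the sample accounts and the list contents are assumptions constructed for the example.

```c
#define _DEFAULT_SOURCE 1          /* expose chroot()/setgroups() in glibc */
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Reserved "login group" from the message; assumed value, change to taste. */
#define CHROOT_GID 80

/* Returns 1 if the authenticated account should be jailed: its passwd gid is
 * the reserved chroot gid (no /etc/group entry needed, just chpass), or its
 * name appears in an /etc/ftpchroot-style list of names. */
int should_chroot(const struct passwd *pw, const char *const *list, size_t n)
{
    if (pw->pw_gid == CHROOT_GID)
        return 1;
    for (size_t i = 0; i < n; i++)
        if (strcmp(list[i], pw->pw_name) == 0)
            return 1;
    return 0;
}

/* Enter the jail while still root, then become the user. The order matters:
 * chroot() first, chdir("/") so the cwd does not stay outside the new root,
 * then drop supplementary groups, gid and uid. Returns 0 on success, -1 with
 * errno set on the first failing step; the caller must abort the login then. */
int enter_jail(const struct passwd *pw)
{
    if (chroot(pw->pw_dir) != 0) return -1;
    if (chdir("/") != 0) return -1;
    if (setgroups(1, &pw->pw_gid) != 0) return -1;
    if (setgid(pw->pw_gid) != 0) return -1;
    if (setuid(pw->pw_uid) != 0) return -1;
    return 0;
}

int main(void)
{
    /* Constructed sample accounts; not real entries from any host. */
    struct passwd jailed = { .pw_name = "guest", .pw_uid = 1001, .pw_gid = CHROOT_GID, .pw_dir = "/home/guest" };
    struct passwd listed = { .pw_name = "bbs", .pw_uid = 1002, .pw_gid = 1002, .pw_dir = "/home/bbs" };
    const char *const chroot_list[] = { "bbs" };   /* stand-in for a loginchroot file */

    printf("%s: %s\n", jailed.pw_name, should_chroot(&jailed, chroot_list, 1) ? "chroot" : "normal");
    printf("%s: %s\n", listed.pw_name, should_chroot(&listed, chroot_list, 1) ? "chroot" : "normal");
    /* enter_jail() needs root and a populated jail directory, so it is not called here. */
    return 0;
}
```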