From owner-freebsd-chat Fri Mar 12 17:31:39 1999
Delivered-To: freebsd-chat@freebsd.org
Received: from hades.riverstyx.net (unknown [216.94.42.239]) by hub.freebsd.org (Postfix) with ESMTP id 2286F152FC for ; Fri, 12 Mar 1999 17:30:51 -0800 (PST) (envelope-from unknown@riverstyx.net)
Received: from localhost (unknown@localhost) by hades.riverstyx.net (8.9.3/8.9.3) with ESMTP id RAA25106; Fri, 12 Mar 1999 17:32:13 -0800
Date: Fri, 12 Mar 1999 17:32:13 -0800 (PST)
From:
To: Licia
Cc: Brett Glass , freebsd-chat@FreeBSD.ORG, fad@o-o.org
Subject: Re: added chroot to /usr/bin/login
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-chat@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Just thought I'd mention that 80 is a really common group on a lot of web
servers for the http group (and the login group of the http user).

On Fri, 12 Mar 1999, Licia wrote:

> On Fri, 12 Mar 1999, Brett Glass wrote:
>
> > I like it! However, I guess my concern would be that assigning a fixed
> > number (in this case, 80) to the group that gets chrooted might not
> > be the best way to go. Groups in FreeBSD can contain only a limited
> > number of users, so this places a limit on the usefulness of the
> > feature. And if group 80 is already in use, it could require major
> > modifications to the file system to avoid problems.
>
> I'm glad someone likes it :)
>
> This is why it is specifically -login group- 80. This doesn't require any
> additions to /etc/group to add the user. Simply chpass the user, and change
> their gid to 80. This will allow an effectively unlimited number of users to
> be chrooted with no problem.
>
> I asked about how to find a good 'reserved group' and got no responses, so I
> made one up. 80 sounded nice to me :) If it's in use, it's a completely
> trivial alteration to the patches to change to whatever gid is desired. Just
> go in and change the 80 to the new gid.
>
> > How about something like the /etc/ftpchroot file, where one can list
> > both users and groups that are chrooted? Or the /etc/skey.access
> > file, which lets you use the tty, IP address, group membership,
> > and/or the individual user ID as criteria? (The latter may be overkill
> > for this situation.) You could probably snag the code right out of
> > ftpd to implement an etc/loginchroot file. Or it could be made into
> > a library which ftpd, login, and other programs could share.
> >
> > --Brett
>
> For this situation I think really that anything else would be overkill. I'm
> actually thinking of removing the chroot-group idea, and having it totally
> based on /etc/login.conf, but for now I think it's ok as it is :)
>
> > At 06:01 PM 3/12/99 -0600, Licia wrote:
> > >
> > > I've placed a small patch to /usr/src/usr.bin/login/login.c on my home site
> > > at http://www.o-o.org/~licia/projects/login/ that adds a simple and fairly
> > > clean way to chroot users at login time. The 2.2.8R patch is tested, the
> > > FreeBSD-current patch is anyone's guess, although I think it should probably
> > > work :)
> > >
> > > [ licia@o-o.org ] [ http://www.o-o.org/~licia/ ] [ Alias : Ladywolf]
> > > [ Telnet to o-o.org and log in as bbs ] [ ssh -l bbs -C o-o.org ]
> > > [ A happy user of FreeBSD : http://www.freebsd.org/ ]
> > >
> > > main(){int num[4]={1768122732,762265697,1919889007,103};printf("%s\n",num);}
> > >
> > > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > > with "unsubscribe freebsd-chat" in the body of the message
>
> [ licia@o-o.org ] [ http://www.o-o.org/~licia/ ] [ Alias : Ladywolf]
> [ Telnet to o-o.org and log in as bbs ] [ ssh -l bbs -C o-o.org ]
> [ A happy user of FreeBSD : http://www.freebsd.org/ ]
>
> main(){int num[4]={1768122732,762265697,1919889007,103};printf("%s\n",num);}
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-chat" in the body of the message

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-chat" in the body of the message
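The thread contrasts two ways for login to decide who gets chrooted: Licia's fixed login-group check (gid 80) and Brett's suggestion of an /etc/ftpchroot-style list naming users and groups. The following C is an added example written for this page; it is neither Licia's login.c patch nor ftpd's code. It implements the list-based decision as a pure function over the file's text, so it can be unit-tested without touching /etc. The file format is an assumption made here: one entry per line, a bare name matches the user, `@name` matches any group the user belongs to, `#` starts a comment. The caller is expected to resolve the account's primary gid and supplementary groups to names (for example with getgrouplist(3) and getgrgid(3)) before calling, which is what lets a group entry cover both the passwd login group and /etc/group membership that the mail discusses. The assumed `EXAMPLE_POLICY` contents are constructed sample data.

```c
/* Added example: chroot-at-login policy lookup driven by a ftpchroot-style
 * list instead of a hard-coded gid.  Not code from the page or from FreeBSD. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define POLICY_MAXLINE 256

/* Constructed sample of an /etc/loginchroot-like file (assumed format). */
static const char EXAMPLE_POLICY[] =
    "# users and @groups confined to their home directory at login\n"
    "\n"
    "guest      # trailing comment is ignored\n"
    "@chroot\n";

/* Does the already-resolved group list contain 'group'? */
static int user_in_group(const char **groups, int ngroups, const char *group)
{
    for (int i = 0; i < ngroups; i++)
        if (strcmp(groups[i], group) == 0)
            return 1;
    return 0;
}

/* Strip a '#' comment and surrounding whitespace from one line, in place.
 * Returns the start of the remaining entry, which may be empty. */
static char *clean_entry(char *line)
{
    char *hash = strchr(line, '#');
    if (hash != NULL)
        *hash = '\0';
    while (isspace((unsigned char)*line))
        line++;
    char *end = line + strlen(line);
    while (end > line && isspace((unsigned char)end[-1]))
        *--end = '\0';
    return line;
}

/* Return 1 if 'name' (with group memberships 'groups') must be chrooted
 * according to 'policy' (the text of the list file), else 0.  Entries are
 * matched exactly, never by prefix; over-long lines are skipped rather than
 * truncated, so a truncated entry can never accidentally match.  As with
 * ftpchroot, an account that appears nowhere is left unconfined. */
int should_chroot(const char *name, const char **groups, int ngroups,
                  const char *policy)
{
    char line[POLICY_MAXLINE];
    const char *p = policy;

    while (*p != '\0') {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        const char *start = p;
        p = nl ? nl + 1 : p + len;

        if (len >= sizeof line)
            continue;                     /* refuse to parse an oversize line */
        memcpy(line, start, len);
        line[len] = '\0';

        char *entry = clean_entry(line);
        if (*entry == '\0')
            continue;                     /* blank or comment-only line */
        if (entry[0] == '@') {
            if (entry[1] != '\0' && user_in_group(groups, ngroups, entry + 1))
                return 1;                 /* matched by group membership */
        } else if (strcmp(entry, name) == 0) {
            return 1;                     /* matched by user name */
        }
    }
    return 0;
}

int main(void)
{
    const char *alice_groups[] = { "users", "chroot" };
    const char *bob_groups[]   = { "wheel" };

    printf("guest -> %d\n", should_chroot("guest", NULL, 0, EXAMPLE_POLICY));
    printf("alice -> %d\n", should_chroot("alice", alice_groups, 2, EXAMPLE_POLICY));
    printf("bob   -> %d\n", should_chroot("bob", bob_groups, 1, EXAMPLE_POLICY));
    return 0;
}
```

In login, the decision would be taken (and chroot(2) called) while still root, before setgid/setuid to the account; the confinement is only as strong as the tree it lands in, so the home directory must contain no setuid binaries or writable device nodes.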