From: Nigel Houghton
To: Brett Glass
Cc: freebsd-security@freebsd.org
Date: Mon, 20 Dec 2004 16:19:29 -0600
Subject: Re: chroot-ing users coming in via SSH and/or SFTP?
Message-ID: <20041220221928.GA2698@sourcefire.com>
In-Reply-To: <6.2.0.14.2.20041220145924.0624c328@localhost>

On 0, Brett Glass allegedly wrote:
> At 02:23 PM 12/20/2004, Nigel Houghton wrote:
>
> >Is there something wrong with using the scponly shell for the users?
>
> Mainly that I hadn't heard of it until you mentioned it. ;-)
> Thank you! (I knew I could get a quick answer, if there was one,
> from the list.)

aha, ok, good.

> I just tried building it (twice, because the first time I didn't
> realize that it required a special variable to be defined before
> it would set itself up to chroot users). I'll be testing it shortly
> to be sure that the "jails" created by its sample script (which
> creates both the user ID and the jail) have everything needed for
> FreeBSD.
>
> It'd be nice if there were a more centralized "chroot" facility
> that covered SSH, FTP, and other things as well.
>
> --Brett

Take a look at the Jail project, you'll find it here...

http://www.jmcresearch.com/projects/jail/

..and in ports/sysutils/ along with some other jail tools, it may
provide some of the features you are looking for.

+-----------------------------------------------------------------+
Nigel Houghton
Research Engineer
Sourcefire Inc.
Vulnerability Research Team

Stewie: You know, I rather like this God fellow. Very theatrical, you
know. Pestilence here, a plague there. Omnipotence ...gotta get me
some of that.