From owner-freebsd-chat Fri Mar 12 18:54:30 1999
Delivered-To: freebsd-chat@freebsd.org
Received: from o-o.org (o-o.org [207.252.201.100]) by hub.freebsd.org (Postfix) with ESMTP id D68B814C3F for ; Fri, 12 Mar 1999 18:54:26 -0800 (PST) (envelope-from licia@o-o.org)
Received: from localhost (root@localhost) by o-o.org (8.8.8/8.8.8) with ESMTP id UAA25753; Fri, 12 Mar 1999 20:54:18 -0600 (CST) (envelope-from licia@o-o.org)
Date: Fri, 12 Mar 1999 20:54:17 -0600 (CST)
From: Licia
To: Terry Lambert
Cc: freebsd-chat@FreeBSD.ORG, fad@o-o.org
Subject: Re: added chroot to /usr/bin/login
In-Reply-To: <199903130229.TAA15918@usr05.primenet.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-chat@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Thanks to welcome feedback, I've modified the patches :) no more login
group. It's all completely based on /etc/login.conf classes now. If there
is a capability called chroot, the value for it is used as the path to
chroot to, if there isn't, no chrooting... if there's interest I can add
the ~ type expansions to allow a single class to be used for multiple users
to be chrooted to their homedirs (trivial hack :) ) and this will easily
allow shared chroot environments, although the previous version did too :)

Thanks for the feedback, it's very welcome :)

On Sat, 13 Mar 1999, Terry Lambert wrote:

> > I've placed a small patch to /usr/src/usr.bin/login/login.c on my home site
> > at http://www.o-o.org/~licia/projects/login/ that adds a simple and fairly
> > clean way to chroot users at login time. The 2.2.8R patch is tested, the
> > FreeBSD-current patch is anyone's guess, although I think it should probably
> > work :)
>
> I think the correct way to pursue this would be to put the users in
> a "chroot" login class. You would put the word "chroot" between
> the colons in the passwd file entry via "vipw", e.g.:
>
>     test::999:999:chroot:0:0:test user:/A/testuser:/bin/csh
>
> And then within this class, add the resource limit "rootdir" in addition
> to the default, e.g.:
>
>     chroot:\
>         :rootdir=~:\
>         :tc=default:
>
> Note: ~ expands to the home directory, $ expands to the username; you
> could also do:
>
>     chroot:\
>         :rootdir=/jail/$:\
>         :tc=default:
>
> And then use:
>
>     login_getcapstr(3)
>
> Within login itself to get the string; if present, you chroot to the
> target.
>
> You could also do:
>
>     sharedjail:\
>         :rootdir=/usr06/jail/:\
>         :tc=default:
>
> And put users in a shared, but chrooted environment, like so:
>
>     sally::2018:2018:sharedjail:0:0:sally:/users/s/sally:/bin/csh
>     bob::2019:2019:sharedjail:0:0:bob:/users/b/bob:/bin/csh
>
> They could interact (and share shared libraries, for example), but
> not affect the rest of the system.
>
>
> Terry Lambert
> terry@lambert.org
> ---
> Any opinions in this posting are my own and not those of my present
> or previous employers.
>

[ licia@o-o.org ] [ http://www.o-o.org/~licia/ ] [ Alias : Ladywolf]
[ Telnet to o-o.org and log in as bbs ] [ ssh -l bbs -C o-o.org ]
[ A happy user of FreeBSD : http://www.freebsd.org/ ]
main(){int num[4]={1768122732,762265697,1919889007,103};printf("%s\n",num);}

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-chat" in the body of the message
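
The ~ and $ expansions discussed in this thread, as an added example that is not part of the patch or of either poster's code. The helper name expand_rootdir, its parameters and its rejection rules (separators or dot names in the user name, relative results, ".." components, truncation) are assumptions made for this sketch; real login code would obtain the template with login_getcapstr(3).

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: expand a login.conf chroot path template.
 * '~' becomes the home directory and '$' the user name, as described
 * in the thread. Returns 0 on success, -1 if the result must not be
 * used as a chroot target (fail closed: caller refuses the login). */
int expand_rootdir(const char *tmpl, const char *user, const char *home,
                   char *out, size_t outlen)
{
    size_t n = 0;

    if (outlen == 0)
        return -1;
    /* The user name is spliced into a path: refuse separators, dot names. */
    if (user[0] == '\0' || strchr(user, '/') != NULL ||
        strcmp(user, ".") == 0 || strcmp(user, "..") == 0)
        return -1;

    for (const char *p = tmpl; *p != '\0'; p++) {
        const char *piece = p;          /* default: copy one literal byte */
        size_t len = 1;
        if (*p == '~') { piece = home; len = strlen(home); }
        else if (*p == '$') { piece = user; len = strlen(user); }
        if (len >= outlen - n)          /* never chroot to a truncated path */
            return -1;
        memcpy(out + n, piece, len);
        n += len;
    }
    out[n] = '\0';

    if (out[0] != '/')                  /* target must be absolute */
        return -1;
    /* Reject any ".." path component ("a..b" and "..." are plain names). */
    for (const char *p = out; (p = strstr(p, "..")) != NULL; p += 2)
        if (p[-1] == '/' && (p[2] == '/' || p[2] == '\0'))
            return -1;
    return 0;
}

int main(void)
{
    char dir[256];
    /* Constructed sample: the "test" passwd entry quoted in the thread. */
    if (expand_rootdir("/jail/$", "test", "/A/testuser", dir, sizeof dir) == 0)
        printf("chroot target: %s\n", dir);
    /* login would then call chroot(dir) and chdir("/") while still root,
     * and only afterwards drop to the user's uid and gid. */
    return 0;
}
```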