From owner-freebsd-security Sat Feb 10 19:19:32 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id TAA05223 for security-outgoing; Sat, 10 Feb 1996 19:19:32 -0800 (PST)
Received: from fslg8.fsl.noaa.gov (fslg8.fsl.noaa.gov [137.75.131.171]) by freefall.freebsd.org (8.7.3/8.7.3) with SMTP id TAA05216 for ; Sat, 10 Feb 1996 19:19:27 -0800 (PST)
Received: by fslg8.fsl.noaa.gov (5.57/Ultrix3.0-C) id AA24340; Sat, 10 Feb 96 21:19:26 -0600
Received: by emu.fsl.noaa.gov (1.38.193.4/SMI-4.1 (1.38.193.4)) id AA22583; Sat, 10 Feb 1996 20:19:25 -0700
Date: Sat, 10 Feb 1996 20:19:25 -0700
From: kelly@fsl.noaa.gov (Sean Kelly)
Message-Id: <9602110319.AA22583@emu.fsl.noaa.gov>
To: yankee@anna.az.com
Cc: freebsd-security@freebsd.org
In-Reply-To: (yankee@anna.az.com)
Subject: Re: Need help building jails (fwd)
Sender: owner-security@freebsd.org
Precedence: bulk

>>>>> "Yankee" == az com writes:

    Yankee> Haven't been able to get chroot to work, any ideas?

Although anyone can run /usr/sbin/chroot, the chroot() system call
(type ``man 2 chroot'') says

    This call is restricted to the super-user.

so you need to be root to make effective use of /usr/sbin/chroot.

So, you probably want a special version of /usr/bin/login that checks
a database (perhaps by extending /etc/passwd or /etc/login.access, but
maybe a new database to stay compatible) which performs the chroot if
a certain field is set.  It can do this while it's running as root,
before it sets the user ID to the logged-in user.

The source code to /usr/bin/login is on the FreeBSD CD-ROM and FTP
sites, so hack away.

--
Sean Kelly
NOAA Forecast Systems Laboratory, Boulder Colorado USA

If there's ever an amusement park called Bag World, I bet it would
really start to annoy you after a while how they really sort of
stretch the definition of "bag."
                -- Deep Thoughts, by Jack Handey