Date:      Tue, 21 Dec 2004 00:00:39 -0500
From:      Tom McLaughlin <tmclaugh@sdf.lonestar.org>
To:        Brett Glass <brett@lariat.org>
Cc:        freebsd-security@freebsd.org
Subject:   Re: chroot-ing users coming in via SSH and/or SFTP?
Message-ID:  <1103605239.1100.13.camel@compass.straycat.dhs.org>
In-Reply-To: <6.2.0.14.2.20041220191915.0531e798@localhost>
References:  <6.2.0.14.2.20041220142255.06260ca0@localhost> <20041220212304.GV792@sourcefire.com> <6.2.0.14.2.20041220145924.0624c328@localhost> <20041220221928.GA2698@sourcefire.com> <6.2.0.14.2.20041220191915.0531e798@localhost>

On Mon, 2004-12-20 at 19:30 -0700, Brett Glass wrote:
> At 03:19 PM 12/20/2004, Nigel Houghton wrote:
> 
> >Take a look at the Jail project, you'll find it here...
> >
> > http://www.jmcresearch.com/projects/jail/
> >
> >..and in ports/sysutils/ along with some other jail tools, it may 
> >provide some of the features you are looking for.
> 
> Looks useful. (Shame it's GPLed.) In any case, it seems to me that
> creation of a jail the way this tool does it (and the way most people
> have to do it in general) requires a lot of redundant copies of files. 
> Wouldn't it be neat if there were a type of link (not quite soft, not
> quite hard; call it "firm") that would let you link to the current 
> master copies of executables (rather than copying them) but not
> let the inmates out of their jails? Hard links have the disadvantage 
> that they're broken when you upgrade an executable; soft links can't
> be used because, well, you're in a jail. The type of link I have in
> mind would be symbolic but resolved by the system behind the scenes;
> from inside the jail it wouldn't look like a link.
> 
> --Brett
> 

FreeBSD has its own jail(8) system, which might be useful, but yes, it
requires redundant files.  You could also look at using a restricted
shell (pdksh has the option but I'm not sure about csh) as well.  I'm
looking at doing anonymous cvs over ssh where I formerly used a jail.  I
haven't tried it yet but a restricted shell looks like it may provide me
with what I need.

Last time I did an sftp jail I believe I used chrsh which can be found
here:

http://www.aarongifford.com/computers/chrsh.html

Tom
-- 

BSD# Project - Porting Mono to FreeBSD
http://forge.novell.com/modules/xfmod/project/?bsd-sharp


