From: Tom McLaughlin
To: Brett Glass
Cc: freebsd-security@freebsd.org
Date: Tue, 21 Dec 2004 00:00:39 -0500
Subject: Re: chroot-ing users coming in via SSH and/or SFTP?
Message-Id: <1103605239.1100.13.camel@compass.straycat.dhs.org>

On Mon, 2004-12-20 at 19:30 -0700, Brett Glass wrote:
> At 03:19 PM 12/20/2004, Nigel Houghton wrote:
>
> >Take a look at the Jail project, you'll find it here...
> >
> > http://www.jmcresearch.com/projects/jail/
> >
> >..and in ports/sysutils/ along with some other jail tools, it may
> >provide some of the features you are looking for.
>
> Looks useful. (Shame it's GPLed.) In any case, it seems to me that
> creation of a jail the way this tool does it (and the way most people
> have to do it in general) requires a lot of redundant copies of files.
> Wouldn't it be neat if there were a type of link (not quite soft, not
> quite hard; call it "firm") that would let you link to the current
> master copies of executables (rather than copying them) but not
> let the inmates out of their jails? Hard links have the disadvantage
> that they're broken when you upgrade an executable; soft links can't
> be used because, well, you're in a jail. The type of link I have in
> mind would be symbolic but resolved by the system behind the scenes;
> from inside the jail it wouldn't look like a link.
>
> --Brett
>

FreeBSD has its own jail(8) system which might be useful, but yes, it
requires redundant files. You could also look at using a restricted
shell (pdksh has the option but I'm not sure about csh) as well. I'm
looking at doing anonymous cvs over ssh where I formerly used a jail. I
haven't tried it yet but a restricted shell looks like it may provide me
with what I need.

Last time I did an sftp jail I believe I used chrsh, which can be found
here:

http://www.aarongifford.com/computers/chrsh.html

Tom

--
BSD# Project - Porting Mono to FreeBSD
http://forge.novell.com/modules/xfmod/project/?bsd-sharp
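
The trade-off discussed in this thread (redundant copies versus hard links that break on upgrade) means a chroot tree can silently keep old binaries after the master copies are replaced. As an added example, not part of the original message: a shell function that classifies each file in a jail tree against its master copy. The function names and the temporary demo tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a chroot/jail tree against the master copies of its files.
# Usage: jail_audit MASTER_ROOT JAIL_ROOT
#   linked  - same inode as the master (hard link still intact)
#   current - separate copy with identical content
#   stale   - content differs from the master (e.g. the master was upgraded)
#   orphan  - no master file exists at that path
jail_audit() {
    master=$1
    jail=$2
    ( cd "$jail" && find . -type f ) | sort | while IFS= read -r rel; do
        rel=${rel#./}
        m="$master/$rel"
        j="$jail/$rel"
        if [ ! -f "$m" ]; then
            echo "orphan $rel"
        elif [ "$m" -ef "$j" ]; then
            echo "linked $rel"
        elif cmp -s "$m" "$j"; then
            echo "current $rel"
        else
            echo "stale $rel"
        fi
    done
}

# Constructed demo tree under a temp dir (hypothetical paths, no root needed).
jail_demo() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/master/bin" "$t/jail/bin"
    echo "sh v1"  > "$t/master/bin/sh"
    echo "ls v1"  > "$t/master/bin/ls"
    echo "cat v1" > "$t/master/bin/cat"
    ln "$t/master/bin/sh" "$t/jail/bin/sh"     # hard link into the jail
    ln "$t/master/bin/ls" "$t/jail/bin/ls"     # hard link into the jail
    cp "$t/master/bin/cat" "$t/jail/bin/cat"   # redundant copy
    # Simulated upgrade that replaces the file (new inode) instead of
    # rewriting it in place: the jail's hard link keeps the old content.
    echo "sh v2" > "$t/master/bin/sh.new"
    mv "$t/master/bin/sh.new" "$t/master/bin/sh"
    jail_audit "$t/master" "$t/jail"
    rm -rf "$t"
}

jail_demo
```

Run against a real tree, `stale` entries are the ones to refresh after an upgrade, since the jailed users are still executing the old binary.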