Date: Tue, 13 Oct 1998 11:20:56 -0700 (PDT)
From: Julian Elischer
To: Graphic Rezidew
cc: freebsd-isp@FreeBSD.ORG
Subject: Re: CHROOT'd environments
In-Reply-To: <199810130418.XAA06571@kemicol.rezidew.net>

Yes, only root can chroot.

You can use 'sudo' (in the ports under security) and a shell script to make
any user able to do this (as long as he can't get out of the shell script).
It can run a script once sudo'd that 'exec su - $USER' to get back to the
user's ID once the chroot is done.

WARNING! A root user can get out of a chroot environment (and remain root).

Then you will discover that you cannot set it "noexec" because the user's
shell will need to have come from the chroot environment.

On Mon, 12 Oct 1998, Graphic Rezidew wrote:

> I am trying to set up 'isolated' environments for certain users on my system
> I want to mount a FS (noexec,nodev,userquota) at point /FAKEROOT and then make dirs
> like ; bin; sbin; etc; blah blah under it.
> Then I would like to have a shell
> script that does something to the effect of:
> #!/bin/sh
> chroot /FAKEROOT /bin/sh
> --EOF--
> The problem that I am running into is that it appears that only root can run
> chroot. If there is a shell that allows chroot'd logins please let me know
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-isp" in the body of the message
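
The sudo-plus-script approach from the reply, as an added example that is not part of the original message: a wrapper meant to be the only command a sudoers rule permits, which refuses uid 0 accounts before it chroots and hands over to su. The function names and the su and sh paths inside the jail are assumptions; /FAKEROOT is the mount point from the question and SUDO_USER is set by sudo.

```sh
#!/bin/sh
# Added example, not code from the thread. /FAKEROOT is the poster's mount point;
# the su and sh paths inside it are assumptions about how the jail is populated.
JAIL=${JAIL:-/FAKEROOT}

# Plain login names only: nothing chroot or su could take for an option or a path.
valid_name() {
    case "$1" in
        ''|-*|.*|*[!A-Za-z0-9_.-]*) return 1 ;;
    esac
    return 0
}

# Refuse any account that maps to uid 0 (on FreeBSD that is "toor" as well as
# "root"): root inside a chroot can get back out of it.
# Assumes the jail's password database gives the name the same uid as the host's.
nonroot_user() {
    uid=$(id -u "$1" 2>/dev/null) || return 1
    [ "$uid" -ne 0 ]
}

# After chroot only files under the jail are visible, so su and the login
# shell have to exist there.
jail_ready() {
    [ -d "$1" ] && [ -x "$1/usr/bin/su" ] && [ -x "$1/bin/sh" ]
}

enter_jail() {
    valid_name "$1"    || { echo "refusing login name" >&2; return 1; }
    nonroot_user "$1"  || { echo "refusing uid 0 or unknown user" >&2; return 1; }
    jail_ready "$JAIL" || { echo "$JAIL is not populated" >&2; return 1; }
    # chroot runs as root (via sudo); su then drops to the caller's own ID
    # before any shell the user controls starts.
    exec chroot "$JAIL" /usr/bin/su - "$1"
}

# Act only when started through sudo, which sets SUDO_USER to the invoking user.
if [ -n "${SUDO_USER:-}" ] && [ "$(id -u)" -eq 0 ]; then
    enter_jail "$SUDO_USER"
fi
```

Because su and the shell must be executable from inside the jail, the file system holding them cannot be mounted noexec, which is the limitation the reply points out.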