Date: Mon, 13 Nov 2000 19:32:03 -0600 (CST)
From: Mike Meyer <mwm@mired.org>
To: Lloyd Rennie <lloyd@vbc.net>
Cc: questions@freebsd.org
Subject: Re: chrooted shell accounts
Message-ID: <14864.38419.48129.325993@guru.mired.org>
In-Reply-To: <73909714@toto.iv>

Lloyd Rennie <lloyd@vbc.net> types:
> I have been having difficulty chrooting a user's shell on a machine here,
> as detailed below. In this case the user in question is 'derek'.
> derek's shell is /usr/local/bin/derekshell, which is a binary file
> generated by /usr/local/bin/derekshell.c;
>
> void main (int argc, char *argv []) {
>         system("/usr/local/bin/derekshell.sh");
> }
>
> No rocket science there. /usr/local/bin/derekshell has been added to
> /etc/shells.
> /usr/local/bin/derekshell.sh looks like;
>
> #!/bin/sh
> cd /home/derek
> id # debug purposes
> /usr/sbin/chroot /home/derek /bin/csh
> id # debug purposes
>
> Contrived I know, but more secure to have the binary wrapper when making
> things SUID 0.

True - but why isn't this a C program? It would be about the same
length as all these things, and remove one complication from the
system. If you want to do a chroot as part of a shell script, try doing
the chroot in the wrapper, then running the shell script.

Which doesn't help with the problem, I know, but you asked for a
simpler way to do things.

> Permissions are like this;
>
> -rwsr-xr-x 1 root bin 8808 Nov 1 17:16 /usr/local/bin/derekshell
> -rw-r--r-- 1 root bin 82 Nov 1 17:16 /usr/local/bin/derekshell.c
> -rwx------ 1 root wheel 69 Nov 1 17:18 /usr/local/bin/derekshell.sh
> /home/derek/bin looks like;
>
> % ls -l
> total 1200
> -r-xr-xr-x 1 derek derek 241664 Nov 1 11:54 csh
> -r-xr-xr-x 1 derek derek 155648 Nov 1 11:54 ls
> -r-xr-xr-x 1 derek derek 126976 Nov 1 11:54 ping
> -r-xr-xr-x 1 derek derek 40960 Nov 1 11:54 pwd
> -r-xr-xr-x 1 derek derek 16384 Nov 1 11:54 traceroute
>
> If I run /usr/local/bin/derekshell as root, all works perfectly. If I run
> it as user derek (invoking it as derek's shell);
>
> % su - derek
> Password:
> uid=1008(derek) euid=0(root) gid=996(derek) groups=996(derek)
> csh: Permission denied.
> uid=1008(derek) euid=0(root) gid=996(derek) groups=996(derek)
> %
>
>
> What I want to know is (a) why this is not working, and (b) if there is a
> simpler way of doing it.

Well, the home directory permissions might have something to do with
it. I'd be interested to know where the message is coming from (is it
csh complaining that something is wrong, or chroot complaining that
something is wrong with /bin/csh).

	<mike
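
The reply above suggests doing the chroot in the C wrapper itself. An example of such a wrapper follows; it is added here and is not code from Lloyd or Mike. It enters the jail, permanently drops root before the shell starts (so the shell does not run with euid 0 as in the id output above), and execs the shell with a fixed environment. The paths come from the thread; the function names and environment values are assumptions.

```c
#define _DEFAULT_SOURCE        /* exposes chroot() and setgroups() on glibc */
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Paths taken from the thread; function names are hypothetical. */
#define JAIL  "/home/derek"
#define SHELL "/bin/csh"       /* resolved inside the jail after chroot() */

/* Enter the jail. Needs euid 0; returns 0 on success, -1 with errno set. */
int enter_jail(const char *jail)
{
    if (chdir(jail) != 0) return -1;   /* be inside before chroot() */
    if (chroot(".") != 0) return -1;
    return chdir("/");                 /* cwd must not point outside the jail */
}

/* Permanently give up root: supplementary groups, then gid, then uid. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(1, &gid) != 0) return -1;
    if (setgid(gid) != 0) return -1;   /* gid first: needs root to change */
    if (setuid(uid) != 0) return -1;   /* with euid 0: sets real, effective, saved */
    /* Verify: a non-root user must not be able to get euid 0 back. */
    if (uid != 0 && (setuid(0) == 0 || geteuid() == 0)) return -1;
    return 0;
}

int main(void)
{
    /* Fixed environment so nothing inherited reaches the shell. */
    char *const envp[] = { "PATH=/bin", "HOME=/", "SHELL=" SHELL, NULL };
    char *const argv[] = { "-csh", NULL };     /* leading '-' = login shell */

    if (enter_jail(JAIL) != 0) { perror("enter_jail"); return 1; }
    if (drop_privileges(getuid(), getgid()) != 0) {
        perror("drop_privileges");
        return 1;
    }
    execve(SHELL, argv, envp);         /* only returns on failure */
    perror("execve " SHELL);
    return 1;
}
```

Installed setuid root as the login shell, this replaces both the system() wrapper and the shell script, so no root-privileged /bin/sh runs at all.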