From owner-freebsd-questions Mon Nov 13 17:32: 6 2000 Delivered-To: freebsd-questions@freebsd.org Received: from guru.mired.org (okc-65-26-235-186.mmcable.com [65.26.235.186]) by hub.freebsd.org (Postfix) with SMTP id E0A1D37B479 for ; Mon, 13 Nov 2000 17:32:03 -0800 (PST) Received: (qmail 80882 invoked by uid 100); 14 Nov 2000 01:32:03 -0000 From: Mike Meyer MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Message-ID: <14864.38419.48129.325993@guru.mired.org> Date: Mon, 13 Nov 2000 19:32:03 -0600 (CST) To: Lloyd Rennie Cc: questions@freebsd.org Subject: Re: chrooted shell accounts In-Reply-To: <73909714@toto.iv> X-Mailer: VM 6.75 under 21.1 (patch 10) "Capitol Reef" XEmacs Lucid X-face: "5Mnwy%?j>IIV\)A=):rjWL~NB2aH[}Yq8Z=u~vJ`"(,&SiLvbbz2W`;h9L,Yg`+vb1>RG% *h+%X^n0EZd>TM8_IB;a8F?(Fb"lw'IgCoyM.[Lg#r\ Sender: owner-freebsd-questions@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.ORG Lloyd Rennie types: > I have been having difficulty chrooting a user's shell on a machine here, > as detailed below. In this case the user in question is 'derek'. > derek's shell is /usr/local/bin/derekshell, which is a binary file > generated by /usr/local/bin/derekshell.c; > > void main (int argc, char *argv []) { > system("/usr/local/bin/derekshell.sh"); > } > > No rocket Science there. /usr/local/bin/derekshell has been added to > /etc/shells. > /usr/local/bin/derekshell.sh looks like; > > #!/bin/sh > cd /home/derek > id # debug purposes > /usr/sbin/chroot /home/derek /bin/csh > id # debug purposes > > Contrived I know, but more secure to have the binary wrapper when making > things SUID 0. True - but why isn't this a C program? It would be about the same length as all these things, and remove one complication from the system. If you wan to do a chroot as part of a shell script, try doing the chroot in the wrapper, then running the shell script. Which doesn't help with the problem, I know, but you asked for a simpler way to do things. > Permissions are like this; > > - -rwsr-xr-x 1 root bin 8808 Nov 1 17:16 /usr/local/bin/derekshell > - -rw-r--r-- 1 root bin 82 Nov 1 17:16 /usr/local/bin/derekshell.c > - -rwx------ 1 root wheel 69 Nov 1 17:18 /usr/local/bin/derekshell.sh > /home/derek/bin looks like; > > % ls -l > total 1200 > - -r-xr-xr-x 1 derek derek 241664 Nov 1 11:54 csh > - -r-xr-xr-x 1 derek derek 155648 Nov 1 11:54 ls > - -r-xr-xr-x 1 derek derek 126976 Nov 1 11:54 ping > - -r-xr-xr-x 1 derek derek 40960 Nov 1 11:54 pwd > - -r-xr-xr-x 1 derek derek 16384 Nov 1 11:54 traceroute > > If I run /usr/local/bin/derekshell as root, all works perfectly. If I run > it as user derek (invoking it as derek's shell); > > % su - derek > Password: > uid=1008(derek) euid=0(root) gid=996(derek) groups=996(derek) > csh: Permission denied. > uid=1008(derek) euid=0(root) gid=996(derek) groups=996(derek) > % > > > What I want to know is (a) why this is not working, and (b) if there is a > simpler way of doing it. Well, the home directory permissions might have something to do with it. I'd be interested to know where the message is coming from (is it csh complaining that something is wrong, or chroot complaining that something is wrong with /bin/csh).