Date: Tue, 13 Oct 1998 17:08:55 -0700
From: Don Lewis <Don.Lewis@tsc.tdk.com>
To: David Wolfskill <dhw@whistle.com>, freebsd-isp@FreeBSD.ORG, rezidew@kemicol.rezidew.net
Subject: Re: CHROOT'd environments
Message-ID: <199810140008.RAA17034@salsa.gv.tsc.tdk.com>
In-Reply-To: David Wolfskill <dhw@whistle.com> "Re: CHROOT'd environments" (Oct 13, 9:18am)

On Oct 13, 9:18am, David Wolfskill wrote:
} Subject: Re: CHROOT'd environments
} >Date: Mon, 12 Oct 1998 23:18:03 -0500 (CDT)
} >From: Graphic Rezidew <rezidew@kemicol.rezidew.net>
}
} >The problem that I am running into is that it appears that only root can run
} >chroot. If there is a shell that allows chroot'd logins please let me know
}
} The chroot() system call may only be invoked by a process with
} effective uid of 0 (root). Thus, any such shell would either need to be
} invoked by root or would need to be setuid root.
}
} The former would not seem to be a useful exercise.
}
} The latter, though tricky, may be doable; you would need to write your
} own program which would set up the chroot'ed environment, perform the
} chroot, and then relinquish root privileges irrevocably. It would
} probably also exec a more common shell just before giving the user
} control. You would need to be certain that the program will handle
} various conditions, some of which may well be pathological, in a known
} and acceptable manner.

You've just described <ftp://ftp.win.tue.nl/pub/security/chrootuid1.2.shar.Z>,
which probably deserves to be a port.

This utility is pretty handy for starting up daemons in their own chrooted
jail, but it's not very convenient to use chrootuid for user logins. The
painful part is that chrootuid needs to be invoked as root and needs the
desired uid and chroot directory as arguments. This means that you'd need
to write a wrapper for it in order to use it as the login shell in
/etc/passwd, and set the uid to 0 in /etc/passwd.

Wu-ftpd can be configured to automagically chroot certain users by adding
a "/./" in the middle of the path to their home directory to specify the
chroot directory. I'd prefer a tweak to /usr/bin/login to do the same thing.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-isp" in the body of the message
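
Added example, not part of the original message and not code from chrootuid, wu-ftpd or login: a C sketch of the two pieces a login-side wrapper would need, splitting a "/./" home directory into chroot directory and in-jail home, then chrooting and giving up root irrevocably. The function names split_chroot_home and enter_jail are hypothetical, and the caller is assumed to be running as root with pw_dir, uid and gid taken from the user's passwd entry.

```c
/* Added example: hypothetical helpers for a "/./"-style chroot login wrapper. */
#define _DEFAULT_SOURCE
#include <grp.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Split "/jail/./home/u" into root="/jail" and home="/home/u".
 * Returns 0 on success, -1 if there is no usable "/./" marker
 * or one of the output buffers is too small. */
int split_chroot_home(const char *dir, char *root, size_t rlen,
                      char *home, size_t hlen)
{
    const char *mark = strstr(dir, "/./");
    if (mark == NULL || mark == dir)     /* no marker, or jail would be "/" */
        return -1;
    size_t n = (size_t)(mark - dir);
    if (n >= rlen || strlen(mark + 2) >= hlen)
        return -1;
    memcpy(root, dir, n);
    root[n] = '\0';
    strcpy(home, mark + 2);              /* keeps the leading '/' */
    return 0;
}

/* Enter the jail and drop root for good. Order matters: chroot while
 * still root, then supplementary groups, then gid, and uid last.
 * Returns 0 on success, -1 on any failure (caller must then exit,
 * never exec a shell). */
int enter_jail(const char *root, const char *home, uid_t uid, gid_t gid)
{
    if (uid == 0 || gid == 0)            /* refuse to "drop" to root */
        return -1;
    if (chdir(root) != 0 || chroot(".") != 0)
        return -1;                       /* cwd is now inside the jail */
    if (chdir(home) != 0 && chdir("/") != 0)
        return -1;
    if (setgroups(1, &gid) != 0 || setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    if (setuid(0) == 0 || seteuid(0) == 0)
        return -1;                       /* regaining root must fail */
    return 0;
}
```

Only after enter_jail() returns 0 would the wrapper exec the user's shell, using a path that exists inside the jail.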