Date:      Tue, 14 Nov 2000 10:31:46 +0000 (GMT)
From:      Lloyd Rennie <lloyd@vbc.net>
To:        Mike Meyer <mwm@mired.org>
Cc:        questions@freebsd.org
Subject:   Re: chrooted shell accounts
Message-ID:  <Pine.BSF.4.10.10011141006030.33726-100000@brunel.uk1.vbc.net>
In-Reply-To: <14864.38419.48129.325993@guru.mired.org>

On Mon, 13 Nov 2000, Mike Meyer wrote:
> Lloyd Rennie <lloyd@vbc.net> types:
> > I have been having difficulty chrooting a user's shell on a machine here,
> > as detailed below.  In this case the user in question is 'derek'.
> > derek's shell is /usr/local/bin/derekshell, which is a binary file
> > generated by /usr/local/bin/derekshell.c;
> > 
> > #include <stdlib.h>
> > 
> > int main (int argc, char *argv []) {
> >   system("/usr/local/bin/derekshell.sh");
> >   return 0;
> > }
> > 
> > No rocket Science there. /usr/local/bin/derekshell has been added to
> > /etc/shells.
> > /usr/local/bin/derekshell.sh looks like;
> > 
> > #!/bin/sh
> > cd /home/derek
> > id	# debug purposes
> > /usr/sbin/chroot /home/derek /bin/csh
> > id	# debug purposes
> > 
> > Contrived I know, but more secure to have the binary wrapper when making
> > things SUID 0.
> 
> True - but why isn't this a C program? It would be about the same
> length as all these things, and remove one complication from the
> system. If you want to do a chroot as part of a shell script, try doing
> the chroot in the wrapper, then running the shell script. Which
> doesn't help with the problem, I know, but you asked for a simpler way
> to do things.

s'a good point.
 
> > Permissions are like this;
> > 
> > -rwsr-xr-x  1 root  bin    8808 Nov  1 17:16 /usr/local/bin/derekshell
> > -rw-r--r--  1 root  bin      82 Nov  1 17:16 /usr/local/bin/derekshell.c
> > -rwx------  1 root  wheel    69 Nov  1 17:18 /usr/local/bin/derekshell.sh
> > /home/derek/bin looks like;
> > 
> > % ls -l
> > total 1200
> > -r-xr-xr-x  1 derek  derek  241664 Nov  1 11:54 csh
> > -r-xr-xr-x  1 derek  derek  155648 Nov  1 11:54 ls
> > -r-xr-xr-x  1 derek  derek  126976 Nov  1 11:54 ping
> > -r-xr-xr-x  1 derek  derek   40960 Nov  1 11:54 pwd
> > -r-xr-xr-x  1 derek  derek   16384 Nov  1 11:54 traceroute
> > 
> > If I run /usr/local/bin/derekshell as root, all works perfectly.  If I run
> > it as user derek (invoking it as derek's shell);
> >
> > % su - derek
> > Password:
> > uid=1008(derek) euid=0(root) gid=996(derek) groups=996(derek)
> > csh: Permission denied.
> > uid=1008(derek) euid=0(root) gid=996(derek) groups=996(derek)
> > % 
> > 
> > 
> > What I want to know is (a) why this is not working, and (b) if there is a
> > simpler way of doing it.
> 
> Well, the home directory permissions might have something to do with
> it.

drwxr-xr-x  3 derek  derek  512 Nov  1 11:53 /home/derek

Replaced my derekshell bin with a new one as you suggested.

#include <stdlib.h>

int main (int argc, char *argv []) {
  system("cd /home/derek; /usr/sbin/chroot /home/derek /bin/csh");
  return 0;
}

However, as you say, this makes no difference.

> I'd be interested to know where the message is coming from (is it
> csh complaining that something is wrong, or chroot complaining that
> something is wrong with /bin/csh).

A good question.  How the hell do I tell?

--
Lloyd Rennie                   VBCnet GB Ltd	             lloyd@vbc.net
tel +44 (0) 117 929 1316    http://www.vbc.net    fax +44 (0) 117 927 2015


