Date: Tue, 14 Nov 2000 10:31:46 +0000 (GMT) From: Lloyd Rennie <lloyd@vbc.net> To: Mike Meyer <mwm@mired.org> Cc: questions@freebsd.org Subject: Re: chrooted shell accounts Message-ID: <Pine.BSF.4.10.10011141006030.33726-100000@brunel.uk1.vbc.net> In-Reply-To: <14864.38419.48129.325993@guru.mired.org>
next in thread | previous in thread | raw e-mail | index | archive | help
On Mon, 13 Nov 2000, Mike Meyer wrote:
> Lloyd Rennie <lloyd@vbc.net> types:
> > I have been having difficulty chrooting a user's shell on a machine here,
> > as detailed below. In this case the user in question is 'derek'.
> > derek's shell is /usr/local/bin/derekshell, which is a binary file
> > generated by /usr/local/bin/derekshell.c;
> >
> > void main (int argc, char *argv []) {
> > system("/usr/local/bin/derekshell.sh");
> > }
> >
> > No rocket Science there. /usr/local/bin/derekshell has been added to
> > /etc/shells.
> > /usr/local/bin/derekshell.sh looks like;
> >
> > #!/bin/sh
> > cd /home/derek
> > id # debug purposes
> > /usr/sbin/chroot /home/derek /bin/csh
> > id # debug purposes
> >
> > Contrived I know, but more secure to have the binary wrapper when making
> > things SUID 0.
>
> True - but why isn't this a C program? It would be about the same
> length as all these things, and remove one complication from the
> system. If you wan to do a chroot as part of a shell script, try doing
> the chroot in the wrapper, then running the shell script. Which
> doesn't help with the problem, I know, but you asked for a simpler way
> to do things.
s'a good point.
> > Permissions are like this;
> >
> > - -rwsr-xr-x 1 root bin 8808 Nov 1 17:16 /usr/local/bin/derekshell
> > - -rw-r--r-- 1 root bin 82 Nov 1 17:16 /usr/local/bin/derekshell.c
> > - -rwx------ 1 root wheel 69 Nov 1 17:18 /usr/local/bin/derekshell.sh
> > /home/derek/bin looks like;
> >
> > % ls -l
> > total 1200
> > - -r-xr-xr-x 1 derek derek 241664 Nov 1 11:54 csh
> > - -r-xr-xr-x 1 derek derek 155648 Nov 1 11:54 ls
> > - -r-xr-xr-x 1 derek derek 126976 Nov 1 11:54 ping
> > - -r-xr-xr-x 1 derek derek 40960 Nov 1 11:54 pwd
> > - -r-xr-xr-x 1 derek derek 16384 Nov 1 11:54 traceroute
> >
> > If I run /usr/local/bin/derekshell as root, all works perfectly. If I run
> > it as user derek (invoking it as derek's shell);
> >
> > % su - derek
> > Password:
> > uid=1008(derek) euid=0(root) gid=996(derek) groups=996(derek)
> > csh: Permission denied.
> > uid=1008(derek) euid=0(root) gid=996(derek) groups=996(derek)
> > %
> >
> >
> > What I want to know is (a) why this is not working, and (b) if there is a
> > simpler way of doing it.
>
> Well, the home directory permissions might have something to do with
> it.
drwxr-xr-x 3 derek derek 512 Nov 1 11:53 /home/derek
Replaced my derekshell bin with a new one as you suggested.
void main (int argc, char *argv []) {
system("cd /home/derek; /usr/sbin/chroot /home/derek /bin/csh");
}
However, as you say, this makes no difference.
> I'd be interested to know where the message is coming from (is it
> csh complaining that something is wrong, or chroot complaining that
> something is wrong with /bin/csh).
A good question. How the hell do I tell?
--
Lloyd Rennie VBCnet GB Ltd lloyd@vbc.net
tel +44 (0) 117 929 1316 http://www.vbc.net fax +44 (0) 117 927 2015
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.4.10.10011141006030.33726-100000>