Date: Tue, 14 Nov 2000 11:14:35 -0500 (EST)
From: Matthew George
To: Lloyd Rennie
Cc: questions@freebsd.org
Subject: Re: chrooted shell accounts

You may want to take a look at the jail facility if you haven't already...

jail(2,8)

On Mon, 13 Nov 2000, Lloyd Rennie wrote:

> Date: Mon, 13 Nov 2000 13:22:36 +0000 (GMT)
> From: Lloyd Rennie
> To: questions@freebsd.org
> Subject: chrooted shell accounts
>
> I have been having difficulty chrooting a user's shell on a machine here,
> as detailed below. In this case the user in question is 'derek'.
>
> derek's shell is /usr/local/bin/derekshell, which is a binary file
> generated by /usr/local/bin/derekshell.c;
>
> void main (int argc, char *argv []) {
>   system("/usr/local/bin/derekshell.sh");
> }
>
> No rocket science there. /usr/local/bin/derekshell has been added to
> /etc/shells.
>
> /usr/local/bin/derekshell.sh looks like;
>
> #!/bin/sh
> cd /home/derek
> id # debug purposes
> /usr/sbin/chroot /home/derek /bin/csh
> id # debug purposes
>
> Contrived I know, but more secure to have the binary wrapper when making
> things SUID 0.
>
> Permissions are like this;
>
> -rwsr-xr-x 1 root bin 8808 Nov 1 17:16 /usr/local/bin/derekshell
> -rw-r--r-- 1 root bin 82 Nov 1 17:16 /usr/local/bin/derekshell.c
> -rwx------ 1 root wheel 69 Nov 1 17:18 /usr/local/bin/derekshell.sh
>
> /home/derek/bin looks like;
>
> % ls -l
> total 1200
> -r-xr-xr-x 1 derek derek 241664 Nov 1 11:54 csh
> -r-xr-xr-x 1 derek derek 155648 Nov 1 11:54 ls
> -r-xr-xr-x 1 derek derek 126976 Nov 1 11:54 ping
> -r-xr-xr-x 1 derek derek 40960 Nov 1 11:54 pwd
> -r-xr-xr-x 1 derek derek 16384 Nov 1 11:54 traceroute
>
> If I run /usr/local/bin/derekshell as root, all works perfectly. If I run
> it as user derek (invoking it as derek's shell);
>
> % su - derek
> Password:
> uid=1008(derek) euid=0(root) gid=996(derek) groups=996(derek)
> csh: Permission denied.
> uid=1008(derek) euid=0(root) gid=996(derek) groups=996(derek)
> %
>
> What I want to know is (a) why this is not working, and (b) if there is a
> simpler way of doing it.
>
> TIA - please reply direct as I am not currently a list subscriber.
>
> --
> Lloyd Rennie VBCnet GB Ltd lloyd@vbc.net
> tel +44 (0) 117 929 1316 http://www.vbc.net fax +44 (0) 117 927 2015
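
Added example, not part of the original thread and not code from either poster: the `id` output quoted above shows the shell being started with real uid 1008 and effective uid 0, and the wrapper reaches it through `system()` on a script. The C sketch below shows the usual hardened shape for such a setuid wrapper: enter the chroot while still privileged, then permanently set real and effective ids to the invoking user before `execve` with a fixed environment. The function name, the refusal to run for uid 0, and the argv/environment values are assumptions of this example; the paths are the ones from the thread.

```c
/* Added example: chroot wrapper that gives up setuid-root before exec. */
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE            /* glibc: declare chroot() and setgroups() */
#endif
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Enter `root`, then permanently become uid/gid. 0 on success, -1 + errno. */
int enter_chroot_and_drop(const char *root, uid_t uid, gid_t gid)
{
    if (root == NULL || root[0] != '/') { errno = EINVAL; return -1; }
    /* Design choice of this example: never leave a root shell in the jail. */
    if (uid == 0 || gid == 0) { errno = EPERM; return -1; }

    if (chdir(root) != 0)  return -1;
    if (chroot(root) != 0) return -1;      /* requires effective uid 0 */
    if (chdir("/") != 0)   return -1;      /* no cwd handle outside the jail */

    /* Order matters: supplementary groups and gid first, uid last. */
    if (setgroups(1, &gid) != 0) return -1;
    if (setgid(gid) != 0)        return -1;
    if (setuid(uid) != 0)        return -1; /* as root: sets real, effective, saved */

    /* Confirm the drop cannot be undone and that real == effective. */
    if (setuid(0) == 0 || getuid() != uid || geteuid() != uid) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

int main(void)
{
    /* Paths taken from the thread; argv and environment are assumed values. */
    char *const argv[] = { "csh", NULL };
    char *const envp[] = { "PATH=/bin", "HOME=/", NULL };

    if (enter_chroot_and_drop("/home/derek", getuid(), getgid()) != 0) {
        perror("derekshell");
        return 1;
    }
    execve("/bin/csh", argv, envp);        /* path is relative to the new root */
    perror("execve");
    return 1;
}
```

The binary would be installed setuid root as in the thread; everything the shell needs (libraries, `/etc` files) must exist under the new root.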