From: Gerard Samuel
Date: Tue, 24 Sep 2002 16:28:38 -0400
To: Brossin Pierrick
Cc: FreeBSD Questions
Subject: Re: Chroot
Message-ID: <3D90CAF6.5040300@trini0.org>

Well I figured out why my example below wouldn't work. So this is one for the archive for others who may try what I was doing...

chroot can only be executed by root, and the shell is executed by the user logging in, thus a no go.
So the method of using chroot and/or jail doesn't seem to make sense to be used in what I'm trying to do.
I'm going to explore the restricted bash method.
Thanks for your time...

Gerard Samuel wrote:
> Your first half made total sense, and I was able to lock the root user
> in /home/developer when chroot was executed.
> Your second half however, is not clicking with me at the moment. Here
> is what I did....
> 1.
> Under /home/developer/bin create a new file (my_sh) with this ->
> #!/bin/sh
> /home/developer/bin/sh
> chroot /home/developer/
>
> 2. Chmod the file 555, chown root:wheel
> 3. Enter vipw, and change the user "developer" shell to
> /home/developer/bin/my_sh
>
> With these modifications, I can ssh into the account, but I can still
> "break root" by cd'ing out of the home directory.
>
> Any advice would be greatly appreciated...
> Thanks
>
> Brossin Pierrick wrote:
>
>> Hi,
>>
>> || I'm trying to figure out how to restrict users from leaving their home
>> || directories.
>> || I would enter the new directory /usr/home/developer and issue the
>> || chroot command ->
>> || hivemind# chroot /usr/home/developer
>> || chroot: /bin/csh: No such file or directory
>>
>> It's because a chrooted directory is like the root dir of your system!
>> You have to create 'bin', 'etc' and stuff into /usr/home/developer.
>> You should also copy csh into /usr/home/developer/bin.
>>
>> Your chrooted system will be completely independent of your system.
>> This means if the user developer logs on, he won't be able to access the
>> real /etc for example.
>>
>> I hope I'm clear enough.
>>
>> www.google.com for more info .. just type in "freebsd chroot".
>>
>> || What am I doing wrong??
>> || Also when this is set, how do I make it persist through reboots.
>> || Make my own script in /usr/local/etc/rc.d ???
>> || Thanks for any insight you may provide....
>>
>> Just create a shell script and run it instead of running tcsh or sh
>> or ...
>> run 'vipw' and change it.
>>
>> Cya

-- 
Gerard Samuel
http://www.trini0.org:81/
http://dev.trini0.org:81/

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
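Editor's note, added after the thread and not part of any message in it: the quoted my_sh wrapper could not work for two independent reasons. chroot(2) is a privileged call, and a login shell runs with the user's uid, so the chroot line fails with EPERM; and the script execs /home/developer/bin/sh on the line before chroot is even reached, so the shell the user was given was never confined, which is why "cd .." walked straight out. The way this was done on a 2002-era FreeBSD box is a small setuid-root helper that does the chroot itself and then drops to the user's uid before exec'ing the shell. The program below is an added example written for this page, not code from the thread or from FreeBSD; the helper name chroot_shell, the jail root /home/developer and the in-jail shell path /bin/sh are assumptions. (Much later OpenSSH added a ChrootDirectory option for sshd that removes the need for a helper in the ssh-only case.)

```c
/* chroot_shell: setuid-root login-shell helper.  Added example, not from the
 * thread.  Build: cc -o chroot_shell chroot_shell.c
 * Install: chown root:wheel chroot_shell && chmod 4555 chroot_shell
 * then point the user's passwd shell at it with vipw.
 * Assumed paths: jail root /home/developer, shell /bin/sh inside the jail. */
#define _DEFAULT_SOURCE 1
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Returns 1 if `dir` is a sane chroot root: an existing directory owned by
 * root and not writable by group or others.  A user-writable root lets the
 * user plant files (etc/passwd, lib/libc.so) that the confined shell trusts. */
int jail_root_ok(const char *dir)
{
    struct stat st;
    if (stat(dir, &st) != 0 || !S_ISDIR(st.st_mode))
        return 0;
    return st.st_uid == 0 && (st.st_mode & (S_IWGRP | S_IWOTH)) == 0;
}

/* Confine the calling process to `dir` and drop to uid/gid.
 * Returns 0 on success or -errno.  Order matters:
 *   1. chroot(dir)      - needs root, which is why the sh wrapper got EPERM
 *   2. chdir("/")       - the cwd must be inside the new root, or "cd .."
 *                         from the old cwd walks out of the jail
 *   3. setgroups/setgid/setuid - drop privilege, groups first, uid last
 *   4. verify root is really gone before handing the user a shell */
int enter_chroot(const char *dir, uid_t uid, gid_t gid)
{
    if (chroot(dir) != 0)
        return -errno;           /* -EPERM when called without root */
    if (chdir("/") != 0)
        return -errno;
    if (setgroups(1, &gid) != 0 || setgid(gid) != 0 || setuid(uid) != 0)
        return -errno;
    if (uid != 0 && setuid(0) == 0)
        return -EACCES;          /* privilege drop did not stick: refuse */
    return 0;
}

int main(void)
{
    const char *root  = "/home/developer";   /* assumed jail root */
    const char *shell = "/bin/sh";           /* path *inside* the jail */
    /* Real uid/gid are the login user's; effective uid is root via setuid bit. */
    uid_t uid = getuid();
    gid_t gid = getgid();
    int rc;

    if (!jail_root_ok(root)) {
        fprintf(stderr, "chroot_shell: %s: not a root-owned, non-writable dir\n", root);
        return 1;
    }
    rc = enter_chroot(root, uid, gid);
    if (rc != 0) {
        fprintf(stderr, "chroot_shell: %s: %s\n", root, strerror(-rc));
        return 1;
    }
    execl(shell, "-sh", (char *)0);   /* "-sh" makes it a login shell */
    perror(shell);
    return 1;
}
```

The jail still has to be populated as Brossin described: /bin/sh plus the shared libraries it links against (or a statically linked sh), a minimal etc/passwd, and whatever tools the user needs. Keep setuid binaries and hard links to them out of the tree, since a setuid program that regains uid 0 inside the jail can chroot its way out; with the uid dropped as above, the classic root-only chroot escapes no longer apply.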