From owner-freebsd-questions Sat Jun 28 04:37:26 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id EAA17683 for questions-outgoing; Sat, 28 Jun 1997 04:37:26 -0700 (PDT)
Received: from nic.7da.nl (psd@nic.7da.nl [195.108.246.98]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id EAA17678 for ; Sat, 28 Jun 1997 04:37:23 -0700 (PDT)
Received: from gromit.nev.ml.org (root@dial.7da.nl [195.108.246.106]) by nic.7da.nl (8.8.5/7da) with ESMTP id NAA28889; Sat, 28 Jun 1997 13:37:43 +0200
Received: from localhost (paul@localhost [127.0.0.1]) by gromit.nev.ml.org (8.8.5/Gromit) with SMTP id NAA01254; Sat, 28 Jun 1997 13:18:22 +0200
Date: Sat, 28 Jun 1997 13:18:22 +0200 (MET DST)
From: Paul Dekkers
X-Sender: paul@gromit.nev.ml.org
To: Zahemszky Gabor
cc: questions@freebsd.org
Subject: Re: Restricted root
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-questions@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

Hi

>>>> Is it possible to create a user with a different / (root)? I want to
>>>> create users that are NOT able to access the 'real' root, and get a
>>>> limited account this way.
>>>
>>> man 2 chroot
>>> man 8 chroot
>>>
>>> As I know, not very-very good, but it works, if they cannot compile
>>> some programs, etc.
>>
>> But: it's for all users, and not for some users... e.g. with my account
>> and the accounts of some other administrators I want to access the whole
>> system. (And I don't think it's possible to use the chroot prog as
>> non-root?!)
>
> I think you have to write a very little C program and make it his login
> shell. In that program, chdir to some restricted directory, chroot to
> there, and exec his real shell.

OK, but in that case the shell is uid root?! Or do I have to exec a
'/bin/su - user'... Do I have to execute that after chroot?! Or can I just
make something like:

'/usr/sbin/chroot /vol1/safe /bin/su - user' ???

Isn't this a huge security risk? There is a process running as root in that
case... Or is it absolutely safe with the good perms?

I hope you can help me, I really need to restrict some users or they won't
get access anymore ...

-=- Paul.
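An added example, written by the editor and not code from anyone in this thread, of the "very little C program as login shell" approach discussed above, arranged so that the shell the user ends up in is not uid 0. A login shell already runs as the user, so it cannot call chroot(2) unless the binary is installed setuid root; the program therefore chdir()s and chroot()s into the jail while it still has root, drops to the invoking user's real uid and gid (the ones login(1) already set, so no user name is taken from argv and no su inside the jail is needed), verifies that root is really gone, and only then execs the real shell with a fixed environment. The jail path /vol1/safe is the one named in the message; the program name jailsh, the shell path /bin/sh inside the jail and the install mode 4711 are assumptions.

```c
/* jailsh.c: added example of the "tiny C login shell" idea from the thread.
 * Not code from the original message. Hypothetical assumptions: the jail is
 * JAIL_DIR, the shell *inside* the jail is JAIL_SHELL, and this binary is
 * installed setuid root (chown root jailsh; chmod 4711 jailsh) and set as the
 * restricted user's login shell. */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

#define JAIL_DIR   "/vol1/safe"  /* jail path used in the message */
#define JAIL_SHELL "/bin/sh"     /* path relative to the new root; assumption */

/* Confine the calling process to `jail` and permanently drop to uid/gid.
 * Returns 0 only when every step succeeded; -1 (with errno set) otherwise.
 * A shell must never be exec'd unless this returns 0: a chroot with uid 0
 * still in hand is exactly the "process running as root" risk asked about. */
int confine_and_drop(const char *jail, uid_t uid, gid_t gid)
{
    /* Never "drop" to root; the whole point is a non-root shell. */
    if (uid == 0 || gid == 0) {
        errno = EPERM;
        return -1;
    }
    /* Insist on an absolute jail path so the result does not depend on cwd. */
    if (jail == NULL || jail[0] != '/') {
        errno = EINVAL;
        return -1;
    }

    /* 1. Move into the jail, make it the root, then chdir("/") again.
     *    chroot() does not change the cwd: a process whose cwd is outside
     *    the new root can still walk out of it with relative paths. */
    if (chdir(jail) == -1 || chroot(".") == -1 || chdir("/") == -1)
        return -1;

    /* 2. Drop privilege in the only workable order: supplementary groups,
     *    then gid, then uid. After setuid() there is no privilege left to
     *    fix the groups, so they must go first. */
    if (setgroups(1, &gid) == -1 || setgid(gid) == -1 || setuid(uid) == -1)
        return -1;

    /* 3. Check that the drop is real and irreversible. */
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid) {
        errno = EPERM;
        return -1;
    }
    if (setuid(0) != -1) {      /* regaining root must fail */
        errno = EPERM;
        return -1;
    }
    return 0;
}

int main(void)
{
    /* login(1) has already set the real uid/gid to the user; as a setuid-root
     * binary our effective uid is 0. Trust the real ids, not argv. */
    uid_t uid = getuid();
    gid_t gid = getgid();

    if (confine_and_drop(JAIL_DIR, uid, gid) != 0) {
        fprintf(stderr, "jailsh: cannot confine to %s: %s\n",
                JAIL_DIR, strerror(errno));
        return 1;   /* exit rather than run a shell in a half-confined state */
    }

    /* Hand the shell a fixed environment: a setuid program must not pass on
     * whatever the caller set (IFS, ENV, LD_*, ...). argv[0] starting with
     * '-' makes the shell behave as a login shell. */
    char *argv[] = { "-sh", NULL };
    char *envp[] = { "PATH=/bin:/usr/bin", "HOME=/", "SHELL=" JAIL_SHELL, NULL };
    execve(JAIL_SHELL, argv, envp);
    fprintf(stderr, "jailsh: exec %s: %s\n", JAIL_SHELL, strerror(errno));
    return 1;
}
```

Two practical notes on this shape. First, the jail must contain a working /bin/sh plus whatever shared libraries and device nodes it needs, and the administrators' own accounts are unaffected because only the restricted users get jailsh as their login shell. Second, the one-liner form '/usr/sbin/chroot /vol1/safe /bin/su - user' runs su as root inside the new root until su itself switches uid, so it only stays safe as long as the copy of su and the passwd files inside the jail are as trustworthy as the real ones; the program above avoids that window by dropping privilege itself and refusing to exec anything if any step fails.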