Date: Thu, 15 Oct 1998 11:45:42 -0600 From: "Aaron D. Gifford" <agifford@infowest.com> To: freebsd-isp@FreeBSD.ORG Cc: Don Lewis <Don.Lewis@tsc.tdk.com>, David Wolfskill <dhw@whistle.com>, rezidew@kemicol.rezidew.net Subject: Re: CHROOT'd environments Message-ID: <362634C6.72829DBF@infowest.com> References: <199810140008.RAA17034@salsa.gv.tsc.tdk.com>
next in thread | previous in thread | raw e-mail | index | archive | help
Don Lewis <Don.Lewis@tsc.tdk.com> wrote: > > You've just described <ftp://ftp.win.tue.nl/pub/security/chrootuid1.2.shar.Z>, > which probably deserves to be a port. This utility is pretty handy for > starting up daemons in their own chrooted jail, but it's not very > convenient to use chrootuid for user logins. The painful part is that > chrootuid needs to be invoked as root and needs the desired uid and > chroot directory as arguments. This means that you'd need to write a > wrapper for it in order to use it as the login shell in /etc/passwd, > and set the uid to 0 in /etc/passwd. > > Wu-ftpd can be configured to automagically chroot certain users by > adding a "/./" in the middle of the path to their home directory to > specify the chroot directory. I'd prefer a tweak to /usr/bin/login to > do the same thing. I recently needed to permit user logins to a chrooted environment and so I whipped up a small wrapper program that runs suid root, sets up the jail, drops root priv.'s permanently, and then executes a shell within the jail. See http://www.eq.net/software/chrsh.html for more info. It was written on and for my own FreeBSD box. Let me repeat Julian Elischer's warning: If the user get's root WITHIN the chroot jail, the user can get out, and once out will STILL BE ROOT! Aaron out. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-isp" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?362634C6.72829DBF>