From owner-freebsd-isp  Thu Oct 15 10:46:42 1998
Return-Path: <owner-freebsd-isp@FreeBSD.ORG>
Received: (from majordom@localhost)
          by hub.freebsd.org (8.8.8/8.8.8) id KAA28532
          for freebsd-isp-outgoing; Thu, 15 Oct 1998 10:46:42 -0700 (PDT)
          (envelope-from owner-freebsd-isp@FreeBSD.ORG)
Received: from infowest.com (ns1.infowest.com [204.17.177.10])
          by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id KAA28527
          for <freebsd-isp@FreeBSD.ORG>; Thu, 15 Oct 1998 10:46:39 -0700 (PDT)
          (envelope-from agifford@infowest.com)
Received: from infowest.com (eq.net [207.49.60.250])
	by infowest.com (8.8.8/8.8.8) with ESMTP id LAA11773;
	Thu, 15 Oct 1998 11:45:53 -0600 (MDT)
Message-ID: <362634C6.72829DBF@infowest.com>
Date: Thu, 15 Oct 1998 11:45:42 -0600
From: "Aaron D. Gifford" <agifford@infowest.com>
X-Mailer: Mozilla 4.05 [en] (X11; U; FreeBSD 2.2.7-STABLE i386)
MIME-Version: 1.0
To: freebsd-isp@FreeBSD.ORG
CC: Don Lewis <Don.Lewis@tsc.tdk.com>, David Wolfskill <dhw@whistle.com>,
        rezidew@kemicol.rezidew.net
Subject: Re: CHROOT'd environments
References: <199810140008.RAA17034@salsa.gv.tsc.tdk.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-isp@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Don Lewis <Don.Lewis@tsc.tdk.com> wrote:
> 
> You've just described <ftp://ftp.win.tue.nl/pub/security/chrootuid1.2.shar.Z>,
> which probably deserves to be a port.  This utility is pretty handy for
> starting up daemons in their own chrooted jail, but it's not very
> convenient to use chrootuid for user logins.  The painful part is that
> chrootuid needs to be invoked as root and needs the desired uid and
> chroot directory as arguments.  This means that you'd need to write a
> wrapper for it in order to use it as the login shell in /etc/passwd,
> and set the uid to 0 in /etc/passwd.
> 
> Wu-ftpd can be configured to automagically chroot certain users by
> adding a "/./" in the middle of the path to their home directory to
> specify the chroot directory.  I'd prefer a tweak to /usr/bin/login to
> do the same thing.

I recently needed to permit user logins to a chrooted environment and so I
whipped up a small wrapper program that runs suid root, sets up the jail,
drops root priv.'s permanently, and then executes a shell within the jail. 
See http://www.eq.net/software/chrsh.html for more info.  It was written on
and for my own FreeBSD box.

Let me repeat  Julian Elischer's warning: If the user get's root WITHIN the
chroot jail, the user can get out, and once out will STILL BE ROOT!

Aaron out.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-isp" in the body of the message