chroot-ing users coming in via SSH and/or SFTP?

Brett Glass brett at lariat.org
Mon Dec 20 18:30:09 PST 2004


At 03:19 PM 12/20/2004, Nigel Houghton wrote:

>Take a look at the Jail project, you'll find it here...
>
> http://www.jmcresearch.com/projects/jail/
>
>..and in ports/sysutils/ along with some other jail tools, it may 
>provide some of the features you are looking for.

Looks useful. (Shame it's GPLed.) In any case, it seems to me that
creation of a jail the way this tool does it (and the way most people
have to do it in general) requires a lot of redundant copies of files. 
Wouldn't it be neat if there were a type of link (not quite soft, not
quite hard; call it "firm") that would let you link to the current 
master copies of executables (rather than copying them) but not
let the inmates out of their jails? Hard links have the disadvantage 
that they're broken when you upgrade an executable; soft links can't
be used because, well, you're in a jail. The type of link I have in
mind would be symbolic but resolved by the system behind the scenes;
from inside the jail it wouldn't look like a link.

--Brett



More information about the freebsd-security mailing list