chroot-ing users coming in via SSH and/or SFTP?
Tom McLaughlin
tmclaugh at sdf.lonestar.org
Mon Dec 20 21:00:42 PST 2004
On Mon, 2004-12-20 at 19:30 -0700, Brett Glass wrote:
> At 03:19 PM 12/20/2004, Nigel Houghton wrote:
>
> >Take a look at the Jail project, you'll find it here...
> >
> > http://www.jmcresearch.com/projects/jail/
> >
> >..and in ports/sysutils/ along with some other jail tools, it may
> >provide some of the features you are looking for.
>
> Looks useful. (Shame it's GPLed.) In any case, it seems to me that
> creation of a jail the way this tool does it (and the way most people
> have to do it in general) requires a lot of redundant copies of files.
> Wouldn't it be neat if there were a type of link (not quite soft, not
> quite hard; call it "firm") that would let you link to the current
> master copies of executables (rather than copying them) but not
> let the inmates out of their jails? Hard links have the disadvantage
> that they're broken when you upgrade an executable; soft links can't
> be used because, well, you're in a jail. The type of link I have in
> mind would be symbolic but resolved by the system behind the scenes;
> from inside the jail it wouldn't look like a link.
>
> --Brett
>
FreeBSD has its own jail (8) system which might be useful but yes it
requires redundant files. You could also look at using a restricted
shell (pdksh has he option but I'm not sure about csh) as well. I'm
looking at doing anonymous cvs over ssh where i formerly used a jail. I
haven't tried it yet but a restricted shell looks like it may provide me
with what I need.
Last time I did an sftp jail I believe I used chrsh which can be found
here:
http://www.aarongifford.com/computers/chrsh.html
Tom
--
BSD# Project - Porting Mono to FreeBSD
http://forge.novell.com/modules/xfmod/project/?bsd-sharp
More information about the freebsd-security
mailing list