chroot-ing users coming in via SSH and/or SFTP?

Tom McLaughlin tmclaugh at sdf.lonestar.org
Mon Dec 20 21:00:42 PST 2004


On Mon, 2004-12-20 at 19:30 -0700, Brett Glass wrote:
> At 03:19 PM 12/20/2004, Nigel Houghton wrote:
> 
> >Take a look at the Jail project, you'll find it here...
> >
> > http://www.jmcresearch.com/projects/jail/
> >
> >..and in ports/sysutils/ along with some other jail tools, it may 
> >provide some of the features you are looking for.
> 
> Looks useful. (Shame it's GPLed.) In any case, it seems to me that
> creation of a jail the way this tool does it (and the way most people
> have to do it in general) requires a lot of redundant copies of files. 
> Wouldn't it be neat if there were a type of link (not quite soft, not
> quite hard; call it "firm") that would let you link to the current 
> master copies of executables (rather than copying them) but not
> let the inmates out of their jails? Hard links have the disadvantage 
> that they're broken when you upgrade an executable; soft links can't
> be used because, well, you're in a jail. The type of link I have in
> mind would be symbolic but resolved by the system behind the scenes;
> from inside the jail it wouldn't look like a link.
> 
> --Brett
> 

FreeBSD has its own jail (8) system which might be useful but yes it
requires redundant files.  You could also look at using a restricted
shell (pdksh has he option but I'm not sure about csh) as well.  I'm
looking at doing anonymous cvs over ssh where i formerly used a jail.  I
haven't tried it yet but a restricted shell looks like it may provide me
with what I need.

Last time I did an sftp jail I believe I used chrsh which can be found
here:

http://www.aarongifford.com/computers/chrsh.html

Tom
-- 

BSD# Project - Porting Mono to FreeBSD
http://forge.novell.com/modules/xfmod/project/?bsd-sharp



More information about the freebsd-security mailing list