chroot-ing users coming in via SSH and/or SFTP?

Marton Kenyeres mkenyeres at konvergencia.hu
Mon Dec 20 23:50:32 PST 2004


On Tuesday 21 December 2004 03:30, Brett Glass wrote:
> At 03:19 PM 12/20/2004, Nigel Houghton wrote:
> >Take a look at the Jail project, you'll find it here...
> >
> > http://www.jmcresearch.com/projects/jail/
> >
> >..and in ports/sysutils/ along with some other jail tools, it may
> >provide some of the features you are looking for.
>
> Looks useful. (Shame it's GPLed.) In any case, it seems to me that
> creation of a jail the way this tool does it (and the way most people
> have to do it in general) requires a lot of redundant copies of
> files. Wouldn't it be neat if there were a type of link (not quite
> soft, not quite hard; call it "firm") that would let you link to the
> current master copies of executables (rather than copying them) but
> not let the inmates out of their jails? Hard links have the
> disadvantage that they're broken when you upgrade an executable; soft
> links can't be used because, well, you're in a jail. The type of link
> I have in mind would be symbolic but resolved by the system behind
> the scenes; from inside the jail it wouldn't look like a link.
>
> --Brett

This can be done with nullfs, unionfs or nfs over the loopback 
interface.

BTW, hard drives are quite cheap nowdays, so the main problem with 
redundant copies is not the space they waste, it's that they are hard 
to manage. IMHO `firm` links wont help you a bit.

m.


More information about the freebsd-security mailing list