[NCLUG] chroot login
M Butcher
mbutcher at aleph-null.tv
Mon Feb 3 09:12:22 MST 2003
Have you looked at running bash in restricted mode? It is built for the
sort of thing that I think you are trying to do. I've used it in the
past to give operators the ability to log in and use (only) the tools in
their home directories.
See the section RESTRICTED SHELL in the bash man page.
Matt
On Mon, 2003-02-03 at 02:52, Patrick Riedel wrote:
> I'd like to constrain certain users to their home directories. I've
> tried several different methods, none are great/easy. Maybe I'm missing
> an obvious tool. If so, please help! :)
>
> Here's what I've come up with. Is this safe? If not, how can it be
> compromised? TIA!
>
> ---
>
> 1. Create a fake shell script (/bin/chrt-shell):
>
> #!/bin/bash
> #
> /usr/sbin/chroot /home/$USER /usr/bin/env -i HOME=/home \
> /bin/bash --login
>
> 2. Make script executable: chmod 755 /bin/chrt-shell
>
> 3. Create a chroot group: groupadd chrtgrp
>
> 4. Make chroot SUID root for the chrtgrp:
>
> chgrp chrtgrp /usr/sbin/chroot
> chmod 4750 /usr/sbin/chroot
>
> 5. Create user's home directory:
>
> mkdir /home/myuser
> mkdir /home/myuser/etc
> mkdir /home/myuser/dev
> mkdir /home/myuser/bin
> mkdir /home/myuser/lib
> mkdir /home/myuser/usr
> mkdir /home/myuser/usr/bin
> mkdir /home/myuser/home
> (etc., etc.)
>
> 6. Add user, add to chrtgrp, set password, take ownership of home
> directory:
>
> useradd -d /home/myuser -G chrtgrp -M -s /bin/chrt-shell myuser
> passwd myuser
> chown myuser:myuser /home/myuser/home
>
> 7. Copy necessary binaries and libraries. Example:
>
> (bash): cp /bin/bash /home/myuser/bin/
> ldd /bin/bash (and cp libs to /home/myuser/lib)
>
> (utilities): cd /bin
> cp ls cp mv rm grep more /home/myuser/bin/
> cd /usr/bin
> cp less
> ldd <util> (and copy libs to /home/myuser/lib)
> (etc., etc.)
>
> (env): cp /usr/bin/env /home/myuser/usr/bin/
> ldd /usr/bin/env (cp libs to /home/myuser/lib)
>
> ---
>
> I can probably save time in Step 5 by using the /etc/skel dir, but I'm
> not familiar with that yet.
>
> Thanks again for any help.
>
>
> Patrick
>
> _______________________________________________
> NCLUG mailing list NCLUG at nclug.org
>
> To unsubscribe, subscribe, or modify your settings, go to:
> http://www.nclug.org/mailman/listinfo/nclug
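The script below is an added example for this thread; it is not code from Matt's or Patrick's mail. It turns step 7 of the quoted procedure (copying a binary plus the libraries ldd lists) into a function, and adds the audit a defender would run before answering "is this safe?": no setuid/setgid files inside the jail, nothing group- or world-writable, and nothing outside the user's own writable subtree owned by anyone but root. The paths /home/myuser and /bin/bash come from the quoted post; the subtree name "work" is an assumption, and the audit takes the expected owner as an argument so it can be exercised without privileges.

```shell
#!/bin/bash
# Added example, not from the original thread. Helpers for populating a
# chroot jail from ldd output and for auditing the result. Run as root when
# used for real; the owner argument to audit_jail is normally "root".

# ldd_paths: read ldd output on stdin, print one absolute library path per
# line. The shapes ldd prints, and what is done with each:
#   libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x...)  -> path is field 3
#   /lib64/ld-linux-x86-64.so.2 (0x...)                  -> the loader, field 1
#   linux-vdso.so.1 (0x...)                              -> no file, skipped
#   libfoo.so => not found                               -> warned, skipped
ldd_paths() {
    awk '
        / => not found/ { print "missing library: " $1 > "/dev/stderr"; next }
        / => \//        { print $3; next }
        /^[ \t]*\//     { print $1 }
    '
}

# copy_with_libs BIN ROOT: copy BIN and every library ldd reports into ROOT,
# keeping each file at its original absolute path. The dynamic loader looks
# for the same paths inside the jail, so /lib64/ld-linux-x86-64.so.2 must
# stay at ROOT/lib64, not be moved into ROOT/lib as step 7 does by hand.
copy_with_libs() {
    local bin=$1 root=$2 lib
    install -D -m 0755 "$bin" "$root$bin"
    ldd "$bin" | ldd_paths | while read -r lib; do
        install -D -m 0755 "$lib" "$root$lib"
    done
}

# audit_jail ROOT OWNER [WRITABLE]: report the mistakes that turn a jail into
# a path out of it. Returns 0 when clean, 1 when anything was found.
#   1. setuid/setgid files inside ROOT
#   2. files or directories writable by group or other anywhere in ROOT
#      (symlinks are skipped; their mode bits are meaningless)
#   3. anything outside ROOT/WRITABLE not owned by OWNER: a user who can
#      replace ROOT/bin/bash or ROOT/lib/libc.so.6 decides what runs there
# The same three checks apply to a restricted-bash home: the profile files
# and the bin directory PATH points at must not be writable by the user.
audit_jail() {
    local root=$1 owner=$2 writable=${3:-work} bad=0
    local findings

    findings=$(find "$root" -xdev -type f \( -perm -4000 -o -perm -2000 \))
    [ -n "$findings" ] && { printf 'setuid/setgid inside jail:\n%s\n' "$findings"; bad=1; }

    findings=$(find "$root" -xdev ! -type l \( -perm -0020 -o -perm -0002 \))
    [ -n "$findings" ] && { printf 'group/world writable:\n%s\n' "$findings"; bad=1; }

    findings=$(find "$root" -xdev -path "$root/$writable" -prune -o ! -user "$owner" -print)
    [ -n "$findings" ] && { printf 'not owned by %s:\n%s\n' "$owner" "$findings"; bad=1; }

    return $bad
}

# Usage (as root), following the quoted layout:
#   copy_with_libs /bin/bash /home/myuser
#   copy_with_libs /usr/bin/env /home/myuser
#   audit_jail /home/myuser root home
```

The audit is deliberately strict: a jail root or a lib directory that the jailed user can write to is a finding even though nothing has been exploited yet, because the copied bash and libc in there are what the login runs as the user. For Matt's restricted-bash suggestion the equivalent call is audit_jail on the operator's home with "root" as the owner and the user's working subdirectory as the writable tree; rbash reads .bash_profile and .bashrc before its restrictions take effect, so those files and the bin directory on PATH have to be root-owned and read-only for the user.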