TCLUG Archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [TCLUG:16756] Restricted shell



>Have you tried making their home directory look like their root directory?
>This is what anon ftp does.  /home/ftp (or whatever) looks to the anonymous
>user like /  The command to set it is chroot.  man chroot should explain more.

only problem with chroot, is that they lose access to the system files below
their current directory. that's why ftp directories usually have their own
/bin directory & the like. 
        proftpd doesn't do it this way, not exactly sure how. (the
description says that it opens the necessary files before chrooting, but the
mechanics of this are beyond my understanding).
        I'm not familiar enough with BSD 'jail' to know how that may differ.
        there's something to be said for VMS in this situation. it can
control these sorts of things much more stringently.

I wonder if it would be possible to write a 'jailer daemon' that could
monitor for program calls made from within a chroot jail, then make them on
behalf of the jailed user? it wouldn't be quite as secure as a complete jail
(if the daemon was compromised, there goes the jail security); but more
secure than a regular user account.

Carl Soderstrom
System Administrator    307 Brighton Ave. 
Minnesota DHIA	        Buffalo, MN	
carls@agritech.com      (763) 682-1091