On Fri, Oct 26, 2001 at 04:35:14PM +0100, Tim Haynes wrote: > Rishi L Khan <[EMAIL PROTECTED]> writes: > > > I think the only way to accomplish a chroot IS to include all the files > > in the jail that the user needs. > [snip] > > Yes. Somehow, if you're going to run something, it needs to be in the jail. > Various alternatives to consider for various reasons : busybox, rbash, > sash. > What would be nice would be a union-mount, so you could graft a "real" /bin > on top of /home/foo/bin, and so on. I'm not sure that `mount --bind' is the > same thing? > Umm... couldn't you have a restricted environment but with commands hard-linked in it to the proper ones and restricting thoroughly the hard links? (only rX, no w bits) The problem is how to do this automatically (and not checking dynamic dependencies one by one...)
> FWIW I had to implement a chroot-jailled login for someone recently; if > anyone's interested, my attempts at the relevant C, nicked in part from the > appropriate manpages, are to be found below. > There is sufficient jiggery-pokery with arg{c,v} in here to allow > ssh restricteduser@box "cat > foofile" < localfoofile > to transfer a file, but not to make scp work. (Don't ask me; don't take > this code as professional, bug-free, exploit-free or generally anything > other than rubbish, but it compiles, and it works.) > Will take a look... Regards Javi -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]