Rishi L Khan <[EMAIL PROTECTED]> writes: > I think the only way to accomplish a chroot IS to include all the files > in the jail that the user needs. [snip]
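Yes. Somehow, if you're going to run something, it needs to be in the jail. Various alternatives to consider for various reasons : busybox, rbash, sash. What would be nice would be a union-mount, so you could graft a "real" /bin on top of /home/foo/bin, and so on. I'm not sure that `mount --bind' is the same thing? FWIW I had to implement a chroot-jailled login for someone recently; if anyone's interested, my attempts at the relevant C, nicked in part from the appropriate manpages, are to be found below. There is sufficient jiggery-pokery with arg{c,v} in here to allow ssh [EMAIL PROTECTED] "cat > foofile" < localfoofile to transfer a file, but not to make scp work. (Don't ask me; don't take this code as professional, bug-free, exploit-free or generally anything other than rubbish, but it compiles, and it works.) ~Tim -- no se encuentra el sistema operativo |[EMAIL PROTECTED] (seen mid-windows 98 installation) |http://spodzone.org.uk/

/*
 * Minimal chroot login shell: enter ROOTPATH, drop to the NOBODY uid/gid,
 * then hand the command line to /bin/bash inside the jail.
 *
 * Must start with root privileges (chroot(2) and the id changes need them);
 * every step that could leave the process outside the jail or still
 * privileged is checked and fails closed.
 */
#define _DEFAULT_SOURCE /* chroot(), setgroups(), fork() under strict -std=c11 */

#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define NOBODY (1999)
#define ROOTPATH "/where/ever/"
#define JAILHOME "/home/someplace"
#define SHELL_PREFIX "/bin/bash "
#define SHELL_CMDFLAG "-c "

/*
 * Run COMMAND via "/bin/sh -c" with an explicitly empty environment and
 * wait for it.
 *
 * Returns 1 if COMMAND is NULL, -1 if fork() or waitpid() fails (errno is
 * set), otherwise the raw wait status (decode with WIFEXITED/WEXITSTATUS).
 */
int my_system(const char *command)
{
    if (!command)
        return 1;

    pid_t pid = fork();
    if (pid == -1)
        return -1;

    if (pid == 0) {
        /* Empty environment: nothing inherited from the caller (PATH, LD_*,
         * ...) reaches the shell in the jail. An array with a single NULL is
         * the portable spelling; passing NULL itself is a Linux extension. */
        char *const empty_env[] = { NULL };
        /* execve() takes char *const argv[]; the cast only drops const on
         * the pointer, the string is never written through it. */
        char *const sh_argv[] = { "sh", "-c", (char *)command, NULL };
        execve("/bin/sh", sh_argv, empty_env);
        _exit(127); /* _exit(): don't flush the parent's stdio buffers twice */
    }

    int status = 0;
    for (;;) {
        if (waitpid(pid, &status, 0) != -1)
            return status;
        if (errno != EINTR) /* only a signal interruption is worth retrying */
            return -1;
    }
}

/*
 * Join argv[1..argc-1] into "/bin/bash [-c ]arg1 arg2 ... " (each argument
 * followed by one space), allocating exactly the space needed.
 *
 * The result is deliberately NOT quoted: sh and then bash re-parse it, which
 * is what lets `ssh host "cat > foofile"` apply its redirection inside the
 * jail, and also why scp-style multi-argument invocations do not survive.
 * Returns NULL on allocation failure; the caller frees the result.
 */
static char *build_command(int argc, char *argv[])
{
    size_t len = strlen(SHELL_PREFIX) + 1; /* + terminating NUL */
    if (argc > 1)
        len += strlen(SHELL_CMDFLAG);
    for (int i = 1; i < argc; i++)
        len += strlen(argv[i]) + 1; /* + trailing space */

    char *cmd = malloc(len);
    if (!cmd)
        return NULL;

    size_t used = (size_t)snprintf(cmd, len, "%s%s", SHELL_PREFIX,
                                   argc > 1 ? SHELL_CMDFLAG : "");
    for (int i = 1; i < argc; i++)
        used += (size_t)snprintf(cmd + used, len - used, "%s ", argv[i]);
    return cmd;
}

/*
 * Entry point. Exit status is the jailed command's exit status, 128+signal
 * if it was killed by a signal, or 1 if the jail could not be set up.
 */
int main(int argc, char *argv[])
{
    if (chroot(ROOTPATH) != 0) {
        fprintf(stderr, "chroot(%s): %s\n", ROOTPATH, strerror(errno));
        return 1;
    }
    /* Move the cwd inside the new root immediately: a cwd left outside the
     * jail is the classic chroot escape, so a failed chdir() is fatal. */
    if (chdir(JAILHOME) != 0) {
        fprintf(stderr, "chdir(%s): %s\n", JAILHOME, strerror(errno));
        return 1;
    }

    /* Drop privileges in this order: supplementary groups, gid, then uid.
     * Once the uid is no longer 0 the group changes would fail, leaving the
     * shell running with gid 0 (the order in the original was reversed). */
    if (setgroups(0, NULL) != 0 || setgid(NOBODY) != 0 || setuid(NOBODY) != 0) {
        fprintf(stderr, "dropping privileges: %s\n", strerror(errno));
        return 1;
    }
    /* Confirm nothing is left privileged before starting a shell. */
    if (getuid() != NOBODY || geteuid() != NOBODY ||
        getgid() != NOBODY || getegid() != NOBODY) {
        fputs("privileges not dropped\n", stderr);
        return 1;
    }

    char *cmd = build_command(argc, argv);
    if (!cmd) {
        perror("malloc");
        return 1;
    }
    int status = my_system(cmd);
    free(cmd);

    if (status == -1) {
        perror("my_system");
        return 1;
    }
    if (WIFEXITED(status))
        return WEXITSTATUS(status);
    if (WIFSIGNALED(status))
        return 128 + WTERMSIG(status);
    return 1;
}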