On Tue, 2003-08-19 at 21:50, Vincent Danen wrote:
> On Tue Aug 19, 2003 at 07:31:02PM -0700, Jack Coates wrote:
> 
> > > > > I have a user login name that is used to run a game server process
> > > > > (Neverwinter Nights, if it matters :).
> > > > > 
> > > > > I don't know if it's possible for a remote user to crash the game process
> > > > > in a way which would leave them sitting in a shell, but since I don't know
> > > > > that the chances are 0%, I'm thinking that having the login name chroot
> > > > > jailed to its home directory would limit the damage that someone could do
> > > > > if they *did* somehow manage to end up in a shell via a server process
> > > > > crash.
> > > > > 
> > > > > Is there a way to do this?
> > > > 
> > > > Look at the user's line in /etc/password. At the end is the shell
> > > > they'll be given. chroot them there.
> > > 
> > > Er, all that does is just show me which shell they're logging in to use.  
> > > I'm at a loss as to how that will restrict them to their own home directory 
> > > as being / to them when logged in - thus keeping them away from the rest of 
> > > the system.  Could you please provide some specifics?
> > > 
> > >                --Dave
> > 
> > how about changing /bin/bash to chroot /new/root /bin/bash?
> > 
> > Be aware that bash expects a whole lotta stuff to be around, which
> > you'll need to recreate under the new root.
> 
> I don't think that will work as you'll need to be root to chroot IIRC.  What
> you could do is write a script that does the chroot and call it via sudo,
> then do something like "/usr/bin/sudo /somescript/chrootuser" which does the
> chroot call as root.

Good point -- last time I did this it was in inetd.conf and I was using
DJB's setuidgid as part of the trick.
> 
> You're right about the environment tho.  You'll need to have a /bin/bash in
> the chroot and then recreate the libs it wants or recompile it static.
> 
> You could also use /bin/rbash which is somewhat better than just bash, but
> not as nice as chroot (but a lot easier to set up).
-- 
Jack Coates
Monkeynoodle: A Scientific Venture...
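
The step the thread describes, putting a /bin/bash and the libraries it wants under the new root, as an added example that is not part of the original messages. The function names and the jail path are hypothetical; it assumes `ldd` is available on the host.

```shell
#!/bin/sh
# Added example: populate a chroot with one binary and the shared
# libraries it links against. Run it as a user who can write to the jail.

# Print the absolute paths of the shared objects ldd reports for a binary.
# A static binary (or a host without ldd) yields an empty list.
jail_libs() {
    ldd "$1" 2>/dev/null |
        awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) print $i }' | sort -u
}

# Copy a file into the jail under the same absolute path. cp -L follows
# symlinks so the jail holds real files, not links pointing outside it.
jail_copy() {
    jail=$1 src=$2
    mkdir -p "$jail$(dirname "$src")" && cp -L "$src" "$jail$src"
}

# populate_jail JAIL BINARY: copy BINARY and every library it needs.
populate_jail() {
    jail=$1 bin=$2
    [ -x "$bin" ] || { echo "not executable: $bin" >&2; return 1; }
    jail_copy "$jail" "$bin" || return 1
    for lib in $(jail_libs "$bin"); do
        jail_copy "$jail" "$lib" || return 1
    done
}

# Stand-alone use: ./populate_jail.sh /new/root /bin/bash
# Entering the jail still needs root, as noted in the thread. GNU coreutils
# chroot can drop root in the same step (USER:GROUP is a placeholder):
#   chroot --userspec=USER:GROUP /new/root /bin/bash
if [ $# -eq 2 ]; then
    populate_jail "$1" "$2"
fi
```

Keep the jail's directories and copied files owned by root and not writable by the jailed account, so a process inside cannot replace the shell or its libraries.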
