----- Original Message ----- From: "Jimen Ching" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Friday, April 26, 2002 10:15 AM Subject: Re: [luau] restricting directory access
> On Thu, 25 Apr 2002, Warren Togami wrote: > >> What can a user do with a shell account without access to outside of their > >> home directory? > >Plenty. They can poke around the filesystem looking for local root > >exploits, > > If they can't cd out of their home directory, unless the admin allowed > this user to install some tool that has a root exploit, I doubt this user > can do much. Doing this is currently not possible in the Unix security model. The shell and all the tools one would expect to use normally in a shell need to be executable, along with many default config files that must be read by those tools. chrooting the home directory away from the users would lock these away from the user. Mandatory access control ACL's would improve this situation somewhat, but there are several competing MAC implementations for Linux all of which are incompatible.
