Re: [expert] Any way to chroot jail a user?
Robert W. grabbed a keyboard and wrote:
> On Thu, 2003-08-21 at 02:49, David Guntner wrote:
>> Robert W. grabbed a keyboard and wrote:
>> > On Tue, 2003-08-19 at 21:05, David Guntner wrote:
>> > What about changing the shell to "/bin/false". Will that prevent them
>> > getting a login shell?
>>
>> If I can't login as the player set up to run the server, it will be kind
>> of hard to start up screen and then start the actual server
>> program :-)
>
> Sorry, I assumed the server was started through a script in /etc/init.d.
> You could also use 'sudo' to start the server with the proper user. Then
> you don't have to log in as that user.

The nature of the Neverwinter Nights game server is such that it needs to be
interactive for me to make manual settings changes on the fly. Therefore, an
interactive shell is needed to start up screen (which keeps things running
when logged out) and then run the server. Thus, doing something which
prohibits logging in outright is not an option.

As I said in my first message, this is not *that* big of a thing. I don't
think that anyone can do something which would result in crashing the server
process and ending up in a shell as a result. If there was a relatively easy
way to chroot jail the user to its own home directory, I'd be all for it.
But from what I've read in the other responses, it seems like it will be
more trouble than it's worth to implement.

--Dave

Want to buy your Pack or Services from MandrakeSoft? Go to http://www.mandrakestore.com
Re: [expert] Any way to chroot jail a user?
On Thu, 2003-08-21 at 02:49, David Guntner wrote:
> Robert W. grabbed a keyboard and wrote:
> > On Tue, 2003-08-19 at 21:05, David Guntner wrote:
> > What about changing the shell to "/bin/false". Will that prevent them
> > getting a login shell?
>
> If I can't login as the player set up to run the server, it will be kind of
> hard to start up screen and then start the actual server program :-)
>
> --Dave

Sorry, I assumed the server was started through a script in /etc/init.d.
You could also use 'sudo' to start the server with the proper user. Then
you don't have to log in as that user.

--
Robert W. [EMAIL PROTECTED]
"It is done. I am the Alpha and the Omega, the Beginning and the End."
-- Revelations 21:6
Re: [expert] Any way to chroot jail a user?
Robert W. grabbed a keyboard and wrote:
> On Tue, 2003-08-19 at 21:05, David Guntner wrote:
> > Jack Coates grabbed a keyboard and wrote:
> > >
> > > On Mon, 2003-08-18 at 22:47, David Guntner wrote:
> > > > I have a user login name that is used to run a game server process
> > > > (Neverwinter Nights, if it matters :).
> > > >
> > > > I don't know if it's possible for a remote user to crash the game process
> > > > in a way which would leave them sitting in a shell, but since I don't know
> > > > that the chances are 0%, I'm thinking that having the login name chroot
> > > > jailed to its home directory would limit the damage that someone could do
> > > > if they *did* somehow manage to end up in a shell via a server process
> > > > crash.
> > > >
> > > > Is there a way to do this?
> > >
> > > Look at the user's line in /etc/password. At the end is the shell
> > > they'll be given. chroot them there.
> >
> What about changing the shell to "/bin/false". Will that prevent them
> getting a login shell?

If I can't login as the player set up to run the server, it will be kind
of hard to start up screen and then start the actual server program :-)

--Dave

--
David Guntner
GEnie: Just say NO!
http://www.akaMail.com/pgpkey/davidg or key server for PGP Public key
Re: [expert] Any way to chroot jail a user?
On Tue, 2003-08-19 at 21:50, Vincent Danen wrote:
> On Tue Aug 19, 2003 at 07:31:02PM -0700, Jack Coates wrote:
> > > > > I have a user login name that is used to run a game server process
> > > > > (Neverwinter Nights, if it matters :).
> > > > >
> > > > > I don't know if it's possible for a remote user to crash the game process
> > > > > in a way which would leave them sitting in a shell, but since I don't know
> > > > > that the chances are 0%, I'm thinking that having the login name chroot
> > > > > jailed to its home directory would limit the damage that someone could do
> > > > > if they *did* somehow manage to end up in a shell via a server process
> > > > > crash.
> > > > >
> > > > > Is there a way to do this?
> > > >
> > > > Look at the user's line in /etc/password. At the end is the shell
> > > > they'll be given. chroot them there.
> > >
> > > Er, all that does is just show me which shell they're logging in to use.
> > > I'm at a loss as to how that will restrict them to their own home directory
> > > as being / to them when logged in - thus keeping them away from the rest of
> > > the system. Could you please provide some specifics?
> > >
> > > --Dave
> >
> > how about changing /bin/bash to chroot /new/root /bin/bash?
> >
> > Be aware that bash expects a whole lotta stuff to be around, which
> > you'll need to recreate under the new root.
>
> I don't think that will work as you'll need to be root to chroot IIRC. What
> you could do is write a script that does the chroot and call it via sudo,
> then do something like "/usr/bin/sudo /somescript/chrootuser" which does the
> chroot call as root.

good point -- last time I did this it was in inetd.conf and I was using
DJB's setuidgid as part of the trick.

> You're right about the environment tho. You'll need to have a /bin/bash in
> the chroot and then recreate the libs it wants or recompile it static.
>
> You could also use /bin/rbash which is somewhat better than just bash, but
> not as nice as chroot (but a lot easier to setup).

--
Jack Coates
Monkeynoodle: A Scientific Venture...
Re: [expert] Any way to chroot jail a user?
On Tue, 2003-08-19 at 22:29, David Guntner wrote:
> Vincent Danen grabbed a keyboard and wrote:
> >
> > I don't think that will work as you'll need to be root to chroot IIRC. What
> > you could do is write a script that does the chroot and call it via sudo,
> > then do something like "/usr/bin/sudo /somescript/chrootuser" which does the
> > chroot call as root.
> >
> > You're right about the environment tho. You'll need to have a /bin/bash in
> > the chroot and then recreate the libs it wants or recompile it static.
> >
> > You could also use /bin/rbash which is somewhat better than just bash, but
> > not as nice as chroot (but a lot easier to setup).
>
> I looked at the bash manpage, in the section which mentions rbash.
> Unfortunately, that's *too* restricted for my needs. :-) I need to be able
> to cd to directories within the user's home directory for the game server
> to actually work. Well, it was a thought anyway. Thanks for the
> suggestions, everyone.
>
> --Dave

Dave,

If this server is going to be heavily used, and by a lot of "unknowns", you
might consider installing the NSA patches and running SE Linux (note it's not
a distro, but patches to secure your favorite distro)...

A quick article here: http://www.linuxjournal.com/article.php?sid=6895

And I believe the July issue had a more in-depth article on it.

Man, with this one you can even make it so that root can't do things, and
control time/access level/usage in all kinds of ways. Neat stuff.

James
Re: [expert] Any way to chroot jail a user?
Vincent Danen grabbed a keyboard and wrote:
>
> I don't think that will work as you'll need to be root to chroot IIRC. What
> you could do is write a script that does the chroot and call it via sudo,
> then do something like "/usr/bin/sudo /somescript/chrootuser" which does the
> chroot call as root.
>
> You're right about the environment tho. You'll need to have a /bin/bash in
> the chroot and then recreate the libs it wants or recompile it static.
>
> You could also use /bin/rbash which is somewhat better than just bash, but
> not as nice as chroot (but a lot easier to setup).

I looked at the bash manpage, in the section which mentions rbash.
Unfortunately, that's *too* restricted for my needs. :-) I need to be able
to cd to directories within the user's home directory for the game server
to actually work. Well, it was a thought anyway. Thanks for the
suggestions, everyone.

--Dave

--
David Guntner
GEnie: Just say NO!
http://www.akaMail.com/pgpkey/davidg or key server for PGP Public key
Re: [expert] Any way to chroot jail a user?
On Tue Aug 19, 2003 at 07:31:02PM -0700, Jack Coates wrote:
> > > > I have a user login name that is used to run a game server process
> > > > (Neverwinter Nights, if it matters :).
> > > >
> > > > I don't know if it's possible for a remote user to crash the game process
> > > > in a way which would leave them sitting in a shell, but since I don't know
> > > > that the chances are 0%, I'm thinking that having the login name chroot
> > > > jailed to its home directory would limit the damage that someone could do
> > > > if they *did* somehow manage to end up in a shell via a server process
> > > > crash.
> > > >
> > > > Is there a way to do this?
> > >
> > > Look at the user's line in /etc/password. At the end is the shell
> > > they'll be given. chroot them there.
> >
> > Er, all that does is just show me which shell they're logging in to use.
> > I'm at a loss as to how that will restrict them to their own home directory
> > as being / to them when logged in - thus keeping them away from the rest of
> > the system. Could you please provide some specifics?
> >
> > --Dave
>
> how about changing /bin/bash to chroot /new/root /bin/bash?
>
> Be aware that bash expects a whole lotta stuff to be around, which
> you'll need to recreate under the new root.

I don't think that will work as you'll need to be root to chroot IIRC. What
you could do is write a script that does the chroot and call it via sudo,
then do something like "/usr/bin/sudo /somescript/chrootuser" which does the
chroot call as root.

You're right about the environment tho. You'll need to have a /bin/bash in
the chroot and then recreate the libs it wants or recompile it static.

You could also use /bin/rbash which is somewhat better than just bash, but
not as nice as chroot (but a lot easier to setup).

--
MandrakeSoft Security; http://www.mandrakesecure.net/
Online Security Resource Book; http://linsec.ca/
"lynx -source http://linsec.ca/vdanen.asc | gpg --import"
{FE6F2AFD : 88D8 0D23 8D4B 3407 5BD7 66F9 2043 D0E5 FE6F 2AFD}
Re: [expert] Any way to chroot jail a user?
On Tue, 2003-08-19 at 19:05, David Guntner wrote:
> Jack Coates grabbed a keyboard and wrote:
> >
> > On Mon, 2003-08-18 at 22:47, David Guntner wrote:
> > > I have a user login name that is used to run a game server process
> > > (Neverwinter Nights, if it matters :).
> > >
> > > I don't know if it's possible for a remote user to crash the game process
> > > in a way which would leave them sitting in a shell, but since I don't know
> > > that the chances are 0%, I'm thinking that having the login name chroot
> > > jailed to its home directory would limit the damage that someone could do
> > > if they *did* somehow manage to end up in a shell via a server process
> > > crash.
> > >
> > > Is there a way to do this?
> >
> > Look at the user's line in /etc/password. At the end is the shell
> > they'll be given. chroot them there.
>
> Er, all that does is just show me which shell they're logging in to use.
> I'm at a loss as to how that will restrict them to their own home directory
> as being / to them when logged in - thus keeping them away from the rest of
> the system. Could you please provide some specifics?
>
> --Dave

how about changing /bin/bash to chroot /new/root /bin/bash?

Be aware that bash expects a whole lotta stuff to be around, which
you'll need to recreate under the new root.

--
Jack Coates
Monkeynoodle: A Scientific Venture...
Re: [expert] Any way to chroot jail a user?
Jack Coates grabbed a keyboard and wrote:
>
> On Mon, 2003-08-18 at 22:47, David Guntner wrote:
> > I have a user login name that is used to run a game server process
> > (Neverwinter Nights, if it matters :).
> >
> > I don't know if it's possible for a remote user to crash the game process
> > in a way which would leave them sitting in a shell, but since I don't know
> > that the chances are 0%, I'm thinking that having the login name chroot
> > jailed to its home directory would limit the damage that someone could do
> > if they *did* somehow manage to end up in a shell via a server process
> > crash.
> >
> > Is there a way to do this?
>
> Look at the user's line in /etc/password. At the end is the shell
> they'll be given. chroot them there.

Er, all that does is just show me which shell they're logging in to use.
I'm at a loss as to how that will restrict them to their own home directory
as being / to them when logged in - thus keeping them away from the rest of
the system. Could you please provide some specifics?

--Dave

--
David Guntner
GEnie: Just say NO!
http://www.akaMail.com/pgpkey/davidg or key server for PGP Public key
Re: [expert] Any way to chroot jail a user?
On Mon, 2003-08-18 at 22:47, David Guntner wrote:
> I have a user login name that is used to run a game server process
> (Neverwinter Nights, if it matters :).
>
> I don't know if it's possible for a remote user to crash the game process
> in a way which would leave them sitting in a shell, but since I don't know
> that the chances are 0%, I'm thinking that having the login name chroot
> jailed to its home directory would limit the damage that someone could do
> if they *did* somehow manage to end up in a shell via a server process
> crash.
>
> Is there a way to do this?
>
> --Dave
>

Look at the user's line in /etc/password. At the end is the shell
they'll be given. chroot them there.

--
Jack Coates
Monkeynoodle: A Scientific Venture...