
Hi,

Some months ago, as I seem to remember, there was a thread about creating ssh-logins with limited file-system access (even a proper file-system). I then noticed it and thought it could be interesting, but apparently I didn't save these files. Is there anybody in the neighbourhood that could dish up these messages? Or a conclusion, a direction to follow so I can offer people access to a (very limited) portion of my filesystem.

I would like them to have e.g. chroot /tmp/unsecure_root /bin/sh as shell, but I keep getting an error-answer:

/usr/sbin/chroot: cannot execute sh: No such file or directory

What am I doing wrong?

Greetings from
Dieter Demerre - http://www.angelfire.com/de/ddemerre
ddemerre@acm.org - ext.dieter.demerre@siemens.be


You have to set up a complete root filesystem with all the needed directories and files (/sbin /etc ...) in the chrooted directory.
Hope that someone can give a minimum list of that.
Bernhard Mackert
You need all libraries, including the linker (/lib/ld-linux.so.2) and the ld.so.cache in /etc, that are needed/linked into the binaries you want to use. The libs can be seen using `ldd binary-file'. Additionally, some libraries need files such as /etc/passwd, /etc/group and others, as well as the terminfo database under /usr/share/terminfo or the timezone description file. Use strace to find out what's missing if the process won't complain loud enough. It's a nice piece of work, but it's possible.

On the other hand, you could install a whole system into a directory (under SuSE, newer versions of yast support this). You could use this directory to host a chroot()ed process.

Be aware that running a process under root privileges renders the whole prison porous, since a breakout is trivial once you can use chroot(2) within an already chroot()ed environment.

Roman.

--
Roman Drahtmüller, CC University of Freiburg
email: draht@uni-freiburg.de
"Freedom means that you can choose what you want to learn at a given time." A. Becker, 1999
People often find it easier to be a result of the past than a cause of the future.
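Roman's recipe, turned into a script. This is an added example for this archive page, not code posted in the thread: it copies each requested binary, copies everything `ldd` lists for it (shared libraries and the dynamic loader), and writes the /etc files libc opens on its own. It assumes a Linux host with `ldd`, `awk` and GNU or BusyBox `cp`/`find`, uses the jail path /tmp/unsecure_root from the first message, and the one-line /etc/passwd it writes (root only) is a placeholder you would extend with the real jailed accounts. One caveat the first message runs into: "cannot execute sh: No such file or directory" is what chroot(1) reports both when sh is absent from the jail and when sh is present but its ELF interpreter (ld-linux.so) is not, since execve(2) returns ENOENT for a missing interpreter. The verify step below checks for that before you reach for strace.

```shell
#!/bin/sh
# Added example (not from the thread): populate a chroot directory with the
# binaries you want plus everything ldd says they need, then add the /etc
# files that libc and ld.so open on their own.
#   sh build_jail.sh /tmp/unsecure_root /bin/sh /bin/ls
# Building the tree needs no privileges; only the final chroot(8) does.

# Print every absolute path ldd reports for the binary $1, one per line: the
# "libc.so.6 => /lib/..." entries and the bare loader line
# "/lib64/ld-linux-x86-64.so.2 (0x...)". linux-vdso.so.1 has no file on disk
# and is skipped; a statically linked binary yields nothing, which is correct.
list_deps() {
    ldd "$1" 2>/dev/null | awk '
        /=>/       { if ($3 ~ /^\//) print $3; next }
        $1 ~ /^\// { print $1 }
    '
}

# Copy one host file into the jail at the same path. -L dereferences symlinks,
# so /bin/sh -> dash or /lib64/ld-linux-x86-64.so.2 -> /lib/x86_64-linux-gnu/...
# become real files where the kernel's ELF loader and ld.so expect them.
install_into_jail() {
    mkdir -p "$1$(dirname "$2")"
    cp -pL "$2" "$1$2"
}

# build_jail JAIL BIN... : JAIL is the target directory, BIN... host binaries.
build_jail() {
    jail=$1; shift
    # /dev stays empty: device nodes need mknod as root and are left to the admin.
    mkdir -p "$jail/etc" "$jail/tmp" "$jail/dev"
    chmod 1777 "$jail/tmp"
    for bin in "$@"; do
        install_into_jail "$jail" "$bin"
        for dep in $(list_deps "$bin"); do
            install_into_jail "$jail" "$dep"
        done
    done
    # ld.so consults ld.so.cache to locate libraries; /etc/passwd and
    # /etc/group let getpwuid()/getgrgid() resolve names. Only root is defined
    # here (assumption): append the jailed accounts with their real uid/gid.
    if [ -f /etc/ld.so.cache ]; then install_into_jail "$jail" /etc/ld.so.cache; fi
    printf 'root:x:0:0:root:/:/bin/sh\n' > "$jail/etc/passwd"
    printf 'root:x:0:\n' > "$jail/etc/group"
    # Timezone file and terminfo database, copied only when the host has them.
    # terminfo is a nicety, so copy errors (e.g. dangling symlinks) are ignored.
    if [ -f /etc/localtime ]; then install_into_jail "$jail" /etc/localtime; fi
    if [ -d /usr/share/terminfo ]; then
        mkdir -p "$jail/usr/share"
        cp -rp /usr/share/terminfo "$jail/usr/share/" 2>/dev/null || true
    fi
}

# Report dependencies still missing inside the jail: run ldd on every
# executable file in the tree and check that each path exists under the jail.
# Prints "missing: PATH" lines; returns 1 if anything is missing.
verify_jail() {
    jail=$1; rc=0
    for f in $(find "$jail" -type f -perm -100); do
        for dep in $(list_deps "$f"); do
            if [ ! -e "$jail$dep" ]; then echo "missing: $dep"; rc=1; fi
        done
    done
    return $rc
}

# Roman's caveat as a check: whoever becomes root inside the jail can
# chroot(2) out of it, so the tree must not contain setuid/setgid binaries.
# Prints the number of such files (0 is what you want).
count_setid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) | wc -l | tr -d ' '
}

if [ $# -ge 2 ]; then
    build_jail "$@"
    verify_jail "$1" && echo "jail at $1 is complete; try: chroot $1 /bin/sh"
fi
```

Run it as `sh build_jail.sh /tmp/unsecure_root /bin/sh /bin/ls`, then `chroot /tmp/unsecure_root /bin/sh` as root. If a program still fails to start after verify_jail is clean, `strace -f -e trace=file chroot /tmp/unsecure_root /bin/sh` shows the exact path it could not open, which is the strace step Roman recommends; this is how the missing /etc/passwd, terminfo or timezone files turn up.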
participants (3)
- DEMERRE DIETER
- Roman Drahtmueller
- Security