Doing chroot to an ssh session would leave the session virtually useless, as the users then obviously would not have access to any system commands (as most of them are not in their home directories). I would rather protect the directories & files with normal file access rights. Read man chmod first.
-Pete
Hi Pete, of course you are right. I didn't mean chroot itself, but something similar that can hold a user in his homedir. To protect the dirs and files with the normal chmod does not have the effect I want. Okay, some more details: The homedir of the users is set to the directories of the virtual domains. I don't want the users to be able to access the directories of the other domains. When doing chmod o-rwx for these directories, even the apache itself cannot access them and therefore cannot display the content. I hope you know what I mean. Any hints?
-- Stephan
On Thu, 21 Oct 1999, Security Webmaster OKDesign oHG wrote:
Hi Pete, of course you are right. I didn't mean chroot itself, but something similar that can hold a user in his homedir. To protect the dirs and files with the normal chmod does not have the effect I want. Okay, some more details: The homedir of the users is set to the directories of the virtual domains. I don't want the users to be able to access the directories of the other domains. When doing chmod o-rwx for these directories, even the apache itself cannot access them and therefore cannot display the content. I hope you know what I mean. Any hints?
Ok. In that case I would use another machine for users which would NFS mount the directories needed for each user from the actual server. Thus giving only access to files that clients need to access on the server, and keeping clear separation of rights.
-Pete
-- Stephan
Hi, The easiest solution (though not foolproof) is to assign all of these files to the group that apache is running as while removing "everyone" access completely. The only problem with this is that one user's CGI has read access to other people's files (see CGI wrappers). The problem with having a shell that chroots is that each user needs to be confined to their own directory only; I don't want to create a new shell binary for each user. It seems a risky venture to depend on environment variables here to get the uid/gid; that's why a modification to ssh seems more secure.
-HD
Security Webmaster OKDesign oHG wrote:
Hi Pete, of course you are right. I didn't mean chroot itself, but something similar that can hold a user in his homedir. To protect the dirs and files with the normal chmod does not have the effect I want. Okay, some more details: The homedir of the users is set to the directories of the virtual domains. I don't want the users to be able to access the directories of the other domains. When doing chmod o-rwx for these directories, even the apache itself cannot access them and therefore cannot display the content. I hope you know what I mean. Any hints?
-- Stephan
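The group-based layout suggested in the reply above, as an added example that is not part of the original thread: each virtual-domain directory keeps its owner, is handed to the web server's group, and loses all "other" access, and an audit function lists anything that still violates that. The function names, the group name and the paths in the comments are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Names and paths below are hypothetical.
# Typical use as root, assuming Apache runs with group "www-data":
#   lock_vhost /var/www/vhosts/example.org www-data

# lock_vhost DIR WEB_GROUP
# Owner keeps full access, the web server's group may read and traverse,
# everyone else (i.e. the other domains' users) gets nothing.
lock_vhost() {
    dir=$1
    web_group=$2
    chgrp -R "$web_group" "$dir" || return 1
    # X grants execute only on directories and on already-executable files.
    chmod -R u=rwX,g=rX,o= "$dir" || return 1
    # setgid on directories: files created later inherit the web group,
    # so new uploads do not silently fall back to the user's own group.
    find "$dir" -type d -exec chmod g+s {} +
}

# audit_vhosts ROOT WEB_GROUP
# Prints every path under ROOT that is still reachable by "other"
# or that does not belong to the web server's group. No output = clean.
audit_vhosts() {
    root=$1
    web_group=$2
    find "$root" \( -perm -001 -o -perm -002 -o -perm -004 \
        -o ! -group "$web_group" \) -print
}

# Caveat stated in the thread: anything that runs as the web server
# (for example a user's CGI without a wrapper) can still read every
# domain's files, because it runs with this same group.
```

Running `audit_vhosts` from cron over the whole virtual-host root catches directories that were created or re-permissioned after the initial lock-down.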
participants (3)
- H D Moore
- Petri Sirkkala
- Security Webmaster OKDesign oHG