How to chroot standard login users:

You need a program as login shell that does the following:

1.) Checks if called as login, else exits
2.) Checks if UID=0 (big security hole?!)
3.) Calls CHROOT
4.) Sets UID back to normal
5.) Calls a standard shell

I've found a little C program that implements all of these features except 1.) here: http://www.phirate.ethos.co.nz/dev/srsh/

Maybe someone will have a look at this and check if the UID=0 part offers standard users possibilities to break into a root shell or something similar...

Marek Stiefenhofer

-----Original Message-----
From: Stiefenhofer, Marek ECOFIS
Sent: Monday, 20 November 2000 12:19
To: 'Gerd Bitzer'; 'suse-security@suse.com'
Subject: Re: [suse-security] Chroot ssh login

I know, but that's not sufficient. rbash does not prevent you from accessing files below your home directory, like: ls ~/../../etc

-----Original Message-----
From: Gerd Bitzer [mailto:gerd.bitzer@tesion.de]
Sent: Monday, 20 November 2000 12:13
To: Stiefenhofer, Marek ECOFIS
Subject: Re: [suse-security] Chroot ssh login

Maybe there's also another interesting possibility: so-called restricted shells. The user is then limited to their own home directory; as far as I know, e.g. bash supports this mode with "bash -r". Maybe other shells also have this feature.

"Stiefenhofer, Marek ECOFIS" wrote:
Hi,
I want to chroot user logins via telnet/ssh to their home directory. I guess this is a standard procedure, but I'm sort of stuck. I can't chroot the login shell of a standard user - only root can chroot.
Examples would be appreciated...
Kind regards,
Marek Stiefenhofer
--------------------------------------------------------------------- To unsubscribe, e-mail: suse-security-unsubscribe@suse.com For additional commands, e-mail: suse-security-help@suse.com
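The five steps listed in the top message of this thread, written out in C as an added example (it is not the srsh program linked there and not any poster's code). It assumes the binary is installed setuid-root as the user's login shell and that the jail, the user's home directory, contains its own /bin/sh; the names `is_login_invocation` and `enter_jail` are hypothetical.

```c
#define _DEFAULT_SOURCE 1   /* declares chroot() and setgroups() on glibc */
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

enum { JAIL_OK = 0, JAIL_E_NOTROOT = -1, JAIL_E_CHROOT = -2, JAIL_E_DROP = -3 };

/* Step 1: login(1) and sshd start a login shell with argv[0] beginning with '-'. */
int is_login_invocation(const char *argv0)
{
    return argv0 != NULL && argv0[0] == '-';
}

/* Steps 2-4: confirm root, chroot, then give up root for good. */
int enter_jail(const char *dir, uid_t uid, gid_t gid)
{
    if (geteuid() != 0)
        return JAIL_E_NOTROOT;              /* chroot() would fail anyway */
    if (chroot(dir) != 0 || chdir("/") != 0)
        return JAIL_E_CHROOT;               /* chdir keeps the cwd inside the jail */
    /* Order matters: groups first, then gid, then uid. Once the uid is
       dropped the process may no longer change its groups.
       setgroups(1, ...) leaves only the primary group. */
    if (setgroups(1, &gid) != 0 || setgid(gid) != 0 || setuid(uid) != 0)
        return JAIL_E_DROP;
    /* setuid() called as root also resets the saved uid; prove root is gone. */
    if (uid != 0 && setuid(0) == 0)
        return JAIL_E_DROP;
    return JAIL_OK;
}

int main(int argc, char **argv)
{
    /* Look the caller up by real uid before chroot: /etc/passwd is outside the jail. */
    struct passwd *pw = getpwuid(getuid());
    if (argc < 1 || !is_login_invocation(argv[0]) || pw == NULL || pw->pw_uid == 0)
        return 1;
    int rc = enter_jail(pw->pw_dir, pw->pw_uid, pw->pw_gid);
    if (rc != JAIL_OK) {
        fprintf(stderr, "jail setup failed (%d)\n", rc);
        return 1;                           /* never fall through to a shell */
    }
    /* Step 5. Assumption: the jail contains its own /bin/sh and libraries. */
    execl("/bin/sh", "-sh", (char *)NULL);
    return 1;                               /* exec failed */
}
```

Every failure path exits before the exec, so a shell is only ever started after the process has verified that it can no longer regain UID 0.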