jailkit-users

Re: [Jailkit-users] SU problem in jail


From: Olivier Sessink
Subject: Re: [Jailkit-users] SU problem in jail
Date: Mon, 10 Nov 2008 09:33:33 +0100 (CET)
User-agent: SquirrelMail/1.4.13

> Hi Oliver
>
> Thanks for looking into this:
>
> What I want to achieve is: disabled root ssh login (already works),
> and having only a few users in a "su" group, that are able to execute
> the su, to be able to su to the root user and manage the system. I
> want all users to be chrooted and only those in the "su" group can su.

in my personal opinion this is going to cost more than it will solve:

1) getting 'su' to work in a jail is going to be very difficult

2) you'll need many files that you don't want in a jail in this jail to
get 'su' working (such as the shadow file, all pam configuration, etc.)

3) you'll need some kind of password synchronisation between those jails
and the real shadow file (with all kinds of security problems)

different ideas:

- jail all regular accounts, and put ssh in the jail for those accounts
that are allowed to use the root account
- disable all ssh port forwarding
- enable root ssh logons from localhost

or another option:
- jail not all accounts
- use ssh keys for those accounts that are not jailed, and allow su for
those accounts

Olivier




- create
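The first set of ideas in the message above (root ssh logons only from localhost, all port forwarding disabled) can be written as an sshd_config fragment and checked mechanically. This is an added example, not part of the original message or of Jailkit: the config fragment, the address 203.0.113.5 and the function names are constructed, and the evaluator is a simplified model that only handles `Match Address` with plain addresses or CIDR ranges.

```python
import ipaddress

# Constructed sshd_config fragment (an assumption, not from the original message):
# root logins are refused except over loopback, and TCP forwarding is off so
# that loopback connections can only come from a shell on the host itself.
SAMPLE_CONFIG = """\
PermitRootLogin no
AllowTcpForwarding no

Match Address 127.0.0.1,::1
    PermitRootLogin yes
"""

def parse(text):
    """Return (global settings, [(address patterns, settings)] per Match block)."""
    global_opts, matches, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        if key.lower() == "match":
            crit, _, pats = value.strip().partition(" ")
            if crit.lower() != "address":
                raise ValueError("this sketch only handles 'Match Address'")
            current = {}
            matches.append((pats.strip().split(","), current))
        else:
            # sshd keeps the first value it sees for a keyword
            target = global_opts if current is None else current
            target.setdefault(key.lower(), value.strip())
    return global_opts, matches

def effective(text, keyword, client_addr):
    """Value of keyword for a connection from client_addr (Match overrides global)."""
    global_opts, matches = parse(text)
    addr = ipaddress.ip_address(client_addr)
    for patterns, opts in matches:
        hit = any(addr in ipaddress.ip_network(p, strict=False) for p in patterns)
        if hit and keyword.lower() in opts:
            return opts[keyword.lower()]
    return global_opts.get(keyword.lower())

def policy_ok(text, remote="203.0.113.5"):
    """True if root may log in only over loopback and forwarding is off everywhere."""
    return (effective(text, "PermitRootLogin", remote) == "no"
            and effective(text, "PermitRootLogin", "127.0.0.1") == "yes"
            and all(effective(text, "AllowTcpForwarding", a) == "no"
                    for a in (remote, "127.0.0.1")))
```

On a real host, `sshd -T -C user=root,host=localhost,addr=127.0.0.1` prints the effective settings as sshd itself computes them for that connection.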




