Re: [Jailkit-users] Re: Question about jk_lsh (and the mailing list..)
From: Stephen Tallowitz
Subject: Re: [Jailkit-users] Re: Question about jk_lsh (and the mailing list..)
Date: Thu, 22 Sep 2005 23:38:57 +0200
Hello list,
> you could use bash in the jail, and then remove the 'others' permissions
> from all binaries (0750), change the group of those binaries, and give
> users access to the groups of the binaries you want to allow them to
> use. e.g.
> chmod 0750 <jail>/usr/bin/cvs
> chgrp cvs <jail>/usr/bin/cvs
Using a bash-only chroot is very effective. Bash has a few, very limited
built-in commands, so creating a chroot with only bash and say cvs will give
the users the feel of a "real" interactive shell, yet limiting their actions to
the cvs command. To see what I'm talking about, try this:
1. mkdir /srv/bashroot (or something similar)
2. jk_cp -v /srv/bashroot /bin/bash (-v is for the effect, to see what jk_cp is
doing)
3. as user root: chroot /srv/bashroot /bin/bash
Now you've manually created and chrooted into a bash-only environment. Try a
few commands (ls, rm, touch): they will not work - because they are external
binaries that would also need to be copied to the chroot to be available.
The only useful commands you will be able to use are "cd", "pwd" and "exit"
because they are built-in bash commands (see man bash, section "shell builtin
commands").
Beware: even with the builtin bash commands you could be doing potentially
malicious things - such as 'echo "password=mypassword" >>
/etc/mywebapp/global-config.php' - so being in a chroot is no excuse to not
handle permissions as usual.
Cheers,
Stephen
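
An added example, not part of the original message or of Jailkit: a small audit of a jail tree for the two permission points raised above, namely binaries still executable by 'others' (instead of 0750 with a dedicated group) and files writable by 'others' that shell redirection alone could modify. The function names `jail_other_exec`, `jail_other_write` and `audit_jail` are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original message). Function names are
# hypothetical; the jail path is whatever you pass in.

# Regular files that 'others' may execute: binaries not yet locked down to
# 0750 plus a per-tool group. Shared libraries with x bits show up here too.
jail_other_exec() {
    find "$1" -type f -perm -0001 -print | sort
}

# Anything (except symlinks) that 'others' may write: a builtin such as
# echo with >> can change these without any external binary in the jail.
jail_other_write() {
    find "$1" ! -type l -perm -0002 -print | sort
}

# Print both lists; return 0 if clean, 1 if findings, 2 on bad argument.
audit_jail() {
    jail=$1
    if [ ! -d "$jail" ]; then
        echo "audit_jail: not a directory: $jail" >&2
        return 2
    fi
    found=0
    exec_hits=$(jail_other_exec "$jail")
    write_hits=$(jail_other_write "$jail")
    if [ -n "$exec_hits" ]; then
        echo "executable by others (expected 0750 and a dedicated group):"
        echo "$exec_hits" | sed 's/^/  /'
        found=1
    fi
    if [ -n "$write_hits" ]; then
        echo "writable by others (reachable with shell redirection alone):"
        echo "$write_hits" | sed 's/^/  /'
        found=1
    fi
    return "$found"
}

# Run directly as: sh audit_jail.sh /srv/bashroot
if [ "$#" -gt 0 ]; then
    audit_jail "$1"
fi
```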