From owner-freebsd-questions@FreeBSD.ORG Sun Nov 13 09:24:09 2011 Return-Path: Delivered-To: freebsd-questions@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 8A96F106564A for ; Sun, 13 Nov 2011 09:24:09 +0000 (UTC) (envelope-from m.seaman@infracaninophile.co.uk) Received: from smtp.infracaninophile.co.uk (smtp6.infracaninophile.co.uk [IPv6:2001:8b0:151:1:3fd3:cd67:fafa:3d78]) by mx1.freebsd.org (Postfix) with ESMTP id 0A2A78FC08 for ; Sun, 13 Nov 2011 09:24:08 +0000 (UTC) Received: from seedling.black-earth.co.uk (seedling.black-earth.co.uk [81.187.76.163]) (authenticated bits=0) by smtp.infracaninophile.co.uk (8.14.5/8.14.5) with ESMTP id pAD9O4aa019636 (version=TLSv1/SSLv3 cipher=DHE-RSA-CAMELLIA256-SHA bits=256 verify=NO); Sun, 13 Nov 2011 09:24:05 GMT (envelope-from m.seaman@infracaninophile.co.uk) X-DKIM: OpenDKIM Filter v2.4.1 smtp.infracaninophile.co.uk pAD9O4aa019636 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=infracaninophile.co.uk; s=201001-infracaninophile; t=1321176245; bh=X83A9i5fI6FsxfjuZUAT62USNQqTDU/1ysnjhXn+RpA=; h=Message-ID:Date:From:MIME-Version:To:CC:Subject:References: In-Reply-To:Content-Type; b=z70sG8Yf52uygEHHIfGasA1V5/VctbjUUMVsMEv42Vqft4Q6GRVWus7IGi3aCSAoM qNPuWyY7He0mxH1o94Fc+vtNqwQsLRjgxRDSR6mHnP8HOLDehM+aQkhRhKW7iAIX18 IC/cwBX3Q7C3sECOsE165PxdBPvxbE6T0YzBTkaA= Message-ID: <4EBF8CAD.8000003@infracaninophile.co.uk> Date: Sun, 13 Nov 2011 09:23:57 +0000 From: Matthew Seaman User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:8.0) Gecko/20111105 Thunderbird/8.0 MIME-Version: 1.0 To: masayoshi References: <1321152864.63708.YahooMailNeo@web122210.mail.ne1.yahoo.com> In-Reply-To: <1321152864.63708.YahooMailNeo@web122210.mail.ne1.yahoo.com> X-Enigmail-Version: 1.3.3 OpenPGP: id=60AE908C Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="------------enig8A2557824EC6A5DE5E39092E" X-Virus-Scanned: clamav-milter 0.97.3 at lucid-nonsense.infracaninophile.co.uk X-Virus-Status: Clean X-Spam-Status: No, score=-0.1 required=5.0 tests=BAYES_20,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,SPF_FAIL autolearn=no version=3.3.2 X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on lucid-nonsense.infracaninophile.co.uk Cc: "freebsd-questions@freebsd.org" Subject: Re: How to login to my jail from host itself (normal user) X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 13 Nov 2011 09:24:09 -0000 This is an OpenPGP/MIME signed message (RFC 2440 and 3156) --------------enig8A2557824EC6A5DE5E39092E Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable On 13/11/2011 02:54, masayoshi wrote: > I must adduser Ayumi as normal user. > After adding her in jail, I add her in host. > Then I type the following command: >=20 > # ln -s /usr/jails/www/home/ayumi /home >=20 > When she logins, she is in /usr/jails/www/home/ayumi. > But if she uses "cd" command, she can move directory. >=20 > I would like to keep her in jail because she is reckless. > I would like to know how to login to my jail as normal user from host i= tself when login prompt appear. > If possible, could you tell me how to do it? >=20 > Thanks in advance. >=20 I assume simply using a restricted shell like rbash is unsuitable? And that you cannot simply give your user an unprivileged login account -- without root access, while they may be able to chdir around the system, there's not much damage they can do accidentally. (Although users are endlessly inventive when it comes to breaking things...) When you say 'login' do you mean at the console? That's going to be fairly tricky to enforce. However if you mean logging in over the net by eg. ssh then to confine the user to a jail is pretty easy. Enable sshd in the jail -- usually this means configuring sshd the host to bind to specific IP numbers rather than '*'. See jail(8) for more details. Then you give the user a working login and password in the jail and not on the host system. Either delete the account in the host or set the login shell to /sbin/nologin and lock the password. Now, if you want to support console based logins direct to a jail. As far as I know, this is not possible with the FreeBSD console. It would be a really cool thing to be able to do though. Dedicate one of the console vty's to the jail... Unfortunately I don't think that's going to be impossible without code changes to the OS. The problem is init(8) -- the master process on the system, and the process that controls each of the getty(8) programs that watch for login attempts on the various terminals -- that program would require modification so that it knew how to associate a particular vty with a jail, and then manage the login process to create a new login session within the jail. About the only way I can think of doing this for a console login is to use X and set up xdm(8) to enable its remote login capability, in which case you get a pull-down on the login screen to allow you to choose which host to log into. But I've never tried to set up a system like this, so I can't really say if its possible or not. My educated guess is that it should work, but it's quite an ambitious project for a beginne= r. It would be nice if you could just force the login process on the host to run something like 'jexec -U $USER 1 /bin/tcsh' but that's a command you need root privilege for, so scratch that. Also, it's pretty dodgy to assume that the jail you want is always going to be running with JID=3D= 1. If you can rely on your user to follow instructions, then you can just tell them to 'ssh jailhost' immediately they login to the host, and set up sshd in the jail as described above. This means they will have to have a working login on the host system, but you can make that be an unprivileged account without root access or access to anything else sensitive. Their account in the jail can have root there, no problem. Cheers, Matthew --=20 Dr Matthew J Seaman MA, D.Phil. 7 Priory Courtyard Flat 3 PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate JID: matthew@infracaninophile.co.uk Kent, CT11 9PW --------------enig8A2557824EC6A5DE5E39092E Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" -----BEGIN PGP SIGNATURE----- Version: GnuPG/MacGPG2 v2.0.16 (Darwin) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAk6/jLQACgkQ8Mjk52CukIz9RgCeOjU10jMu7eEmLDe63RJW8gMD bOYAoJN4TyRcf/QMca9vuNY1w3CXdgBU =PUPX -----END PGP SIGNATURE----- --------------enig8A2557824EC6A5DE5E39092E--