Date: Mon, 12 Feb 96 09:56:02 -0800
From: Cy Schubert - BCSC Open Systems Group <cschuber@uumail.gov.bc.ca>
To: "az.com" <yankee@anna.az.com>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Need help building jails
Message-ID: <199602121756.JAA31080@passer.osg.gov.bc.ca>
In-Reply-To: Your message of "Sat, 10 Feb 96 09:49:10 PST." <Pine.BSF.3.91.960210093015.26616C-100000@anna.az.com>

> 2 questions:
>
> 1. Haven't been able to build a jail yet with chroot!
> [a few lines edited out]
> chroot: jail: Operation not permitted.
>
> I've tried endless permutations of permissions and configurations,
> nothing seems to work. If I'm super user, chroot works.

Chroot(2) only works if the process calling it has superuser privilege.

> Wanted to put a chroot in the best location, presumably not .login or
> .cshrc, but instead right in the /etc/passwd file as what to execute at
> login.
>
> 2. Can I find code for FreeBSD to do exactly the same thing as chroot with
> ftpd?
>
> 3. Can I find code for FreeBSD to do exactly the same thing as chroot
> with httpd?

FTPD and HTTPD both run as root. When a connection is accepted, both
chroot() and issue a setuid().

An idea would be to create a custom version of telnetd that would spawn a
custom version of login which would do a chroot() just prior to doing a
setuid(). The advantage is that your custom version of telnetd could
replace telnetd in inetd.conf while the original version could be used from
a different port. The custom login program could use /usr/local/etc/passwd
instead of /etc/passwd limiting access to users within the "jail"
environment.

Regards,                       Phone:  (604)389-3827
Cy Schubert                    OV/VM:  BCSC02(CSCHUBER)
Open Systems Support          BITNET:  CSCHUBER@BCSC02.BITNET
BC Systems Corp.            Internet:  cschuber@uumail.gov.bc.ca
                                       cschuber@bcsc02.gov.bc.ca

                "Quit spooling around, JES do it."