From owner-freebsd-security Mon Feb 12 09:56:14 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id JAA14604 for security-outgoing; Mon, 12 Feb 1996 09:56:14 -0800 (PST)
Received: from passer.osg.gov.bc.ca (passer.osg.gov.bc.ca [142.32.110.29]) by freefall.freebsd.org (8.7.3/8.7.3) with ESMTP id JAA14599 for ; Mon, 12 Feb 1996 09:56:11 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by passer.osg.gov.bc.ca (8.7.3/8.6.10) with SMTP id JAA31080; Mon, 12 Feb 1996 09:56:02 -0800 (PST)
From: Cy Schubert - BCSC Open Systems Group
Message-Id: <199602121756.JAA31080@passer.osg.gov.bc.ca>
X-Authentication-Warning: passer.osg.gov.bc.ca: Host localhost [127.0.0.1] didn't use HELO protocol
Reply-to: cschuber@orca.gov.bc.ca
X-Mailer: DXmail
To: "az.com"
cc: freebsd-security@FreeBSD.ORG
Subject: Re: Need help building jails
In-reply-to: Your message of "Sat, 10 Feb 96 09:49:10 PST."
Date: Mon, 12 Feb 96 09:56:02 -0800
X-Mts: smtp
Sender: owner-security@FreeBSD.ORG
Precedence: bulk

> > 2 questions:
> > 1. Haven't been able to build a jail yet with chroot!
> [a few lines edited out]
> chroot: jail: Operation not permitted.
>
> I've tried endless permutations of permissions and configurations,
> nothing seems to work. If I'm super user, chroot works.

Chroot(2) only works if the process calling it has superuser privilege.

> Wanted to put a chroot in the best location, presumably not .login or
> .cshrc, but instead right in the /etc/passwd file as what to execute at
> login.
>
> 2. Can I find code for FreeBSD to do exactly the same thing as chroot with
> ftpd?
>
> 3. Can I find code for FreeBSD to do exactly the same thing as chroot
> with httpd?

FTPD and HTTPD both run as root. When a connection is accepted, both
chroot() and issue a setuid(). An idea would be to create a custom version
of telnetd that would spawn a custom version of login which would do a
chroot() just prior to doing a setuid().

The advantage is that your custom version of telnetd could replace telnetd
in inetd.conf while the original version could be used from a different
port. The custom login program could use /usr/local/etc/passwd instead of
/etc/passwd limiting access to users within the "jail" environment.

Regards,                       Phone:  (604)389-3827
Cy Schubert                    OV/VM:  BCSC02(CSCHUBER)
Open Systems Support          BITNET:  CSCHUBER@BCSC02.BITNET
BC Systems Corp.            Internet:  cschuber@uumail.gov.bc.ca
                                       cschuber@bcsc02.gov.bc.ca

                "Quit spooling around, JES do it."
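
The chroot()-then-setuid() sequence described in the reply above, sketched in C as an added example that is not part of the original message or of FreeBSD's ftpd, httpd or login. The function name `jail_and_drop`, the command-line layout and the presence of `/bin/sh` inside the jail directory are assumptions made for illustration.

```c
#define _DEFAULT_SOURCE          /* expose chroot() and setgroups() on glibc */
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/*
 * Confine the calling process to `dir`, then give up root for good.
 * Returns 0 on success, -1 with errno set on failure. On failure the
 * caller should exit: it may still be root inside the new root.
 */
int jail_and_drop(const char *dir, uid_t uid, gid_t gid)
{
    if (uid == 0 || gid == 0) {          /* "dropping" to root is no drop */
        errno = EINVAL;
        return -1;
    }
    if (chroot(dir) != 0)                /* EPERM unless caller is superuser */
        return -1;
    if (chdir("/") != 0)                 /* cwd must sit inside the new root */
        return -1;
    /* Group state first: once setuid() succeeds these calls are refused. */
    if (setgroups(1, &gid) != 0 || setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    if (setuid(0) == 0) {                /* root must not be recoverable */
        errno = EPERM;
        return -1;
    }
    return 0;
}

int main(int argc, char **argv)
{
    if (argc != 4) {
        fprintf(stderr, "usage: %s jaildir uid gid\n", argv[0]);
        return 2;
    }
    uid_t uid = (uid_t)strtoul(argv[2], NULL, 10);
    gid_t gid = (gid_t)strtoul(argv[3], NULL, 10);
    if (jail_and_drop(argv[1], uid, gid) != 0) {
        perror("jail_and_drop");         /* non-root: "Operation not permitted" */
        return 1;
    }
    /* Assumption: a shell has been installed at /bin/sh inside the jail. */
    execl("/bin/sh", "sh", (char *)NULL);
    perror("execl");
    return 1;
}
```

Run by an unprivileged user, the chroot() call fails with the same "Operation not permitted" error quoted in the question, which is why the sequence has to live in a program started as root.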