Date: Mon, 21 Feb 2000 08:22:32 -0600 (CST) From: Ryan Thompson <freebsd@sasknow.com> To: "Nicholas J. Dear" <ndear@areti.net> Cc: isp@FreeBSD.ORG Subject: Re: Not allowing "dir up". Message-ID: <Pine.BSF.4.10.10002210809520.13499-100000@sasknow.com> In-Reply-To: <200002211344.NAA27354@post.mail.areti.net>
next in thread | previous in thread | raw e-mail | index | archive | help
On Mon, 21 Feb 2000, Nicholas J. Dear wrote: > Is there anyway we can stop users being able to "dir up" out of their home > directory? > > ie Their home dir is /usr/home/user/ > > And they can't get into /usr/home - or anything below. > > Many thanks, > N. Read chroot(8), or chroot(2) if the chroot command is to be issued from a C program. The basic syntax is: chroot /newroot [COMMAND] Note that the user's shell must exist under the /newroot directory. So, if their shell is /bin/csh, there should exist an executable /newroot/bin/csh as well. Be careful of permissions on executable files, and their parent directories! It is also a good idea to place a subset of the regular /bin (and possibly /sbin) directories under the new root environment. Something that generally also goes without saying is symlinks. Any symlinks that point to locations outside the chroot'ed environment will be broken. For example, ln -s /bin /newroot/bin is a BAD idea, and will not work under chroot. That all being said, running login users under chroot isn't strictly necessary if permissions are carefully set systemwide. I set a umask of 077 for my users (owner full control, group/world no access) so that users can not read each others' files unless explicit access is given. I make use of process and login accounting so I have a searchable database of what goes on, if a crack attempt is made. Read security(7). For ftp logins, simply edit /etc/ftpchroot and add the appropriate username, one per line. Running ftp users in a chroot environment IS a good idea, for reasons of simplicity. Most ftp accounts nowadays are used for web publishing, and users would be confused if presented with a full unix filesystem when their client defaults to the / directory :-) -- Ryan Thompson <ryan@sasknow.com> 50% Owner, Sysadmin SaskNow Technologies http://www.sasknow.com #106-380 3120 8th St E Saskatoon, SK S7H 0W2 To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-isp" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.4.10.10002210809520.13499-100000>