From: Terry Lambert
Message-Id: <199903130229.TAA15918@usr05.primenet.com>
Subject: Re: added chroot to /usr/bin/login
To: licia@o-o.org (Licia)
Date: Sat, 13 Mar 1999 02:29:03 +0000 (GMT)
Cc: freebsd-chat@FreeBSD.ORG, fad@o-o.org
In-Reply-To: from "Licia" at Mar 12, 99 06:01:22 pm

> I've placed a small patch to /usr/src/usr.bin/login/login.c on my home site
> at http://www.o-o.org/~licia/projects/login/ that adds a simple and fairly
> clean way to chroot users at login time. The 2.2.8R patch is tested, the
> FreeBSD-current patch is anyone's guess, although I think it should probably
> work :)

I think the correct way to pursue this would be to put the users in
a "chroot" login class.

You would put the word "chroot" between the colons in the passwd file
entry via "vipw", e.g.:

    test::999:999:chroot:0:0:test user:/A/testuser:/bin/csh

And then within this class, add the resource limit "rootdir" in addition
to the default, e.g.:

    chroot:\
        :rootdir=~:\
        :tc=default:

Note: ~ expands to the home directory, $ expands to the username; you
could also do:

    chroot:\
        :rootdir=/jail/$:\
        :tc=default:

And then use:

    login_getcapstr(3)

Within login itself to get the string; if present, you chroot to the
target.

You could also do:

    sharedjail:\
        :rootdir=/usr06/jail/:\
        :tc=default:

And put users in a shared, but chrooted environment, like so:

    sally::2018:2018:sharedjail:0:0:sally:/users/s/sally:/bin/csh
    bob::2019:2019:sharedjail:0:0:bob:/users/b/bob:/bin/csh

They could interact (and share shared libraries, for example), but not
affect the rest of the system.

                                        Terry Lambert
                                        terry@lambert.org
---
Any opinions in this posting are my own and not those of my present
or previous employers.
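The "rootdir" expansion described in the message above, as an added example that is not part of the original post or of FreeBSD's login.c. It assumes login_getcapstr(3) hands back the capability string unexpanded and that every '~' and '$' in it is substituted; expand_rootdir is a hypothetical helper name, and it refuses results that would be unsafe to pass to chroot.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not from login.c): expand a "rootdir" capability value,
 * '~' -> home directory, '$' -> user name. Returns 0 on success, -1 if the
 * result must not be used as a chroot target. */
int expand_rootdir(const char *tmpl, const char *home, const char *user,
                   char *out, size_t outlen)
{
    size_t n = 0;

    if (outlen == 0)
        return -1;
    /* The user name becomes a path component: no separators, no dot names. */
    if (user[0] == '\0' || strchr(user, '/') != NULL ||
        strcmp(user, ".") == 0 || strcmp(user, "..") == 0)
        return -1;
    for (const char *p = tmpl; *p != '\0'; p++) {
        const char *piece = p;
        size_t len = 1;
        if (*p == '~') { piece = home; len = strlen(home); }
        else if (*p == '$') { piece = user; len = strlen(user); }
        if (len >= outlen - n)  /* fail rather than chroot to a truncated path */
            return -1;
        memcpy(out + n, piece, len);
        n += len;
    }
    out[n] = '\0';
    if (out[0] != '/')          /* target must be an absolute path */
        return -1;
    for (const char *s = out; (s = strstr(s, "..")) != NULL; s += 2)
        if (s[-1] == '/' && (s[2] == '/' || s[2] == '\0'))
            return -1;          /* ".." component would escape the jail prefix */
    return 0;
}

int main(void)
{
    /* Constructed inputs: the three rootdir values and users from the message. */
    const char *t[][3] = { { "~", "/A/testuser", "test" },
                           { "/jail/$", "/A/testuser", "test" },
                           { "/usr06/jail/", "/users/s/sally", "sally" } };
    char dir[1024];
    for (size_t i = 0; i < sizeof t / sizeof t[0]; i++)
        if (expand_rootdir(t[i][0], t[i][1], t[i][2], dir, sizeof dir) == 0)
            printf("%-13s -> %s\n", t[i][0], dir);
    /* In login, as root and before dropping privileges: chroot(dir), then chdir("/"). */
    return 0;
}
```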