Date:      Fri, 12 Mar 1999 17:32:13 -0800 (PST)
From:      <unknown@riverstyx.net>
To:        Licia <licia@o-o.org>
Cc:        Brett Glass <brett@lariat.org>, freebsd-chat@FreeBSD.ORG, fad@o-o.org
Subject:   Re: added chroot to /usr/bin/login
Message-ID:  <Pine.LNX.4.04.9903121731510.17092-100000@hades.riverstyx.net>
In-Reply-To: <Pine.BSF.4.05.9903121853470.24744-100000@o-o.org>

Just thought I'd mention that 80 is a really common group on a lot of web
servers for the http group (and the login group of the http user).

On Fri, 12 Mar 1999, Licia wrote:

> On Fri, 12 Mar 1999, Brett Glass wrote:
> > I like it! However, I guess my concern would be that assigning a fixed
> > number (in this case, 80) to the group that gets chrooted might not
> > be the best way to go. Groups in FreeBSD can contain only a limited
> > number of users, so this places a limit on the usefulness of the
> > feature. And if group 80 is already in use, it could require major
> > modifications to the file system to avoid problems.
> > 
> 
> I'm glad someone likes it :)
> 
> This is why it is specifically -login group- 80.  This doesn't require any
> additions to /etc/group to add the user.  Simply chpass the user, and change
> their gid to 80.  This will allow an effectively unlimited number of users to
> be chrooted with no problem.
> 
> I asked about how to find a good 'reserved group' and got no responses, so I
> made one up.  80 sounded nice to me :)  If it's in use, it's a completely
> trivial alteration to the patches to change to whatever gid is desired.  Just
> go in and change the 80 to the new gid.
> 
> > How about something like the /etc/ftpchroot file, where one can list
> > both users and groups that are chrooted? Or the /etc/skey.access
> > file, which lets you use the tty, IP address, group membership,
> > and/or the individual user ID as criteria? (The latter may be overkill
> > for this situation.) You could probably snag the code right out of
> > ftpd to implement an etc/loginchroot file. Or it could be made into
> > a library which ftpd, login, and other programs could share.
> > 
> > --Brett
> > 
> 
> For this situation I think really that anything else would be overkill.  I'm
> actually thinking of removing the chroot-group idea, and having it totally
> based on /etc/login.conf, but for now I think it's ok as it is :)
> 
> 
> > At 06:01 PM 3/12/99 -0600, Licia wrote:
> >  
> > >
> > >I've placed a small patch to /usr/src/usr.bin/login/login.c on my home site
> > >at http://www.o-o.org/~licia/projects/login/  that adds a simple and fairly
> > >clean way to chroot users at login time.  The 2.2.8R patch is tested, the
> > >FreeBSD-current patch is anyone's guess, although I think it should probably
> > >work :)
> > >
> > >
> > >     [ licia@o-o.org ] [ http://www.o-o.org/~licia/ ] [ Alias : Ladywolf]
> > >     [ Telnet to o-o.org and log in as bbs ]    [ ssh -l bbs -C o-o.org ]
> > >     [        A happy user of FreeBSD : http://www.freebsd.org/         ]
> > >
> > >  main(){int num[4]={1768122732,762265697,1919889007,103};printf("%s\n",num);}
> > >
> > >
> > >
> > >To Unsubscribe: send mail to majordomo@FreeBSD.org
> > >with "unsubscribe freebsd-chat" in the body of the message
> > 
> > 
> 
>      [ licia@o-o.org ] [ http://www.o-o.org/~licia/ ] [ Alias : Ladywolf]
>      [ Telnet to o-o.org and log in as bbs ]    [ ssh -l bbs -C o-o.org ]
>      [        A happy user of FreeBSD : http://www.freebsd.org/         ]
> 
>   main(){int num[4]={1768122732,762265697,1919889007,103};printf("%s\n",num);}
> 
> 
> 
> 
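
Added example, not the patch from this thread and not FreeBSD code: it puts the fixed login-gid rule next to the list-file idea suggested in the quoted message, and shows how the gid rule also catches a web server account whose login group is already 80. The `struct acct` type, the account names, the `user` / `@group` line format for a hypothetical /etc/loginchroot, and matching `@group` against the login group name only are all assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

#define CHROOT_GID 80            /* the fixed login gid discussed in the thread */

struct acct {                    /* hypothetical stand-in for a passwd entry */
    const char *name;
    gid_t       gid;             /* login (primary) gid, as in pw_gid */
    const char *group;           /* name of that login group */
};

/* Policy 1: confine the account when its login gid is the reserved gid. */
static int chroot_by_gid(const struct acct *a) { return a->gid == CHROOT_GID; }

/* Policy 2: list text, one entry per line, "user" or "@group"; '#' starts
 * a comment. Returns 1 when the account matches an entry, else 0. */
static int chroot_by_list(const struct acct *a, const char *list) {
    char line[128];
    while (*list) {
        size_t n = strcspn(list, "\n");
        const char *cur = list;
        list += n + (list[n] == '\n');
        if (n >= sizeof line) continue;       /* skip overlong lines whole */
        memcpy(line, cur, n);
        line[n] = '\0';
        line[strcspn(line, "#")] = '\0';      /* drop trailing comment */
        char *s = line + strspn(line, " \t"); /* skip leading blanks */
        s[strcspn(s, " \t\r")] = '\0';        /* keep the first token only */
        if (*s == '\0') continue;
        if (*s == '@' ? strcmp(s + 1, a->group) == 0 : strcmp(s, a->name) == 0)
            return 1;
    }
    return 0;
}

/* Constructed sample list in the hypothetical /etc/loginchroot format. */
static const char SAMPLE_LIST[] =
    "# accounts confined at login\n"
    "guest\n"
    "  @shellusers   # whole group\n";

int main(void) {
    struct acct www = { "www", 80, "www" }, bob = { "bob", 1001, "shellusers" };
    printf("gid rule:  www=%d bob=%d\n", chroot_by_gid(&www), chroot_by_gid(&bob));
    printf("list rule: www=%d bob=%d\n",
           chroot_by_list(&www, SAMPLE_LIST), chroot_by_list(&bob, SAMPLE_LIST));
    return 0;
}
```

With the constructed accounts, the gid rule confines `www` and misses `bob`, while the list rule does the reverse because only `@shellusers` and `guest` are named.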


