Date: Fri, 12 Mar 1999 17:32:13 -0800 (PST)
From: <unknown@riverstyx.net>
To: Licia <licia@o-o.org>
Cc: Brett Glass <brett@lariat.org>, freebsd-chat@FreeBSD.ORG, fad@o-o.org
Subject: Re: added chroot to /usr/bin/login
Message-ID: <Pine.LNX.4.04.9903121731510.17092-100000@hades.riverstyx.net>
In-Reply-To: <Pine.BSF.4.05.9903121853470.24744-100000@o-o.org>

Just thought I'd mention that 80 is a really common group on a lot of web
servers for the http group (and the login group of the http user).

On Fri, 12 Mar 1999, Licia wrote:

> On Fri, 12 Mar 1999, Brett Glass wrote:
>
> > I like it! However, I guess my concern would be that assigning a fixed
> > number (in this case, 80) to the group that gets chrooted might not
> > be the best way to go. Groups in FreeBSD can contain only a limited
> > number of users, so this places a limit on the usefulness of the
> > feature. And if group 80 is already in use, it could require major
> > modifications to the file system to avoid problems.
> >
>
> I'm glad someone likes it :)
>
> This is why it is specifically -login group- 80. This doesn't require any
> additions to /etc/group to add the user. Simply chpass the user, and change
> their gid to 80. This will allow an effectively unlimited number of users to
> be chrooted with no problem.
>
> I asked about how to find a good 'reserved group' and got no responses, so I
> made one up. 80 sounded nice to me :) If it's in use, it's a completely
> trivial alteration to the patches to change to whatever gid is desired. Just
> go in and change the 80 to the new gid.
>
> > How about something like the /etc/ftpchroot file, where one can list
> > both users and groups that are chrooted? Or the /etc/skey.access
> > file, which lets you use the tty, IP address, group membership,
> > and/or the individual user ID as criteria? (The latter may be overkill
> > for this situation.) You could probably snag the code right out of
> > ftpd to implement an etc/loginchroot file. Or it could be made into
> > a library which ftpd, login, and other programs could share.
> >
> > --Brett
> >
>
> For this situation I think really that anything else would be overkill. I'm
> actually thinking of removing the chroot-group idea, and having it totally
> based on /etc/login.conf, but for now I think it's ok as it is :)
>
> > At 06:01 PM 3/12/99 -0600, Licia wrote:
> > >
> > >I've placed a small patch to /usr/src/usr.bin/login/login.c on my home site
> > >at http://www.o-o.org/~licia/projects/login/ that adds a simple and fairly
> > >clean way to chroot users at login time. The 2.2.8R patch is tested, the
> > >FreeBSD-current patch is anyone's guess, although I think it should probably
> > >work :)
> > >
> > > [ licia@o-o.org ] [ http://www.o-o.org/~licia/ ] [ Alias : Ladywolf]
> > > [ Telnet to o-o.org and log in as bbs ] [ ssh -l bbs -C o-o.org ]
> > > [ A happy user of FreeBSD : http://www.freebsd.org/ ]
> > >
> > > main(){int num[4]={1768122732,762265697,1919889007,103};printf("%s\n",num);}
> > >
> > >
> > >To Unsubscribe: send mail to majordomo@FreeBSD.org
> > >with "unsubscribe freebsd-chat" in the body of the message
> >
>
> [ licia@o-o.org ] [ http://www.o-o.org/~licia/ ] [ Alias : Ladywolf]
> [ Telnet to o-o.org and log in as bbs ] [ ssh -l bbs -C o-o.org ]
> [ A happy user of FreeBSD : http://www.freebsd.org/ ]
>
> main(){int num[4]={1768122732,762265697,1919889007,103};printf("%s\n",num);}
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-chat" in the body of the message
>

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-chat" in the body of the message
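
Editor's added example (not part of the thread, and not code from the login patch or from ftpd): a sketch of the list-file alternative raised in the quoted discussion, where one file names both users and groups to chroot. The file name comes from the thread; the `@group` line syntax, the function name `login_chroot_match` and the sample rules are assumptions made for illustration. A group entry is compared against the account's login group, so no /etc/group member list is consulted.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample of a hypothetical /etc/loginchroot: one entry per line,
 * "name" matches a user, "@name" matches the user's login group (assumed syntax). */
static const char SAMPLE_RULES[] =
    "# accounts chrooted at login\n"
    "guest\n"
    "@www      # login group shared by web accounts\n"
    "  @bbs\n";

/* Hypothetical helper: return 1 if the account must be chrooted, else 0.
 * login_group is the name of the passwd-entry gid (e.g. from getgrgid()). */
int login_chroot_match(const char *rules, const char *user, const char *login_group)
{
    while (*rules != '\0') {
        const char *p = rules;
        const char *end = rules + strcspn(rules, "\n");
        size_t tlen = 0;

        rules = end + (*end == '\n');            /* advance to the next line */
        while (p < end && (*p == ' ' || *p == '\t'))
            p++;                                 /* skip leading blanks */
        while (p + tlen < end && strchr(" \t\r#", p[tlen]) == NULL)
            tlen++;                              /* first token, stop at comment */
        if (tlen == 0)
            continue;                            /* blank or comment-only line */

        const char *want = user;
        if (*p == '@') {                         /* group entry: compare login group */
            want = login_group;
            p++;
            tlen--;
        }
        /* Exact-length comparison, so "www" never matches "www2" or "ww". */
        if (tlen > 0 && want != NULL && strlen(want) == tlen &&
            memcmp(p, want, tlen) == 0)
            return 1;
    }
    return 0;
}

int main(void)
{
    printf("guest/users -> %d\n", login_chroot_match(SAMPLE_RULES, "guest", "users"));
    printf("alice/www   -> %d\n", login_chroot_match(SAMPLE_RULES, "alice", "www"));
    printf("alice/staff -> %d\n", login_chroot_match(SAMPLE_RULES, "alice", "staff"));
    return 0;
}
```

A user entry and a group entry live in separate namespaces here: an account named `www` whose login group is `staff` is not matched by the `@www` line.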