Date: Fri, 15 Feb 2002 14:02:49 +0100
From: Walter Hop
To: FreeBSD Hackers
Subject: chroot+su idea
Message-ID: <18416867424.20020215140249@binity.com>

Hi all,

just like many people, I want to run my "dangerous" daemons as a non-root user in a chroot environment. Now, I would usually use the ``su'', or ``chroot'' tools from the FreeBSD toolset in the creation of an rc.d script, but the question that puzzles me is how to combine these two measures?

1) su first, then chroot: impossible, as chroot needs to be run by root, so whenever I su to the user I cannot chroot anymore.

2) chroot first, then su: undesired, as I would have to move a suid root copy of the "su" tool into the chroot; also unpractical as I'd have to duplicate a lot of files into the chroot to satisfy su.

Is there a tool available that combines chroot and su? If not, a chroot capability would be an interesting feature to add to the FreeBSD ``su'' command in my opinion, e.g.

    % su -l ircd -r /usr/local/ircd -c 'bin/ircd'

Any ideas or suggestions would be welcomed.
If I have overlooked a current solution for the chroot+su chicken/egg problem, I'd love to submit a patch for su to add such a chroot parameter, but I could imagine that the committer team is more conservative than I am. :)

Thanks!
walter

-- 
Walter Hop | +31 6 24290808 | PGP keyid 0x84813998
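
One way to get the combination asked about in the message above, as an added example that is not part of the original message and is not FreeBSD's su or chroot code: a small wrapper, started as root, that looks the account up before entering the jail (so no passwd files need copying into it), calls chroot(2), then drops privileges and execs the daemon. The names resolve_user and jail_and_drop and the argument order are assumptions made for this example.

```c
#define _DEFAULT_SOURCE          /* exposes chroot/setgroups on glibc */
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Look the account up BEFORE chroot(2): /etc/passwd lives outside the jail. */
int resolve_user(const char *name, uid_t *uid, gid_t *gid)
{
    struct passwd *pw = getpwnam(name);
    if (pw == NULL)
        return -1;               /* outputs are left untouched on failure */
    *uid = pw->pw_uid;
    *gid = pw->pw_gid;
    return 0;
}

/* Enter the jail as root, then give up root for good. The order matters. */
int jail_and_drop(const char *root, uid_t uid, gid_t gid)
{
    if (uid == 0) { errno = EINVAL; return -1; }   /* "dropping" to root is no drop */
    if (chroot(root) != 0 || chdir("/") != 0)      /* chdir: no cwd left outside the jail */
        return -1;
    if (setgroups(1, &gid) != 0)                   /* shed root's supplementary groups */
        return -1;
    if (setgid(gid) != 0 || setuid(uid) != 0)      /* gid first: it needs root to change */
        return -1;
    if (setuid(0) == 0) { errno = EPERM; return -1; } /* regaining root must fail */
    return 0;
}

/* usage (hypothetical wrapper name): chrootsu user newroot command [args...] */
int main(int argc, char **argv)
{
    uid_t uid; gid_t gid;
    if (argc < 4 || resolve_user(argv[1], &uid, &gid) != 0) {
        fprintf(stderr, "usage: %s user newroot command [args...]\n", argv[0]);
        return 64;
    }
    if (jail_and_drop(argv[2], uid, gid) != 0) {
        perror("jail_and_drop");
        return 71;
    }
    execv(argv[3], &argv[3]);    /* command path is resolved inside the new root */
    perror("execv");
    return 71;
}
```

Only the daemon's own binary and the files it opens need to exist under the new root; no setuid su binary is placed inside it.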