From owner-freebsd-questions Wed Aug 7 10:11:26 1996
Return-Path: owner-questions
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id KAA20040 for questions-outgoing; Wed, 7 Aug 1996 10:11:26 -0700 (PDT)
Received: from mail.EUnet.hu (mail.eunet.hu [193.225.28.100]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id KAA19999 for ; Wed, 7 Aug 1996 10:11:19 -0700 (PDT)
Received: by mail.EUnet.hu, id TAA21763; Wed, 7 Aug 1996 19:11:16 +0200
Received: by CoDe.CoDe.hu (SAA03849); Wed, 7 Aug 1996 18:58:27 GMT
From: Gabor Zahemszky
Message-Id: <199608071858.SAA03849@CoDe.CoDe.hu>
Subject: Re: chroot
To: freebsd-questions@freebsd.org
Date: Wed, 7 Aug 1996 18:58:27 +0000 (GMT)
Cc: njensen@salsa.habaneros.com
In-Reply-To: <01BB8434.5D2CBF00@jalapeno.habaneros.com> from "Neil C. Jensen" at Aug 7, 96 07:45:05 am
X-Mailer: ELM [version 2.4 PL24]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-questions@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

> The permissions on chroot are correct:
> -r-xr-xr-x 1 bin bin 8192 Jul 16 19:33 /usr/sbin/chroot
>
> If I use "/usr/sbin/chroot /home/terminal" as my login shell, the
> exact error message is "login: /usr/sbin/chroot /home/terminal:
> permission denied".

I think login tries to run the file ``/usr/sbin/chroot /home/terminal'' (as a file, and not as a command with a directory parameter!) but cannot find it. I think you cannot make a login shell that way, only with scripts. (So make a little program, e.g. chrootedshell, which has ``chroot /home/terminal'' in it, and use that instead. But as so many people would scream, SUID shell scripts don't work in modern Unices, so use perl/C/I don't know what.) BUT:

> If I instead try to use the login script, the error message is
> "chroot: /home/terminal: Operation not permitted"

chroot(8) tries to run the shell ($SHELL) or the second parameter. But it searches for it in the chrooted environment! So you need (e.g.) a /bin/sh in that /home/terminal directory, and of course most of the other utilities and data files (and shared libraries!).

But: as chroot(2) says, the chroot syscall is restricted to the superuser only. But login changes UID to your user, so chroot generates an error. So make a little C program which is SUID and execs chroot. But beware: after it, your user will be root in that chrooted file structure. (Try it:

(as root)
$ chown root chroot; chmod u+s chroot
(and as normal user)
$ env SHELL=/bin/sh /usr/sbin/chroot /
$ id
uid=NM(who-you-were) euid=0(root) .... (... doesn't matter)

So first turn everything back: chown bin chroot ; chmod 555 chroot, and after it write another version which, after chrooting, switches back to the original uid (it would be simpler to write the whole thing into your SUID C wrapper).

(In modern AT&T Unices there is a little trick in login; maybe FBSD has to ``port'' it: if the user's shell in ``/etc/passwd'' is a *, then login makes a chroot to that user's home directory and starts the login procedure from the beginning: exec login, get username, password (from that chrooted directory's /etc/passwd), and start the shell. Well, with this method that user needs to type her/his login name (and password) twice, but ...)

-- 
Gabor Zahemszky
-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-
Earth is the cradle of human sense, but you can't stay in the cradle forever.
Tsiolkovsky
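The SUID C wrapper Gabor describes, written out as an added example (this is not his code, nor FreeBSD's): it chroot()s while the effective uid is still 0, then hands the privilege back with setgid()/setuid() so the real user is an ordinary user inside the jail, and refuses to exec the shell unless it can prove the drop took. The jail path /home/terminal and the shell path /bin/sh inside it are assumptions taken from the thread; the privilege sanity check goes a little beyond the mail, which only says to switch back to the original uid. Install it the way the mail installs chroot (chown root, chmod u+s) and point the user's passwd entry at it; the jail still needs its own /bin/sh, utilities and shared libraries, exactly as the mail warns.

```c
/*
 * chrootshell.c -- added example, not from the original mail.
 * Setuid-root login wrapper: enter the jail as root, drop to the real
 * uid/gid, verify, then exec the shell that lives *inside* the jail.
 * JAIL and JAIL_SHELL are assumed values for this illustration.
 */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

#define JAIL       "/home/terminal"   /* assumed jail directory */
#define JAIL_SHELL "/bin/sh"          /* path as seen inside the jail */

/* Step 1: enter the jail. Needs euid 0, so it runs before the drop.
 * chdir() into the jail and again to "/" afterwards so the working
 * directory is never left outside the new root (a classic escape).
 * Returns 0, or -1 with errno set (EPERM when not root). */
int enter_jail(const char *dir)
{
    if (chdir(dir) == -1)
        return -1;
    if (chroot(dir) == -1)
        return -1;
    return chdir("/");
}

/* Step 2: give back what the setuid bit granted. Order matters: the
 * group list and gid first (they still need root), the uid last.
 * setgid()/setuid() from euid 0 also reset the saved ids, which is what
 * stops the jailed shell from calling setuid(0) later. */
int drop_to(uid_t uid, gid_t gid)
{
    if (setgroups(1, &gid) == -1)
        return -1;
    if (setgid(gid) == -1)
        return -1;
    if (setuid(uid) == -1)
        return -1;
    return 0;
}

/* Step 3: prove the drop worked before exec'ing anything. Returns 1 when
 * real and effective ids equal the target and root cannot be regained. */
int privs_dropped(uid_t uid, gid_t gid)
{
    if (getuid() != uid || geteuid() != uid)
        return 0;
    if (getgid() != gid || getegid() != gid)
        return 0;
    if (uid != 0 && setuid(0) == 0)   /* must fail once the saved uid is gone */
        return 0;
    return 1;
}

int main(void)
{
    uid_t ruid = getuid();   /* the user login actually authenticated */
    gid_t rgid = getgid();

    if (enter_jail(JAIL) == -1) {
        fprintf(stderr, "chroot %s: %s\n", JAIL, strerror(errno));
        return 1;
    }
    if (drop_to(ruid, rgid) == -1 || !privs_dropped(ruid, rgid)) {
        fprintf(stderr, "could not drop privileges: %s\n", strerror(errno));
        return 1;   /* never start a shell as root inside the jail */
    }

    /* Hand the jailed shell a small, known environment rather than the
     * caller's; a leading '-' in argv[0] makes it behave as a login shell. */
    char *const argv[] = { "-sh", NULL };
    char *const envp[] = { "SHELL=" JAIL_SHELL, "PATH=/bin:/usr/bin", NULL };
    execve(JAIL_SHELL, argv, envp);
    fprintf(stderr, "exec %s: %s\n", JAIL_SHELL, strerror(errno));
    return 1;
}
```

The check in privs_dropped() is the part people forget: a wrapper that calls seteuid() instead of setuid() leaves the saved uid at 0, and the jailed user's shell can simply call setuid(0) to become root again, which is the situation the ``$ id'' transcript in the mail shows.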