Date: Wed, 7 Aug 1996 18:58:27 +0000 (GMT)
From: Gabor Zahemszky <zgabor@CoDe.hu>
To: freebsd-questions@freebsd.org
Cc: njensen@salsa.habaneros.com
Subject: Re: chroot
Message-ID: <199608071858.SAA03849@CoDe.CoDe.hu>
In-Reply-To: <01BB8434.5D2CBF00@jalapeno.habaneros.com> from "Neil C. Jensen" at Aug 7, 96 07:45:05 am
> The permissions on chroot are correct:
> -r-xr-xr-x  1 bin  bin  8192 Jul 16 19:33 /usr/sbin/chroot
>
> If I use "/usr/sbin/chroot /home/terminal" as my login shell, the
> exact error message is "login: /usr/sbin/chroot /home/terminal:
> permission denied".

I think login tries to run the file ``/usr/sbin/chroot /home/terminal'' (as a file, and not as a command with a directory parameter!) but cannot find it. I think you cannot make a login shell that way, only with scripts. (So make a little program, e.g. chrootedshell, which has ``chroot /home/terminal'' in it, and use that instead. But, as so many people would scream, SUID shell scripts don't work in modern Unices, so use perl/C/I don't know what.) BUT:

> If I instead try to use the login script, the error message is
> "chroot: /home/terminal: Operation not permitted"

chroot(8) tries to run the shell ($SHELL) or the second parameter. But it searches for it in the chrooted environment! (See also: configuring anonymous ftp.) So you need (e.g.) a /bin/sh in that /home/terminal directory, and of course most of the other utilities and data files (and shared libraries!).

But: as chroot(2) says, the chroot syscall is restricted to the superuser only. But login changes the UID to your user, so chroot generates an error. So make a little C program which is SUID and execs chroot. But beware: after it, your user will be root in that chrooted file structure. (Try it:

(as root)
    $ chown root chroot; chmod u+s chroot
(and as normal user)
    $ env SHELL=/bin/sh /usr/sbin/chroot /
    $ id
    uid=NM(who-you-were) euid=0(root) .... (... doesn't matter)

So first turn everything back: chown bin chroot ; chmod 555 chroot, and after that write another version which, after chrooting, switches back to the original uid (it would be simpler to write the whole thing into your SUID C-wrapper).

(In modern AT&T Unices there is a little trick in login; maybe FBSD has to ``port'' it: if the user's shell in ``/etc/passwd'' is a *, then login makes a chroot to that user's home directory and starts the login procedure from the beginning: exec login, get username and password (from that chrooted directory's /etc/passwd), and start the shell. Well, with this method that user needs to type her/his login name (and password) twice, but ...

--
Gabor Zahemszky <zgabor@CoDe.hu>
-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-
Earth is the cradle of human sense, but you can't stay in the cradle forever. Tsiolkovsky
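The SUID C wrapper described in the message (chroot into the jail, then switch back to the original uid before starting the shell), written out as an added example; this is not code from the original message or from FreeBSD. /home/terminal as the jail directory comes from the thread; the file name chrootedshell and the hardcoded /bin/sh inside the jail are assumptions.

```c
/* chrootedshell.c: SUID-root login wrapper that confines the user to a
 * directory and gives up root before running the shell.  Added example,
 * not from the original message.  Assumptions: /home/terminal is the jail
 * (from the thread) and a /bin/sh exists inside it.
 * Install: cc -o chrootedshell chrootedshell.c; chown root chrootedshell;
 *          chmod 4555 chrootedshell; then use it as the login shell. */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Enter `dir` and return to the invoking user's identity.  Returns 0 on
 * success, -1 with errno set on failure (ENOENT, ENOTDIR, EPERM, ...). */
int confine(const char *dir)
{
    uid_t uid = getuid();      /* real uid: the user login handed us */
    gid_t gid = getgid();

    if (chroot(dir) == -1)     /* needs euid 0, hence the SUID bit */
        return -1;
    if (chdir("/") == -1)      /* otherwise cwd still points outside */
        return -1;
    /* Drop root for good: supplementary groups, then gid, then uid.
     * The order matters; once uid is non-zero the other calls would fail. */
    if (setgroups(1, &gid) == -1 || setgid(gid) == -1 || setuid(uid) == -1)
        return -1;
    /* Verify the drop is permanent: regaining root must now fail. */
    if (uid != 0 && setuid(0) != -1) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

int main(void)
{
    const char *jail = "/home/terminal";   /* assumption taken from the thread */
    if (confine(jail) == -1) {
        fprintf(stderr, "chrootedshell: %s: %s\n", jail, strerror(errno));
        return 1;
    }
    /* Do not trust $SHELL in a SUID program; run a fixed shell that must
     * exist inside the jail.  argv[0] "-sh" makes it a login shell. */
    execl("/bin/sh", "-sh", (char *)NULL);
    perror("chrootedshell: exec /bin/sh");
    return 1;
}
```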