On Tue, 2007-09-18 at 14:45 -0500, Mike McCarty wrote:
> Manuel Arostegui Ramirez wrote:
> >
> > http://www.todo-linux.com/modules.php?name=News&file=article&sid=2485
> >
>
> I followed that with a few modifications to make the chroot
> environment look a little bit more like the natural environment.
> One change I made was to put the jailed shell in
>
> /usr/local/bin/jail_shells/pajaro
>
> rather than in /bin/jail. This allows easy setup of different
> users with jailed shells named for them. Another was to add
> /home/pajaro/home/pajaro, so that the "home" directory shows
> up in the chroot environment.
>
> I see some consequences which are somewhat different from the
> "normal" environment.
>
> (1) I found that
>
> $ su - pajaro
>
> worked to log in, but not
>
> $ login
> login: pajaro
> Password:
> Login incorrect
>
> (2) The user must enter his password twice when logging in,
> once for the user and once for sudo to execute the chroot.
>
> (3) The user, though jailed, runs as root in the chroot
> environment, not as himself
>
> bash-2.05b# whoami
> whoami: cannot find username for UID 0
>
> (4) After the initial login, the current directory is
> /, not $HOME.
>
> bash-2.05b# pwd
> /
> bash-2.05b# ls
> bin home lib usr
> bash-2.05b# cd
> bash-2.05b# pwd
> /home/pajaro
> bash-2.05b#
>
> Mike
> --
> p="p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);}
> Oppose globalization and One World Governments like the UN.
> This message made from 100% recycled bits.
> You have found the bank of Larn.
> I can explain it for you, but I can't understand it for you.
> I speak only for myself, and I am unanimous in that!
>

(just trying to be wiseguy :) )

(1) I tested with same setup as in document and worked for me, of course with
(2) two time password :) But I think you can override the sudo password with NOPASSWD in sudoers
(3) this is intended to, since you *sudo* chroot.
(4) actually you don't have a true login shell so the home directory in /etc/passwd means nothing. The PWD will be the one you chrooted to

Not to mention that you can easily break out from that jail.

On the other hand I have noticed /etc/security/chroot.conf but never found an RH/Fedora/CentOS document about how to set it up. It looks like it is using a pam module, pam_chroot.so

In the meanwhile there is another chroot howto. Sorry again guys that is not Fedora related :D This time it is debian.

http://www.debian.org/doc/manuals/securing-debian-howto/ap-chroot-ssh-env.en.html

You might be interested in the link it provides: chroot section of the Debian Reference

Calin

=================================================
"Help Mr. Wizard!" -- Tennessee Tuxedo
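
Added example, not part of the original thread or the linked howto: a jailed login shell wrapper in C that addresses points (3) and (4) above by changing into the home directory after chroot() and then giving up root before the shell starts. It assumes the wrapper is installed setuid root as the user's login shell and that the jail root is the user's home directory, as in the /home/pajaro layout; `enter_jail` and the `jail_status` names are hypothetical.

```c
#define _DEFAULT_SOURCE   /* chroot(), setgroups(), clearenv() on glibc */
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

enum jail_status { JAIL_OK, JAIL_REFUSE_ROOT, JAIL_ERR_CHROOT,
                   JAIL_ERR_CHDIR, JAIL_ERR_DROP, JAIL_ERR_STILL_ROOT };

/* chroot into jail_root, then drop root. Order matters: chroot() needs
 * root, so the drop comes after it; groups go before the gid and the gid
 * before the uid, because each call needs privilege the next one removes. */
enum jail_status enter_jail(const char *jail_root, const char *home,
                            uid_t uid, gid_t gid)
{
    if (uid == 0 || gid == 0)
        return JAIL_REFUSE_ROOT;      /* a root shell in the jail is point (3) */
    if (chroot(jail_root) != 0)
        return JAIL_ERR_CHROOT;
    /* chroot() does not change the cwd: move inside the jail, preferring
     * the home directory (point (4)), falling back to the jail's "/". */
    if (chdir(home) != 0 && chdir("/") != 0)
        return JAIL_ERR_CHDIR;
    if (setgroups(1, &gid) != 0 || setgid(gid) != 0 || setuid(uid) != 0)
        return JAIL_ERR_DROP;
    if (setuid(0) == 0 || getuid() != uid || geteuid() != uid)
        return JAIL_ERR_STILL_ROOT;   /* the drop must not be reversible */
    return JAIL_OK;
}

int main(void)
{
    /* Assumption: setuid-root binary, so getuid() is the invoking user. */
    struct passwd *pw = getpwuid(getuid());
    if (pw == NULL) {
        fprintf(stderr, "jail: unknown uid\n");
        return 1;
    }
    enum jail_status st = enter_jail(pw->pw_dir, pw->pw_dir, pw->pw_uid, pw->pw_gid);
    if (st != JAIL_OK) {
        fprintf(stderr, "jail: setup failed at step %d\n", (int)st);
        return 1;
    }
    clearenv();                       /* start the shell with a minimal env */
    setenv("HOME", pw->pw_dir, 1);
    setenv("PATH", "/bin:/usr/bin", 1);
    execl("/bin/bash", "-bash", (char *)NULL);
    perror("jail: exec"); return 1;
}
```

Because the privileged step happens inside the wrapper, no sudo call is involved, so the second password prompt from point (2) does not occur either.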