kalinix wrote:
On Tue, 2007-09-18 at 14:45 -0500, Mike McCarty wrote:
Manuel Arostegui Ramirez wrote:
http://www.todo-linux.com/modules.php?name=News&file=article&sid=2485
I followed that with a few modifications to make the chroot
environment look a little bit more like the natural environment.
One change I made was to put the jailed shell in
/usr/local/bin/jail_shells/pajaro
rather than in /bin/jail. This allows easy setup of different
users with jailed shells named for them. Another was to add
/home/pajaro/home/pajaro, so that the "home" directory shows
up in the chroot environment.
I see some consequences which are somewhat different from the
"normal" environment.
(1) I found that
$ su - pajaro
worked to log in, but not
$ login
login: pajaro
Password:
Login incorrect
(2) The user must enter his password twice when logging in,
once for the user and once for sudo to execute the chroot.
(3) The user, though jailed, runs as root in the chroot
environment, not as himself
bash-2.05b# whoami
whoami: cannot find username for UID 0
(4) After the initial login, the current directory is
/, not $HOME.
bash-2.05b# pwd
/
bash-2.05b# ls
bin home lib usr
bash-2.05b# cd
bash-2.05b# pwd
/home/pajaro
bash-2.05b#
Mike
--
p="p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);}
Oppose globalization and One World Governments like the UN.
This message made from 100% recycled bits.
You have found the bank of Larn.
I can explain it for you, but I can't understand it for you.
I speak only for myself, and I am unanimous in that!
(just trying to be wiseguy :) )
I'd rather be a wise guy than a dumb guy.
I wasn't complaining, I was noting differences between the
environments. I had, perhaps naively, supposed that one could
create a chroot environment in which the user was jailed, but
couldn't otherwise tell the difference. Always running as a
user other than the login name is a pretty significant difference,
especially if the effective user is root.
(1) I tested with same setup as in document ad worked for me, of course
with
Hmm. I wonder what the difference may be? I didn't log out
at any time, but I don't see how that would make any difference.
I also don't see how the modifications I made would cause "su -"
and "login" to behave differently.
(2) two time password :) But I think you can override the sudo password
with NOPASSWD in sudoers
I believe you are correct.
(3) this is intended to, since you *sudo* chroot.
Hmm. Are you sure that this is the "intended effect". I understand
why it happened.
(4) actually you don't have a true login shell so the home directory
in /etc/passwd means nothing. The PWD will be the one you chrooted to
It should be a login shell, if one uses login or su -. Also,
if you note, the cd I did transferred me to the $HOME directory
in the chroot'ed environment. So, it does mean SOMETHING.
Not to mention that you can easily break out from that jail.
Would you care to elucidate?
On the other hand I have noticed /etc/security/chroot.conf but never
found an RH/Fedora/CentOS document about how to set it up. It looks like
is using a pam module, pam_chroot.so
Hmm. I have one like this...
$ cat /etc/security/chroot.conf
# /etc/security/chroot.conf
# format:
# username_regex chroot_dir
#matthew /home
I know next to nothing about chroot and PAM.
In the meanwhile there is another chroot howto. Sorry again guys that is
not Fedora related :D This time is debian.
I don't have a problem with information from whatever source.
http://www.debian.org/doc/manuals/securing-debian-howto/ap-chroot-ssh-env.en.html
You might be interested in the link it provides: chroot section of the
Debian Reference
Thanks!
Mike
--
p="p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);}
Oppose globalization and One World Governments like the UN.
This message made from 100% recycled bits.
You have found the bank of Larn.
I can explain it for you, but I can't understand it for you.
I speak only for myself, and I am unanimous in that!