On Tue, 2007-09-18 at 16:31 -0500, Mike McCarty wrote:
> kalinix wrote:
> > On Tue, 2007-09-18 at 14:45 -0500, Mike McCarty wrote:
> >
> >>Manuel Arostegui Ramirez wrote:
> >>
> >>>http://www.todo-linux.com/modules.php?name=News&file=article&sid=2485
> >>>
> >>
> >>I followed that with a few modifications to make the chroot
> >>environment look a little bit more like the natural environment.
> >>One change I made was to put the jailed shell in
> >>
> >>    /usr/local/bin/jail_shells/pajaro
> >>
> >>rather than in /bin/jail. This allows easy setup of different
> >>users with jailed shells named for them. Another was to add
> >>/home/pajaro/home/pajaro, so that the "home" directory shows
> >>up in the chroot environment.
> >>
> >>I see some consequences which are somewhat different from the
> >>"normal" environment.
> >>
> >>(1) I found that
> >>
> >>    $ su - pajaro
> >>
> >>worked to log in, but not
> >>
> >>    $ login
> >>    login: pajaro
> >>    Password:
> >>    Login incorrect
> >>
> >>(2) The user must enter his password twice when logging in,
> >>once for the user and once for sudo to execute the chroot.
> >>
> >>(3) The user, though jailed, runs as root in the chroot
> >>environment, not as himself
> >>
> >>    bash-2.05b# whoami
> >>    whoami: cannot find username for UID 0
> >>
> >>(4) After the initial login, the current directory is
> >>/, not $HOME.
> >>
> >>    bash-2.05b# pwd
> >>    /
> >>    bash-2.05b# ls
> >>    bin  home  lib  usr
> >>    bash-2.05b# cd
> >>    bash-2.05b# pwd
> >>    /home/pajaro
> >>    bash-2.05b#
> >>
> >>Mike
> >>-- 
> >>p="p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);}
> >>Oppose globalization and One World Governments like the UN.
> >>This message made from 100% recycled bits.
> >>You have found the bank of Larn.
> >>I can explain it for you, but I can't understand it for you.
> >>I speak only for myself, and I am unanimous in that!
> >>
> >
> > (just trying to be wiseguy :) )
>
> I'd rather be a wise guy than a dumb guy.
>
> I wasn't complaining, I was noting differences between the
> environments. I had, perhaps naively, supposed that one could
> create a chroot environment in which the user was jailed, but
> couldn't otherwise tell the difference. Always running as a
> user other than the login name is a pretty significant difference,
> especially if the effective user is root.
>
> > (1) I tested with the same setup as in the document and it worked for me, of course
> > with
>
> Hmm. I wonder what the difference may be? I didn't log out
> at any time, but I don't see how that would make any difference.
> I also don't see how the modifications I made would cause "su -"
> and "login" to behave differently.
>
> > (2) two times password :) But I think you can override the sudo password
> > with NOPASSWD in sudoers
>
> I believe you are correct.
>
> > (3) this is intended to, since you *sudo* chroot.
>
> Hmm. Are you sure that this is the "intended effect"? I understand
> why it happened.
>
> > (4) actually you don't have a true login shell so the home directory
> > in /etc/passwd means nothing. The PWD will be the one you chrooted to
>
> It should be a login shell, if one uses login or su -. Also,
> if you note, the cd I did transferred me to the $HOME directory
> in the chroot'ed environment. So, it does mean SOMETHING.

It's a long debate... the simplest way to check is 'shopt'. If login_shell
is on then you are in a login shell... Mine is off.
As for $HOME I guess you're right, although if I try cd I get an error.
Maybe I should have an /etc/passwd in the chrooted env.

>
> > Not to mention that you can easily break out from that jail.
>
> Would you care to elucidate?

It's not trivial, but still, a skilled person could do it:

http://www.unixwiz.net/techtips/chroot-practices.html
http://www.bpfh.net/simes/computing/chroot-break.html

A little bit outdated, but I'm pretty sure there are many howtos out there
waiting to be read :D

> > On the other hand I have noticed /etc/security/chroot.conf but never
> > found an RH/Fedora/CentOS document about how to set it up. It looks like
> > it is using a pam module, pam_chroot.so
>
> Hmm. I have one like this...
>
> $ cat /etc/security/chroot.conf
> # /etc/security/chroot.conf
> # format:
> # username_regex chroot_dir
> #matthew /home
>
> I know next to nothing about chroot and PAM.
>
> > In the meanwhile there is another chroot howto. Sorry again guys that it is
> > not Fedora related :D This time it is Debian.
>
> I don't have a problem with information from whatever source.
>
> > http://www.debian.org/doc/manuals/securing-debian-howto/ap-chroot-ssh-env.en.html
> >
> > You might be interested in the link it provides: chroot section of the
> > Debian Reference
>
> Thanks!
>
> Mike

Calin

=================================================
The price of seeking to force our beliefs on others is that someday
they might force their beliefs on us.
-- Mario Cuomo
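Point (3) above, the jailed user ending up as UID 0 because the jail shell runs "sudo chroot", is the one a defender fixes first: a root shell inside a chroot is what makes the escapes in those links practical. Below is an added example, not code from the thread, of a small wrapper that does the chroot as root and then permanently drops to the user's own uid/gid before exec'ing a login shell; it assumes the thread's layout (/home/pajaro mirrored inside the jail) and would replace the "sudo chroot" line in the per-user jail shell.

```c
/* jailwrap.c: added example, not code from the thread. Replaces "sudo chroot JAIL /bin/bash"
 * with a wrapper that enters the jail and drops root before starting the user's shell. */
#define _GNU_SOURCE
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Permanently drop root to uid/gid; 0 on success, -1 on failure. Refuses uid/gid 0, since
 * "dropping" to root is exactly what leaves the jailed shell as UID 0 (point (3) above). */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (uid == 0 || gid == 0)
        return -1;
    /* Order matters: supplementary groups, then gid, then uid; after setuid() there is no way back. */
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    /* Verify the drop is real: regaining root must now fail. */
    if (setuid(0) == 0 || getuid() != uid || geteuid() != uid)
        return -1;
    return 0;
}

/* Run as root (e.g. via sudo, as the thread does): jailwrap <jail_dir> <user> <shell> */
int main(int argc, char **argv)
{
    if (argc != 4) { fprintf(stderr, "usage: %s jail_dir user shell\n", argv[0]); return 2; }
    /* Look the user up on the host *before* chroot: the jail may have no /etc/passwd (cf. the whoami error). */
    struct passwd *pw = getpwnam(argv[2]);
    if (pw == NULL) { fprintf(stderr, "unknown user %s\n", argv[2]); return 1; }
    /* chroot() alone leaves the cwd outside the jail; chdir("/") closes that gap. */
    if (chroot(argv[1]) != 0 || chdir("/") != 0) { perror("chroot"); return 1; }
    if (drop_privileges(pw->pw_uid, pw->pw_gid) != 0) { fprintf(stderr, "privilege drop failed\n"); return 1; }
    /* pw_dir is the host path (/home/pajaro); with the thread's /home/pajaro/home/pajaro
     * layout the same path exists inside the jail, so HOME and a bare "cd" work. */
    setenv("HOME", pw->pw_dir, 1);
    /* A leading '-' in argv[0] makes bash a login shell (shopt login_shell reports "on"). */
    const char *base = strrchr(argv[3], '/');
    char argv0[256];
    snprintf(argv0, sizeof argv0, "-%s", base ? base + 1 : argv[3]);
    char *args[] = { argv0, NULL };
    execv(argv[3], args);
    perror("execv");
    return 1;
}
```

Inside the jail, whoami still needs a copy of /etc/passwd with the user's entry, as noted above; the wrapper only fixes which uid the shell runs as.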