I agree that a jail is the cleanest way. My setup is as follows: chroot jail: /home/jailedUsers
dirs and files within the jail: ./lib ./lib/libnsl.so.1 ./lib/libnsl-2.3.2.so ./lib/libc.so.6 ./lib/libc-2.3.2.so ./lib/ld-linux.so.2 ./lib/ld-2.3.2.so ./lib/libnss_compat.so.2 ./lib/libnss_compat-2.3.2.so ./lib/libnss_files.so.2 ./lib/libnss_files-2.3.2.so ./lib/libresolv.so.2 ./lib/libresolv-2.3.2.so ./lib/libutil.so.1 ./lib/libutil-2.3.2.so ./lib/libcrypt.so.1 ./lib/libcrypt-2.3.2.so ./lib/libdl.so.2 ./lib/libdl-2.3.2.so ./lib/libncurses.so.5 ./lib/libncurses.so.5.4 ./lib/librt.so.1 ./lib/librt-2.3.2.so ./lib/libpthread.so.0 ./lib/libpthread-0.10.so ./lib/libacl.so.1 ./lib/libacl.so.1.1.0 ./lib/libattr.so.1 ./lib/libattr.so.1.1.0 ./lib/libm.so.6 ./lib/libm-2.3.2.so ./lib/libpam.so.0 ./lib/libpam_misc.so.0 ./etc ./etc/nsswitch.conf ./etc/passwd ./etc/group ./etc/jailkit ./etc/jailkit/jk_lsh.ini ./etc/resolv.conf ./etc/host.conf ./etc/hosts ./etc/protocols ./etc/motd ./etc/issue ./etc/bash.bashrc ./etc/profile ./etc/terminfo -- bunch of dirs in here --- ./usr ./usr/bin ./usr/bin/jk_lsh ./usr/bin/ssh ./usr/bin/nvi ./usr/bin/scp ./usr/bin/awk ./usr/bin/bzip2 ./usr/bin/bunzip2 ./usr/bin/away ./usr/lib ./usr/lib/sftp-server ./usr/lib/i586 ./usr/lib/i586/libcrypto.so.0.9.7 ./usr/lib/libz.so.1 ./usr/lib/libz.so.1.2.1 ./usr/lib/libbz2.so.1.0 ./usr/lib/libbz2.so.1.0.2 ./dev ./dev/urandom ./dev/tty ./dev/log ./bin ./bin/sh ./bin/bash ./bin/ls ./bin/cat ./bin/chmod ./bin/mkdir ./bin/cp ./bin/cpio ./bin/date ./bin/dd ./bin/echo ./bin/egrep ./bin/false ./bin/sleep ./home ./home/drocke ./root And by only allowing the user write access to his/her own directory (within the jail) will limit the liability to the system. Mark --- Ehren Wilson <[EMAIL PROTECTED]> wrote: > The cleanest way I have found was using rssh. All you do is change > the > shell to /usr/bin/rssh. The only issue I have with it is that to > jail them > to their home directory you need a separate chroot for each folder of > the > following. I jailed the /home folder and thus only need one jail, if > you > want each user to be jailed to ~/ as / then you need a separate jail > for > each user through copying or linking the files. > > > Ehren Wilson > > jail components: > ./etc > ./etc/ld.so.cache > ./etc/ld.so.conf > ./usr > ./usr/bin > ./usr/bin/scp > ./usr/lib > ./usr/lib/i686 > ./usr/lib/i686/cmov > ./usr/lib/i686/cmov/libcrypto.so.0.9.7 > ./usr/lib/libz.so.1 > ./usr/lib/rssh > ./usr/lib/rssh/rssh_chroot_helper > ./usr/lib/sftp-server > > > -----Original Message----- > > From: Robert Cates [mailto:[EMAIL PROTECTED] > > Sent: Monday, June 28, 2004 11:54 AM > > To: debian-isp@lists.debian.org > > Cc: Andreas John; MB; [EMAIL PROTECTED] > > Subject: Re: restricting sftp/ssh login access > > > > > > Hi, and thanks for the quick replies! > > Just to be a bit clearer in what I'm asking: I would like to be > able to > > allow my customers to access their accounts (update their web > sites) with > > sftp which as I understand it is an extention to (Open)SSH, and > > not FTP. I > > know for example that the Windows application - WS_FTP Pro - has an > option > > to use sftp/ssh on port 22 and when I tested it, I landed way up at > root > > "/". So, I'd like to be able to allow secure access, but with an > > ftp client > > like WS_FTP Pro using sftp, and not a Secure SHell. I have my > > server setup > > so that the customer can use SSH to change their password, and > that's all > > they can do with SSH. > > > > Is there nothing in the ssh_config or sshd_config which can be set > to > > restrict sftp access to a designated directory? > > > > It seems to me that the patched OpenSSH way that Hiren pointed out > is > > workable - http://chrootssh.sourceforge.net/docs/chrootedsftp.html > but I'm > > open to other maybe better ways. > > > > Thanks again, > > Robert > > ----- Original Message ----- > > From: "MB" <[EMAIL PROTECTED]> > > To: "Andreas John" <[EMAIL PROTECTED]> > > Cc: <debian-isp@lists.debian.org> > > Sent: Monday, June 28, 2004 6:47 PM > > Subject: Re: restricting sftp/ssh login access > > > > > > > John, > > > > > > First off, I make a small mistake, the package I used was > "jailkit", > > > from either: > > > > > > > http://www.gnu.org/directory/All_Packages_in_Directory/jailkit.html > > > or > > > http://freshmeat.net/projects/jailkit/ > > > > > > It has tons of documentation to help you create a jailed > environment, > > > including loading your jail with whatever executables needed. > > > > > > Looks like I simplified my script to one line: > > > > > > ----------------------- > > > #!/bin/bash > > > > > > /usr/sbin/jk_socketd > > > ------------------------ > > > > > > This produces a group of daemonized processes: > > > nobody 13659 13658 0 Apr18 ? 00:00:00 [jk_socketd] > > > > > > > > > but I think that I had a much more elaborate script to > > > {start|stop|restart} this daemon, something like: > > > > > > > > > /etc/init.d/chroot_jail > > > ------------------------ > > > #!/bin/bash > > > > > > case "$1" in > > > start) > > > echo -n "Starting Chroot Jail Server: chroot jail" > > > start-stop-daemon --start --quiet --pidfile > > > /var/run/jk_socketd.pid --exec /usr/sbin/jk_socketd -- > > > echo "." > > > ;; > > > stop) > > > echo -n "Stopping Chroot Jail Server: chroot jail" > > > start-stop-daemon --stop --quiet --oknodo --pidfile > > > /var/run/jk_socketd.pid > > > echo "." > > > ;; > > > > > > restart) > > > echo -n "Restarting Chroot Jail Server: chroot jail" > > > start-stop-daemon --stop --quiet --oknodo --retry 30 --pidfile > > > /var/run/jk_socketd.pid > > > start-stop-daemon --start --quiet --pidfile > > > /var/run/jk_socketd.pid --exec /usr/sbin/jk_socketd -- > > > echo "." > > > ;; > > > > > > *) > > > echo "Usage: /etc/init.d/chroot_jail > {start|stop|restart}" > > > exit 1 > > > esac > > > > > > exit 0 > > > --------------------------------------- > > > > > > > > > Mark > > > > > > > > > --- Andreas John <[EMAIL PROTECTED]> wrote: > > > > Hi Mark! > > > > > > > > > You will need to run a special daemon (jk_socketd) to log > users > > > > into the > > > > > jail, but that is about the hardest part. I'll post my > startup > > > > script > > > > > if you would like. > > > > > > > > Do I need the ssh-patch if I run this jk_socketd? Does it > replace > > > > that > > > > patch? It's pain in the ass to maintain an ssh package that is > > > > seperate > > > > from the debian tree. > > > > > > > > And yes - please post me that startup-script. Would be nice. > > > > > > > > Best regards and many pengiuns, > > > > Andreas > > > > > > > > > > > > -- > > > > Andreas John > > > > net-lab GmbH > > > > Luisenstrasse 30b > > > > 63067 Offenbach > > > > Tel: +49 69 85700331 > > > > > > > > http://www.net-lab.net > > > > > > > -- > To UNSUBSCRIBE, email to [EMAIL PROTECTED] > with a subject of "unsubscribe". Trouble? Contact > [EMAIL PROTECTED] > >
