On Thu, 11 Oct 2001, Nadav Har'El wrote: > On Wed, Oct 10, 2001, Eran Levy wrote about "Chroot jail": > > Hi, > > I know how making bind, apache, etc. into a chroot jail. But now I want to > > make a guest account in a chroot jail. I had some documents/guides about > > that, but I cant find them now. Can someone give me URLs of > > documents/guides? I cant find guides/document specified for a user account > > in a chroot jail. Any idea? > > I don't know of any guides (try a search engine like Google) but there's > one obvious problem you'll need to solve when chroot-jailing someone: you'll > need to provide a copy all the binaries, libraries, and so on that the user is > supposed to use inside his jail. This becomes unwieldy when you have several > jailed users. > Two ways to prevent this redunant copying: > 1. Use hard-links (symbolic links won't work) rather than copying > 2. Put all the binaries, libraries, etc., that you want to give your > users in a seperate partition, and then mount it at multiple mount points. > This is possible in Linux! You can even have a virtual partition (e.g., > some sort of loopback) and not a real disk partition. > > But if you use one of these solutions, watch out: one of the ideas of a > chroot jail is that the user may (through some exploit) become root, but > then can only ruin his own files. If the files are linked to other files, > he'll be able to ruin those files. So never link a non-trusted user's files > with the ones you're using - always make at least one other copy - for the > non-trusted jailed users.
If you assume that the chroot-ed user can become root, and he either has a compiler or a binary of "chroot" then he can also break out of the chroot jail, and become root of the whole system. -- Tzafrir Cohen mailto:[EMAIL PROTECTED] http://www.technion.ac.il/~tzafrir ================================================================= To unsubscribe, send mail to [EMAIL PROTECTED] with the word "unsubscribe" in the message body, e.g., run the command echo unsubscribe | mail [EMAIL PROTECTED]
