This is in response to an email a while back:
http://www.monkey.org/openbsd/archive/misc/0208/msg00558.html
Friday, July 19, 2002, 9:01:11 AM, you wrote:
....
I have used many programs like chrsh (Aaron Gifford)
on a port from Ben Goren but didn't get it to work.
I've done *everything* Aaron and Ben told
me to do, but chrsh insisted on reporting
an error like:

User='' (2000) Group='' (2000): Unable to obtain root permission in \
order to perform chroot() function.
After several tries, I finally quit it and decided to implement....

The reason you could not get Ben Goren's port of chrsh to work is that the port does not do everything for you; in particular, two things prevent it from working on OpenBSD 3.8:

It is not installed setuid or setgid, and the CHRSHPATH compiled into
chrsh.c makes the binary check that it lives at /bin/chrsh, but the
package installs it as /usr/local/bin/chrsh.

And to be honest, if we can't figure out that part, we are likely
to also put something in the jail that would allow a security break-out...


NOTE - DON'T even try to use chroot to limit user accounts unless you understand that it can be trivial to overcome:
 http://www.bpfh.net/simes/computing/chroot-break.html

It is perhaps very dangerous to chroot ssh except in special situations, but the truth is that a lot of servers try to do this, especially in Linux and FreeBSD implementations. Many seem to patch OpenSSH directly (not too happy about that); others use a shell. Some example approaches:

http://chrootssh.sourceforge.net/index.php
http://www.adg.us/computers/chrsh.html
http://olivier.sessink.nl/jailkit/





-----------------------------------------------------
----------------- details and notes ----------------
---------- read no further unless need to know -----
----------------------------------------------------

The reason for this post is that Google did not easily turn up answers about chrsh on OpenBSD beyond the helpful start by Ben Goren:

http://www.trumpetpower.com/OpenBSD/chrsh

His port almost works, but it does not install the binary setuid/setgid so that it can chroot(), and the binary fails its own path check because it is compiled with the wrong CHRSHPATH.


One approach is to use his port and then edit chrsh.c inside the port's work area:

edit ./chrsh/w-chrsh-1.0b2/chrsh/chrsh.c changing
#define CHRSHPATH       "/bin/chrsh"
to
#define CHRSHPATH       "/usr/local/bin/chrsh"

cd ./chrsh/w-chrsh-1.0b2/chrsh/
rm -f chrsh     # remove the stale binary (not the edited chrsh.c) so make rebuilds it
make
cp chrsh /usr/local/bin/chrsh


--- however, the package did not install setuid nor setgid ----
---  which probably is good because it forces you ---
--- to think or at least google --


ls -al /usr/local/bin/chrsh
-r-xr-xr-x  1 root  wheel  18340 Dec  /usr/local/bin/chrsh

chmod u+s,g+s /usr/local/bin/chrsh

ls -al /usr/local/bin/chrsh
-r-sr-sr-x  1 root  wheel  18340 Dec  /usr/local/bin/chrsh
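A sanity check for the two install problems described above (missing setuid/setgid bits and a CHRSHPATH that does not match where the binary lives), as an added example that is not from the original post or from chrsh itself; the binary path, the compiled-in CHRSHPATH and the expected owner are supplied by the caller:

```shell
#!/bin/sh
# check_chrsh_install BINARY CHRSHPATH [OWNER]
#   BINARY    the installed file, e.g. /usr/local/bin/chrsh
#   CHRSHPATH the path compiled into chrsh.c (#define CHRSHPATH)
#   OWNER     expected owner of the file (default: root)
# Prints every failing condition and returns non-zero if any fails.
check_chrsh_install() {
    bin=$1; want_path=$2; owner=${3:-root}
    rc=0
    if [ ! -f "$bin" ]; then
        echo "$bin: not a regular file"; return 1
    fi
    # chroot() needs root, so the wrapper must be owned by root ...
    if [ -z "$(find "$bin" -user "$owner" 2>/dev/null)" ]; then
        echo "$bin: not owned by $owner"; rc=1
    fi
    # ... and installed setuid and setgid (chmod u+s,g+s).
    [ -u "$bin" ] || { echo "$bin: setuid bit missing"; rc=1; }
    [ -g "$bin" ] || { echo "$bin: setgid bit missing"; rc=1; }
    # chrsh refuses to run unless it is at CHRSHPATH, so the compiled
    # string must equal the installed location ...
    if [ "$bin" != "$want_path" ]; then
        echo "$bin: compiled CHRSHPATH is $want_path"; rc=1
    fi
    # ... and the installed binary must actually carry that string
    # (catches a stale binary copied before the rebuild).
    if ! grep -a -q -- "$want_path" "$bin"; then
        echo "$bin: does not contain CHRSHPATH $want_path"; rc=1
    fi
    return $rc
}
```

Run it as `check_chrsh_install /usr/local/bin/chrsh /usr/local/bin/chrsh` after the chmod step; a zero exit means both problems from the port are fixed.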


--- and then you have to do all the steps for making the jail
--- and the special path for the shell -- which is documented
--- and sometimes scripted elsewhere....
as it says on Aaron D. Gifford's website:
That's all the documentation ya get, folks!  :)
