LinuxQuestions.org
Old 05-20-2009, 11:51 AM   #1
vargstein
LQ Newbie
 
Registered: Apr 2009
Posts: 16

Rep: Reputation: 0
very simple chroot jail


Hi, I am trying to create a jail for a friend who is going to access some files.

I have read a lot about things like ssh jailing and stuff, but I want to make the jail global for the user. He is going to have an ftp account also, I know I can chroot that (vsftpd).

The thing is that I want something like this

/home/theguy/[bin,var,usr....]

AND /home/theguy/target

which I'm going to:
Code:
mount -o bind /var/www/htdocs/somesubdir /home/theguy/target

So I'm thinking about making a script which will be his login script, like

/etc/passwd:
Code:
theguy:x:1000:giggidy:/home/theguy:/path/to/script/below

and here is the login script:
Code:
#!/bin/bash

exec chroot /home/theguy/ /bin/bash

But the thing is that the chroot system call is for root only, so when theguy is executing his login script it will not work. Does anyone have any ideas on how I can do this? It will be very appreciated!

By the way, the reason this guy is getting an account is because of some html editing. I know there will be a lot of permissions blablabla, and that he maybe will chroot into /target or something. I'm going to deal with this after I get this to work.

Again; your help is very appreciated!
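
What the jail directory from the post above has to contain before `chroot /home/theguy /bin/bash` can start anything, and where the privileged step belongs, shown as an added example that is not part of the original post. The function names `jail_libs`, `build_jail` and `verify_jail` are illustrative, and the sketch assumes `ldd` and a `cp` that supports `-L`.

```shell
#!/bin/sh
# Added example: populate a jail with one program and the shared libraries it
# needs, so that "chroot JAIL PROG" has something to execute. Function names
# are illustrative. Building the tree needs no privileges; entering it does.

# jail_libs PROG: print the absolute path of each shared library PROG loads.
jail_libs() {
    # ldd prints "name => /path (addr)" or "/path (addr)"; keep only /path.
    # For a static binary ldd lists no paths, so the result is empty.
    ldd "$1" 2>/dev/null | grep -o '/[^ )]*' | sort -u
}

# build_jail JAIL PROG: copy PROG (absolute path) and its libraries into JAIL.
build_jail() {
    jail=$1; prog=$2
    case $prog in /*) ;; *) echo "need an absolute path" >&2; return 1 ;; esac
    [ -x "$prog" ] || { echo "not executable: $prog" >&2; return 1; }
    for f in "$prog" $(jail_libs "$prog"); do
        mkdir -p "$jail$(dirname "$f")" || return 1
        cp -L "$f" "$jail$f" || return 1   # -L: copy the target of a symlink
    done
}

# verify_jail JAIL PROG: succeed only if PROG and all its libraries are in JAIL.
verify_jail() {
    for f in "$2" $(jail_libs "$2"); do
        [ -e "$1$f" ] || { echo "missing in jail: $f" >&2; return 1; }
    done
}

# Entering the jail is the root-only step (chroot(2) needs CAP_SYS_CHROOT), so
# it cannot live in the user's own login script. Run as root, with the
# thread's paths, the sequence would be:
#   build_jail /home/theguy /bin/bash
#   mount -o bind /var/www/htdocs/somesubdir /home/theguy/target
#   chroot --userspec=theguy /home/theguy /bin/bash   # GNU coreutils option
# Keep the copied tree owned by root and not writable by the jailed user.

if [ $# -eq 2 ]; then
    build_jail "$1" "$2" && verify_jail "$1" "$2"
fi
```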
 
Old 05-20-2009, 03:55 PM   #2
stress_junkie
Senior Member
 
Registered: Dec 2005
Location: Massachusetts, USA
Distribution: Ubuntu 10.04 and CentOS 5.5
Posts: 3,873

Rep: Reputation: 335
Chroot jails are very well documented.

http://www.google.com/search?q=linux...-US:unofficial

You can easily mount the target directory inside the chroot jail.

Last edited by stress_junkie; 05-20-2009 at 03:56 PM.
 
Old 05-21-2009, 03:13 AM   #3
vargstein
LQ Newbie
 
Registered: Apr 2009
Posts: 16

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by stress_junkie
Chroot jails are very well documented.

http://www.google.com/search?q=linux...-US:unofficial

You can easily mount the target directory inside the chroot jail.
Yeah, but how can I allow a regular user to execute the chroot system call?
 
Old 05-23-2009, 04:12 PM   #4
phoenix_precedent
LQ Newbie
 
Registered: May 2009
Posts: 15

Rep: Reputation: 2
Have you investigated restricted shells?

You can set his default shell to rbash or rksh or the restricted version of whatever shell you use.
 
Old 05-23-2009, 05:08 PM   #5
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora
Posts: 3,935
Blog Entries: 5

Rep: Reputation: Disabled
Quote:
Originally Posted by vargstein
Hi, I am trying to create a jail for a friend who is going to access some files.
Given the context (this person is a "friend"), can you not just give him a regular shell account and put some thought into your filesystem permissions? By contrast, for untrusted users, handing out shell accounts is a large can of worms and difficult to implement securely.

Quote:
Originally Posted by phoenix_precedent
Have you investigated restricted shells?
IMO, even this option is difficult to implement well. Too many programs (e.g. even staples like vi and less) allow shell commands to be run from within them, thus circumventing the restricted shell "restrictions".
 
Old 05-24-2009, 04:08 AM   #6
phoenix_precedent
LQ Newbie
 
Registered: May 2009
Posts: 15

Rep: Reputation: 2
Quote:
Originally Posted by anomie
IMO, even this option is difficult to implement well. Too many programs (e.g. even staples like vi and less) allow shell commands to be run from within them, thus circumventing the restricted shell "restrictions".
Good point, but then again a secure chroot jail isn't exactly easy to set up either.

Does this friend really need shell access? If so, why?
 
Old 05-24-2009, 05:17 AM   #7
vargstein
LQ Newbie
 
Registered: Apr 2009
Posts: 16

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by phoenix_precedent
Good point, but then again a secure chroot jail isn't exactly easy to set up either.

Does this friend really need shell access? If so, why?
He is just going to edit some html files in my /var/www/htdocs/subdir

This guy is a good friend in real life, so I'm very sure he doesn't have cruel intentions. I just wanted to try to do this in a very simple way without installing a lot of applications. Something like I just change his login shell to a script that chroots into the jail and then I just mount -o bind a dir in the jail to the /var/www/htdocs/subdir.

I just want to learn how this works, but if I need a lot of applications to do this, then I can just accept that he can read almost all the files in my system.

Thanks for all the responses!

EDIT: And by the way, this guy doesn't know anything about unix at all, so I'm actually just trying this so I can learn how to do it.

Last edited by vargstein; 05-24-2009 at 05:22 AM.
 
Old 05-24-2009, 05:41 PM   #8
phoenix_precedent
LQ Newbie
 
Registered: May 2009
Posts: 15

Rep: Reputation: 2
I thought it might be something like that.

He doesn't need shell access. He will likely be far more comfortable editing files on his own machine and uploading/downloading them to/from yours via sftp or similar than learning vi/emacs/whatever. I'm sure there are even graphical utilities for windows that handle sftp/scp.

Restricting his access to the htdocs directory should be trivial. Google is your friend ;-)

Best of luck,
Phoenix
 
Old 05-25-2009, 10:15 AM   #9
vargstein
LQ Newbie
 
Registered: Apr 2009
Posts: 16

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by phoenix_precedent
I thought it might be something like that.

He doesn't need shell access. He will likely be far more comfortable editing files on his own machine and uploading/downloading them to/from yours via sftp or similar than learning vi/emacs/whatever. I'm sure there are even graphical utilities for windows that handle sftp/scp.

Restricting his access to the htdocs directory should be trivial. Google is your friend ;-)

Best of luck,
Phoenix
We are going to edit the same files, so I won't let him just upload the files after he has edited them, because if I have edited them then my changes will be lost. So using vi will give a warning that the file is already opened by someone else in vi. But I'll just give him a regular environment then.

Thanks for all the responses.
 
Old 05-27-2009, 05:59 AM   #10
phoenix_precedent
LQ Newbie
 
Registered: May 2009
Posts: 15

Rep: Reputation: 2
You could also use cvs or subversion, which has the added benefit of providing a nice history of your edits in case you want to roll back to a previous state.

-Phoenix
 
  

