Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
Hi, i am trying to create a jail for a friend who is going to access some files.
i have read alot about things like ssh jailing and stuff, but i want to make the jail global for the user. he is going to have an ftp account also, i know i can chroot that (vsftpd).
the thing is that i want something like this
/home/theguy/[bin,var,usr....]
AND /home/theguy/target
which im going to:
Code:
mount -o bind /var/www/htdocs/somesubdir /home/theguy/target
so im thinking about making a script which will be his login script like
but the thing is that the chroot system call is for root only. so when theguy is executing his login script it will not work. so does anyone got any ideas on how i can do this. it will be very appreciated!
by the way the reason this guy is getting an account is because some html editing. i know there will be alot of permissions blablabla, and that he maybe will chroot into /target or something. im going to deal with this after im getting this to work.
Hi, i am trying to create a jail for a friend who is going to access some files.
Given the context (this person is a "friend"), can you not just give him a regular shell account and put some thought into your filesystem permissions? By contrast, for untrusted users, handing out shell accounts is a large can of worms and difficult to implement securely.
Quote:
Originally Posted by phoenix_precedent
Have you investigated restricted shells?
IMO, even this option is difficult to implement well. Too many programs (e.g. even staples like vi and less) allow shell commands to be run from within them, thus circumventing the restricted shell "restrictions".
IMO, even this option is difficult to implement well. Too many programs (e.g. even staples like vi and less) allow shell commands to be run from within them, thus circumventing the restricted shell "restrictions".
Good point, but then again a secure chroot jail isn't exactly easy to setup either.
Does this friend really need shell access? If so, why?
Good point, but then again a secure chroot jail isn't exactly easy to setup either.
Does this friend really need shell access? If so, why?
he is just going to edit some html files in my /var/www/htdocs/subdir
this guy is a good friend in real life, so im very sure he don't have cruel intesions. I just wanted to try to do this in a very simple way without installing a lot of applications. something like i just change his login shell to a script that chroots into the jail and then i just mount -o bind a dir in the jail to the /var/www/htdocs/subdir.
i just want to learn how this works, but if i need alot of applications to do this, then i can just accept that he can read almost all the files in my system.
Thanks for all response!
EDIT: and by the way, this guy dosen't know anything about unix at all. so im actually just trying this so i can learn how to do it.
He doesn't need shell access. He will likely be far more comfortable editing files on his own machine and uploading/downloading them to/from yours via sftp or similar than learning vi/emacs/whatever. I'm sure there are even graphical utilities for windows that handle sftp/scp.
Restricting his access to the htdocs directory should be trivial. Google is your friend ;-)
He doesn't need shell access. He will likely be far more comfortable editing files on his own machine and uploading/downloading them to/from yours via sftp or similar than learning vi/emacs/whatever. I'm sure there are even graphical utilities for windows that handle sftp/scp.
Restricting his access to the htdocs directory should be trivial. Google is your friend ;-)
Best of luck,
Phoenix
we are going to edit the same files, so i won't let him just upload the files after he has edited them, because if i have edited them then my changes will be lost. so using vi will give a warning that the file is already opened by someone else in vi. but i'll just giving him a regular enviroment then.
You could also use cvs or subversion, which has the added benefit of providing a nice history of your edits in case you want to roll back to a previous state.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.