Special Forums IP Networking Change the root directory for apache, sshd and ftpd Post 302078863 by grial on Wednesday 5th of July 2006 06:07:49 AM
Hello!
What you want is possible. I've never tried it with Apache, but I suppose it is the same.
Basically, you need to use a few tools:
  • chroot
  • sudo
  • ldd
The idea is to provide the user only what he needs, so that he can be jailed with chroot.
First, you need to create your chroot jail. To achieve this, you must create a directory structure in each user's home as if it were "/". If you choose /home/user for the chroot jail of "user", you will need to create inside, at least:
dev/
usr/
usr/bin
usr/lib
var/
etc/
sbin/

After that, you have to copy there the tools and libs the user is going to use. You could use "ldd" to guess which libs each binary needs, and copy them to its appropriate directory. You may want to copy a shell, and some basic commands (cat, grep, more, etc) with the libraries they need to run.
For example, in my AIX box:

Code:
$ cp /usr/bin/ksh /home/user/usr/bin/ksh
$ ldd /usr/bin/ksh
/usr/bin/ksh needs:
         /usr/lib/libc.a(shr.o)
         /unix
         /usr/lib/libcrypt.a(shr.o)
$ cp /usr/lib/libc.a /home/user/usr/lib
$ cp /usr/lib/libcrypt.a /home/user/usr/lib

Perhaps you would need to create some device files in /home/user/dev. Do not use cp for this; instead, use the appropriate command. In my case (AIX), "mknod".

You will also need to create an etc/passwd and an etc/group in your chroot.

Now you need a "special shell" which puts the user into the jail when he/she logs in.
For instance, create a /bin/chroot_shell.sh like this:

Code:
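#!/bin/sh
# Login shell wrapper: re-enter as the same user inside the chroot at /home/$USER.
if [ "$1" = "-c" ]; then
        # Invoked as "shell -c command": forward the arguments intact
        sudo /usr/sbin/chroot "/home/$USER" /bin/su - "$USER" "$@"
else
        sudo /usr/sbin/chroot "/home/$USER" /bin/su - "$USER"
fi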

As you can see you will need to configure "sudo" for this to work. Use "visudo" to add a line like this:

Code:
user ALL=NOPASSWD:/usr/sbin/chroot /home/user /bin/su - user*

Next, change "user"'s shell to /bin/chroot_shell.sh in /etc/passwd.

After that, add a line in /home/user/etc/passwd like:
Code:
user:!:203:1::/:/usr/bin/ksh

NOTICE: you must have copied /usr/bin/ksh to /home/user/usr/bin/ksh along with every lib ksh needs.

Well, these are, more or less, the steps you should follow, but most probably I forgot something or made a mistake... I've written this by heart.

I hope it helps.
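
The jail-building steps in the post above, as an added shell example that is not part of the original post: `ldd_paths` extracts library paths from `ldd` output in both the AIX form quoted in the post and the Linux form, `jail_add` copies a binary with its libraries into the jail, and `jail_unsafe_paths` lists entries that are not root-owned or are group/other-writable. The function names, the Linux sample lines and the ownership check are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post); function names are assumptions.

# Print the library files named in ldd output on stdin. Handles the AIX form
# quoted in the post and the Linux "name => /path (0x...)" form; skips the
# "needs:" header, unresolved entries and /unix.
ldd_paths() {
    awk '
        /needs:$/ { next }
        {
            p = ""
            for (i = 1; i < NF; i++)
                if ($i == "=>") { p = $(i + 1); break }
            if (p == "" && substr($1, 1, 1) == "/") p = $1
            sub(/\(.*$/, "", p)
            if (substr(p, 1, 1) == "/" && p != "/unix") print p
        }' | LC_ALL=C sort -u
}

# Copy BINARY and every library ldd reports into JAIL under the same paths.
# Paths containing whitespace are not supported.
jail_add() {
    jail=$1 bin=$2
    for f in "$bin" $(ldd "$bin" | ldd_paths); do
        mkdir -p "$jail$(dirname "$f")" && cp -p "$f" "$jail$f" || return 1
    done
}

# List jail entries not owned by OWNER (numeric uid, default 0) or writable by
# group/other. The wrapper runs chroot and su as root via sudo, so entries the
# jailed user can modify deserve review; ideally this prints nothing.
jail_unsafe_paths() {
    find "$1" \( ! -user "${2:-0}" -o -perm -020 -o -perm -002 \) ! -type l -print
}

# Sample ldd output: AIX lines are from the post, Linux lines are constructed.
SAMPLE_AIX='/usr/bin/ksh needs:
         /usr/lib/libc.a(shr.o)
         /unix
         /usr/lib/libcrypt.a(shr.o)'
SAMPLE_LINUX='        linux-vdso.so.1 (0x00007ffc0a5f2000)
        libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f1a2c000000)
        /lib64/ld-linux-x86-64.so.2 (0x00007f1a2c400000)'

if [ "$#" -eq 2 ]; then        # usage: sh jail.sh /home/user /usr/bin/ksh
    jail_add "$1" "$2" && jail_unsafe_paths "$1"
fi
```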
 
