05-31-2013
Hmm, this is exactly what a "chroot" environment is for. Notice that you do not have to put every binary there, just the absolute minimum. If there is no shell you do not need to deny access to it. Further, you put only copies of these binaries there, not the real ones. If a process manages to compromise these it is still jailed in its - now compromised - chroot environment.
I hope this helps.
bakunin
LEARN ABOUT OPENSOLARIS
chroot
chroot(1M) System Administration Commands chroot(1M)
NAME
chroot - change root directory for a command
SYNOPSIS
/usr/sbin/chroot newroot command
DESCRIPTION
The chroot utility causes command to be executed relative to newroot. The meaning of any initial slashes (/) in the path names is changed
to newroot for command and any of its child processes. Upon execution, the initial working directory is newroot.
Notice that redirecting the output of command to a file,
chroot newroot command >x
will create the file x relative to the original root of command, not the new one.
The new root path name is always relative to the current root. Even if a chroot is currently in effect, the newroot argument is relative to
the current root of the running process.
This command can be run only by the super-user.
RETURN VALUES
The exit status of chroot is the return value of command.
EXAMPLES
Example 1 Using the chroot Utility
The chroot utility provides an easy way to extract tar files (see tar(1)) written with absolute filenames to a different location. It is
necessary to copy the shared libraries used by tar (see ldd(1)) to the newroot filesystem.
example# mkdir /tmp/lib; cd /lib
example# cp ld.so.1 libc.so.1 libcmd.so.1 libdl.so.1 \
    libsec.so.1 /tmp/lib
example# cp /usr/bin/tar /tmp
example# dd if=/dev/rmt/0 | chroot /tmp tar xvf -
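The manual library copying in Example 1, and the advice in the post above to put only copies of the absolute minimum of binaries into the jail, can be scripted. This is an added example, not part of the man page or the forum post: the function names build_jail and jail_audit are hypothetical, and it assumes an ldd(1) that prints absolute library paths (if yours does not list the runtime linker, copy it separately, as Example 1 does with ld.so.1).

```shell
#!/bin/sh
# build_jail JAILDIR BINARY...
# Copy each binary plus the shared objects ldd reports into JAILDIR,
# keeping their absolute paths so they resolve after chroot.
# Assumption: paths contain no whitespace.
build_jail() {
    jail=$1; shift
    mkdir -p "$jail" || return 1
    for bin in "$@"; do
        [ -x "$bin" ] || { echo "not executable: $bin" >&2; return 1; }
        # ldd lines look like "libc.so.6 => /lib/libc.so.6 (0x...)";
        # keep only the fields that are absolute paths.
        deps=$(ldd "$bin" 2>/dev/null |
            awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) print $i }')
        for f in "$bin" $deps; do
            [ -e "$f" ] || continue
            mkdir -p "$jail$(dirname "$f")" || return 1
            # Without -R, cp follows symlinks: the jail gets a real copy,
            # never a link back to the original file.
            cp -p "$f" "$jail$f" || return 1
        done
    done
}

# jail_audit JAILDIR
# Print anything that does not belong in a minimal jail (a shell, or a
# set-uid/set-gid file). Returns 0 if the jail is clean, 1 otherwise.
jail_audit() {
    found=$(find "$1" \( -type f -o -type l \) \
        \( -name sh -o -name bash -o -name ksh -o -name csh -o -name zsh \
           -o -perm -4000 -o -perm -2000 \) -print)
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}
```

Building and auditing the directory needs no privileges; only the final chroot(1M) call must be run by the super-user.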
ATTRIBUTES
See attributes(5) for descriptions of the following attributes:
+-----------------------------+-----------------------------+
|       ATTRIBUTE TYPE        |       ATTRIBUTE VALUE       |
+-----------------------------+-----------------------------+
|Availability                 |SUNWcsu                      |
+-----------------------------+-----------------------------+
SEE ALSO
cd(1), tar(1), chroot(2), ttyname(3C), attributes(5)
NOTES
Exercise extreme caution when referencing device files in the new root file system.
References by routines such as ttyname(3C) to stdin, stdout, and stderr will find that the device associated with the file descriptor is
unknown after chroot is run.
SunOS 5.11 15 Dec 2003 chroot(1M)