IP Networking

Helo !
I want to do something and I don't know where to start... I want to make a small web hosting server (just for me and a few friends) and for the sake of learning I'd like to make an account for every user. The thing is that I want everyone to log into the server and to be put in his home directory and that directory to be the root directory for that user.
I want to do this with ftpd, sshd and apache. All services for that user must let him in his home directory and he shouldn't be able to go anywhere else (excepting his subdirectories).

For ftpd it's simple... I use ftpchroot. I know that I can recompile the ftp server with it's built-in ls command, but I don't think it's necesarely.

For sshd, and apache I guess that I should do something with chroot... but I don't know what exactly to do... I mean, the root directory will differ for every user...

So, any ideeas or starting points to "acomplish" this it will be apreciated. Of course, any other point of view is welcomed as well.

The operating system I use is FreeBSD 5.4-RELEASE.

Thanks !

Helo!
What you want is possible. I've never tryed it with Apache, but I suppose is the same.
Basically, you need to use a few tools:The idea is to provide the user only what he needs, so that he can be jailed with chroot.
First, you need to create your chroot jail. To achieve this, you must create a directory structure on each user home as if it was "/". If you choose /home/user for "user" chroot jail, you will need to create inside, at least:
dev/
usr/
usr/bin
usr/lib
var/
etc/
sbin/

After that, you have to copy there the tools and libs the user is going to use. You could use "ldd" to guess which libs each binary needs, and copy them to its appropriate directory. You may want to copy a shell, and some basic commands (cat, grep, more, etc) with the libraries they need to run.
For example, in my AIX box:

Code:

$cp /usr/bin/ksh /home/user/usr/bin/ksh
$ldd /usr/bin/ksh 
/usr/bin/ksh needs:
         /usr/lib/libc.a(shr.o)
         /unix
         /usr/lib/libcrypt.a(shr.o)
$cp /usr/lib/libc.a /home/user/usr/lib
$cp /usr/lib/libcrypt.a /home/user/usr/lib

Perhaps you would need to create some device files in /home/user/dev. Do not use cp for this, instead, use the appropriate command. In may case (AIX), "mknod".

You will also need to create an etc/passwd and an etc/group in your chroot.

Now you need a "special shell" which put the user into the jail when he/she logs in.
For instance, create a /bin/chroot_shell.sh like this:

Code:

if [ "$1" = "-c" ]; then
        sudo /usr/sbin/chroot /home/$USER /bin/su - $USER $*
else
        sudo /usr/sbin/chroot /home/$USER /bin/su - $USER
fi

As you can see you will need to configure "sudo" for this to work. Use "visudo" to add a line like this:

Code:

user ALL=NOPASSWD:/usr/sbin/chroot /home/user /bin/su - user*

Next, change "user"'s shell into /bin/chroot_shell.sh in /etc/passwd

After that, And add a line in /home/user/etc/passwd like:

Code:

user:!:203:1::/:/usr/bin/ksh

NOTICE, you must have copyed /usr/bin/ksh to /home/user/usr/bin/ksh along with every lib ksh needs.

Well, these are, more or less, the steps you should follow, but most probably I forgot something or made a mistake... I've written this by heart

I hope it helps.

Well... it sounds pretty simple... I'll try later and I hope it is going to work.
Thanks a lot for your answer and for the time spent writing this mini-tutorial

Yes, it's really simple
I think this is valid also for apache... I've tested it in Linux, AIX and Solaris with ftp, telnet, ssh and have no problem... Besides it is easy to automate with scripts if you ar planning to have a large amount of users
I have a more detailed tuto written by me in spanish, but this is an english forum, hehehe...
Good luck with the test!