Mike.McCarty at sbcglobal.net
Tue Sep 18 21:31:23 UTC 2007
> On Tue, 2007-09-18 at 14:45 -0500, Mike McCarty wrote:
>>Manuel Arostegui Ramirez wrote:
>>I followed that with a few modifications to make the chroot
>>environment look a little bit more like the natural environment.
>>One change I made was to put the jailed shell in
>>rather than in /bin/jail. This allows easy setup of different
>>users with jailed shells named for them. Another was to add
>>/home/pajaro/home/pajaro, so that the "home" directory shows
>>up in the chroot environment.
>>I see some consequences which are somewhat different from the
>>(1) I found that
>> $ su - pajaro
>>worked to log in, but not
>> $ login
>> login: pajaro
>> Login incorrect
>>(2) The user must enter his password twice when logging in,
>>once for the user and once for sudo to execute the chroot.
>>(3) The user, though jailed, runs as root in the chroot
>>environment, not as himself
>> bash-2.05b# whoami
>> whoami: cannot find username for UID 0
>>(4) After the initial login, the current directory is
>>/, not $HOME.
>> bash-2.05b# pwd
>> bash-2.05b# ls
>> bin home lib usr
>> bash-2.05b# cd
>> bash-2.05b# pwd
> (just trying to be wiseguy :) )
I'd rather be a wise guy than a dumb guy.
I wasn't complaining, I was noting differences between the
environments. I had, perhaps naively, supposed that one could
create a chroot environment in which the user was jailed, but
couldn't otherwise tell the difference. Always running as a
user other than the login name is a pretty significant difference,
especially if the effective user is root.
> (1) I tested with the same setup as in the document and it worked for me, of course
Hmm. I wonder what the difference may be? I didn't log out
at any time, but I don't see how that would make any difference.
I also don't see how the modifications I made would cause "su -"
and "login" to behave differently.
> (2) two time password :) But I think you can override the sudo password
> with NOPASSWD in sudoers
I believe you are correct.
> (3) this is intended, since you *sudo* chroot.
Hmm. Are you sure that this is the "intended effect". I understand
why it happened.
> (4) actually you don't have a true login shell so the home directory
> in /etc/passwd means nothing. The PWD will be the one you chrooted to
It should be a login shell, if one uses login or su -. Also,
if you note, the cd I did transferred me to the $HOME directory
in the chroot'ed environment. So, it does mean SOMETHING.
> Not to mention that you can easily break out from that jail.
Would you care to elucidate?
> On the other hand I have noticed /etc/security/chroot.conf but never
> found an RH/Fedora/CentOS document about how to set it up. It looks like
> it is using a PAM module, pam_chroot.so
Hmm. I have one like this...
$ cat /etc/security/chroot.conf
# username_regex chroot_dir
I know next to nothing about chroot and PAM.
> In the meanwhile there is another chroot howto. Sorry again guys that is
> not Fedora related :D This time it is Debian.
I don't have a problem with information from whatever source.
> You might be interested in the link it provides: chroot section of the
> Debian Reference
Oppose globalization and One World Governments like the UN.
This message made from 100% recycled bits.
You have found the bank of Larn.
I can explain it for you, but I can't understand it for you.
I speak only for myself, and I am unanimous in that!
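As an added example that is not part of this thread or of the howto it discusses: a jailed-shell wrapper that enters the chroot through sudo and then immediately drops to the user with a real login shell inside the jail, which addresses points (3) and (4) above (the user is no longer root in the jail, and the shell starts in $HOME), together with a check that the chroot tree has the files such a login needs. The layout (/home/<user> as the chroot root, with /home/<user>/home/<user> as the home directory inside it) follows the message; the script name, the sudoers line, and the use of /bin/su inside the jail are my assumptions. Note that su on Fedora is PAM-linked, so /etc/pam.d/su, libpam and the modules it uses must also be copied into the jail, which the check below does not verify.

```shell
#!/bin/sh
# Added example (not from the original thread or the howto it refers to).
# Layout assumed from the message: the chroot root is /home/<user>, and
# /home/<user>/home/<user> exists inside it so "cd" lands in $HOME.

# Command a jailed login shell should exec: enter the chroot as root via
# sudo, then drop to the user with a real login shell ("su -") inside the
# jail, so the user is not root there and starts in $HOME.
# Assumed sudoers line (NOPASSWD avoids the second password prompt):
#   pajaro ALL=(root) NOPASSWD: /usr/sbin/chroot /home/pajaro /bin/su - pajaro
jail_cmd() {
    printf 'sudo chroot /home/%s /bin/su - %s\n' "$1" "$1"
}

# Sanity-check a chroot tree before pointing a user's login shell at it.
# Prints each problem found and returns non-zero if there was one.
# Note: /bin/su is PAM-linked on Fedora, so it also needs /etc/pam.d/su,
# libpam and the modules it uses copied into the jail (not checked here).
jail_check() {
    root="$1"
    user="$2"
    rc=0
    for f in bin/sh bin/su etc/passwd; do
        [ -e "$root/$f" ] || { echo "missing $root/$f"; rc=1; }
    done
    # Without the user in the jail's /etc/passwd, "su - user" cannot switch
    # to it, and whoami prints "cannot find username for UID ...".
    grep -q "^$user:" "$root/etc/passwd" 2>/dev/null \
        || { echo "$user not in $root/etc/passwd"; rc=1; }
    # Without a home directory inside the jail, the login shell falls back
    # to / as its working directory.
    [ -d "$root/home/$user" ] || { echo "missing $root/home/$user"; rc=1; }
    return $rc
}

# Stand-alone use: sh jail-check.sh <user>   (script name is an assumption)
if [ $# -gt 0 ]; then
    echo "jailed shell should exec: $(jail_cmd "$1")"
    jail_check "/home/$1" "$1"
fi
```

The pam_chroot.so route mentioned in the thread replaces the sudo wrapper entirely: assuming the module is used as a session module, a line such as `pajaro /home/pajaro` in /etc/security/chroot.conf (matching the `username_regex chroot_dir` format shown above) plus `session required pam_chroot.so` in the service's /etc/pam.d file moves the user into the jail during login, with no second password and no root shell inside the chroot.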