[Ilugc] how to chkroot a user to their home directory
- From: sriram@xxxxxxxxxxxxxxxxxx (P. Sriram)
- Date: Thu, 12 Dec 2002 13:14:29 +0530 (IST)
On Thu, 12 Dec 2002, Subbarayan Ganesan wrote:

> In global login script check for the environment variable SSH_TTY and
> specific groups for which you want to chkroot. If true issue appropriate
> command.

[in reply to the original query]

> > Can anyone help me in knowing how to chkroot a user to their home
> > directory for SSH access. Thanks for your help
> > Tamilnadulinks team http://www.tamilnadulinks.com
i thought it was chroot, not chkroot; anyway, chrooting a user to their
home directory can have very bad effects. as pointed out by an earlier
reply, this chroot will take /sbin, /bin and such things out of reach.
symbolic links in the user's directory will not solve the problem - in
fact, it will probably create circular symbolic links which lead nowhere.
even things like bash will be out of reach. if you really want to do this,
here is the way to do it.
(1) prepare a list of commands/programs/packages that the user is going to
be allowed to use (including shells like bash)
(2) place a copy of every one of the items from (1) within the user's home
directory; hard links or symbolic links will not work and the binaries
will have to be here.
does not sound too bad, but actually, the worst is yet to come. every one
of the programs copied to the user's directory in step (2) must be self
contained. for statically linked packages, this is not a problem. however,
most things will use dynamically linked libraries. in that case, there are
two (both painful) options. we can recompile each of the chosen packages
from (1) with statically linked libraries - which will bloat the packages
like anything. the second option is to use ldd or some such tool to get a
list of all the dynamic libraries used by all the packages and copy all
these packages to the user's home directory (with the proper structure
like /lib, /usr/lib etc under the home directory).
in short, it is probably not worth the effort. if the intent is to
restrict what the user can do, there are other alternate approaches like
restricted shells.
sriram
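The second option Sriram sketches above (copy each allowed program plus every library ldd lists for it, recreating the /lib, /usr/lib layout under the jail root) as an added shell example. This is not code from the original post or the list; the function names jail_deps, jail_add_binary and jail_check are hypothetical, and it assumes a Linux host whose ldd prints the usual "name => /path (addr)" lines. Copying needs no privilege; only the final chroot(8) does.

```shell
#!/bin/sh
# Added example (not from the original post): build the chroot tree the
# post describes by copying each allowed program and every shared library
# ldd reports for it, keeping the host paths (/bin, /lib, /usr/lib, ...)
# under the jail root. Function names are hypothetical. Assumes a Linux
# host with ldd; the copying needs no privilege, only chroot(8) does.
#
# Caveat: ldd may execute the program to list its libraries, so only run
# this on binaries you trust (the host's own /bin and /usr/bin).

set -u

# jail_deps PROGRAM: print the absolute paths of PROGRAM's shared libraries
# and its ELF interpreter, one per line. ldd lines look like
#   libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f...)
#   /lib64/ld-linux-x86-64.so.2 (0x00007f...)
# so every whitespace-separated token starting with "/" is a path to copy.
# A statically linked program prints "not a dynamic executable": no paths.
jail_deps() {
    ldd "$1" 2>/dev/null |
        awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) print $i }'
}

# jail_add_binary JAIL PROGRAM: copy PROGRAM and its dependencies into JAIL.
jail_add_binary() {
    _jail=$1
    _bin=$2
    # accept a bare command name as well as an absolute path
    case $_bin in
        /*) ;;
        *) _bin=$(command -v "$_bin") || { echo "not found: $2" >&2; return 1; } ;;
    esac
    [ -x "$_bin" ] || { echo "not executable: $_bin" >&2; return 1; }

    # the program itself, at the same path inside the jail; -L copies the
    # target of e.g. /bin/sh -> dash rather than a symlink that would
    # dangle once the root changes (the post's point about symlinks)
    mkdir -p "$_jail$(dirname "$_bin")" || return 1
    cp -pL "$_bin" "$_jail$_bin" || return 1

    # every library ldd resolved, with its directory structure recreated
    for _lib in $(jail_deps "$_bin"); do
        mkdir -p "$_jail$(dirname "$_lib")" || return 1
        [ -e "$_jail$_lib" ] || cp -pL "$_lib" "$_jail$_lib" || return 1
    done
    # ldd marks libraries it could not resolve as "not found"; those would
    # be missing from the jail too, so flag them instead of silently
    # producing a program that will not start
    if ldd "$_bin" 2>/dev/null | grep -q 'not found'; then
        echo "unresolved libraries for $_bin" >&2
        return 1
    fi
    return 0
}

# jail_check JAIL PROGRAM: verify the program and all of its ldd
# dependencies are present under JAIL. Returns 0 if the jail is complete.
jail_check() {
    _jail=$1
    _bin=$2
    [ -x "$_jail$_bin" ] || { echo "missing in jail: $_bin" >&2; return 1; }
    for _lib in $(jail_deps "$_bin"); do
        [ -e "$_jail$_lib" ] || { echo "missing in jail: $_lib" >&2; return 1; }
    done
    return 0
}

# Usage (root is needed for the chroot step only):
#   for p in /bin/bash /bin/ls /bin/cat; do jail_add_binary /home/jailed "$p"; done
#   jail_check /home/jailed /bin/bash && chroot /home/jailed /bin/bash
```

This covers only the binaries and their libraries, which is the part of the post that is laborious by hand; an interactive shell inside the jail will also want /dev/null, /dev/tty and a minimal /etc (passwd, group, terminfo), none of which this script creates. Two further caveats a practitioner should keep in mind: ldd may run the binary it inspects, so never point it at an untrusted file, and chroot(2) is not a privilege boundary, since a process that obtains root inside the jail can leave it. That is one more reason the post's closing advice about restricted shells deserves consideration.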