Login shell chroot implementation.
- To: misc_(_at_)_openbsd_(_dot_)_org
- Subject: Login shell chroot implementation.
- From: Eduardo Augusto Alvarenga <eduardo-openbsd-misc_(_dot_)_a8164a_(_at_)_thrx_(_dot_)_dyndns_(_dot_)_org>
- Date: Tue, 13 Aug 2002 09:01:32 -0300 (BRT)
- Mail-followup-to: misc_(_at_)_openbsd_(_dot_)_org
- Reply-to: Eduardo Augusto Alvarenga <eduardo-openbsd-misc_(_dot_)_a8164a_(_at_)_thrx_(_dot_)_dyndns_(_dot_)_org>
Hi folks,
After lots of research on google, deja, yahoo, man pages, FAQs and
other places, I finally accomplished a 'chroot shell' environment on a
3.1-stable OpenBSD system.
I have used many software packages like chrsh (Aaron Grifford) on a port from Ben
Goren but didn't get it to work. I've done *everything* Aaron and Ben told
me to do, but chrsh insisted on reporting an error like:
--
User='' (2000) Group='' (2000): Unable to obtain root permission in \
order to perform chroot() function.
--
After several tries, I finally quit it and decided to implement
something using a shell script that uses '/chroot' as the slash directory
and is executed at the user's login, acting like their shell.
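--
eduardo@(dwitsa/ttyp0)[~]$cat /usr/local/bin/chroots
#!/bin/sh
# Login shell wrapper: runs the user's session inside /chroot via sudo.
if [ "$1" = "-c" ]; then
    # Called as "chroots -c command ...": drop the leading -c and
    # join the remaining words into one command string.
    i=0
    PARAMS=""
    for param in "$@"; do
        if [ $i -gt 0 ]; then
            PARAMS="$PARAMS $param"
        fi
        i=$((i + 1))
    done
    sudo /usr/sbin/chroot /chroot /usr/bin/su - "$USER" -c "$PARAMS"
else
    # Interactive login: start the user's login shell inside the jail.
    sudo /usr/sbin/chroot /chroot /usr/bin/su - "$USER"
fi
--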
I've also added some privileges to the users %chroot on /etc/sudoers.
Then I've created '/chroot/etc' and in it I've added a master.passwd file
containing just the chrooted users' records+root, pointing their homedirs
to /chroot/home/$user, and created spwd.db via pwd_mkdb.
It worked wonderfully.
My question is: I'm not a C coder, and I can't imagine how to implement
this using a C wrapper. I'll be very glad if someone 'translates' this
shell script to C code since it'll be faster and lighter to use.
Ben and Aaron, if you can please help me using chrsh, it'll be very
appreciated.
Best Regards,
--
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Eduardo A. Alvarenga - Analista de Suporte #179653
Secretaria de Segurança Pública do Estado do Pará
Belém - Pará - (91) 223-4996 / 272-1611
eduardo_(_at_)_{thrx_(_dot_)_dyndns_(_dot_)_org,segup.pa.gov.br}
- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
OpenBSD Consultant: www.openbsd.org/support.html
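The C translation asked for in the post above could look like the following. It is an added example, not code from the original message or from chrsh. It assumes the binary is installed setuid root (so chroot(2) succeeds without sudo) and that /usr/bin/su exists inside /chroot as the script already requires; build_su_argv is a hypothetical helper name.

```c
#define _DEFAULT_SOURCE		/* glibc: declare chroot(); not needed on OpenBSD */
#include <err.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#define JAIL "/chroot"		/* jail directory used by the script */
#define SU   "/usr/bin/su"	/* resolved inside the jail after chroot() */

/* Build argv for su. As in the script, the words after a leading "-c" are joined
 * with spaces into one command (in cmd). Returns argc, or -1 if it does not fit. */
int build_su_argv(const char *user, int argc, char **argv,
    const char **out, char *cmd, size_t cmdlen)
{
	size_t used = 0;
	int i, w, n = 0;
	out[n++] = "su";
	out[n++] = "-";
	out[n++] = user;
	if (argc > 1 && strcmp(argv[1], "-c") == 0) {
		if (cmdlen == 0)
			return -1;
		cmd[0] = '\0';
		for (i = 2; i < argc; i++) {
			w = snprintf(cmd + used, cmdlen - used, "%s%s", i > 2 ? " " : "", argv[i]);
			if (w < 0 || (size_t)w >= cmdlen - used)
				return -1;
			used += (size_t)w;
		}
		out[n++] = "-c";
		out[n++] = cmd;
	}
	out[n] = NULL;
	return n;
}

int main(int argc, char **argv)
{
	const char *args[6];
	char cmd[4096];
	struct passwd *pw = getpwuid(getuid());	/* name from the real uid, not $USER */
	if (pw == NULL || build_su_argv(pw->pw_name, argc, argv, args, cmd, sizeof(cmd)) == -1)
		errx(1, "unknown uid or command too long");
	if (chroot(JAIL) == -1 || chdir("/") == -1)
		err(1, "chroot %s", JAIL);
	if (setuid(0) == -1)	/* assumption: su skips the password only for real uid 0 */
		err(1, "setuid");
	execv(SU, (char *const *)args);
	err(1, "execv %s", SU);
}
```

Every failure path exits before su is executed, so a user is never left with a root process outside the jail.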