Re: chroot-ing users coming in via SSH and/or SFTP?

From: Brett Glass (brett_at_lariat.org)
Date: 12/21/04

    Date: Mon, 20 Dec 2004 19:30:00 -0700
    To: Nigel Houghton <nigel@sourcefire.com>
    
    

    At 03:19 PM 12/20/2004, Nigel Houghton wrote:

    >Take a look at the Jail project, you'll find it here...
    >
    > http://www.jmcresearch.com/projects/jail/
    >
    >..and in ports/sysutils/ along with some other jail tools, it may
    >provide some of the features you are looking for.

    Looks useful. (Shame it's GPLed.) In any case, it seems to me that
    creation of a jail the way this tool does it (and the way most people
    have to do it in general) requires a lot of redundant copies of files.
    Wouldn't it be neat if there were a type of link (not quite soft, not
    quite hard; call it "firm") that would let you link to the current
    master copies of executables (rather than copying them) but not
    let the inmates out of their jails? Hard links have the disadvantage
    that they're broken when you upgrade an executable; soft links can't
    be used because, well, you're in a jail. The type of link I have in
    mind would be symbolic but resolved by the system behind the scenes;
    from inside the jail it wouldn't look like a link.

    --Brett

    _______________________________________________
    freebsd-security@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-security
    To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
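The two link problems the message describes, reproduced as an added example (not part of Brett Glass's message or of any project mentioned in it). Assumptions: the `master/`, `jail/` and `tool` names are constructed, the upgrade is modelled as install-then-rename, and the chroot is simulated by resolving the symlink target beneath the jail directory so that no root privileges are needed.

```shell
#!/bin/sh
# Constructed demo trees in a temp dir: master/ holds the system copy of a
# binary, jail/ is the directory a user would be chroot-ed into.

inode() { ls -i "$1" | awk '{print $1}'; }

make_trees() {
    d=$(mktemp -d) || return 2
    mkdir -p "$d/master/bin" "$d/jail/bin"
    echo v1 > "$d/master/bin/tool"
}

# Hard link: share the master binary with the jail, then upgrade the master.
hardlink_after_upgrade() {
    make_trees || return 2
    ln "$d/master/bin/tool" "$d/jail/bin/tool"
    # Assumption: the upgrade writes a new file and renames it into place,
    # so the master path gets a new inode instead of being rewritten.
    echo v2 > "$d/master/bin/tool.new"
    mv -f "$d/master/bin/tool.new" "$d/master/bin/tool"
    same=no
    if [ "$(inode "$d/master/bin/tool")" = "$(inode "$d/jail/bin/tool")" ]; then
        same=yes
    fi
    echo "master=$(cat "$d/master/bin/tool") jail=$(cat "$d/jail/bin/tool") same_inode=$same"
    rm -rf "$d"
}

# Symlink: after chroot(jail), an absolute target is looked up under the new
# root, so a link pointing at the master tree has nothing to resolve to.
symlink_target_visible_in_jail() {
    make_trees || return 2
    ln -s "$d/master/bin/tool" "$d/jail/bin/tool"
    target=$(readlink "$d/jail/bin/tool")
    rc=0
    [ -e "$d/jail$target" ] || rc=1      # path as the jailed process would see it
    rm -rf "$d"
    return $rc
}

hardlink_after_upgrade
symlink_target_visible_in_jail && echo "symlink resolves in jail" \
    || echo "symlink dangles inside jail"
```

The hard-linked copy keeps serving the old binary after the upgrade, which matters for security fixes: every jail has to be relinked before the patched executable is actually in use there.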

