chroot, scp and security on RedHat 8.0

From: Leland T. Snyder (ltsnyder@x3ci.com)
Date: 03/01/03

    From: "Leland T. Snyder" <ltsnyder@x3ci.com>
    To: <focus-linux@securityfocus.com>
    Date: Fri, 28 Feb 2003 22:06:29 -0500
    
    

    I recently posted a request on the OpenSSH discussion board about how I
    might lock a user into access of a limited number of directories when they
    connect using scp. The reply I got told me to use a patch of OpenSSH that
    implements a chroot jail if a key file exists in the home directory of the
    login used. This would work just fine; however, I also noticed that RedHat
    8.0 also has a shell-based command to allow entering a chroot jail from
    the command line. This leads to some old questions that I always had
    tingling in my mind about /etc/profile and when a user can break from a
    script.

    Q1> If the first line of my /etc/profile traps and ignores all events
    (including all user-generated break/terminate events), is there still a way
    to break before the first line of /etc/profile as a user?

    I imagine I can bypass the whole patching of OpenSSH and just add a
    conditional statement to the /etc/profile (after trapping and ignoring
    signals) that would send specific user ids to their respective chroot jails,
    at which point I can rescind the event trap and let the users do their
    stuff in their respective jails.

    Anything wrong with this plan?

    Again, thank you in advance for your help, this is priceless . . . .

    Leland T. Snyder
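    The /etc/profile plan sketched in the post, written out as an added example
    (this is not code from the post, from the OpenSSH patch mentioned, or from
    RedHat): signals are ignored first, the logging-in account is looked up in a
    jail table, and matching accounts are handed to their jail. The user names
    and the /srv/jail paths are constructed for illustration, and the
    PROFILE_DRY_RUN guard is an assumption added so the file can be exercised
    without performing a real login.

    ```shell
    #!/bin/sh
    # Added example of the "trap first, then chroot selected users" idea.
    # Ignore keyboard-generated interrupts before anything else runs.
    # This file is sourced with the user's own privileges, not root's.
    trap '' INT QUIT TSTP HUP

    # Constructed mapping, one "user:jail_directory" pair per line
    # (hypothetical accounts and paths).
    JAIL_TABLE="alice:/srv/jail/alice
    bob:/srv/jail/bob"

    # jail_for USER -> prints the jail directory, or nothing if unlisted.
    jail_for() {
        printf '%s\n' "$JAIL_TABLE" | awk -F: -v u="$1" '$1 == u { print $2; exit }'
    }

    # decide_action USER -> "jail:<dir>" for listed users, "shell" otherwise.
    decide_action() {
        j=$(jail_for "$1")
        if [ -n "$j" ]; then
            printf 'jail:%s\n' "$j"
        else
            printf 'shell\n'
        fi
    }

    # enter_jail DIR: restore default signal handling and replace this shell
    # with a login shell inside the jail. exec matters: a plain chroot call
    # would return to the unjailed shell once the user leaves the jailed one.
    # chroot(8) only succeeds with root privileges.
    enter_jail() {
        trap - INT QUIT TSTP HUP
        exec /usr/sbin/chroot "$1" /bin/sh -l
    }

    # Only act for a real login; PROFILE_DRY_RUN=1 lets the file be tested.
    if [ "${PROFILE_DRY_RUN:-0}" != 1 ]; then
        action=$(decide_action "$(id -un)")
        case "$action" in
            jail:*) enter_jail "${action#jail:}" ;;
        esac
    fi
    ```

    Two properties of this fragment decide whether it can enforce anything.
    First, /etc/profile is read only by interactive login shells; an scp
    transfer, or any "ssh host command" session, runs the account's shell
    non-interactively and never sources this file, so the trap and the jail
    lookup do not run for exactly the sessions the post wants to confine.
    Second, the file executes with the user's privileges, and chroot(8)
    requires root, so enter_jail fails for an ordinary account. The confinement
    therefore has to be applied by the server before the user's shell starts,
    which is what the OpenSSH chroot patch mentioned in the post does (newer
    OpenSSH releases provide the same thing natively through the
    ChrootDirectory directive in sshd_config).
    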

