Quote:
Originally Posted by Tommahawk
...trying jailedkit but it seems the issue is with jkchrootsh...
Quote:
Originally Posted by jggimi
I have not used it, and can't answer any questions about it.
Quote:
Originally Posted by Tommahawk
just one jailed user for the moment that can login get a shell and nothing much else.
To improve your understanding of chrooted environments, please read FAQ 10.16. It describes how one would make a single application with dynamically loaded libraries available to a chrooted Apache server.
Since you want a "shell" environment, you'll have to determine and define in advance exactly what you want your user to be able to do within that shell. /bin/sh or /usr/local/bin/tcsh will not be enough. And not just your executables -- those found typically in /bin, /usr/bin, /usr/local/bin you think of as commands -- but all libraries and library tools called by each, usually /usr/lib and /usr/local/lib, and in the case of shells that interact with consoles/ttys, you'll need nodes from /dev as well.
Since you will need device nodes in your virtual filesystem, you'll need to permit them in whichever real filesystem houses your virtual /dev. This means you will need to check your mount options for that filesystem, and perhaps change them.
-----
For example, to chroot into a statically linked (no libraries) /bin/sh, you'll need a virtual filesystem containing your "jailed" user's $HOME, /bin/sh, and /dev/tty, on a real filesystem that is not mounted nodev. That shell won't be able to execute any external commands except "sh". It can execute internal shell commands only. Not very useful.
FAQ 10.16 will help you understand what is needed to enable a single executable program with dynamic libraries.
When I set up virtual filesystems, it was for development and testing of administrative tools so it was easy -- I replicated everything I might need: /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin, /usr/lib, /usr/local/lib, and /dev. I also needed bits of /var, and those directories were put in place and filled with test data.
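The steps the post lays out (decide which programs the jailed user gets, copy each one together with the shared libraries it loads, add a /dev/tty node, and make sure the filesystem holding the jail is not mounted nodev) as one script. This is an added example, not code from the thread, from jailkit or from the OpenBSD FAQ. It assumes a POSIX sh with ldd, mknod, mount and df available; the jail root /var/jail and the program list in the usage line are illustrative, and the parsing of mount(8) and ls -l output relies on the "... on MOUNTPOINT type T (options)" and "major, minor" layouts that both Linux and OpenBSD print.

```shell
#!/bin/sh
# mkjail.sh: assemble a minimal chroot for one "jailed" interactive shell user.
# Added example, not from the thread, jailkit or the OpenBSD FAQ. Assumes POSIX sh
# plus ldd(1), mknod(8), mount(8) and df(1); /var/jail and the binary list are
# assumed, illustrative values.

# 1. Mount-option check: a device node on a nodev filesystem is useless.
#    Accepts "rw,nodev,nosuid" (Linux) as well as "local, nodev" (OpenBSD).
has_nodev() {
    opts=$(printf '%s' "$1" | tr -d ' ')
    case ",$opts," in
        *,nodev,*) return 0 ;;
        *)         return 1 ;;
    esac
}

# Mount point that holds a path: POSIX df -P prints it as field 6 of line 2.
mount_point_of() { df -P "$1" | awk 'NR == 2 { print $6 }'; }

# Options of a mounted filesystem, taken from mount(8)'s
# "DEVICE on MOUNTPOINT type FSTYPE (options)" line (assumed layout).
mount_opts_for() {
    mount | awk -v mp="$1" '$3 == mp { sub(/^[^(]*\(/, ""); sub(/\).*$/, ""); print }'
}

# 2. Library discovery: keep every absolute *.so path ldd mentions. This covers
#    the "name => /path (addr)" layout on Linux and the tabular one on OpenBSD,
#    and also picks up the dynamic linker (/lib64/ld-*.so.2, /usr/libexec/ld.so).
libs_from_ldd_output() { grep -o '/[^ ]*\.so[.0-9]*' | LC_ALL=C sort -u; }
shared_libs() { ldd "$1" 2>/dev/null | libs_from_ldd_output; }   # empty for static binaries

# 3. Copy a file into the jail under the same absolute path it has on the host.
install_file() {   # install_file JAIL /abs/path
    root=$1; src=$2
    mkdir -p "$root$(dirname "$src")" && cp -p "$src" "$root$src"
}

# A program plus every shared object it links against.
install_program() {   # install_program JAIL /abs/bin
    install_file "$1" "$2" || return 1
    for lib in $(shared_libs "$2"); do
        install_file "$1" "$lib" || return 1
    done
}

# 4. /dev/tty: read the host's major/minor from "ls -l /dev/tty" rather than
#    hardcoding numbers, since they differ between Linux and OpenBSD.
tty_major_minor_from_ls() {   # one "ls -l" line on stdin -> "MAJOR MINOR"
    awk '{ sub(/,$/, "", $5); print $5, $6 }'
}
make_tty_node() {   # make_tty_node JAIL   (needs root for mknod)
    set -- "$1" $(ls -l /dev/tty | tty_major_minor_from_ls)
    mkdir -p "$1/dev"
    [ -c "$1/dev/tty" ] || mknod -m 666 "$1/dev/tty" c "$2" "$3"
}

# Tie it together: warn if the jail sits on a nodev filesystem, then populate.
build_jail() {   # build_jail JAIL /abs/bin...   e.g. build_jail /var/jail /bin/sh /bin/ls
    jail=$1; shift
    mkdir -p "$jail"
    mp=$(mount_point_of "$jail")
    if has_nodev "$(mount_opts_for "$mp")"; then
        echo "warning: $mp is mounted nodev; $jail/dev/tty will not work" >&2
    fi
    for bin; do
        install_program "$jail" "$bin" || return 1
    done
    make_tty_node "$jail"
}

# Only act when invoked with a jail root and at least one program.
if [ $# -ge 2 ]; then build_jail "$@"; fi
```

Run as root, `sh mkjail.sh /var/jail /bin/sh` gives the statically linked sh case from the post (ldd reports no libraries, so only the shell, its $HOME and /dev/tty are needed); adding `/bin/ls` or `/usr/local/bin/tcsh` to the argument list pulls their libraries in as well. The script deliberately does not create the user's $HOME or the /etc files a shell may consult (passwd, login.conf); those are part of the "decide in advance" step, not something a copier can guess.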