.TH chrootsh 8 "20 April 1999" "Local tools"
.SH NAME
chrootsh \- logs a user into a safe chrooted environment
.SH SYNOPSIS
.B chrootsh
.SH USAGE
Set a user's shell to the
.B chrootsh
program's path.
.PP
When run,
.B chrootsh
ensures that the current user has his or her shell set to be
.BR chrootsh .
If not, an error is raised and the program exits.
.PP
Assuming things check out OK, the user's home directory is examined. It
should be of the form
.IB gaoldir /./ homedir
where
.I gaoldir
is the path to the chroot gaol in which the user is to be imprisoned,
and
.I homedir
is the path from the root of the gaol to the user's actual home
directory. (This is for the benefit of users outside the gaol;
.B chrootsh
uses information from the gaol's
.B /etc/passwd
file to work this out. You'd do yourself a favour to make sure the two
are consistent.)
.PP
Once the new root directory is set,
.B chrootsh
drops all of its privileges, and re-reads the user's information
(presumably from a local version of the
.B /etc/passwd
file) to find the appropriate shell and home directory. It sets
appropriate values in the environment, and invokes the user's shell.
.SH EXAMPLE
Suppose
.B /home/gaol
is a carefully set-up environment for users to run in, with a minimal
set of tools installed. To set up a user
.B fred
within the gaol, make a directory
.B /home/gaol/home/fred
for the user, setting the access permissions as required. Then add a
line like
.PP
.RS 5
.nf
.ft B
fred:*:1042:1042:Fred:/home/gaol/./home/fred:/usr/bin/chrootsh
.ft R
.fi
.RE
.PP
to the main password database (wherever that is). Then, put a line
.PP
.RS 5
.nf
.ft B
fred:*:1042:1042:Fred:/home/fred:/bin/sh
.ft R
.fi
.RE
.PP
in the gaol's password file
.BR /home/gaol/etc/passwd .
Finally, set a sensible password for
.B fred
in the main password database, and everything ought to work.
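.PP
The two password files in this example have to agree, as USAGE notes. The script below is an added example, not part of chrootsh: it checks every chrootsh account in the main file against the matching gaol file. The function name audit_gaol and its optional PREFIX argument are assumptions made for illustration.

```shell
#!/bin/sh
# audit_gaol MAIN_PASSWD CHROOTSH_PATH [PREFIX]
# Prints one line per inconsistency; prints nothing when all entries agree.
# PREFIX (hypothetical, for testing on copies) is prepended to gaoldir.
audit_gaol() {
    main=$1 sh_path=$2 prefix=${3:-}
    # Select only the accounts whose login shell is chrootsh.
    awk -F: -v sh="$sh_path" '$7 == sh { print $1 ":" $3 ":" $4 ":" $6 }' "$main" |
    while IFS=: read -r user uid gid home; do
        case $home in
            /*/./*) gaol=${home%%/./*}      # text before the first "/./"
                    inner=/${home#*/./} ;;  # path as seen from inside the gaol
            *)      echo "$user: home '$home' is not gaoldir/./homedir"
                    continue ;;
        esac
        gpw=$prefix$gaol/etc/passwd
        if [ ! -r "$gpw" ]; then
            echo "$user: cannot read $gpw"
            continue
        fi
        # Compare the outside entry with the one chrootsh re-reads inside.
        awk -F: -v u="$user" -v id="$uid:$gid" -v h="$inner" '
            $1 == u {
                found = 1
                if (($3 ":" $4) != id)
                    print u ": uid/gid " id " outside, " $3 ":" $4 " inside"
                if ($6 != h)
                    print u ": home " h " outside, " $6 " inside"
                exit
            }
            END { if (!found) print u ": no entry in the gaol passwd file" }
        ' "$gpw"
    done
}

# Run as a script: sh audit_gaol.sh /etc/passwd /usr/bin/chrootsh
if [ "$#" -ge 2 ]; then audit_gaol "$@"; fi
```

An empty report means every chrootsh account has a gaol entry with the same uid, gid and home directory.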
.SH BUGS
The
.B chrootsh
program must be installed
.RB setuid- root .
While the author has made a fair effort to avoid security holes, he
might have missed something. There's no substitute for thorough
auditing. If you find a security problem, please report it to the
author as a serious bug.
.SH SEE ALSO
.BR banned (8),
.BR ushell (1).
.SH AUTHOR
Mark Wooding (mdw@nsict.org)