| 1 | .\" -*-nroff-*- |
| 2 | .TH chrootsh 8 "20 April 1999" "Local tools" |
| 3 | .SH NAME |
| 4 | chrootsh \- logs a user into a safe chrooted environment |
| 5 | .SH SYNOPSIS |
| 6 | .B chrootsh |
| 7 | .SH USAGE |
| 8 | Set a user's shell to the |
| 9 | .B chrootsh |
| 10 | program's path. |
| 11 | .PP |
| 12 | When run, |
| 13 | .B chrootsh |
| 14 | ensures that the current user has his or her shell set to be |
| 15 | .BR chrootsh . |
| 16 | If not, an error is raised and the program exits. |
| 17 | .PP |
| 18 | Assuming things check out OK, the user's home directory is examined. It |
| 19 | should be of the form |
| 20 | .IB gaoldir /./ homedir |
| 21 | where |
| 22 | .I gaoldir |
| 23 | is the path to the chroot gaol in which the user is to be imprisoned, |
| 24 | and |
| 25 | .I homedir |
| 26 | is the path from the root of the gaol to the user's actual home |
| 27 | directory. (This is for the benefit of users outside the gaol; |
| 28 | .B chrootsh |
| 29 | uses information from the gaol's |
| 30 | .B /etc/passwd |
| 31 | file to work this out. You'd do yourself a favour to make sure the two |
| 32 | are consistent.) |
| 33 | .PP |
| 34 | Once the new root directory is set, |
| 35 | .B chrootsh |
| 36 | drops all of its privileges, and re-reads the user's information |
| 37 | (presumably from a local version of the |
| 38 | .B /etc/passwd |
| 39 | file) to find the appropriate shell and home directory. It sets |
| 40 | appropriate values in the environment, and invokes the user's shell. |
| 41 | .SH EXAMPLE |
| 42 | Suppose |
| 43 | .B /home/gaol |
| 44 | is a carefully set-up environment for users to run in, with a minimal |
| 45 | set of tools installed. To set up a user |
| 46 | .B fred |
| 47 | within the gaol, make a directory |
| 48 | .B /home/gaol/home/fred |
| 49 | for the user, setting the access permissions as required. Then add a |
| 50 | line like |
| 51 | .PP |
| 52 | .RS 5 |
| 53 | .nf |
| 54 | .ft B |
| 55 | fred:*:1042:1042:Fred:/home/gaol/./home/fred:/usr/bin/chrootsh |
| 56 | .ft R |
| 57 | .fi |
| 58 | .RE |
| 59 | .PP |
| 60 | to the main password database (wherever that is). Then, put a line |
| 61 | .PP |
| 62 | .RS 5 |
| 63 | .nf |
| 64 | .ft B |
| 65 | fred:*:1042:1042:Fred:/home/fred:/bin/sh |
| 66 | .ft R |
| 67 | .fi |
| 68 | .RE |
| 69 | .PP |
| 70 | in the gaol's password file |
| 71 | .BR /home/gaol/etc/passwd . |
| 72 | Finally, set a sensible password for |
| 73 | .B fred |
| 74 | in the main password database, and everything ought to work. |
| 75 | .PP |
| 76 | The |
| 77 | .B chrootsh |
| 78 | program makes entries in the system log whenever a user logs in, or when |
| 79 | something goes wrong. Every call ought to make at least one log entry. |
| 80 | Logging is done to the |
| 81 | .B LOG_DAEMON |
| 82 | facility, because the idea is that users with shells like this get used |
| 83 | to run `daemon'-like services. |
| 84 | .SH BUGS |
| 85 | The |
| 86 | .B chrootsh |
| 87 | program must be installed |
| 88 | .RB setuid- root . |
| 89 | While the author has made a fair effort to avoid security holes, he |
| 90 | might have missed something. There's no substitute for thorough |
| 91 | auditing. If you find a security problem, please report it to the |
| 92 | author as a serious bug. |
| 93 | .SH SEE ALSO |
| 94 | .BR banned (8), |
| 95 | .BR ushell (1). |
| 96 | .SH AUTHOR |
| 97 | Mark Wooding (mdw@nsict.org) |