.TH chrootsh 8 "20 April 1999" "Local tools"
chrootsh \- logs a user into a safe chrooted environment
Set a user's shell to the
ensures that the current user has his or her shell set to be
If not, an error is raised and the program exits.
Assuming things check out OK, the user's home directory is examined. It
.IB gaoldir /./ homedir
is the path to the chroot gaol in which the user is to be imprisoned,
is the path from the root of the gaol to the user's actual home
directory. (This is for the benefit of users outside the gaol;
uses information from the gaol's
file to work this out. You'd do yourself a favour to make sure the two
Once the new root directory is set,
drops all of its privileges, and re-reads the user's information
(presumably from a local version of the
file) to find the appropriate shell and home directory. It sets
appropriate values in the environment, and invokes the user's shell.
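The sequence just described, written out as an added C example; this is not chrootsh's own source. It assumes the home field has the GAOLDIR/./HOMEDIR form, that chrootsh is installed as /usr/bin/chrootsh (the path used in the passwd line later on this page), and that the gaol carries its own /etc/passwd; the program itself must run setuid root. What it makes explicit is the order of operations: chroot(), then chdir("/") so the working directory is inside the new root, then shed supplementary groups, gid and uid, and only after that read the gaol's passwd file and exec the shell.

```c
/* Added example, not chrootsh's own source: the login sequence described
 * above with the order of operations made explicit.  Assumed: home field
 * is GAOLDIR/./HOMEDIR, chrootsh lives at /usr/bin/chrootsh, and the gaol
 * has its own /etc/passwd.  Must run setuid root. */
#define _GNU_SOURCE
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <syslog.h>
#include <unistd.h>

#define CHROOTSH_PATH "/usr/bin/chrootsh"   /* assumed install location */

/* Split "gaoldir/./homedir" at the first "/./" marker: gaol gets the part
 * before it (no trailing slash), inner the part after it (leading slash
 * kept).  Returns 1 on success, 0 if there is no marker, either half is
 * empty, or a buffer is too small. */
int split_gaol_home(const char *home, char *gaol, size_t gsz,
                    char *inner, size_t isz)
{
    const char *mark = strstr(home, "/./");
    if (mark == NULL || mark == home)
        return 0;                               /* no marker, or gaol == "" */
    const char *rest = mark + 2;                /* "/homedir" */
    if (rest[1] == '\0')
        return 0;                               /* "gaol/./" with nothing after */
    size_t glen = (size_t)(mark - home);
    if (glen + 1 > gsz || strlen(rest) + 1 > isz)
        return 0;
    memcpy(gaol, home, glen);
    gaol[glen] = '\0';
    strcpy(inner, rest);
    return 1;
}

/* chroot() while still root, chdir("/") so the cwd is inside the new root,
 * then shed supplementary groups, gid and uid, and confirm that root cannot
 * be regained.  Returns -1 (already logged) on any failure. */
int enter_gaol(const char *gaol, uid_t uid, gid_t gid)
{
    if (chroot(gaol) < 0) { syslog(LOG_ERR, "chroot(%s): %m", gaol); return -1; }
    if (chdir("/") < 0)   { syslog(LOG_ERR, "chdir(/): %m"); return -1; }
    if (setgroups(0, NULL) < 0 || setgid(gid) < 0 || setuid(uid) < 0) {
        syslog(LOG_ERR, "cannot drop to %lu:%lu: %m",
               (unsigned long)uid, (unsigned long)gid);
        return -1;
    }
    if (setuid(0) == 0 || geteuid() != uid) {   /* must fail once dropped */
        syslog(LOG_ERR, "privileges not fully dropped");
        return -1;
    }
    return 0;
}

int main(void)
{
    char gaol[1024], inner[1024], user[64];
    openlog("chrootsh", LOG_PID, LOG_DAEMON);

    uid_t uid = getuid();                        /* the real, logged-in user */
    struct passwd *pw = getpwuid(uid);           /* main password database */
    if (uid == 0 || pw == NULL || strcmp(pw->pw_shell, CHROOTSH_PATH) != 0) {
        syslog(LOG_ERR, "uid %lu: refused (root, unknown, or shell is not %s)",
               (unsigned long)uid, CHROOTSH_PATH);
        return 1;
    }
    snprintf(user, sizeof user, "%s", pw->pw_name);   /* getpwuid() reuses its buffer */
    gid_t gid = pw->pw_gid;
    if (!split_gaol_home(pw->pw_dir, gaol, sizeof gaol, inner, sizeof inner)) {
        syslog(LOG_ERR, "%s: home '%s' is not GAOL/./HOME", user, pw->pw_dir);
        return 1;
    }
    if (enter_gaol(gaol, uid, gid) < 0)
        return 1;

    /* From here on getpwuid() reads the gaol's own /etc/passwd. */
    struct passwd *gpw = getpwuid(uid);
    if (gpw == NULL || strcmp(gpw->pw_name, user) != 0 || gpw->pw_gid != gid) {
        syslog(LOG_ERR, "%s: gaol passwd entry missing or inconsistent", user);
        return 1;
    }
    if (strcmp(gpw->pw_dir, inner) != 0)        /* the two files disagree */
        syslog(LOG_NOTICE, "%s: outer home %s differs from gaol home %s",
               user, inner, gpw->pw_dir);
    if (chdir(gpw->pw_dir) < 0) {
        syslog(LOG_ERR, "%s: chdir(%s): %m", user, gpw->pw_dir);
        return 1;
    }

    /* Fresh, minimal environment; nothing inherited from the login process. */
    char home_e[1100], shell_e[1100], user_e[80];
    snprintf(home_e, sizeof home_e, "HOME=%s", gpw->pw_dir);
    snprintf(shell_e, sizeof shell_e, "SHELL=%s", gpw->pw_shell);
    snprintf(user_e, sizeof user_e, "USER=%s", user);
    char *envp[] = { home_e, shell_e, user_e, "PATH=/bin:/usr/bin", NULL };
    syslog(LOG_INFO, "%s logged in to gaol %s", user, gaol);
    execle(gpw->pw_shell, gpw->pw_shell, (char *)NULL, envp);
    syslog(LOG_ERR, "%s: exec %s: %m", user, gpw->pw_shell);
    return 1;
}
```

Two points worth noting. Refusing uid 0 is deliberate: chroot confines an unprivileged process, but a process that is still root inside the gaol can get out, so the setuid(0) probe after the drop is the check that matters. The split helper is the only part that can be exercised without root, which is why it is a separate function.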
is a carefully set-up environment for users to run in, with a minimal
set of tools installed. To set up a user
within the gaol, make a directory
.B /home/gaol/home/fred
for the user, setting the access permissions as required. Then add a
fred:*:1042:1042:Fred:/home/gaol/./home/fred:/usr/bin/chrootsh
to the main password database (wherever that is). Then, put a line
fred:*:1042:1042:Fred:/home/fred:/bin/sh
in the gaol's password file
.BR /home/gaol/etc/passwd .
Finally, set a sensible password for
in the main password database, and everything ought to work.
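An added check, not part of chrootsh, that the entry in the main password database and the entry in the gaol's own passwd file agree in the ways the login depends on: same name, uid and gid; the main entry's shell is chrootsh; the main entry's home has the gaol/./home form and its inner half matches the gaol entry's home; the gaol entry's shell is an absolute path to a real shell rather than chrootsh again. The two sample lines are the ones given above; the chrootsh path is passed in as a parameter because its location (/usr/bin/chrootsh here) is taken from this page, not from the program.

```c
/* Added example, not part of chrootsh: check that a main-database passwd
 * line and the gaol's own passwd line for the same user agree in the ways
 * the login sequence relies on.  The sample lines in main() are the two
 * from this page; chrootsh_path is a parameter because the install
 * location (/usr/bin/chrootsh here) is an assumption. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct pwent {
    char name[64], home[256], shell[256];
    unsigned long uid, gid;
};

/* Parse "name:passwd:uid:gid:gecos:home:shell" (trailing newline allowed).
 * Fields are split by hand because strtok() would skip an empty password
 * field.  Returns 1 on success, 0 on a malformed line. */
int parse_passwd_line(const char *line, struct pwent *e)
{
    const char *f[7];
    size_t n[7];
    const char *p = line;
    for (int i = 0; i < 7; i++) {
        const char *c = (i < 6) ? strchr(p, ':') : p + strcspn(p, "\n");
        if (c == NULL)
            return 0;                           /* fewer than seven fields */
        f[i] = p;
        n[i] = (size_t)(c - p);
        p = c + 1;
    }
    if (n[0] == 0 || n[2] == 0 || n[3] == 0)
        return 0;
    if (n[0] >= sizeof e->name || n[5] >= sizeof e->home || n[6] >= sizeof e->shell)
        return 0;
    if (strspn(f[2], "0123456789") != n[2] || strspn(f[3], "0123456789") != n[3])
        return 0;                               /* uid/gid must be all digits */
    e->uid = strtoul(f[2], NULL, 10);
    e->gid = strtoul(f[3], NULL, 10);
    memcpy(e->name, f[0], n[0]);  e->name[n[0]] = '\0';
    memcpy(e->home, f[5], n[5]);  e->home[n[5]] = '\0';
    memcpy(e->shell, f[6], n[6]); e->shell[n[6]] = '\0';
    return 1;
}

/* Returns 1 when the two entries are consistent, else 0 with the reason
 * written to why. */
int check_pair(const char *main_line, const char *gaol_line,
               const char *chrootsh_path, char *why, size_t wsz)
{
    struct pwent m, g;
    if (!parse_passwd_line(main_line, &m)) { snprintf(why, wsz, "main entry malformed"); return 0; }
    if (!parse_passwd_line(gaol_line, &g)) { snprintf(why, wsz, "gaol entry malformed"); return 0; }
    if (strcmp(m.name, g.name) != 0) {
        snprintf(why, wsz, "names differ: %s vs %s", m.name, g.name); return 0;
    }
    if (m.uid != g.uid || m.gid != g.gid) {
        snprintf(why, wsz, "uid/gid differ: %lu:%lu vs %lu:%lu", m.uid, m.gid, g.uid, g.gid);
        return 0;
    }
    if (m.uid == 0) { snprintf(why, wsz, "uid 0 must not be gaoled"); return 0; }
    if (strcmp(m.shell, chrootsh_path) != 0) {
        snprintf(why, wsz, "main shell is %s, not %s", m.shell, chrootsh_path); return 0;
    }
    const char *mark = strstr(m.home, "/./");
    if (mark == NULL || mark == m.home) {
        snprintf(why, wsz, "main home %s is not GAOL/./HOME", m.home); return 0;
    }
    if (strcmp(mark + 2, g.home) != 0) {        /* inner half must match gaol entry */
        snprintf(why, wsz, "home inside gaol: %s vs %s", mark + 2, g.home); return 0;
    }
    if (g.shell[0] != '/' || strcmp(g.shell, chrootsh_path) == 0) {
        snprintf(why, wsz, "gaol shell %s must be an absolute path to a real shell", g.shell);
        return 0;
    }
    why[0] = '\0';
    return 1;
}

int main(void)
{
    /* Constructed input: the two lines from this page, then a broken pair. */
    const char *outer = "fred:*:1042:1042:Fred:/home/gaol/./home/fred:/usr/bin/chrootsh";
    const char *inner = "fred:*:1042:1042:Fred:/home/fred:/bin/sh";
    const char *wrong = "fred:*:1043:1042:Fred:/home/fred:/bin/sh";
    char why[256];
    printf("good pair: %s\n", check_pair(outer, inner, "/usr/bin/chrootsh", why, sizeof why) ? "ok" : why);
    printf("bad pair:  %s\n", check_pair(outer, wrong, "/usr/bin/chrootsh", why, sizeof why) ? "ok" : why);
    return 0;
}
```

The uid and gid comparison is the one that matters most: chrootsh drops to the uid and gid from the main database and then looks the user up again inside the gaol, so a mismatch there means the process either finds no entry or runs as one user while the gaol's files are owned by another.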
program makes entries in the system log whenever a user logs in, or when
something goes wrong. Every call ought to make at least one log entry.
Logging is done to the
facility, because the idea is that users with shells like this are used
to run `daemon'-like services.
program must be installed
While the author has made a fair effort to avoid security holes, he
might have missed something. There's no substitute for thorough
auditing. If you find a security problem, please report it to the
author as a serious bug.
Mark Wooding (mdw@nsict.org)