1 .TH chrootsh 8 "20 April 1999" "Local tools"
3 chrootsh \- logs a user into a safe chrooted environment
7 Set a user's shell to the
13 ensures that the current user has his or her shell set to be
15 If not, an error is raised and the program exits.
17 Assuming things check out OK, the user's home directory is examined. It
19 .IB gaoldir /./ homedir
22 is the path to the chroot gaol in which the user is to be imprisoned,
25 is the path from the root of the gaol to the user's actual home
26 directory. (This is for the benefit of users outside the gaol;
28 uses information from the gaol's
30 file to work this out. You'd do yourself a favour to make sure the two
33 Once the new root directory is set,
35 drops all of its privileges, and re-reads the user's information
36 (presumably from a local version of the
38 file) to find the appropriate shell and home directory. It sets
39 appropriate values in the environment, and invokes the user's shell.
43 is a carefully set-up environment for users to run in, with a minimal
44 set of tools installed. To set up a user
46 within the gaol, make a directory
47 .B /home/gaol/home/fred
48 for the user, setting the access permissions as required. Then add a
54 fred:*:1042:1042:Fred:/home/gaol/./home/fred:/usr/bin/chrootsh
59 to the main password database (wherever that is). Then, put a line
64 fred:*:1042:1042:Fred:/home/fred:/bin/sh
69 in the gaol's password file
70 .BR /home/gaol/etc/passwd .
71 Finally, set a sensible password for
73 in the main password database, and everything ought to work.
77 program makes entries in the system log whenever a user logs in, or when
78 something goes wrong. Every call ought to make at least one log entry.
79 Logging is done to the
81 facility, because the idea is that users with shells like this get used
82 to run `daemon'-like services.
86 program must be installed
88 While the author has made a fair effort to avoid security holes, he
89 might have missed something. There's no substitute for thorough
90 auditing. If you find a security problem, please report it to the
91 author as a serious bug.
96 Mark Wooding (mdw@nsict.org)