I have used chrsh on a RAQ4 with good results. However, since the number of NFS mounts is limited to 256 (I think), it also limits the number of users you can put on the server. That is, if you create a jail that prevents users seeing each other's files etc.
Jason

----- Original Message -----
From: "Michael Stauber" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, February 12, 2002 6:24 AM
Subject: Re: [cobalt-security] Apache running as root . . . .

> Hi Matt,
>
> > You would not have to re-write Linux to provide this service, but you
> > would have to write some type of daemon process that behaves just like
> > in.telnetd, but is confined to a chrooted area.
>
> Correct. You see, a co-worker of mine is a contributor / developer for
> Rocklinux and they use the following approach for SSH and FTP:
>
> They do an NFS-export of the user's home directory and of /usr/local/bin and
> /usr/local/sbin
>
> Then they create a chrooted jail into which they mount the user's home
> directory and the directories with the executables the user needs. The jail
> also contains its own /tmp and /dev/null and a few other essentials. Of
> course NFS / Portmapper is blocked to the outside world by a firewall rule.
>
> Creating the jail isn't the problem, even on the Cobalts.
>
> There certainly is a better resource than the URL below, but you might want
> to look at it for the general idea:
>
> http://www.linuxdoc.org/LDP/solrhe/Securing-Optimizing-Linux-RH-Edition-v1.3/chap21sec167.html
>
> As for SSH or a daemon that "spawns" into the jail ... this can possibly be done
> without a rewrite of the daemon. Maybe as easy as by substituting a special
> shell for all the "jailed" users. See URL below:
>
> http://www.aarongifford.com/computers/chrsh.html
>
> I haven't tested "chrsh" yet, but I'll do so this weekend when I have some
> time at hand. It sounds quite promising.
>
> --
>
> With best regards,
>
> Michael Stauber
> [EMAIL PROTECTED]
> Unix/Linux Support Engineer
> _______________________________________________
> cobalt-security mailing list
> [EMAIL PROTECTED]
> http://list.cobalt.com/mailman/listinfo/cobalt-security
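
The "special shell for jailed users" idea from the quoted message, sketched as an added example; this is not chrsh's source and not code from either poster. It assumes the wrapper is installed setuid root as the user's login shell, that jails live under a hypothetical /home/jail/<user>, and that a /bin/sh exists inside each jail.

```c
#define _DEFAULT_SOURCE            /* chroot(), setgroups() on glibc */
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

#define JAIL_BASE "/home/jail"     /* assumed layout: /home/jail/<user> */

/* Jail root must be a root-owned directory that group/other cannot write;
 * otherwise a jailed user could replace the files the jail relies on. */
int jail_perm_ok(const struct stat *st)
{
    return S_ISDIR(st->st_mode) && st->st_uid == 0 &&
           (st->st_mode & (S_IWGRP | S_IWOTH)) == 0;
}

/* Enter the jail, then drop root for good. Returns 0 on success, -1 on error. */
int enter_jail(const char *jail, uid_t uid, gid_t gid)
{
    struct stat st;

    if (uid == 0 || gid == 0) return -1;            /* refuse to jail root */
    /* chdir first, then inspect ".", so the checked directory is the one used. */
    if (chdir(jail) != 0 || stat(".", &st) != 0 || !jail_perm_ok(&st)) return -1;
    if (chroot(".") != 0 || chdir("/") != 0) return -1;
    /* Order matters: supplementary groups, then gid, then uid. */
    if (setgroups(1, &gid) != 0 || setgid(gid) != 0 || setuid(uid) != 0) return -1;
    if (setuid(0) == 0) return -1;                  /* root must not be recoverable */
    return 0;
}

int main(void)
{
    char jail[4096];
    struct passwd *pw = getpwuid(getuid());         /* real uid = logging-in user */

    if (!pw || snprintf(jail, sizeof jail, "%s/%s", JAIL_BASE, pw->pw_name)
                   >= (int)sizeof jail)
        return 1;
    if (enter_jail(jail, pw->pw_uid, pw->pw_gid) != 0) {
        perror("enter_jail");
        return 1;
    }
    execl("/bin/sh", "-sh", (char *)NULL);          /* resolved inside the jail */
    perror("execl");
    return 1;
}
```

The jail path is derived from the account name, never from user-supplied arguments, because the binary runs with root privileges until `enter_jail` returns.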
