Hi!

In article <[EMAIL PROTECTED]>, Nick Clifford <[EMAIL PROTECTED]> wrote:
>Personally, a chroot jail is the only thing I trust when I need to set up
>an isolated or restricted environment. It's difficult to break out of a
>chroot jail even when you are root, but it can be done. So ensure they
>can't get root. :)

If you install capsel (ftp://ftp.linuxnews.pl/Linux/kernel/patches/capsel/), you can restrict chroot even for root - it will only succeed once, every next call to chroot will fail, so root can't break out, either.

On a side note: I hacked up osh to gain a kind of "restricted" shell (very restricted in comparison with rbash). It's debianized at http://www.gws-online.de/download/, package name is nosh. It uses the same configuration style of osh to restrict users to special commands and directories, so they can't access stuff I don't want them to access, and I don't have to set up a chroot jail (as that is sometimes a real PITA for some programs). We use it as a user's shell on westfalen.de so people can be allowed to change passwords or execute weblint or other command line tools without being given a full shell. It doesn't do shell scripts in the expected way, though - only very limited shell capabilities.

Combined with capsel (where you can restrict executables to users, too), you can set up quite a restricted environment without need for chroot (or with chroot only for programs where it is needed).

bye, Georg

-- 
http://www.westfalen.de/hugo/
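The command-and-directory restriction described in the post, as an added Python example (not code from the post, and not the code or configuration format of nosh or osh; the allowlist, binary paths and function names are assumptions). It vets one input line against a command allowlist and confines path arguments to permitted directories, resolving `..` and symlinks before the comparison.

```python
import os
import shlex

# Hypothetical policy for illustration; not nosh's or osh's config format.
ALLOWED = {"passwd": "/usr/bin/passwd", "weblint": "/usr/bin/weblint"}
METACHARS = set(";|&`$<>(){}*?[]!\\\n")


def inside(path, roots):
    """True if path, after resolving symlinks and '..', lies under one of roots."""
    real = os.path.realpath(path)
    for root in roots:
        root = os.path.realpath(root)
        if os.path.commonpath([real, root]) == root:
            return True
    return False


def vet(line, cwd, roots):
    """Return the argv to exec (never via a shell), or raise PermissionError."""
    if METACHARS & set(line):
        raise PermissionError("shell metacharacter in input")
    try:
        argv = shlex.split(line)
    except ValueError as exc:  # e.g. unbalanced quotes
        raise PermissionError(str(exc))
    # The command must be a bare allowlisted name, so "/bin/sh" or "./x" fails here.
    if not argv or argv[0] not in ALLOWED:
        raise PermissionError("command not in allowlist")
    for arg in argv[1:]:
        if arg.startswith("-"):
            raise PermissionError("options are not permitted")
        # Every remaining argument is treated as a path relative to cwd.
        if not inside(os.path.join(cwd, arg), roots):
            raise PermissionError("path outside permitted directories: " + arg)
    return [ALLOWED[argv[0]]] + argv[1:]
```

The returned argv is meant for a direct exec with `cwd` as the working directory, never through a shell. The path check is not atomic with the later open, so the permitted directories should not be writable by the restricted user.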

