On Tue Aug 19, 2003 at 07:31:02PM -0700, Jack Coates wrote:
> > > > I have a user login name that is used to run a game server process
> > > > (Neverwinter Nights, if it matters :).
> > > >
> > > > I don't know if it's possible for a remote user to crash the game process
> > > > in a way which would leave them sitting in a shell, but since I don't know
> > > > that the chances are 0%, I'm thinking that having the login name chroot
> > > > jailed to its home directory would limit the damage that someone could do
> > > > if they *did* somehow manage to end up in a shell via a server process
> > > > crash.
> > > >
> > > > Is there a way to do this?
> > >
> > > Look at the user's line in /etc/password. At the end is the shell
> > > they'll be given. chroot them there.
> >
> > Er, all that does is just show me which shell they're logging in to use.
> > I'm at a loss as to how that will restrict them to their own home directory
> > as being / to them when logged in - thus keeping them away from the rest of
> > the system. Could you please provide some specifics?
> >
> > --Dave
>
> how about changing /bin/bash to chroot /new/root /bin/bash?
>
> Be aware that bash expects a whole lotta stuff to be around, which
> you'll need to recreate under the new root.
I don't think that will work as you'll need to be root to chroot IIRC. What
you could do is write a script that does the chroot and call it via sudo, then
do something like "/usr/bin/sudo /somescript/chrootuser" which does the chroot
call as root.

You're right about the environment tho. You'll need to have a /bin/bash in the
chroot and then recreate the libs it wants or recompile it static.

You could also use /bin/rbash which is somewhat better than just bash, but not
as nice as chroot (but a lot easier to set up).

--
MandrakeSoft Security; http://www.mandrakesecure.net/
Online Security Resource Book; http://linsec.ca/
"lynx -source http://linsec.ca/vdanen.asc | gpg --import"
{FE6F2AFD : 88D8 0D23 8D4B 3407 5BD7 66F9 2043 D0E5 FE6F 2AFD}
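Taking the sudo-wrapper idea from the reply above, here is an added example of what such a chrootuser script can look like (it is not from the original thread or from MandrakeSoft), with the one step the reply leaves out: giving root back up once inside the jail. It assumes one jail per user under /srv/jail, GNU coreutils chroot (for --userspec), and a matching sudoers entry; all of those names are assumptions.

```shell
#!/bin/sh
# Added example (not from this thread): a sudo-invoked wrapper that enters a
# per-user chroot jail and then drops root before exec'ing the shell.
# Assumptions (hypothetical): jails live under /srv/jail/<user>, each jail
# already has /bin/bash plus the libraries it needs copied in, GNU coreutils
# chroot is available (for --userspec), and /etc/sudoers carries a line like:
#   nwn ALL=(root) NOPASSWD: /usr/local/sbin/chrootuser
# Install as /usr/local/sbin/chrootuser, root-owned, mode 0755.

JAIL_BASE=/srv/jail

# Accept only a plain login name (letter or underscore first, then letters,
# digits, '_' or '-'), so no '/' or '..' can ever reach the jail path.
valid_user() {
    case "$1" in
        ''|[!a-z_]*|*[!a-z0-9_-]*) return 1 ;;
    esac
    return 0
}

# Print the jail directory for a validated user name; fail silently otherwise.
jail_path() {
    valid_user "$1" || return 1
    printf '%s/%s\n' "$JAIL_BASE" "$1"
}

# Enter the jail and become the unprivileged user in one step.
# Dropping root matters: a root shell inside a chroot is not a containment
# boundary, so without this the user would end up with more than they had.
enter_jail() {
    user=$1
    jail=$(jail_path "$user") || { echo "chrootuser: bad user name" >&2; return 1; }
    [ "$(id -u)" -eq 0 ] || { echo "chrootuser: must run as root via sudo" >&2; return 1; }
    [ -x "$jail/bin/bash" ] || { echo "chrootuser: no $jail/bin/bash in jail" >&2; return 1; }
    # --userspec makes chroot switch uid/gid after chroot(2), so the shell
    # starts as the caller, confined to $jail.
    exec chroot --userspec="$user:$user" "$jail" /bin/bash --login
}

# Only act when installed and invoked under this name; sudo sets SUDO_USER to
# the real caller, so the caller cannot pick someone else's jail.
if [ "${0##*/}" = chrootuser ]; then
    enter_jail "${SUDO_USER:?chrootuser: must be invoked via sudo}"
fi
```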