Proci wrote:
> Hi all!
> 
> I read somewhere earlier (maybe here?) that there is a way to lock down an ssh
> user by giving them, instead of /bin/bash, a modified shell that does not
> allow the cd .. command when it would point outside the chroot directory.
> Of course the cd /, cd /etc/ etc. vulnerability then comes up, but for now
> this would be enough for me.
> Its advantage was that you don't need to put together a separate minimal
> system inside the chroot directory (+ patch in the necessary applications).
> This is exactly what I need now, but I can't find it anywhere.
> Do you know of such a solution?
> 

For solutions like this, reading the documentation is one route that leads there.
man sshd_config:

ChrootDirectory
    Specifies a path to chroot(2) to after authentication. This
    path, and all its components, must be root-owned directories
    that are not writable by any other user or group.

    The path may contain the following tokens that are expanded at
    runtime once the connecting user has been authenticated: %% is
    replaced by a literal '%', %h is replaced by the home directory
    of the user being authenticated, and %u is replaced by the
    username of that user.

    The ChrootDirectory must contain the necessary files and
    directories to support the users' session. For an interactive
    session this requires at least a shell, typically sh(1), and basic
    /dev nodes such as null(4), zero(4), stdin(4), stdout(4),
    stderr(4), arandom(4) and tty(4) devices. For file transfer
    sessions using ``sftp'', no additional configuration of the
    environment is necessary if the in-process sftp server is used
    (see Subsystem for details).

    The default is not to chroot(2).


-- 
Gabor HALASZ <[email protected]>

_________________________________________________
linux lista      -      [email protected]
http://mlf2.linux.rulez.org/mailman/listinfo/linux
