On Sat, Sep 23, 2006 at 12:22:11PM -0700, Dan wrote:
> Looking through multiple sites and looking at all of the different
> strategies on locking a user into a particular set of directories.
> It would seem that using chroot is the only way to accomplish this.

Exactly.

> In ProFTPd there is an option to set the default root to anything we
> want (including the user's home directory). This is accomplished by
> some programming in ProFTPd itself as I never set up any chroot jails
> on my system.

There is a world of difference: ftpd does not rely on other programs to do its work; it does everything related to ftp by itself. In fact, under such circumstances, I think it could set up a real chroot without having to go through the hassle of copying libraries and such. I haven't looked at ProFTPd's code to see what it does, but if it wants to pretend that you can't access some files outside a particular directory, it's perfectly fine for it to do that, too. Either way, rssh doesn't have that luxury.

By contrast, rssh does only two things: create chroot jails, and execute some other program. If you use sftp, it executes sftp-server. If you use scp, it executes scp. You would need to modify THOSE programs... not rssh. What you are requesting is impossible.

Also FWIW, blocking access programmatically is not the same thing as setting up a chroot jail; if someone were to find a way to exploit the program that does this to get a shell, they would still have access to the whole system. By contrast, as long as the calling program which sets up a chroot jail does it correctly, and there's no bug in the OS, this is impossible. So using real chroot jails is arguably "safer" than just faking it (though a bug is required in any case, so it's also arguable that it makes no difference).

> I read on some website somewhere that SSH has the same capability of
> creating a default root without actually being a chroot jail (you
> don't need to do the copying or linking of extra files).

I've never heard of this (not with OpenSSH), but if that's true, then you're all set: configure SSH to do that. :)

> Is there some way that RSSH can implement this sort of
> functionality?

No. But even if there were, I wouldn't do it anyway... I'm only maintaining it for bugs (haven't been any found this year). But it doesn't matter for you, since what you want is impossible. Sorry.

-- 
Derek D. Martin
http://www.pizzashack.org/
GPG Key ID: 0x81CFE75D
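The two approaches contrasted above, as an added illustration that is not part of the thread and not rssh's own code: an application-level confinement check of the kind a server that "fakes" a jail must apply on every access, beside the real jail-entry sequence (chroot, chdir, drop privileges, exec) that a helper such as rssh performs before handing off to sftp-server or scp. The function names, the constructed jail layout and the uid/gid values are assumptions made for the example.

```python
import os
import tempfile


def confine_path(jail, requested):
    """Application-level ("faked") confinement: resolve the requested path
    and refuse anything whose real location lies outside the jail root.
    Every file access in the program has to go through this check; one
    missed call or exploitable bug exposes the whole filesystem, which is
    the weakness the message above points out."""
    jail_real = os.path.realpath(jail)
    target = os.path.realpath(os.path.join(jail_real, requested.lstrip("/")))
    if os.path.commonpath([jail_real, target]) != jail_real:
        raise PermissionError("path escapes the jail: %s" % requested)
    return target


def enter_jail_and_exec(jail, uid, gid, argv):
    """Real jail, in the order a chroot helper must use: chroot first, then
    chdir into the new root (otherwise the cwd still points outside), then
    drop supplementary groups, gid and uid, then exec the real program
    (e.g. sftp-server). Needs root; never returns on success."""
    os.chroot(jail)
    os.chdir("/")
    os.setgroups([])
    os.setgid(gid)
    os.setuid(uid)
    if os.getuid() != uid or os.geteuid() != uid:
        raise RuntimeError("privilege drop failed")
    os.execv(argv[0], argv)


def demo_confinement():
    """Constructed jail: one legitimate file plus a symlink pointing at /etc,
    the classic way an application-level check gets bypassed if it forgets
    to resolve links."""
    with tempfile.TemporaryDirectory() as root:
        jail = os.path.join(root, "jail")
        os.makedirs(os.path.join(jail, "upload"))
        open(os.path.join(jail, "upload", "notes.txt"), "w").close()
        os.symlink("/etc", os.path.join(jail, "upload", "escape"))
        results = {}
        for req in ("upload/notes.txt", "../../etc/passwd", "upload/escape/passwd"):
            try:
                confine_path(jail, req)
                results[req] = "allowed"
            except PermissionError:
                results[req] = "denied"
        return results
```

Only `demo_confinement()` can run unprivileged; `enter_jail_and_exec()` needs root and replaces the process on success, exactly as a chroot helper does.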
_______________________________________________ rssh-discuss mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/rssh-discuss
