On Sat, 7 Apr 2001, Randy Kramer wrote:

> I don't think our descriptions are very different, but why, once you
> create the account with restricted file permission is it called
> "chrooted" -- does the user of the account think it's a root account, or
> is it just that it's his "root" account, as a synonym for "home"
> account?  Must you do something to make the restricted account
> "chrooted"?  (I guess I'll have to look up "chroot" on google or
> similar.)

chroot is the act of changing the root directory of a filesystem as it
appears to the process.  (man 1 chroot)

So, if I make an [x]inetd entry that calls "chroot /var/ssh sshd" instead
of sshd, then when inetd passes the connection on to sshd, sshd will see
the directory /var/sshd as its root directory, and what it sees as
/etc/passwd would actually be /var/sshd/etc/passwd on your real
filesystem.  The tricky part is building the fake filesystem so that it
has everything it needs (ls, mkdir, rsync, libraries) but nothing that can
be used to do anything nasty.  The system also makes sure that so far as
sshd knows, /var/ssh/.. is a link to /var/ssh.  A good sysadmin can even
build a chrooted filesystem such that users don't even know they're in a
chrooted environment.  Other resources (processes, memory, etc.) are
the same in a chroot; it's only the filesystem that gets changed.

You should be able to look in /var/ftp for an example - that's where ftpd
chroots itself when an anonymous connection is made.  

-- 
Rob Russell               Senior Systems Analyst
613-224-6676 x332            N-able Technologies
fax: 613-228-1399        http://www.N-ableIT.com
877-655-4689               [EMAIL PROTECTED]
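
The "tricky part" described in the message above, building a tree that holds each needed binary plus its libraries, as an added example that is not part of the original message. The function names and the script name are hypothetical, and it assumes a Linux system where `ldd` is available.

```shell
#!/bin/sh
# Added example (not from the original message): populate a chroot tree
# with a binary and the shared libraries it needs. Function names are
# hypothetical; assumes a Linux system where `ldd` is available.

# Read `ldd` output on stdin and print absolute library paths.
# Matches "libc.so.6 => /lib/libc.so.6 (0x...)" and
# "/lib64/ld-linux-x86-64.so.2 (0x...)"; skips the vDSO and "not found".
ldd_paths() {
    awk '
        $2 == "=>" && $3 ~ /^\// { print $3; next }
        $1 ~ /^\//               { print $1 }
    ' | LC_ALL=C sort -u
}

# Copy one file into the jail at the same path it has on the real
# filesystem, so /bin/ls becomes $jail/bin/ls (symlinks are followed).
copy_into_jail() {
    jail=$1
    src=$2
    mkdir -p "$jail$(dirname "$src")" && cp -L "$src" "$jail$src"
}

# Install a binary and every library ldd reports for it.
add_binary() {
    jail=$1
    bin=$2
    copy_into_jail "$jail" "$bin" || return 1
    ldd "$bin" | ldd_paths | while read -r lib; do
        copy_into_jail "$jail" "$lib" || exit 1
    done
}

# Usage: sh mkjail.sh /var/ssh /bin/ls /bin/mkdir
if [ "$#" -ge 2 ]; then
    root=$1
    shift
    for b in "$@"; do
        add_binary "$root" "$b" || exit 1
    done
fi
```

Run `ldd` only on binaries you trust, since on glibc systems it can end up executing code from the file it inspects. Anything a program opens at run time without linking against it (configuration under /etc, device nodes, name-service modules) is not reported by `ldd` and has to be added to the tree separately.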

