On Mon, Feb 28, 2011 at 7:36 PM, Scott Moser <[email protected]> wrote:
> On Mon, 28 Feb 2011, Serge E. Hallyn wrote:
>
>> Quoting Michael Zoet ([email protected]):
>> >
>> > On 26.02.2011 10:21, Tapas Mishra wrote:
>> > > On Sat, Feb 26, 2011 at 1:39 PM, Dan Sheffner <[email protected]>
>> > > wrote:
>> > >> Like Michael said I would accomplish this with two users. Just off the
>> > >> top of my head I would do:
>> > > No, not two users; it has to be the same user who has to be restricted based
>> > > on the IP from which he logs in.
>> >
>> > Normally I would say it is impossible, but I do not know everything
>> > about PAM, jails and so on. The file system permissions are not based
>> > on the IP a user came from, so you need to tweak a lot! If I really
>> > had to do such things I would write a shell script that looks up from
>> > where the user came and sets up the environment accordingly and make this
>> > shell script the login shell. But this is a lot of work and someone has
>> > to be very careful...
>>
>> Right - giving details to match those in the requirements :), two ways
>> you could do this include (1) creating a container for the readonly
>> user, give it the second IP (or fwd the second IP to it), and make
>> /home/$user a recursive readonly bind mount of the real home. And
>> (2) you could presumably use an apparmor rule. First thought is
>> write your own trivial pam module to set the user's apparmor context
>> based on login.
>
> I've done something like this before, jailing into a given root based on a
> login name. There was really only 1 user, but 2 entries in /etc/passwd, so
> you could get in as 'user-jailed' or 'user', or some such. The key was
> that the user had their shell in /etc/passwd as '/bin/my-jail-user' or
> something like that. That was a program that decided to jail or not and
> then executed the appropriate "real" shell.
>
> I think that you could probably do something like this. The only thing
> I'm not really sure how to do with more digging is to find the source IP
> address of the ssh connection. I'm sure it can be done.

Thanks for this information.
--
ubuntu-server mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server
More info: https://wiki.ubuntu.com/ServerTeam
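A login-shell wrapper of the kind Scott describes, added here as an example and not code from anyone in the thread: it answers his open question by reading the client address that sshd records in SSH_CONNECTION, then execs either the user's full shell or a restricted one. The trusted address, the choice of rbash as the restricted shell and the shell paths are assumptions; the restricted branch stands in for whatever jail or read-only environment is actually wanted.

```shell
#!/bin/sh
# Added example: an IP-gated login shell. Set it as the user's shell in
# /etc/passwd; keep it root-owned and not writable by the user.

FULL_SHELL=/bin/bash          # what logins from the trusted address get
RESTRICTED_SHELL=/bin/rbash   # what everyone else gets (assumes rbash is installed)
TRUSTED_IP=192.0.2.10         # constructed example address

# Client address from SSH_CONNECTION ("client_ip client_port server_ip server_port").
# sshd sets this variable itself; a client cannot supply its own value unless
# PermitUserEnvironment is enabled in sshd_config.
client_ip() {
    # word splitting on spaces is intended here
    set -- ${SSH_CONNECTION:-}
    printf '%s\n' "${1:-}"
}

# Print the shell to run. A login with no SSH_CONNECTION (console, su, cron)
# is not from the trusted address either, so it also gets the restricted shell.
choose_shell() {
    if [ "$(client_ip)" = "$TRUSTED_IP" ]; then
        printf '%s\n' "$FULL_SHELL"
    else
        printf '%s\n' "$RESTRICTED_SHELL"
    fi
}

# Dispatch only when invoked as a login shell, so the functions above can be
# exercised without exec'ing anything.
case "$0" in
    -*) exec "$(choose_shell)" -l ;;          # interactive login: sshd sets argv[0] to "-name"
esac
if [ "${1:-}" = "-c" ]; then                   # "ssh host cmd": sshd runs "$SHELL -c cmd"
    exec "$(choose_shell)" -c "${2:-}"
fi
```

The decision rests only on the address sshd saw, so anyone on the trusted host, or able to route through its address, gets the full shell; the AppArmor or container approaches Serge mentions confine what the session can do rather than just which shell it starts.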
