254 lines
11 KiB
HTML
254 lines
11 KiB
HTML
<!--startcut ======================================================= -->
|
|
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
|
|
<html>
|
|
<head>
|
|
<META NAME="generator" CONTENT="lgazmail v1.4F.k">
|
|
<TITLE>The Answer Gang 74: pseudo-chroot</TITLE>
|
|
</HEAD><BODY BGCOLOR="#FFFFFF" TEXT="#000000"
|
|
LINK="#3366FF" VLINK="#A000A0">
|
|
<!--endcut ========================================================= -->
|
|
<P> <hr>
|
|
<!--startcut ======================================================= -->
|
|
<CENTER>
|
|
<!-- *** BEGIN navbar *** -->
|
|
<!-- *** END navbar *** -->
|
|
</CENTER>
|
|
</p>
|
|
<!--endcut ========================================================= -->
|
|
<!--startcut ======================================================= -->
|
|
<P> <hr>
|
|
<!-- begin tagnav ::::::::::::::::::::::::::::::::::::::::::::::::::-->
|
|
<p align="center">
|
|
<table width="100%" border="0"><tr>
|
|
<td align="right" valign="center"
|
|
><IMG ALT="" SRC="../../gx/navbar/left.jpg"
|
|
WIDTH="14" HEIGHT="45" BORDER="0" ALIGN="middle" border="0"
|
|
><A HREF="..//"
|
|
><IMG SRC="../../gx/navbar/toc.jpg" align="middle"
|
|
ALT="[ Table Of Contents ]" border="0"></A
|
|
><A HREF="../lg_answer74.html"
|
|
><IMG SRC="../../gx/dennis/answertoc.jpg" align="middle"
|
|
ALT="[ Answer Guy Current Index ]" border="0"></A></td>
|
|
<td align="center" valign="center"><A HREF="../lg_answer74.html#greeting"><img align="middle"
|
|
src="../../gx/dennis/smily.gif" alt="greetings" border="0"></A>
|
|
<A HREF="../tag/bios.html">Meet the Gang</A>
|
|
<A HREF="1.html">1</A>
|
|
<A HREF="2.html">2</A>
|
|
<A HREF="3.html">3</A>
|
|
<A HREF="4.html">4</A>
|
|
<A HREF="5.html">5</A>
|
|
<A HREF="6.html">6</A>
|
|
<A HREF="7.html">7</A>
|
|
<A HREF="8.html">8</A>
|
|
<A HREF="9.html">9</A>
|
|
</td>
|
|
<td align="left" valign="center"><A HREF="../../tag/kb.html"
|
|
><IMG SRC="../../gx/dennis/answerpast.jpg" align="middle"
|
|
ALT="[ Index of Past Answers ]" border="0"></A
|
|
><IMG ALT="" SRC="../../gx/navbar/right.jpg" align="middle"
|
|
WIDTH="14" HEIGHT="45" BORDER="0"></td></tr></table>
|
|
</p>
|
|
<!-- end tagnav ::::::::::::::::::::::::::::::::::::::::::::::::::::-->
|
|
<!--endcut ========================================================= -->
|
|
<P> <hr> <P>
|
|
<!-- ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: -->
|
|
<center>
|
|
<H1><A NAME="answer">
|
|
<img src="../../gx/dennis/qbubble.gif" alt="(?)"
|
|
border="0" align="middle">
|
|
<font color="#B03060">The Answer Gang</font>
|
|
<img src="../../gx/dennis/bbubble.gif" alt="(!)"
|
|
border="0" align="middle">
|
|
</A></H1>
|
|
<BR>
|
|
<H4>By Jim Dennis, Ben Okopnik, Dan Wilder, Breen, Chris, and the Gang,
|
|
the Editors of Linux Gazette...
|
|
and You!
|
|
<br>Send questions (or interesting answers) to
|
|
<a href="mailto:linux-questions-only@ssc.com">linux-questions-only@ssc.com</a>
|
|
</H4>
|
|
<p><em><font color="#990000">There is no guarantee</font></em>
|
|
that your questions here will <b>ever</b> be answered.
|
|
<em><font color="#990000">Readers at confidential sites</font></em>
|
|
must provide permission to publish. However,
|
|
<em><font color="#990000">you can be published anonymously</font></em>
|
|
- just let us know!
|
|
</p>
|
|
<p>TAG <a href="../tag/bios.html">Member bios</a>
|
|
| <a href="../../tag/members-faq.html">FAQ</a>
|
|
| <a href="../../tag/kb.html">Knowledge base</a></p>
|
|
</center>
|
|
<!-- ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: -->
|
|
<p><hr><p>
|
|
<!-- begin 6 -->
|
|
<H3 align="left"><img src="../../gx/dennis/qbubble.gif"
|
|
height="50" width="60" alt="(?) " border="0"
|
|
>pseudo-chroot</H3>
|
|
|
|
|
|
<p><strong>From Faber Fedor
|
|
</strong></p>
|
|
|
|
<p align="right"><strong>Answered By Mike "Iron" Orr, Heather Stern
|
|
</strong></p>
|
|
<P><STRONG>
|
|
Hi guys (and Heather)!
|
|
</STRONG></P>
|
|
<P><STRONG>
|
|
Is there a way to chroot a user such that they can't travel out of heir
|
|
home dir but without having to copy a bunch of binaries to their home
|
|
dirs?
|
|
</STRONG></P>
|
|
<P><STRONG>
|
|
I'd like to restrict my users to not being able to see into <TT>/bin</TT>, <TT>/etc</TT>,
|
|
and most importantly <TT>/home/httpd</TT> without jumping through hoops.
|
|
</STRONG></P>
|
|
<blockQuote>
|
|
<IMG SRC="../../gx/dennis/bbub.gif" ALT="(!)"
|
|
HEIGHT="28" WIDTH="50" BORDER="0"
|
|
> [Iron]
|
|
For <TT>/home/httpd</TT>, set the ownership and permissions so the webserver
|
|
process has read access, the person who maintains the content has
|
|
read/write access, and nobody else has any access.
|
|
</blockQuote>
|
|
<blockQuote>
|
|
The standard <A HREF="http://www.debian.org/">Debian</A> setup is for the webserver to run as user
|
|
'www-data', group 'www-data', and the HTML directory (<TT>/var/www</TT>) is:
|
|
</blockQuote>
|
|
|
|
<blockquote><pre>drwxrwsr-x 11 root www-data 1024 Nov 12 17:25 /var/www/
|
|
</pre></blockquote>
|
|
<blockQuote>
|
|
Unix comes with a catchall user 'nobody', group 'nogroup', for processes
|
|
that shouldn't have any privileges. But in that case, you'd either have
|
|
to make <TT>/home/httpd</TT> world-readable (which is what you said you don't
|
|
want), or owned by 'nobody' or group 'nogroup' (which is bad because
|
|
'nobody' should never own any files, although some sysadmins disagree).
|
|
</blockQuote>
|
|
<blockQuote>
|
|
Chroot requires you to copy the binaries, as you say.
|
|
</blockQuote>
|
|
<blockQuote>
|
|
The 'bind' filesystem in recent 2.4 kernels allows you to make a
|
|
directory appear to be in two different locations, and the shadow
|
|
location <EM>can</EM> be inside a chroot jail. Or so some documentation I saw
|
|
a few months ago said. That may or may not be more convenient than
|
|
copying binaries and shared libraries.
|
|
</blockQuote>
|
|
<blockQuote>
|
|
Why don't you want your users reading files in <TT>/bin</TT> and <TT>/etc?</TT> Normally
|
|
it's only a few senstitive files that need to be protected (those
|
|
containing passwords). For each case, you'll need to think of a
|
|
strategy that allows the user to do their work without being able to
|
|
read the password. For programs, make the file world-executable but
|
|
not world-readable (mode -rwxrwx--x).
|
|
</blockQuote>
|
|
<blockQuote>
|
|
To prevent users from listing the files in <TT>/bin</TT> (to discover commands
|
|
they didn't know existed), but still allow them to run or list programs
|
|
whose names they know, make the directry itself world-executable but not
|
|
world-readable (mode -rwxrwx--x).
|
|
</blockQuote>
|
|
<blockQuote>
|
|
To prevent users from reading sensitive files in <TT>/etc</TT>, arrange to have
|
|
the program run as a different user or group, and give only that
|
|
user/group access to the configuration file(s). But that means making
|
|
the program setuid or setgid, so that it will run under its own
|
|
permissions rather than the user's, but set[ug]id itself is a security risk.
|
|
Relatively speaking, setgid is safer than setuid.
|
|
</blockQuote>
|
|
<blockQuote>
|
|
As an alternative to setuid, you can arrange for the programs to run
|
|
via 'sudo' or 'super', two proxy programs that do something like suid
|
|
but in a safer and more configurable way.
|
|
</blockQuote>
|
|
<blockQuote>
|
|
It's probably a bad idea to make <TT>/etc</TT> non-world-readable. Numerous
|
|
standard programs would break.
|
|
</blockQuote>
|
|
<blockQuote>
|
|
<IMG SRC="../../gx/dennis/bbub.gif" ALT="(!)"
|
|
HEIGHT="28" WIDTH="50" BORDER="0"
|
|
> [Heather]
|
|
Hmm, if most of your users don't need to access the web server, and you
|
|
aren't offering home based web access... www.example.org/~username ...
|
|
then you <EM>could</EM> simply run the web daemon in a more complete than usual
|
|
chroot, and only give members of the webmaster team accounts within its
|
|
jail. You'd need more than one ssh running... one per jail, and one for
|
|
the top... but it can be very effective.
|
|
</blockQuote>
|
|
<blockQuote>
|
|
Each "child jail" can have much more limited <TT>/etc</TT> contents and a seriously
|
|
stripped binaries tree, as well as only having the user accounts that
|
|
match its purpose. The top can house your syslog, as there's an easy option
|
|
for reading multiple <TT>/dev/log</TT> nodes. I think you get up to 19 extras.
|
|
</blockQuote>
|
|
<blockQuote>
|
|
The trick works especially well if combined with some of the recent
|
|
"chroot as a one way trip" patches being offered out there. These nearly
|
|
always prevent double chrooting, so you'll need to tweak the trapped
|
|
daemons to be ok with not being able to chroot any further. The patches
|
|
keep changing too, so I haven't settled on a preferred one yet.
|
|
</blockQuote>
|
|
|
|
<!-- end 6 -->
|
|
<P> <hr> </p>
|
|
<!-- *** BEGIN copyright *** -->
|
|
<H5 align="center">This page edited and maintained by the Editors
|
|
of <I>Linux Gazette</I>
|
|
<a href="http://www.linuxgazette.com/copying.html"
|
|
>Copyright ©</a> 2002
|
|
<BR>Published in issue 74 of <I>Linux Gazette</I> January 2002</H5>
|
|
<H6 ALIGN="center">HTML script maintained by
|
|
<A HREF="mailto:star@starshine.org">Heather Stern</a> of
|
|
Starshine Technical Services,
|
|
<A HREF="http://www.starshine.org/">http://www.starshine.org/</A>
|
|
</H6>
|
|
<!-- *** END copyright *** -->
|
|
<!--startcut ======================================================= -->
|
|
<P> <hr>
|
|
<!-- begin tagnav ::::::::::::::::::::::::::::::::::::::::::::::::::-->
|
|
<p align="center">
|
|
<table width="100%" border="0"><tr>
|
|
<td align="right" valign="center"
|
|
><IMG ALT="" SRC="../../gx/navbar/left.jpg"
|
|
WIDTH="14" HEIGHT="45" BORDER="0" ALIGN="middle" border="0"
|
|
><A HREF="..//"
|
|
><IMG SRC="../../gx/navbar/toc.jpg" align="middle"
|
|
ALT="[ Table Of Contents ]" border="0"></A
|
|
><A HREF="../lg_answer74.html"
|
|
><IMG SRC="../../gx/dennis/answertoc.jpg" align="middle"
|
|
ALT="[ Answer Guy Current Index ]" border="0"></A></td>
|
|
<td align="center" valign="center"><A HREF="../lg_answer74.html#greeting"><img align="middle"
|
|
src="../../gx/dennis/smily.gif" alt="greetings" border="0"></A>
|
|
<A HREF="../tag/bios.html">Meet the Gang</A>
|
|
<A HREF="1.html">1</A>
|
|
<A HREF="2.html">2</A>
|
|
<A HREF="3.html">3</A>
|
|
<A HREF="4.html">4</A>
|
|
<A HREF="5.html">5</A>
|
|
<A HREF="6.html">6</A>
|
|
<A HREF="7.html">7</A>
|
|
<A HREF="8.html">8</A>
|
|
<A HREF="9.html">9</A>
|
|
</td>
|
|
<td align="left" valign="center"><A HREF="../../tag/kb.html"
|
|
><IMG SRC="../../gx/dennis/answerpast.jpg" align="middle"
|
|
ALT="[ Index of Past Answers ]" border="0"></A
|
|
><IMG ALT="" SRC="../../gx/navbar/right.jpg" align="middle"
|
|
WIDTH="14" HEIGHT="45" BORDER="0"></td></tr></table>
|
|
</p>
|
|
<!-- end tagnav ::::::::::::::::::::::::::::::::::::::::::::::::::::-->
|
|
<!--endcut ========================================================= -->
|
|
<P> <hr>
|
|
<!--startcut ======================================================= -->
|
|
<CENTER>
|
|
<!-- *** BEGIN navbar *** -->
|
|
<!-- *** END navbar *** -->
|
|
</CENTER>
|
|
</p>
|
|
<!--endcut ========================================================= -->
|
|
<!--startcut ======================================================= -->
|
|
</BODY></HTML>
|
|
<!--endcut ========================================================= -->
|