
Re: [Jailkit-users] Re: Question about jk_lsh (and the mailing list..)


From: Stephen Tallowitz
Subject: Re: [Jailkit-users] Re: Question about jk_lsh (and the mailing list..)
Date: Thu, 22 Sep 2005 23:38:57 +0200

Hello list,

> you could use bash in the jail, and then remove the 'others' permissions
> from all binaries (0750), change the group of those binaries, and give
> users access to the groups of the binaries you want to allow them to
> use. e.g.
> chmod 0750 <jail>/usr/bin/cvs
> chgrp cvs <jail>/usr/bin/cvs

Using a bash-only chroot is very effective. Bash has a few, very limited 
built-in commands, so creating a chroot with only bash and say cvs will give 
the users the feel of a "real" interactive shell, yet limiting their actions to 
the cvs command. To see what I'm talking about, try this:

1. mkdir /srv/bashroot (or something similar)
2. jk_cp -v /srv/bashroot /bin/bash (-v is for the effect, to see what jk_cp is 
doing)
3. as user root: chroot /srv/bashroot /bin/bash

Now you've manually created and chrooted into a bash-only environment. Try a 
few commands (ls, rm, touch): they will not work - because they are external 
binaries that would also need to be copied to the chroot to be available. 
The only useful commands you will be able to use are "cd", "pwd" and "exit" 
because they are built-in bash commands (see man bash, section "shell builtin 
commands").
Beware: even with the builtin bash commands you could be doing potentially 
malicious things - such as 'echo "password=mypassword" >> 
/etc/mywebapp/global-config.php' - so being in a chroot is no excuse to not 
handle permissions as usual.

Cheers,
Stephen
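
An added example, not part of the message above and not Jailkit code: a POSIX shell check of a jail tree for the two permission points raised in this thread, namely paths a jailed user could alter with nothing but a bash builtin redirect, and binaries still executable by 'others' instead of being limited to a group as in the quoted 0750 scheme. The function name `audit_jail` and the output labels are hypothetical.

```shell
#!/bin/sh
# audit_jail JAIL
# Prints one finding per line, sorted:
#   WORLD-WRITABLE <path>  file or directory writable by 'others'; a jailed
#                          user can change it with a builtin such as
#                          echo ... >> file, no external binary needed
#   OTHERS-EXEC <path>     regular file executable by 'others', i.e. not
#                          restricted to a group (mode 0750 plus chgrp)
# Returns 2 if JAIL is not a directory, 0 otherwise.
audit_jail() {
    jail=$1
    if [ ! -d "$jail" ]; then
        echo "audit_jail: not a directory: $jail" >&2
        return 2
    fi
    {
        # Symlinks are skipped: their own mode bits are meaningless.
        find "$jail" ! -type l -perm -0002 -print | sed 's/^/WORLD-WRITABLE /'
        # Only regular files: the x bit on a directory means "searchable".
        find "$jail" -type f -perm -0001 -print | sed 's/^/OTHERS-EXEC /'
    } | sort
}

# Run directly as: sh audit_jail.sh /srv/bashroot
if [ "$#" -gt 0 ]; then
    audit_jail "$1"
fi
```

A shell that every jailed user must run (here /bin/bash) will show up as OTHERS-EXEC unless it has also been placed in a group shared by those users.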



