Re: [Jailkit-users] passwd inside the chroot

From: Olivier Sessink
Subject: Re: [Jailkit-users] passwd inside the chroot
Date: Thu, 19 Jul 2007 09:19:00 +0200
User-agent: Icedove 1.5.0.12 (X11/20070607)

Gavin Rogers wrote:
> Hey guys, I'm really interested in using jailkit for my company's
> servers. I have installed jailkit on several distros and in several
> ways, including all the various scenarios described on the website. I
> find jailkit to be much preferable to building a chroot environment
> manually. Also, it's so fast and easy I've had more time to contemplate
> questions of security such as:
>
> Why is the passwd file inside the chroot used? Isn't this (kinda)
> insecure, as one could perhaps change this file and change the UID of
> the user to 0?

All jailkit utilities check if the user information inside the jail is
the same as outside the jail. If you have user 'foo' outside the jail
with UID 1234 and inside the jail with UID 0, jk_chrootsh will abort and
send a message to the syslog daemon.

The reason to have the passwd file in the jail is to allow
`ls -l` or `chown` or other commands that need to look up from 'uid' to
'name' to work.

> I got this question while reading:
> http://www.unixwiz.net/techtips/chroot-practices.html
> What would be the best way to modify jailkit to take this into account?

I think it's in some cases a bad practice to remove it. Suppose you have
several accounts in a jail that need to share information. Given the
fact that jailkit checks if the user information in the jail is
identical, you're better off if these accounts can actually see who is
the owner of a file, instead of just the numeric UID.

> Also, what about using the -r option for bash when starting a bash
> session to be used for only one command (say, cvs)?

I've never used it, so I can't say..
Olivier
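
Added example, not part of the original message and not jailkit's own code: a Python sketch of the kind of consistency check described in the reply, comparing a jail's etc/passwd against the host's and flagging entries that disagree. The sample files, the function names and the choice of compared fields (name, UID, GID) are assumptions made for illustration.

```python
"""Audit sketch: flag jail passwd entries that disagree with the host's."""

# Constructed sample data (not taken from any real system).
HOST_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
foo:x:1234:1234:Foo:/home/jail/./home/foo:/usr/sbin/jk_chrootsh
bar:x:1235:1235:Bar:/home/jail/./home/bar:/usr/sbin/jk_chrootsh
"""
JAIL_PASSWD = """\
foo:x:0:1234:Foo:/home/foo:/bin/bash
bar:x:1235:1235:Bar:/home/bar:/bin/bash
baz:x:1300:1300:Baz:/home/baz:/bin/bash
not-a-valid-line
"""


def _is_id(field):
    """Accept only plain ASCII decimal IDs (no sign, no whitespace)."""
    return field.isascii() and field.isdigit()


def parse_passwd(text):
    """Return ({name: (uid, gid)}, [line numbers of malformed entries])."""
    entries, bad = {}, []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7 or not (_is_id(fields[2]) and _is_id(fields[3])):
            bad.append(lineno)  # report malformed lines instead of skipping
            continue
        entries[fields[0]] = (int(fields[2]), int(fields[3]))
    return entries, bad


def audit_jail(host_text, jail_text):
    """Compare every jail entry against the host entry of the same name."""
    host, _ = parse_passwd(host_text)
    jail, bad = parse_passwd(jail_text)
    findings = [("malformed", f"line {n}") for n in bad]
    for name, ids in sorted(jail.items()):
        if name not in host:
            findings.append(("unknown-user", name))
        elif ids != host[name]:
            findings.append(("id-mismatch", name))
        if ids[0] == 0 and name != "root":  # the UID-0 case from the thread
            findings.append(("uid0-alias", name))
    return findings
```

On the constructed sample, `audit_jail(HOST_PASSWD, JAIL_PASSWD)` reports the malformed line, the user that exists only in the jail, and 'foo' both as an ID mismatch and as a UID 0 alias.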