similar to: Running Samba in chroot as non-root user

I have a need to have users SSH into a server where they are limited to a chroot jail (sandbox). Once they are there, they need to be able to execute 'ssh' and 'scp' to other systems. I've no problem setting up the basic chroot jail and providing basic functionality (ls, cat, less, etc). The part that is stopping me is setting it up so that that user can then 'ssh'

> Klaas Jan Wierenga wrote: > > > I'm not using yp directory listings, but I can guess why it is not > > working. > > You're probably missing the libcurl.so library in your chroot jail > > directories. Here's the listing of files I have in the chroot jail: > > Definitely not, I rebuilt the whole lib structure i got from > ldd in my chroot But

Please post to the mailing list the next time Ralf. I'm not using yp directory listings, but I can guess why it is not working. You're probably missing the libcurl.so library in your chroot jail directories. Here's the listing of files I have in the chroot jail: -----%< cut here > ls -R .: admin etc lib opt usr var web ./admin: listclients.xsl listmounts.xsl

I suspect this has been asked before but I'll ask anyway. Q1: Is it possible for a non-root process to perform a chroot? My interest is this: I have a typical ISP hosting account (verio; on a FreeBSD 4.4 server.) I'd like to install and run various CGI packages, yet protect myself (and my email, and my .ssh keys) from bugs being exploited in those CGI packages. Chroot at the start

https://bugzilla.mindrot.org/show_bug.cgi?id=2556 Bug ID: 2556 Summary: on Linux non-root process can chroot Product: Portable OpenSSH Version: 7.1p1 Hardware: Other OS: Linux Status: NEW Severity: minor Priority: P5 Component: sshd Assignee: unassigned-bugs at mindrot.org

Hi, Over the weekend I decided to create an icecast relay for Nicecast. I wanted this to run in a chroot jail on a redhat server. There did not seem to be much on the web about setting this up; I'm including some details here. This is my first encounter with icecast; I'm hoping to elicit comments and criticism (e.g., if my post is too long). First, there did not seem to be a startup

Hi, I've been working at getting a tftp server up an running in a chroot jail, and I have finally succeed getting almost everything working. The server itself works fine, however, it is implemented as a tcpwrapper application (ie: in.tftpd) and I am having trouble getting it to resolve DNS names. I copied my /etc/hosts.allow and /etc/hosts.deny in my chroot/etc folder, however, they

On Sun, 2018-01-07 at 18:41 +0000, halfdog wrote: > Hello list, > > I created a page to demonstrate, what would happen when chroot > root directory is writeable. In fact, code execution is possible > already, when only /etc and /bin are writable. I also tried to > escape the chroot jail, but that did not work for non-root users. > > As the 2009 CVE activities mention,

Plagued with an error I can't get past: ==> dovecot_info.log <== dovecot: Mar 04 22:09:06 Info: Dovecot starting up ==> dovecot.log <== dovecot-auth: Mar 04 22:09:07 Fatal: Can't open configuration file /usr/local/etc/dovecot-pgsql.conf: No such file or directory dovecot: Mar 04 22:09:07 Error: child 18211 (auth) returned error 89 dovecot: Mar 04 22:09:07 Error: Auth process

Anyone recognized yet that the yp functions do not work toogether with chroot enabled? I'm running icecast2 and it successfully announces to yp servers if i don't have the chroot enabled. Then i do nothing else than enabling chroot and the log says: [2004-09-14 00:07:59] DBUG geturl/curl_print_header_result SID -> () [2004-09-14 00:07:59] DBUG geturl/curl_print_header_result Message

On Sat, 2004-09-18 at 12:15, ACiDAngel wrote: > Afte noone could gave me a help I found a solution for myself. > In icecast chroot mode the resolving/nscd does not work. > Also not, if the libresolv is copied to the icecast chroot. > (dunno if this is a chroot problem or if it is a problem/feature in > combination with gresecurity kernel patches which i use) > > If I put

hi, i hope i'm not reporting something well-known; i tried to understand the available bug tracking information. please excuse me if my problem report should not meet your standards, but i want to direct your attention to the following: http://koffein.org/av/rsync-bugreport/ problem report for rsync 2.6.9 on linux/IA32, 09 Dec 2006 Herwig Wittmann

hi! i need ssh users and sftp users on my server. they don't mix so sftp users have a /bin/false as their shell. however when i try a ssh connect to such a user. he does not get disconnected but hangs forever. can it be that sshd searches foer /bin/false in the chroot environment? but i tried to place it there including ldd requirements. no success. i just want sftp users to get no shell

Hello, I've got strange problem with centos (as well as rhel btw) chrooted environment. First of all I created simple directory with only the libs for 'bash' and 'id' tools: ---- # chroot testcase/ bash-3.1# id uid=0 gid=0 groups=0,1,2,3,4,6,10 ---- Yes, I even do not have /etc/ directory inside testcase/ , but id shows groups from the _host_ root account. I tried to

Am 07.01.2018 um 19:41 schrieb halfdog: > Hello list, > > I created a page to demonstrate, what would happen when chroot > root directory is writeable. In fact, code execution is possible > already, when only /etc and /bin are writable. I also tried to > escape the chroot jail, but that did not work for non-root users. > > As the 2009 CVE activities mention, that creating

I successfully chrooted R running Rserve with an unprivileged user, and thought I'd publish the process. Attached is a jailkit.ini for use with jailkit;* and a chroot/setuid wrapper, chwrap.c. To set up the chroot in, for instance, /var/R; perform: mkdir -v /var/R jk_init -v -c jailkit.ini -j /var/R R then create the unprivileged user `r': useradd r After compiling chwrap

On Fri, 2018-01-05 at 16:00 +1030, David Newall wrote: > On 05/01/18 02:44, Thomas G?ttler wrote: > > I set up a chroot sftp server [...] > > Is there a way to get both? > > > > - chroot > > > > - writable root > > The source code (sftpd.c) seems to require that the root directory > be > owned by root and not group or world writable, so I

On Fri, Jan 05, 2018 at 09:42:18PM +1030, David Newall wrote: > On 05/01/18 20:06, Jakub Jelen wrote: > > if the confined user has write access to the chroot directory, > > there are ways how to get out, gain privileges and or do other > > nasty things. > > I'm not inexperienced with UNIX and unix-like operating systems (30+ years), > and I can't think what

Martin Pool wrote: > > > From: Stefan Monnier <monnier+/news/lists/linux/security@TEQUILA.SYSTEMSZ.CS.YALE.EDU> > > Date: 05 May 1997 12:23:05 -0400 > > > [mod: Yes. One "catchall" would be to modify "suser()" to return > > (uid==0) && (current->root == THE_ROOT). That would make a uid==0 in a > > chrooted environment just

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Currently some of our organizational roles uses shared secrets (aka the password) to access the mail account of an organizational role, say "sales" for example. For one, I don't like shared secrets, for second, there had been some changes to shared mailboxes, I can only say "user sales has deleted the message at then and