[ale] Chrooting a user logged in over telnet

[mike at trausch.us]

On 08/21/2012 02:12 PM, Ted W wrote:
> bind mounting /dev was just to get the thing working. Now that I've
> seen this working I will try and bind mounting only the necessary
> devices for telnet to work properly. Thanks for the heads up about
> the insecurity of mount /dev (I'm not well read on block devices and
> the like).

You're going to need (at least):

	/dev/fuse (if you permit file-backed or network-backed
	           filesystems that are user-mounted)
	/dev/full
	/dev/hpet (if anything running in the chroot needs the
	           system HPET [High-Precision Event Timer])
	/dev/kvm  (if anything will be running CPU-assisted
	           virtualization in the chroot)
	/dev/null
	/dev/random
	/dev/urandom
	/dev/zero

Anything else which might be required will need to be determined on a
per-application basis.

If you wish to support applications such as GNU Screen and/or tmux,
you'll need to have /dev/ptmx and /dev/pts inside the chroot, as well,
and you'll therefore want to restrict the ability to run as root inside
that chroot, since that exposes components from the host system to the
chroot (namely, other user's PTYs).

I believe that there is support for multiple PTY namespaces in the
kernel, but I can't be sure without looking that up.  *LOTS* of things
are namespaced these days, such that you can enforce far better
isolation than used to be possible.

Mike Warfield knows a decent amount about this, I believe.

	--- Mike

-- 
A man who reasons deliberately, manages it better after studying Logic
than he could before, if he is sincere about it and has common sense.
                                   --- Carveth Read, “Logic”

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 729 bytes
Desc: OpenPGP digital signature
Url : http://mail.ale.org/pipermail/ale/attachments/20120821/289caf7b/attachment.bin