[ale] Chrooting a user logged in over telnet
mike at trausch.us
Tue Aug 21 14:19:32 EDT 2012
On 08/21/2012 02:12 PM, Ted W wrote:
> bind mounting /dev was just to get the thing working. Now that I've
> seen this working I will try bind mounting only the necessary
> devices for telnet to work properly. Thanks for the heads up about
> the insecurity of mounting /dev (I'm not well read on block devices and
> the like).

You're going to need (at least):

  /dev/fuse (if you permit file-backed or network-backed
             filesystems that are user-mounted)
  /dev/full
  /dev/hpet (if anything running in the chroot needs the
             system HPET [High-Precision Event Timer])
  /dev/kvm (if anything will be running CPU-assisted
            virtualization in the chroot)
  /dev/null
  /dev/random
  /dev/urandom
  /dev/zero

Anything else which might be required will need to be determined on a
per-application basis.

If you wish to support applications such as GNU Screen and/or tmux,
you'll need to have /dev/ptmx and /dev/pts inside the chroot, as well,
and you'll therefore want to restrict the ability to run as root inside
that chroot, since that exposes components from the host system to the
chroot (namely, other users' PTYs).

I believe that there is support for multiple PTY namespaces in the
kernel, but I can't be sure without looking that up. *LOTS* of things
are namespaced these days, such that you can enforce far better
isolation than used to be possible.

Mike Warfield knows a decent amount about this, I believe.

--- Mike
--
A man who reasons deliberately, manages it better after studying Logic
than he could before, if he is sincere about it and has common sense.
--- Carveth Read, “Logic”
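
An added example, not part of the original message: a shell function that audits a chroot's /dev against the device names listed above and flags block devices, other unexpected entries, or a bind mount of the whole host /dev. The function name audit_chroot_dev, the "strict" argument and the jail path in the usage comment are assumptions made for illustration.

```shell
#!/bin/sh
# Audit <chroot>/dev against the short device list from the message above.
# Added example: names below come from the message; everything else is assumed.

ALLOWED_BASE="full null random urandom zero"
# Needed only for FUSE, HPET, KVM, or screen/tmux (ptmx, pts) per the message.
ALLOWED_OPTIONAL="fuse hpet kvm ptmx pts"

# usage: audit_chroot_dev /srv/telnet-jail [strict]
#   strict = also report the optional names
# Prints one finding per line; returns 0 only when there are no findings.
audit_chroot_dev() {
    dev="$1/dev"
    allowed="$ALLOWED_BASE"
    [ "${2:-}" = "strict" ] || allowed="$allowed $ALLOWED_OPTIONAL"
    findings=0

    # Same device:inode as the host /dev means all of /dev was bind mounted.
    chroot_id=$(stat -c '%d:%i' "$dev" 2>/dev/null) || chroot_id=""
    host_id=$(stat -c '%d:%i' /dev 2>/dev/null) || host_id=""
    if [ -n "$host_id" ] && [ "$chroot_id" = "$host_id" ]; then
        echo "HOST-DEV $dev is the host /dev"
        findings=$((findings + 1))
    fi

    for path in "$dev"/* "$dev"/.[!.]*; do
        [ -e "$path" ] || [ -L "$path" ] || continue   # skip unmatched globs
        name=${path##*/}
        if [ -b "$path" ]; then
            # Block devices give raw disk access from inside the chroot.
            echo "BLOCK-DEVICE $name"
            findings=$((findings + 1))
            continue
        fi
        case " $allowed " in
            *" $name "*) ;;                            # on the list
            *) echo "UNEXPECTED $name"
               findings=$((findings + 1)) ;;
        esac
    done
    [ "$findings" -eq 0 ]
}
```

The check goes by name and file type only; it does not verify the major and minor numbers of the nodes it accepts.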