[ale] Need wacky chroot setup help

DJ-Pfulio djpfulio at jdpfu.com
Fri Aug 21 10:01:01 EDT 2015


Just riffing here ... "bind mount" from ~T1000/dept-fun-times/ to their own area?



On 08/21/2015 09:17 AM, James Sumners wrote:
> I have some craptastic software that allows users to submit background jobs
> that are executed by a common system account. Let's call that account
> 't1000'. This system supports a configuration where the end user's
> submitted job can be written to a directory in their home directory,
> provided t1000's group is able to write to it. Otherwise, job output files
> get dumped in t1000's home directory. Further, I have departments with
> users that need to share a common job output directory.
> 
> So let's pretend I have users "foobar" and "barbaz" that need to submit
> jobs to a common output directory. Let's further assume I have the
> following file system layout:
> 
> - /home/t1000/
> - /home/t1000/dept-fun-times/
> - /home/foobar/
> - /home/foobar/jobout/ => /home/t1000/dept-fun-times/
> - /home/barbaz/
> - /home/barbaz/jobout/ => /home/t1000/dept-fun-times/
> 
> Each of the users t1000, foobar, and barbaz is a member of a group "vomit". Each
> "jobout" directory and the "dept-fun-times" directory have mode `0770`.
> Thus when either foobar or barbaz submits a job, that job's output will end
> up in `/home/t1000/dept-fun-times/`. Any other user that submits a job will
> result in the job output going to `/home/t1000/`.
> 
> All files in `/home/t1000/` and `/home/t1000/dept-fun-times/` are mode
> `0660`.
> 
> Now for the fun part:
> 
> I need foobar and barbaz to be able to ssh/sftp to the system and be
> "chrooted" to `/home/t1000/dept-fun-times/` such that they cannot change
> from that directory nor open any files outside of that directory.
> 
> SSHD requires the destination chroot to (rightly) be a proper jail. As does
> the rssh shell (when chrooting). Bash's restricted mode is also not a
> solution.
> 
> Do you guys have any ideas how I can accomplish this goal?
> 
> 
> 

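An added example, not code from either list post: a shell sketch (GNU/Linux, coreutils `stat`) of the bind-mount idea applied to the layout in James's message, with a check for the jail-path rules sshd and rssh enforce. The jail root /srv/jobout-jail is an assumed name; the shared directory, user names and the 0770/0660 modes come from the post.

```sh
#!/bin/sh
# Added example (not from the thread). JAIL is an assumed path; SHARED and
# the user names foobar/barbaz are taken from the original message.
JAIL=/srv/jobout-jail
SHARED=/home/t1000/dept-fun-times

# sshd only chroots into a path whose every component is root-owned and not
# group/other writable (rssh applies the same test). chroot_path_ok PATH [UID]
# [TOP] verifies that for PATH and its parents up to TOP. UID and TOP default
# to 0 and /; they are parameters only so the check can be exercised on a
# throwaway tree without root.
chroot_path_ok() {
    p=$1 want_uid=${2:-0} top=${3:-/}
    while :; do
        st=$(stat -c '%u %a' "$p" 2>/dev/null) || return 1
        set -- $st
        [ "$1" = "$want_uid" ] || return 1             # wrong owner
        case $2 in *[2367]?|*[2367]) return 1 ;; esac  # g+w or o+w is set
        [ "$p" = "$top" ] && return 0
        p=$(dirname "$p")
    done
}

# Build the jail: a root-owned, non-writable top with the department directory
# bind mounted inside it. Chrooted users see only /dept-fun-times; nothing else
# in the jail exists. setgid on SHARED keeps new files in the shared group so
# t1000 can still read job output. Must run as root.
setup_jail() {
    mkdir -p "$JAIL/dept-fun-times" || return 1
    chown root:root "$JAIL" && chmod 0755 "$JAIL" || return 1
    chmod g+s "$SHARED" || return 1
    mount --bind "$SHARED" "$JAIL/dept-fun-times" || return 1
    chroot_path_ok "$JAIL" || { echo "jail path would be refused by sshd" >&2; return 1; }
}

# sshd_config fragment for the two users: sftp only, inside the jail, with a
# umask that yields the 0770/0660 modes the shared area already uses.
# internal-sftp needs no binaries or libraries copied into the jail.
sshd_match_block() {
    cat <<EOF
Match User foobar,barbaz
    ChrootDirectory $JAIL
    ForceCommand internal-sftp -u 0007
    AllowTcpForwarding no
    X11Forwarding no
EOF
}
```

Append the Match block to the end of sshd_config (Match blocks must come last) and check it with `sshd -t` before reloading.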

