[ale] Need wacky chroot setup help
Brian Mathis
brian.mathis+ale at betteradmin.com
Fri Aug 21 10:49:29 EDT 2015
Create directories owned by root for chrooted users in something like:
/srv/sftp/$USER
Setup ssh to chroot those users into that directory
Create a directory /srv/sftp/$USER/jobout
Use a bind mount (mount -o bind) to mount /home/t1000/dept-fun-times to
/srv/sftp/$USER/jobout for each user
This is the only way I know of since the chroot can't follow symlinks.
❧ Brian Mathis
@orev
On Fri, Aug 21, 2015 at 9:17 AM, James Sumners <james.sumners at gmail.com>
wrote:
> I have some craptastic software that allows users to submit background
> jobs that are executed by a common system account. Let's call that account
> 't1000'. This system supports a configuration where the end user's
> submitted job can be written to a directory in their home directory,
> provided t1000's group is able to write to it. Otherwise, job output files
> get dumped in t1000's home directory. Further, I have departments with
> users that need to share a common job output directory.
>
> So let's pretend I have users "foobar" and "bazbar" that need to submit
> jobs to a common output directory. Let's further assume I have the
> following file system layout:
>
> - /home/t1000/
> - /home/t1000/dept-fun-times/
> - /home/foobar/
> - /home/foobar/jobout/ => /home/t1000/dept-fun-times/
> - /home/barbaz/
> - /home/barbaz/jobout/ => /home/t1000/dept-fun-times/
>
> Each user t1000, foobar, and barbaz are members of a group "vomit". Each
> "jobout" directory and the "dept-fun-times" directory have mode `0770`.
> Thus when either foobar or barbaz submit a job, that job's output will end
> up in `/home/t1000/dept-fun-times/`. Any other user that submits a job will
> result in the job output going to `/home/t1000/`.
>
> All files in `/home/t1000/` and `/home/t1000/dept-fun-times/` are mode
> `0660`.
>
> Now for the fun part:
>
> I need foobar and barbaz to be able to ssh/sftp to the system and be
> "chrooted" to `/home/t1000/dept-fun-times/` such that they cannot change
> from that directory nor open any files outside of that directory.
>
> SSHD requires the destination chroot to (rightly) be a proper jail. As
> does the rssh shell (when chrooting). Bash's restricted mode is also not a
> solution.
>
> Do you guys have any ideas how I can accomplish this goal?
>
> --
> James Sumners
> http://james.sumners.info/ (technical profile)
> http://jrfom.com/ (personal site)
> http://haplo.bandcamp.com/ (band page)
>
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://mail.ale.org/mailman/listinfo/ale
> See JOBS, ANNOUNCE and SCHOOLS lists at
> http://mail.ale.org/mailman/listinfo
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.ale.org/pipermail/ale/attachments/20150821/f1005aa3/attachment.html>
More information about the Ale
mailing list