Re: chroot-ing users coming in via SSH and/or SFTP?
On Tuesday 21 December 2004 03:30, Brett Glass wrote:
> At 03:19 PM 12/20/2004, Nigel Houghton wrote:
> >Take a look at the Jail project, you'll find it here...
> >
> > http://www.jmcresearch.com/projects/jail/
> >
> >..and in ports/sysutils/ along with some other jail tools, it may
> >provide some of the features you are looking for.
>
> Looks useful. (Shame it's GPLed.) In any case, it seems to me that
> creation of a jail the way this tool does it (and the way most people
> have to do it in general) requires a lot of redundant copies of
> files. Wouldn't it be neat if there were a type of link (not quite
> soft, not quite hard; call it "firm") that would let you link to the
> current master copies of executables (rather than copying them) but
> not let the inmates out of their jails? Hard links have the
> disadvantage that they're broken when you upgrade an executable; soft
> links can't be used because, well, you're in a jail. The type of link
> I have in mind would be symbolic but resolved by the system behind
> the scenes; from inside the jail it wouldn't look like a link.
>
> --Brett
This can be done with nullfs, unionfs or nfs over the loopback
interface.
BTW, hard drives are quite cheap nowdays, so the main problem with
redundant copies is not the space they waste, it's that they are hard
to manage. IMHO `firm` links wont help you a bit.
m.
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
討論串 (同標題文章)
完整討論串 (本文為第 9 之 9 篇):