
[Jailkit-users] Re: Question about jk_lsh (and the mailing list..)


From: Olivier Sessink
Subject: [Jailkit-users] Re: Question about jk_lsh (and the mailing list..)
Date: Thu, 22 Sep 2005 20:58:40 +0200
User-agent: Debian Thunderbird 1.0.6 (X11/20050802)

stefAN wrote:
[..]
CC to jailkit-users now, since you should be subscribed now

>>> Second, me and another ebuild writer are wondering,
>>> if jk_lsh is a real, interactive shell, like bash.

>> no, by definition not, the contrary: it is designed to disable
>> interactive sessions, and only allow non-interactive sessions, such as
>> used for cvs, rsync, sftp, scp etc..

>>> Both of
>>> us weren't able to login with jk_lsh as shell for users.
>>> And, on top of that, I can't start any prog with the -c
>>> option.

>> jk_lsh may *only* be used with the -c option
>> for example 'ssh address@hidden rsync ..options..' will work if jk_lsh is
>> configured to allow rsync

> Is there any chance to get a shell that does what I thought
> jk_lsh would do? (I think it is hard to build such a shell without
> any security issue.)

you could use bash in the jail, and then remove the 'others' permissions
from all binaries (0750), change the group of those binaries, and give
users access to the groups of the binaries you want to allow them to
use. e.g.
chmod 0750 <jail>/usr/bin/cvs
chgrp cvs <jail>/usr/bin/cvs

then edit <jail>/etc/group and add users that are allowed to use cvs to
group cvs

> About the usage:
> If I put it in CHROOTJAIL/etc/passwd for a user, do I need any ""
> for the commands? Like jk_lsh -c "any command here"? 

no, commands like cvs, rsync, sftp and scp will execute the shell with
-c automatically. so adding jk_lsh as shell is enough.

regards,
        Olivier
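
The group-based restriction suggested in the message above can be checked with a small audit script. This is an added example, not part of the original post or of Jailkit; the function names and the scanned directories (<jail>/bin and <jail>/usr/bin) are assumptions.

```shell
#!/bin/sh
# Added example: audit a jail restricted with the chmod 0750 / chgrp scheme.
# Function names and the directories scanned are assumptions, not Jailkit's.

# Binaries in the jail that 'others' can still execute (not yet 0750).
jail_world_exec() {
    for dir in "$1/bin" "$1/usr/bin"; do
        if [ -d "$dir" ]; then find "$dir" -type f -perm -0001 -print; fi
    done | sort
}

# Users that <jail>/etc/group lists for the group owning one binary.
# The numeric gid from 'ls -n' is looked up in the jail's group file,
# the file the post says to edit, rather than in the host's.
jail_allowed_users() {
    gid=$(ls -lnd "$2" | awk '{ print $4 }')
    awk -F: -v gid="$gid" '$3 == gid {
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
    }' "$1/etc/group" | sort -u
}

# One line per binary: flagged if world-executable, otherwise the users
# who reach it through its group.
jail_audit() {
    jail_world_exec "$1" | sed 's/^/WORLD-EXEC /'
    for dir in "$1/bin" "$1/usr/bin"; do
        if [ -d "$dir" ]; then
            find "$dir" -type f -perm -0010 ! -perm -0001 -print
        fi
    done | sort | while IFS= read -r f; do
        users=$(jail_allowed_users "$1" "$f" | tr '\n' ' ')
        echo "GROUP-ONLY $f: ${users:-(no members listed)}"
    done
}

# Run as: sh audit.sh /path/to/jail
if [ -n "${1:-}" ] && [ -d "$1" ]; then jail_audit "$1"; fi
```

Any WORLD-EXEC line is a binary every jailed user can still run; a GROUP-ONLY line with no members means nobody has been granted it yet through <jail>/etc/group.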



