[scponly] Install for many accounts

Matthew Moffitt moffitt.10 at sociology.osu.edu
Sun Aug 24 12:21:30 EDT 2003


At 11:03 AM 8/24/2003, Sven Hoexter wrote:
>On Sun, Aug 24, 2003 at 10:26:52AM -0400, Matthew Moffitt wrote:
>
>Hi Matthew,
>have you ever heard about line wrapping?
>Would be great if you break your lines at about 70 signs

Sorry about that, forgot I had it off.


> > One glitch I'm running into is in setting up the chroot
> > option.  Walking through the instructions and looking through the
> > setup_chroot.sh script I see how we set this up for a particular user
> > with the binaries in their chroot'd directory.
>Which flavour of unix do you use? setup_chroot.sh is heavily
>optimised for FreeBSD and other *BSD.

This is on FreeBSD.

>
> > However I'd like to have a single installation of the binaries but
> > allow all users to have the scponly shell.  That would avoid having usr,
> > bin, etc, and other folders tacked into their home directories.
> >
> > I tried modifying the setup in config.h to build these so it would look
> > for a '.scponly/usr' and other folders instead of the default which I
> > thought I could then symlink for each person but this won't work, it
> > can't follow the symlink out of the jail.  Even if I copied this over to
> > each person's home, making it look a little cleaner from their
> > perspective, I still have the problem with programs like sftp-server
> > having a hard coded path to find ld-elf.so.1 in /usr/libexec.
>Well what you can do is set up one big chroot with scponlyc + needed
>binaries and the users $HOME. Then you have to restrict the access to
>the homedirs through the normal unix right system.

I've thought about this, putting an scponly install 1 level above the users'
home directories.  It would work but would just give the users 1 extra
thing to possibly look at and get confused about.

>
> > Is there another approach that would facilitate creating an install for
> > several hundred accounts still using a jail but not having the binaries
> > copied over for each person?  I would think there must be a clean way to
> > do this but I don't see it.
>The problem with ssh/sftp/scponly is that there is no built-in ls
>support and other things. So scponly always needs access to the
>fileutils and linked libs.

Got it, I see the problem and perhaps there isn't an elegant
solution.  Hrm, I may just drop trying to use chroot altogether for
now.  I'm worried about maintaining it if I have various installations
scattered around as a kludge but I'll see if I can come up with anything else.

-Matt


>Sven
>--
>http://www.comboguano.de
>http://sven.linux-ist-pleite.de
>I'm root, if you see me laughing you better have a backup!
>_______________________________________________
>scponly mailing list
>scponly at lists.ccs.neu.edu
>https://lists.ccs.neu.edu/bin/listinfo/scponly
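
Added example, not part of the original thread and not scponly code: in the single shared chroot suggested above, ordinary Unix permissions are the only barrier between users, so this check lists home directories that grant group or other access, and home entries that are symlinks (which cannot lead out of the jail). The layout `$JAIL/home/<user>` and the function name `audit_jail_homes` are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit a shared jail for home directories that other
# jailed users could enter or read.
# Assumed (hypothetical) layout: $JAIL/home/<user>, one directory per account.

# Print one finding per line as "<reason> <path>"; return 1 if any were found.
audit_jail_homes() {
    jail=$1
    findings=0
    for home in "$jail"/home/*; do
        # Skip the literal pattern left behind by an unmatched glob.
        [ -e "$home" ] || [ -L "$home" ] || continue
        if [ -L "$home" ]; then
            # After chroot a symlink is resolved inside the jail, so a
            # link that points outside it will not work there.
            echo "symlink $home"
            findings=$((findings + 1))
            continue
        fi
        [ -d "$home" ] || continue
        # Characters 5-10 of the ls mode string are the group and other bits.
        bits=$(ls -ld "$home" | cut -c5-10)
        if [ "$bits" != "------" ]; then
            echo "open($bits) $home"
            findings=$((findings + 1))
        fi
    done
    [ "$findings" -eq 0 ]
}

# Stand-alone use: sh audit.sh /path/to/jail
if [ "$#" -gt 0 ]; then
    audit_jail_homes "$1"
fi
```

A clean run prints nothing and returns 0; any finding makes the function return 1, so it can gate an account-provisioning script.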


