[scponly] scponly 4.1

Kaleb Pederson kpederson at mail.ewu.edu
Thu Mar 24 10:31:50 EST 2005


It is a bit "dangerous" but not quite what you indicated.

passwd does have to be called from outside of the chroot or access files 
outside of the chroot.  The latter shouldn't be possible at the filesystem 
level, so the former is an option.

The process I have taken is as follows.  Note that 90-95% of the code that I 
have has been taken from elsewhere in the code as most of it didn't need to 
be original:

... before chroot() has been called, see if the command is passwd.
if the command is password, drop privileges, fork(), exec passwd, then exit.

This mechanism shouldn't depend on the OS in the least; whatever passwd 
program is found by configure at configure time is used to change the user's 
password.

I'll provide a patch soon so everyone can look at it.  It does need to be well 
tested.  I'm in the process of testing it on several systems....

Thanks.

--Kaleb


On Thursday 24 March 2005 4:51 am, Ralf Durkee wrote:
> Are you talking about putting a password command inside the chroot, so that
> users can change their password?
> If so it sounds like a high risk item to throw in at the last minute
> without careful consideration.
>
> -- Ralf Durkee, CISSP, GSEC, GCIH
> Principal Consultant
> http://rd1.net
>
> At 05:05 PM 3/23/2005, Kaleb Pederson wrote:
> >Thanks Joe!
> >
> >I don't know if you'll have time to add in my patch for changing the
> > password outside of the chroot when using a chrooted environment, but I'm
> > in the middle of testing it out right now.  Assuming my implementation is
> > reasonable of course.... (and I added in all the autoconf stuff as well
> > this time).
> >
> >Is there any way that I can test a pre-release version to make sure
> >everything works on AIX before the release?
> >
> >I should be done testing and have the patch done later tonight.
> >
> >Thanks.
> >
> >--Kaleb
>


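One way to write the flow described in the message above (check for passwd before chroot(), drop privileges, fork, exec, exit), as an added example that is neither Kaleb's patch nor scponly's code. Assumptions: `PASSWD_PATH` stands in for the path configure detected, the function names are hypothetical, the binary runs setuid root with the logged-in user as real uid, and rejecting any argument after `passwd` is this example's choice.

```c
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Assumption: stands in for the passwd path that configure detected. */
#define PASSWD_PATH "/usr/bin/passwd"

/* Exact match only: "passwd root" or "passwd; sh" must not take this path. */
int is_passwd_request(const char *cmd) {
    return cmd != NULL && strcmp(cmd, "passwd") == 0;
}

/* Drop to the real (logged-in) user for good: gid first, then uid, then verify. */
int drop_privileges(void) {
    uid_t uid = getuid();
    gid_t gid = getgid();
    if (setgid(gid) != 0 || setuid(uid) != 0) return -1;
    if (uid != 0 && setuid(0) == 0) return -1;  /* root must be unrecoverable */
    return 0;
}

/* Call before chroot(). Returns -1 if cmd is not passwd; otherwise never returns. */
int handle_passwd_before_chroot(const char *cmd) {
    char *const argv[] = { "passwd", NULL };    /* no user-supplied arguments */
    char *const envp[] = { "PATH=/usr/bin:/bin", NULL };  /* fixed environment */
    int status = 0;
    pid_t pid;
    if (!is_passwd_request(cmd)) return -1;
    if (drop_privileges() != 0) _exit(1);       /* fail closed, never exec as root */
    pid = fork();
    if (pid < 0) _exit(1);
    if (pid == 0) {
        execve(PASSWD_PATH, argv, envp);        /* fixed path, no PATH search */
        _exit(127);                             /* only reached if exec failed */
    }
    if (waitpid(pid, &status, 0) < 0) _exit(1);
    _exit(WIFEXITED(status) ? WEXITSTATUS(status) : 1);
}

int main(int argc, char **argv) {
    /* Assumption: the requested command arrives as one string after -c. */
    handle_passwd_before_chroot(argc == 3 ? argv[2] : NULL);
    return 0;  /* not passwd: the caller would go on to chroot() here */
}
```

Because the privilege drop happens before the fork, neither the parent nor the child holds the wrapper's root privileges when passwd starts; passwd relies on its own setuid bit.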
