[scponly] Install for many accounts
Matthew Moffitt
moffitt.10 at sociology.osu.edu
Sun Aug 24 12:21:30 EDT 2003
At 11:03 AM 8/24/2003, Sven Hoexter wrote:
>On Sun, Aug 24, 2003 at 10:26:52AM -0400, Matthew Moffitt wrote:
>
>Hi Matthew,
>have you ever heard about line wrapping?
>Would be great if you break your lines at about 70 signs
Sorry about that, forgot I had it off.
> > One glitch I'm running into is in setting up the chroot
> > option. Walking through the instructions and looking through the
> > setup_chroot.sh script I see how we set this up for a particular user
> > with the binaries in their chroot'd directory.
>Which flavour of unix do you use? setup_chroot.sh is heavily
>optimised for FreeBSD and other *BSD.
This is on FreeBSD.
>
> > However I'd like to have a single installation of the binaries but
> > allow all users to have the scponly shell. That would avoid having usr,
> > bin, etc, and other folders tacked into their home directories.
> >
> > I tried modifying the setup in config.h to build these so it would look
> > for a '.scponly/usr' and other folders instead of the default which I
> > thought I could then symlink for each person but this won't work, it
> > can't follow the symlink out of the jail. Even if I copied this over to
> > each person's home, making it look a little cleaner from their
> > perspective, I still have the problem with programs like sftp-server
> > having a hard coded path to find ld-elf.so.1 in /usr/libexec.
>Well what you can do is set up one big chroot with scponlyc + needed
>binaries and the users $HOME. Then you have to restrict the access to
>the homedirs through the normal unix right system.
I've thought about this, putting an scponly install 1 level above the users
home directories. It would work but would just give the users 1 extra
thing to possibly look at and get confused about.
>
> > Is there another approach that would facilitate creating an install for
> > several hundred accounts still using a jail but not having the binaries
> > copied over for each person? I would think there must be a clean way to
> > do this but I don't see it.
>The problem with ssh/sftp/scponly is that there is no built-in ls
>support and other things. So scponly always needs access to the
>fileutils and linked libs.
Got it, I see the problem and perhaps there isn't an elegant
solution. Hrm, I may just drop trying to use chroot altogether for
now. I'm worried about maintaining it if I have various installations
scattered around as a kludge but I'll see if I can come up with anything else.
-Matt
>Sven
>--
>http://www.comboguano.de
>http://sven.linux-ist-pleite.de
>I'm root, if you see me laughing you better have a backup!
>_______________________________________________
>scponly mailing list
>scponly at lists.ccs.neu.edu
>https://lists.ccs.neu.edu/bin/listinfo/scponly
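
An added example, not part of the original thread or of scponly: with one shared chroot holding every user's $HOME, isolation between accounts rests only on directory ownership and mode bits, so this sketch audits the home directories under the shared base. It assumes each directory is named after its account and that group access is not wanted; `audit_homes`, `passwd_uid` and the sample tree are hypothetical names and data constructed for illustration.

```python
import os
import pwd
import stat
import tempfile

def passwd_uid(name):
    """Default owner lookup: the account named like the directory (assumption)."""
    try:
        return pwd.getpwnam(name).pw_uid
    except KeyError:
        return None

def audit_homes(home_base, uid_for=passwd_uid):
    """Return (name, problem) pairs for home dirs inside a shared chroot."""
    findings = []
    for name in sorted(os.listdir(home_base)):
        st = os.lstat(os.path.join(home_base, name))  # lstat: do not follow links
        if stat.S_ISLNK(st.st_mode):
            # As noted in the thread, a symlink cannot be followed out of the jail.
            findings.append((name, "symlink"))
            continue
        if not stat.S_ISDIR(st.st_mode):
            continue
        mode = stat.S_IMODE(st.st_mode)
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append((name, "open to group/other (%04o)" % mode))
        want = uid_for(name)
        if want is None:
            findings.append((name, "no matching account"))
        elif st.st_uid != want:
            findings.append((name, "wrong owner"))
    return findings

def demo():
    """Build a constructed sample tree (not a real layout) and audit it."""
    me = os.getuid()
    owners = {"alice": me, "bob": me, "carol": me + 1, "dave": me}
    with tempfile.TemporaryDirectory() as base:
        for name, mode in (("alice", 0o700), ("bob", 0o755), ("carol", 0o700)):
            path = os.path.join(base, name)
            os.mkdir(path)
            os.chmod(path, mode)
        os.symlink("/usr", os.path.join(base, "dave"))
        return audit_homes(base, owners.get)

if __name__ == "__main__":
    for name, problem in demo():
        print(name, problem)
```

Run against the real home base with the default `passwd_uid` lookup, this can be scheduled so that a home directory created with a permissive mode is noticed.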