[scponly] scpjailer woes
Charles Fry
scponly at frogcircus.org
Fri Jan 23 15:00:01 EST 2004
> That gave me an idea. In the latest scpjailer, I changed it so that
> instead of creating directories and symlinks to the files directly, it
> just sets up 4 symlinks that point most everything to 'bin' (which is
> where scpjailer puts all its files).
Smooth. I like it.
> To upgrade existing dirs that have been created with setup_chroot.sh
> or scpjailer-0.1, you just just be able to run 'scpjailer
> --skip-config /the/dir'.
This gave me an idea. It may not be sufficiently portable for the
vanilla scpjailer distribution, but it would be sweet in Debian. The
idea would be to install the three static binaries (busybox, scp,
and sftp-server) in a central location, and then to create hard links
from each chroot to the central installation. This would have the
advantages that:
- Each chroot would add 24K to the system, instead of a whopping 236K ;)
- When the binaries were updated, they would only need to be changed in
one location. This would facilitate security updates as well.
The only disadvantage I can think of is that home directories would need
to be located on the same physical disk as the statically linked binaries,
which might not be the case by default.
I don't have a feel for how useful this would be outside of an
environment like Debian. Another nice thing in Debian is that the
busybox-static package already contains a statically linked busybox
executable, which would be perfect for this purpose. This would allow
scponly (or scponlyc or scpjailer, should either ever merit existence in
a separate package) to simply depend on busybox-static.
Finally, regarding Debian, I've posted this idea in bug #228928. I
certainly don't mean to step on your toes, Thomas, but if anyone with
Debian development experience has any other ideas related to this, I'd
love to hear them.
Charles
--
Once a day the easy way
Burma-Shave
http://frogcircus.org/burmashave/1939/once_a_day.html
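The hard-link scheme Charles describes above, as an added example that is not part of the original post and not scpjailer's own code. It assumes a central directory holding statically linked busybox, scp and sftp-server, links them into a chroot's bin/ directory, and refuses to run when the chroot sits on a different filesystem, since a hard link cannot cross devices (the disadvantage the post points out). The directory names and the GNU stat invocation are assumptions for this example.

```shell
#!/bin/sh
# Added example (not from the original post or scpjailer): hard-link one
# central set of static binaries into a chroot's bin/ directory, refusing
# to proceed when the chroot is on a different filesystem.
# Assumed layout (constructed for this example): CENTRAL holds the three
# binaries; each chroot receives them under $chroot/bin.

STATIC_BINS="busybox scp sftp-server"

# Print the device number of the filesystem holding $1 (GNU stat assumed).
fs_device() {
    stat -c %d "$1"
}

# link_static_into_chroot CHROOT CENTRAL
# Exit status: 0 on success, 1 on bad arguments or link failure,
# 2 when CHROOT and CENTRAL are on different filesystems, 3 when a
# binary is missing from CENTRAL.
link_static_into_chroot() {
    chroot_dir=$1; central=$2
    [ -d "$chroot_dir" ] && [ -d "$central" ] || return 1
    if [ "$(fs_device "$chroot_dir")" != "$(fs_device "$central")" ]; then
        echo "refusing: $chroot_dir and $central are on different filesystems" >&2
        return 2
    fi
    mkdir -p "$chroot_dir/bin" || return 1
    for b in $STATIC_BINS; do
        [ -f "$central/$b" ] || { echo "missing $central/$b" >&2; return 3; }
        # -f replaces an earlier copy or symlink, so re-running after a
        # security update of the central binaries is harmless.
        ln -f "$central/$b" "$chroot_dir/bin/$b" || return 1
    done
    return 0
}

# shares_inode A B: succeeds when A and B are the same inode on the same
# device, i.e. the chroot really shares the central binary.
shares_inode() {
    [ "$(stat -c '%d:%i' "$1")" = "$(stat -c '%d:%i' "$2")" ]
}
```

Because every chroot shares the central inode, updating the file in place (rather than unlinking and recreating it) is what propagates a security update to all jails at once; the link count reported by stat shows how many chroots reference a given binary.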