[scponly] scpjailer woes

Tony J. White tjw at webteam.net
Fri Jan 23 14:22:36 EST 2004


> I don't have a feel for how useful this would be outside of an
> environment like Debian. Another nice thing in Debian is that the
> busybox-static package already contains a statically linked busybox
> executable, which would be perfect for this purpose. This would allow
> scponly (or scponlyc or scpjailer, should either ever merit existence in
> a separate package) to simply depend on busybox-static.

Just a note about the Debian busybox package: it probably contains a great
deal more functionality than is required by scponly.  The one that comes
with scpjailer contains only the bare minimum features to make scponlyc
work.  On the other hand the deb package may contain a busybox binary
that contains lots of tools you probably don't want the scponly user to
have access to (e.g. 'dd', 'sysctl', 'ifconfig', and lots more).  I would
be wary of giving such a featured tool to a restricted user since if
they were able to get root in the chroot, they could still destroy the
host system.

-Tony
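
One way to check a jail's busybox binary for applets beyond what the restricted user needs, as an added example that is not part of the original message or of scponly/scpjailer. It assumes a BusyBox build that supports `--list`; the `ALLOWED` set and the sample applet list are constructed for illustration and are not the applets scponlyc actually requires.

```shell
#!/bin/sh
# Added example: flag busybox applets that are not on an allowlist.
# ALLOWED is an assumed list for illustration; replace it with the
# commands your scponly build actually invokes inside the chroot.
ALLOWED="ls mkdir rmdir rm mv ln chmod chown pwd echo"

# Read applet names (one per line) on stdin; print each one not in ALLOWED.
unexpected_applets() {
    while IFS= read -r applet; do
        [ -n "$applet" ] || continue
        case " $ALLOWED " in
            *" $applet "*) ;;              # on the allowlist
            *) printf '%s\n' "$applet" ;;  # extra functionality in the jail
        esac
    done
}

# Audit a busybox binary by path: returns 0 if it carries only allowed
# applets, 1 (with a report on stderr) if it carries anything else.
audit_busybox() {
    extra=$("$1" --list | unexpected_applets)
    [ -z "$extra" ] && return 0
    printf 'unexpected applets in %s:\n%s\n' "$1" "$extra" >&2
    return 1
}

# Constructed sample of what a full-featured build might list.
SAMPLE_LIST="ls
rm
dd
sysctl
ifconfig
chmod"

# Demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_LIST" | unexpected_applets
```

Against a real jail, call `audit_busybox` with the path to the busybox binary inside the chroot and treat a non-zero return as a reason to rebuild with fewer applets.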