[scponly] scponly 4.1
Kaleb Pederson
kpederson at mail.ewu.edu
Thu Mar 24 10:31:50 EST 2005
It is a bit "dangerous" but not quite what you indicated.
passwd does have to be called from outside of the chroot or access files
outside of the chroot. The latter shouldn't be possible at the filesystem
level, so the former is an option.
The process I have taken is as follows. Note that 90-95% of the code that I
have has been taken from elsewhere in the code as most of it didn't need to
be original:
... before chroot() has been called, see if the command is passwd.
if the command is password, drop privileges, fork(), exec passwd, then exit.
This mechanism shouldn't depend on the OS in the least, whatever passwd
program is found by configure at configure time is used to change the users
password.
I'll provide a patch soon so everyone can look at it. It does need to be well
tested. I'm in the process of testing it on several systems....
Thanks.
--Kaleb
On Thursday 24 March 2005 4:51 am, Ralf Durkee wrote:
> Are you talking about putting a password command inside the chroot, so that
> users can change their password?
> If so it sounds like a high risk item to throw in at the last minute
> without careful consideration.
>
> -- Ralf Durkee, CISSP, GSEC, GCIH
> Principal Consultant
> http://rd1.net
>
> At 05:05 PM 3/23/2005, Kaleb Pederson wrote:
> >Thanks Joe!
> >
> >I don't know if you'll have time to add in my patch for changing the
> > password outside of the chroot when using a chrooted environment, but I'm
> > in the middle of testing it out right now. Assuming my implementation is
> > reasonable of course.... (and I added in all the autoconf stuff as well
> > this time).
> >
> >Is there any way that I can test a pre-release version to make sure
> >everything
> >works on AIX before the release?
> >
> >I should be done testing and have the patch done later tonight.
> >
> >Thanks.
> >
> >--Kaleb
>
> _______________________________________________
> scponly mailing list
> scponly at lists.ccs.neu.edu
> https://lists.ccs.neu.edu/bin/listinfo/scponly
More information about the scponly
mailing list