[scponly] I _still_ don't understand --enable-quota-compat

Ensel Sharon user at dhp.com
Fri Mar 10 14:01:15 EST 2006



On Fri, 10 Mar 2006, Kaleb Pederson wrote:

> > Finally, even if you do put fstab in your (chroot)/etc, it still doesn't
> > work, presumably because the binary-data quota files that the quota
> > command reads are in the root of the filesystem in question, and thus
> > outside of the chroot.
> 
> If you strace it, you'll probably find that it needs a bunch of device nodes 
> and other things that aren't present.
> 
> > So ... does anyone here actually use this option, and successfully call
> > the quota command ?  If so, how ?  Or is this only workable for people
> > _not_ doing a chroot ?
> 
> I would guess that it only works outside of a chroot.  I have never tried to 
> use it within a chroot.  A strace would show you exactly what the (next) 
> problem is.  There might be more than one problem.  Eg. you might have to 
> copy or create some device nodes and then <other action here>.
> 
> That's probably not what you wanted to hear... but I can't see how it might 
> work differently.


Well, since it's _you_ that answered :)  Couldn't it be made to work the
same way that your passwd-in-chroot patch is made to work ?  It seems to
be an analogous problem.

Perhaps instead of a different patch for every different command that
people want to hack into the chroot ... could there perhaps be a _general_
forking patch, that once applied allows a person to add any number of
binaries that can be run temporarily outside of the chroot (for instance,
I might allow passwd and quota and df, and you might just allow passwd)

(and it would be up to the user of that patch to decide whether the
exceptions they were allowing were safe ones or not)

Is this a silly idea ?

I would think that this patch would be just like the one you did, except
instead of being hard-coded for passwd, it would instead look at the
command coming in, if the command coming in is one of the already
acceptable commands that are in the chroot, behave as normal (scp, rsync,
ls), if it is not, then check a list of allowable-exceptions, and if it is
in that list, perform the actions that you are performing in your passwd
patch.

Perhaps the list of exceptions should exist outside the chroot ?  I don't
know.

Again, is this a silly idea ?

Thanks a lot.
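
The lookup order proposed in this message, as an added example that is not part of the original post and is not scponly's code or the passwd patch. The `classify` function, the `verdict` names and the listed paths are assumptions; the exception list is compiled in here as one answer to where it should live, and anything on neither list is denied.

```c
#include <stdio.h>
#include <string.h>

enum verdict { DENY = 0, RUN_IN_CHROOT, RUN_OUTSIDE_CHROOT };

/* Constructed lists; the paths are assumptions, not scponly's own tables. */
static const char *const in_chroot[]  = { "/usr/bin/scp", "/usr/bin/rsync", "/bin/ls", NULL };
/* Compiled in here, so a chrooted user cannot edit the list. */
static const char *const exceptions[] = { "/usr/bin/passwd", "/usr/bin/quota", "/bin/df", NULL };

/* Exact match of the first `len` bytes of prog against one list entry. */
static int in_list(const char *const *list, const char *prog, size_t len)
{
    for (; *list != NULL; list++)
        if (strlen(*list) == len && memcmp(*list, prog, len) == 0)
            return 1;
    return 0;
}

/* request: the command string as handed to the restricted shell. */
enum verdict classify(const char *request)
{
    size_t len;

    if (request == NULL || request[0] != '/')
        return DENY;                      /* absolute paths only, no PATH lookup */
    /* Nothing a shell would interpret may appear anywhere in the request. */
    if (request[strcspn(request, ";&|<>`$(){}*?[]'\"\\\n")] != '\0')
        return DENY;
    len = strcspn(request, " \t");        /* program name = first word */
    if (in_list(in_chroot, request, len))
        return RUN_IN_CHROOT;             /* existing behaviour */
    if (in_list(exceptions, request, len))
        return RUN_OUTSIDE_CHROOT;        /* the proposed exception path */
    return DENY;                          /* default deny */
}

int main(void)
{
    static const char *const names[] = { "deny", "in chroot", "outside chroot" };
    /* Constructed sample requests. */
    const char *samples[] = { "/usr/bin/scp -t /incoming", "/usr/bin/quota",
                              "/usr/bin/quota; /bin/sh", "/bin/sh", "quota" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-28s -> %s\n", samples[i], names[classify(samples[i])]);
    return 0;
}
```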
