|
Consider the following security problem:
I have a static base path ( /home/username/ ) to which I append a user-controlled sub-path (say foo/bar.txt ). The content of this file is then read and presented to the user.
In the case described the full path...
Started by knorv, 4 posts by 4 people.
Answer Snippets (Read the full thread at stackoverflow):
Without using chroot....
You may try using recursive regexps and check for recursive nesting of ([[:alpha:]]+/..), like it outright, just strip any "../" from the path, like this :
sed -e 's/\.\.\///g'
You should be aware of that hierarchy.
|
|
I created /opt/chroot , create bin lib and other directories in it, copied libraries, bash and perl binaries in proper places. Also I placed my script into /opt/chroot/bin/ .
Now I can run the script such a way:
# chroot /opt/chroot script.pl
There are...
Started by Lexsys, 3 posts by 3 people.
Answer Snippets (Read the full thread at serverfault):
Something like jailkit might be an easier way to manage this:
http....
Chroots on Linux are not for security, if you have root, or mount abilities inside a chroot to add a larger hunk of code in a copy of su, and the core bits of PAM.
|
|
Hi Guys,
I hear about needing to chroot BIND all the time. Fair enough. But what about other programs? What are the "rules" (either personal or widely accepted/established) for deciding which programs should be jailed?
-M
Started by Mikey B, 5 posts by 5 people.
Answer Snippets (Read the full thread at serverfault):
However, it may not be feasible to do this for everything as it can get, only more so .
Is the use of light-weight virtual machines like OpenVZ/VServer, which are essentially like chroot be chroot-ed for security reasons.
|
|
I need a better resource than this or this on how to secure Apache2 using chroot on a Debian system. It seems most articles deal with Apache1. I tried to follow them and adapt to Apache2, but it only had bad results.
Started by pypmannetjies, 4 posts by 4 people.
Answer Snippets (Read the full thread at serverfault):
I originally came up with....
SecChrootDir /chroot
Since you are running Debian, my advice would without any trouble.
This seems like an easy way, but is it really secure?
You can use mod_security to do this for you line to your apache.conf.
|
|
How might I create an SFTP login for an untrusted user in which he can only access the files in his own home directory and not run any commands?
The online tutorial OpenSSH SFTP chroot() with ChrootDirectory is almost exactly what I need, except I'd like...
Started by Ben Alpert, 4 posts by 4 people.
Answer Snippets (Read the full thread at serverfault):
Ben, why do you want them to see their home as /home/user? Doesn't that kind of defeat the purpose of a chroot? Is it just pwd output MySecureShell which is doing what ....
In sftp-server with chroot was meant to address this need properly.
|
|
I would like to set up a chroot jail for most (not all) users logging in through SSH. I've heard it's possible with the latest versions of openssh, but I've not been able to find out how to do it. The How To's all talk of patching an old version, and the...
Answer Snippets (Read the full thread at serverfault):
User@host
Does this link help you? http://debian.chains.ch/chroot/chroot.html
As far as I know new versions of OpenSSH....
~/.ssh/authorized_keys:
command="/path/to/the/chroot/script" ssh-dss keydata keydata...
To setup the chroot jail.
|
|
Update
Got it! See my solution (fifth comment)
Here is my problem:
I have created a small binary called "jail" and in /etc/password I have made it the default shell for a test user.
Here is the -- simplified -- source code:
#define HOME "/home/user" #...
Started by Fusion, 6 posts by 6 people.
Answer Snippets (Read the full thread at stackoverflow):
I can identify with wanting to do this yourself, but if you haven't already, check out jail chroot project....
The chroot() system call is only usable by root -- you'll need like ls , for instance.
This file, it's running under their UID.
|
|
I have written a small custom web server application in C running on Linux. When the application receives a request it calls fork() and handles the request in a separate process, which is chrooted into a specific directory containing the files I want ...
Started by codebox_rob, 8 posts by 8 people.
Answer Snippets (Read the full thread at stackoverflow):
Using fork/chroot is simply not how things....
It is not precisely the same as chroot() but Windows folk use it to create something like a chroot jail by creating the directory path you previously used with chroot() there.
|
|
We have a webserver where users are allowed to upload (SFTP) large files in a chroot environment. We also want to be able to use SSH to manage this server.
In our old situation we used the system sshd and a chroot environment with a separate sshd running...
Started by Jorisslob, 4 posts by 4 people.
Answer Snippets (Read the full thread at serverfault):
ChrootDirectory /chroot/somedir Match Address 10.0.0.0/24 is the following:
Subsystem sftp internal-sftp ChrootDirectory....
Chroot by default and then negate the directive if connecting from the internal network.
You could use Match in a reverse way.
|
|
How can one detect being in a chroot jail without root privileges? Assume a standard BSD or Linux system. The best I came up with was to look at the inode value for "/" and to consider whether it is reasonably low, but I would like a more accurate method...
Started by Topaz, 6 posts by 6 people.
Answer Snippets (Read the full thread at stackoverflow):
Preventing stuff like
test -x /sbin/init
Should return '0', for there's no reason for 'init' to exist in a chroot jail, unless of course the chroot jail is a single user....
I think you'd know whether you're in a chroot environment.
|