
Re: chroot ssh users



> OpenBSD 3.1                     March 16, 1991

Well, first of all, you said you were running 3.2.  But I'll let it
pass...
 
> I don't understand it!
> could u give an example?

Assuming that I really wanted to go about chrooting a user, I'd set up a
small shell script in /usr/bin.  Call it /usr/bin/chrootlogin.

/usr/bin/chrootlogin:
#!/bin/sh
# Login shell for chrooted users: chroot into the user's home via sudo, then start csh.
/usr/bin/sudo /usr/sbin/chroot "$HOME" /bin/csh

Replace csh with your shell of choice, of course.

Now, make a group called chroot.  Add all the users who will be chrooted
into it.  Now, you need to add a permission declaration line for sudo.
Use "visudo" as root and add this:

%chroot ALL = NOPASSWD: /usr/sbin/chroot

Then, you'll need to add whatever utilities you want your shell users to
have into a directory called bin in their home dirs.  Don't forget the
things like ls and pwd and cd and echo, the stuff that you use every
day, as well as their shell of choice.

Then, add your users.  Put them in the "chroot" group, as well as their
personal groups.  Set /usr/bin/chrootlogin as their shell.  Make sure to
add that to /etc/shells if you want them to have ftp access.

And that's how you go about setting up a basic chroot environment on 3.2
or 3.1.

3.2-current has lots more features in it that make things easier.

But IMHO, you'd be better served by keeping the box patched.  chroots
look pretty, but for users, they're more trouble than they're worth.  If
you don't want them reading each other's files, set a umask of 600 or
some such.

-Sunny Raspet
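
One way to script the "add utilities into a directory called bin" step above, as an added example that is not part of the original message. The function names populate_chroot and missing_in_chroot and the sample path /home/alice are hypothetical, and the ldd pass assumes the copied binaries may be dynamically linked.

```shell
#!/bin/sh
# Added example: fill <home>/bin for the chroot login described above.
# Usage (constructed sample): populate_chroot /home/alice /bin/csh /bin/ls

# Copy each listed binary into <root>/bin, plus any shared libraries that
# ldd reports, keeping every library's absolute path underneath <root>.
# Only run this on trusted system binaries: ldd can execute its target.
populate_chroot() {
    root=$1; shift
    mkdir -p "$root/bin" || return 1
    for prog in "$@"; do
        if [ ! -f "$prog" ] || [ ! -x "$prog" ]; then
            echo "skip: $prog is not an executable file" >&2
            continue
        fi
        cp -p "$prog" "$root/bin/" || return 1
        # A static binary makes ldd fail or print no paths; nothing to copy then.
        ldd "$prog" 2>/dev/null |
        awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) print $i }' |
        while read -r lib; do
            [ -f "$lib" ] || continue
            mkdir -p "$root$(dirname "$lib")"
            cp -p "$lib" "$root$lib"
        done
    done
}

# Print every requested command name that has no executable in <root>/bin,
# so a missing shell is caught before the user's first login fails.
missing_in_chroot() {
    root=$1; shift
    for name in "$@"; do
        [ -x "$root/bin/$name" ] || echo "$name"
    done
}
```

Run missing_in_chroot with the user's shell name before setting /usr/bin/chrootlogin as the login shell; an empty result means every requested binary is in place.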