jailkit-users

Re: [Jailkit-users] passwd inside the chroot


From: Gavin Rogers
Subject: Re: [Jailkit-users] passwd inside the chroot
Date: Fri, 20 Jul 2007 14:10:06 -0500

Thanks for the help!!

On 7/20/07, Olivier Sessink <address@hidden> wrote:

> > What if there is only one account in a jail?
>
> then there is probably no need for that file, but there is also no problem
> having it there. You can always use the "skip_injail_passwd_check" option
> in jk_chrootsh and supply the injail_shell option to set the shell.

Yeah, since we're using jk_lsh (thanks for the great tool) to allow scp, sftp, and rsync, then it will be best to have /etc/passwd in the jail.

> However, if you want to use jk_lsh you need the passwd file because jk_lsh
> needs the username of the current user in order to find the allowed
> executables in the config file. (and without passwd file there is no
> username in the jail, only the uid number)

> > We are setting up sftp
> > accounts
> > for various paying customers, is it just paranoia on my part to set up a
> > new jail for each user?
>
> if all customers need just sftp, you can create a jail with just that, and
> use the unix permissions to make sure they cannot read each other's files.
> Only if the file permission system would be flawed there would be a
> security issue (but if the file permissions wouldn't work you have more
> problems). Only if the permissions are set wrong different jails will still
> help to keep file access separated. So different jails is an extra layer,
> but in normal situations it wouldn't add extra security. So it's really up
> to you.

Yeah, file permissions should be able to solve those problems, as you have said. We ran into problems though since the home directory for each user needed to be 755 (files needed to be downloaded and world readable). We had a test setup and really couldn't find a set of permissions that were adequate enough. Plus the fact that individual users could mess up their own permissions and then blame us for it.... it's just easier to create a separate jail for each user (each jail is only about 4 meg anyways).

I've set up a script for installing a jail and a script for deleting a jail, it was quick work thanks to the tools you have provided! Big thanks!


> regards,
> Olivier




_______________________________________________
Jailkit-users mailing list
address@hidden
http://lists.nongnu.org/mailman/listinfo/jailkit-users



--
http://vk6hgr.echidna.id.au/~gavin8or/
Gavin Rogers, full time problem solver.
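
The two points discussed in this thread (jk_lsh needing a user name from the jail's passwd file, and a shared jail relying on home directory permissions) can be checked with a short audit script. This is an added example, not code from either poster or from Jailkit; the function names, jail layout, user names and uids are constructed for illustration, and GNU `stat` is assumed.

```shell
#!/bin/sh
# Added example, not from the thread. Jail layout, user names and uids are constructed.

# jk_lsh finds a user's allowed executables by name, so the uid has to
# resolve to a name in the jail's own etc/passwd. Prints the name; 1 if absent.
jail_resolves_uid() {
    awk -F: -v u="$2" '$3 == u { print $1; ok = 1 } END { exit !ok }' "$1/etc/passwd"
}

# In a shared jail, separation rests on Unix permissions alone. List every
# in-jail home that grants any access to "other"; return 1 if one is found.
audit_jail_homes() {
    jail=$1
    found=0
    while IFS=: read -r user _pw _uid _gid _gecos home _shell; do
        dir="$jail$home"
        [ -n "$user" ] && [ -d "$dir" ] || continue
        mode=$(stat -c '%a' "$dir")          # GNU stat, e.g. 755
        other=${mode#"${mode%?}"}            # last octal digit = "other" bits
        if [ "$other" != 0 ]; then
            echo "EXPOSED $user $home $mode"
            found=1
        fi
    done < "$jail/etc/passwd"
    return "$found"
}

# Build a constructed two-user jail under a temp dir and print its path.
make_demo_jail() {
    j=$(mktemp -d)
    mkdir -p "$j/etc" "$j/home/alice" "$j/home/bob"
    chmod 755 "$j/home/alice"                # world-readable, as in the thread
    chmod 700 "$j/home/bob"
    printf '%s\n' 'alice:x:1001:1001::/home/alice:/usr/sbin/jk_lsh' \
                  'bob:x:1002:1002::/home/bob:/usr/sbin/jk_lsh' > "$j/etc/passwd"
    echo "$j"
}

demo=$(make_demo_jail)
jail_resolves_uid "$demo" 1001 || echo "uid 1001 has no name in jail"
jail_resolves_uid "$demo" 1003 || echo "uid 1003 has no name in jail"
audit_jail_homes "$demo" || echo "shared jail has homes accessible to other users"
rm -rf "$demo"
```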