[ale] Chrooting a user logged in over telnet
Scott Plante
splante at insightsys.com
Mon Aug 20 18:09:16 EDT 2012
Note it's actually spelled with caps: MAKEDEV. It is available in the OpenSuSE repository and is installed by default on my CentOS 6.2 and RHEL 5.2 boxes.
I don't know much about it, but if it really isn't available on your distro, and you don't want to include every /dev/* device in your /chroot/dev with your mount/bind solution, you might take a look at mknod. It's been a long time since I've had to use it, but I believe you can just use mknod to create the specific device files that you need in /chroot/dev/ (which you'd create yourself). You just need the type (block/character), and major/minor numbers, which you can get from ls -l /dev.
Sorry if this is wrong or outdated, but as I said, it's been a long time. It might be an avenue to explore, though.
Scott
----- Original Message -----
From: "Ted W" <ted at techmachine.net>
To: "Atlanta Linux Enthusiasts" <ale at ale.org>
Sent: Monday, August 20, 2012 5:39:58 PM
Subject: Re: [ale] Chrooting a user logged in over telnet
So, it looks like makedev is not available on the systems I'm working with. The server I'm configuring uses udev and after some digging I discovered that I was just missing one simple command, which makes complete sense in retrospect:
mount -o bind /dev /chroot/dev
Now, the next issue is with regards to setting a different chroot directory for each user that is logged in to the system. As far as I can tell, xinetd allows for a "server_args" line in the xinetd.conf files. I have the "server" line and "server_args" line set up as follows:
server = /usr/bin/chroot
server_args = /chroot /usr/sbin/in.telnetd
So far as I can tell, this is telling xinetd to listen on port 23. On connection, execute /usr/bin/chroot with args /chroot and /usr/sbin/in.telnetd. What I would like to accomplish is something similar to the "ChrootDirectory" line in /etc/ssh/sshd_config which, on my system reads:
ChrootDirectory %h
What I'm attempting to do now to accomplish this is a bit hackish but it's the first thing that popped into my head. Instead of launching "/usr/bin/chroot /chroot /usr/sbin/in.telnetd", xinetd will launch a script that will listen on port 23, on connection it will prompt for the username, run something equivalent to "getent passwd $user | awk -F: '{print $6}'" to obtain the home directory for the user. The script will then run /chroot $homedir /usr/sbin/in.telnetd. I've not yet figured out the logistics of how to do this exactly as a simple bash script doesn't seem to be cutting it. I think this may be the best way to go about it unless there are any other suggestions.
--
Ted W. < Ted at Techmachine.net >
Registered GNU/Linux user #413569