[ale] Need wacky chroot setup help

James Sumners james.sumners at gmail.com
Fri Aug 21 09:17:22 EDT 2015


I have some craptastic software that allows users to submit background jobs
that are executed by a common system account. Let's call that account
't1000'. This system supports a configuration where the end user's
submitted job can be written to a directory in their home directory,
provided t1000's group is able to write to it. Otherwise, job output files
get dumped in t1000's home directory. Further, I have departments with
users that need to share a common job output directory.

So let's pretend I have users "foobar" and "barbaz" that need to submit
jobs to a common output directory. Let's further assume I have the
following file system layout:

- /home/t1000/
- /home/t1000/dept-fun-times/
- /home/foobar/
- /home/foobar/jobout/ => /home/t1000/dept-fun-times/
- /home/barbaz/
- /home/barbaz/jobout/ => /home/t1000/dept-fun-times/

Users t1000, foobar, and barbaz are each members of a group "vomit". Each
"jobout" directory and the "dept-fun-times" directory have mode `0770`.
Thus when either foobar or barbaz submits a job, that job's output will end
up in `/home/t1000/dept-fun-times/`. Any other user that submits a job will
have the job output go to `/home/t1000/`.

All files in `/home/t1000/` and `/home/t1000/dept-fun-times/` are mode
`0660`.

Now for the fun part:

I need foobar and barbaz to be able to ssh/sftp to the system and be
"chrooted" to `/home/t1000/dept-fun-times/` such that they cannot change
from that directory nor open any files outside of that directory.

SSHD requires the destination chroot to (rightly) be a proper jail. As does
the rssh shell (when chrooting). Bash's restricted mode is also not a
solution.

Do you guys have any ideas how I can accomplish this goal?

-- 
James Sumners
http://james.sumners.info/ (technical profile)
http://jrfom.com/ (personal site)
http://haplo.bandcamp.com/ (band page)
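The following script is an added example and is not part of James's post. It recreates the layout he describes under a scratch prefix (no real accounts, groups or anything under /home are touched; the user and group names are stand-ins, and the `jobout` entries are assumed to be symlinks) and then checks the shared output directory against the rule sshd_config(5) states for `ChrootDirectory`: every component of the path must be a root-owned directory that is not writable by any other user or group. Against a group-writable `0770` directory owned by t1000 that check fails at the directory itself, which is the wall the post runs into.

```shell
#!/bin/sh
# Added example, not from the original post. Builds the described layout
# under a scratch prefix and checks it against sshd's ChrootDirectory rule:
# every path component root-owned, writable by nobody but root.
# User/group names are stand-ins; jobout entries are assumed to be symlinks.
set -eu

# Build the post's layout below $1. Modes follow the post; ownership stays
# whatever user runs this, which is one reason the chroot check fails.
make_layout() {
    prefix=$1
    mkdir -p "$prefix/home/t1000/dept-fun-times" \
             "$prefix/home/foobar" "$prefix/home/barbaz"
    chmod 0770 "$prefix/home/t1000/dept-fun-times"
    ln -sfn "$prefix/home/t1000/dept-fun-times" "$prefix/home/foobar/jobout"
    ln -sfn "$prefix/home/t1000/dept-fun-times" "$prefix/home/barbaz/jobout"
}

# Ten-character mode string of a path, e.g. drwxrwx---
mode_of() { ls -ldn "$1" | cut -c1-10; }

# One path component passes if it is owned by uid 0 and is neither group-
# nor world-writable. ls -ldn (numeric uid) is used instead of stat so the
# check does not depend on GNU or BSD stat syntax.
component_ok() {
    path=$1
    set -- $(ls -ldn "$path")
    mode=$1
    uid=$3
    if [ "$uid" -ne 0 ]; then
        echo "$path: owned by uid $uid, not root"
        return 1
    fi
    case $mode in
        ?????w*|????????w*)
            echo "$path: group- or world-writable ($mode)"
            return 1 ;;
    esac
    return 0
}

# Walk every component from / down to $1; the first failing one is reported.
chroot_ok() {
    target=$1
    component_ok / || return 1
    p=
    oldifs=$IFS
    IFS=/
    set -- $target
    IFS=$oldifs
    for c in "$@"; do
        [ -n "$c" ] || continue
        p="$p/$c"
        component_ok "$p" || return 1
    done
    return 0
}

scratch=$(mktemp -d)
trap 'rm -rf "$scratch"' EXIT
make_layout "$scratch"
echo "dept-fun-times mode: $(mode_of "$scratch/home/t1000/dept-fun-times")"
if chroot_ok "$scratch/home/t1000/dept-fun-times"; then
    echo "usable as ChrootDirectory"
else
    echo "not usable as ChrootDirectory"
fi
```

Run it as any user: the shared directory is reported as unusable because its owner is not root and mode `0770` grants group write, and the same test will reject `/home/t1000` itself for the same reason. Whatever directory ends up as the sftp jail has to pass `chroot_ok` on every component, while the job writer still needs group write somewhere below it.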