Re: [cobalt-security] Apache running as root . . . .

[Michael Stauber <cobalt@xxxxxxxxxxxxxx>]

Hi Matt,

> You would not have to re-write Linux to provide this service, but you
> would have to write some type of daemon process that behaves just like
> in.telnetd, but is confined to a chrooted area.

Correct. You see, a co-worker of mine is a contributor / developer for 
Rocklinux and they use the following approach for SSH and FTP:

They do an NFS-export of the users home directory and of /usr/local/bin and 
/usr/local/sbin

Then they create a chrooted jail into which they mount the users home 
directory and the directories with the executables the user needs. The jail 
also contains its own /tmp and /dev/null and a few other essentials. Of 
course NFS / Portmapper is blocked to the outside world by a firewall rule.

Creating the jail isn't the problem, even on the Cobalts.

There certainly is a better ressource than the URL below, but you might want 
to look at it for the general idea:

http://www.linuxdoc.org/LDP/solrhe/Securing-Optimizing-Linux-RH-Edition-v1.3/chap21sec167.html

As for SSH or a daemon that "spawns" into the jail ... this can possibly done 
without a rewrite of the daemon. Maybe as easy as by substituting a special 
shell for all the "jailed" users. See URL below:

http://www.aarongifford.com/computers/chrsh.html

I haven't tested "chrsh" yet, but I'll do so this weekend when I have some 
time at hand. It sounds quite promising.

-- 

With best regards,

Michael Stauber
mstauber@xxxxxxxxxxxxxx
Unix/Linux Support Engineer