wg Tux's lil' helper
Joined: 09 Jan 2008 Posts: 88
Posted: Fri Jan 30, 2009 9:02 pm Post subject: Chroot
Hi!
I need to disallow access to any previous directories for a linux user.
So if he is '/home/someone/here' - he can't get in 'someone'.
There is a problem.
Adding a home_dir won't do enough.
This directory is in a web page and can start a .php file.
That is bad because that could be a shell and that means full access to any parent directories.
Secure-Mode for PHP helps, but that isn't the way that will work all things out, but something like a chroot jail would do, because there seem to be some restrictions when users don't have access in a directory and chrooting will simply disallow any kind of access in parent directories, right?
So what could be the best way to "lock" the user in this directory?
Don't mind PHP here, it's just mentioned.
_________________
Give me a cookie ^^
NeddySeagoon Administrator
Joined: 05 Jul 2003 Posts: 54327 Location: 56N 3W
Posted: Fri Jan 30, 2009 9:48 pm Post subject:
wg,
If you don't trust your users, don't let them on your system in the first place.
A chroot jail will help but there are several ways to break out of a chroot.
A chroot on a hardened system makes that sort of thing much harder, so you should look at a properly configured hardened install.
The downside is that some programs (e.g. Xorg) don't run with some important hard features turned on, so if you go Gentoo hardened, you should plan to be going without Xorg.
_________________
Regards,
NeddySeagoon
Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
wg Tux's lil' helper
Joined: 09 Jan 2008 Posts: 88
Posted: Fri Jan 30, 2009 10:12 pm Post subject:
I wish I could not let them in and I could know when and who they are.
But this all is because of hacking, php-shell can access everything.
If I add this folder as a chroot (files that are created by a file upload will be by a lighttpd user, if this user has only access to those directories then he can't get out, right?) then he doesn't get shell access and (don't know, just guessing) isn't able to break the chroot jail.
Safe-mode for PHP seems to secure this problem, but makes some other things not work.
I would simply enable the safe-mode if it didn't make some things not work.
The system is only a console (simple server).
_________________
Give me a cookie ^^
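
An added example, not part of any post in this thread: a Python check of what the web server account can do in each parent of `/home/someone/here` under classic Unix mode bits, which is the access the posts above are trying to limit. The uid 101 for the lighttpd user, the sample modes and the function names are assumptions of this example, and it ignores root, ACLs and capabilities.

```python
import os
import stat
from pathlib import PurePosixPath


def access_bits(st_mode, st_uid, st_gid, uid, gids):
    """Return the rwx bits (0-7) the mode grants to uid/gids.

    Exactly one permission class applies: owner, else group, else other.
    """
    if uid == st_uid:
        return (st_mode >> 6) & 7   # owner class wins even if it grants less
    if st_gid in gids:
        return (st_mode >> 3) & 7
    return st_mode & 7


def audit_ancestors(path, uid, gids, stat_fn=os.stat):
    """Report, for every parent directory of path, what uid may do there.

    Returns a list of (directory, can_list, can_traverse, can_write).
    """
    report = []
    for parent in PurePosixPath(path).parents:
        st = stat_fn(parent)
        bits = access_bits(st.st_mode, st.st_uid, st.st_gid, uid, gids)
        report.append((str(parent), bool(bits & 4), bool(bits & 1), bool(bits & 2)))
    return report


# Constructed sample tree: path -> (mode, owner uid, owner gid).
SAMPLE = {
    "/": (0o755, 0, 0),
    "/home": (0o755, 0, 0),
    "/home/someone": (0o711, 1000, 1000),  # search-only for everyone else
}


def sample_stat(p):
    """Stand-in for os.stat that serves the constructed tree above."""
    mode, uid, gid = SAMPLE[str(p)]
    return os.stat_result((stat.S_IFDIR | mode, 0, 0, 1, uid, gid, 0, 0, 0, 0))


if __name__ == "__main__":
    # Hypothetical lighttpd account: uid 101, gid 101.
    for row in audit_ancestors("/home/someone/here", 101, {101}, sample_stat):
        print(row)
```

With mode 0711 on `/home/someone` the account can pass through the directory to reach `here` but cannot list it; calling `audit_ancestors` without `stat_fn` runs the same check against the real filesystem.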