Gentoo Forums
wg
Tux's lil' helper


Joined: 09 Jan 2008
Posts: 88

Posted: Fri Jan 30, 2009 9:02 pm    Post subject: Chroot

Hi!
I need to disallow access to any previous directories for a Linux user.
So if he is '/home/someone/here' - he can't get in 'someone'.
There is a problem.
Adding a home_dir won't do enough.
This directory is in a web page and can start a .php file.
That is bad because that could be a shell and that means full access to any parent directories.
Secure-Mode for PHP helps, but that isn't the way that will work all things out, but something like a chroot jail would do, because there seem to be some restrictions when users don't have access in a directory and chrooting will simply disallow any kind of access in parent directories, right?
So what could be the best way to "lock" the user in this directory?
Don't mind PHP here, it's just mentioned.
_________________
Give me a cookie ^^
NeddySeagoon
Administrator


Joined: 05 Jul 2003
Posts: 54327
Location: 56N 3W

Posted: Fri Jan 30, 2009 9:48 pm

wg,

If you don't trust your users, don't let them on your system in the first place.

A chroot jail will help but there are several ways to break out of a chroot.
A chroot on a hardened system makes that sort of thing much harder, so you should look at a properly configured hardened install.
The downside is that some programs (e.g. Xorg) don't run with some important hard features turned on, so if you go Gentoo hardened, you should plan to be going without Xorg.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
wg
Tux's lil' helper


Joined: 09 Jan 2008
Posts: 88

Posted: Fri Jan 30, 2009 10:12 pm

I wish I could not let them in and I could know when and who they are.
But this is all because of hacking, a php-shell can access everything.

If I add this folder as a chroot (files that are created by a file upload will be by a lighttpd user, if this user has only access to those directories then he can't get out, right?) then he doesn't get shell access and (don't know, just guessing) isn't able to break the chroot jail.

Safe-mode for PHP seems to secure this problem, but makes some other things not work.
I would simply enable the safe-mode if it wouldn't make some things not work.

The system is only a console (simple server).
_________________
Give me a cookie ^^
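
An added example (not code from any poster in this thread): a Python audit of a directory tree intended as a chroot jail for a web server account, listing items that are usually removed or locked down when hardening one: setuid/setgid files, device nodes, and directories the service account can write to outside its upload area. The `upload` directory name, the function names and the sample tree are assumptions made for illustration; group write permission is not evaluated.

```python
import os
import stat
import tempfile

def audit_jail(jail_root, service_uid, writable_ok=("upload",)):
    """Return sorted (relative path, finding) pairs for a chroot tree."""
    findings = []
    paths = [jail_root]
    for dirpath, dirnames, filenames in os.walk(jail_root):
        paths += [os.path.join(dirpath, n) for n in dirnames + filenames]
    for path in paths:
        st = os.lstat(path)  # lstat so a symlink is never followed out of the tree
        rel = os.path.relpath(path, jail_root)
        if stat.S_ISLNK(st.st_mode):
            continue
        if stat.S_ISCHR(st.st_mode) or stat.S_ISBLK(st.st_mode):
            findings.append((rel, "device node"))
        if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
            findings.append((rel, "setuid/setgid file"))
        if stat.S_ISDIR(st.st_mode) and rel not in writable_ok:
            # Owner-write and world-write only; group membership is not evaluated.
            owner_w = st.st_uid == service_uid and st.st_mode & stat.S_IWUSR
            if owner_w or st.st_mode & stat.S_IWOTH:
                findings.append((rel, "directory writable by service user"))
    return sorted(findings)

def build_sample_jail(base):
    """Constructed sample tree: bin/ holding one setuid file, plus upload/."""
    jail = os.path.join(base, "jail")
    os.makedirs(os.path.join(jail, "bin"))
    os.makedirs(os.path.join(jail, "upload"))
    helper = os.path.join(jail, "bin", "helper")
    with open(helper, "w") as f:
        f.write("#!/bin/sh\n")
    os.chmod(helper, 0o4755)  # setuid bit set on purpose for the demo
    for d in (jail, os.path.join(jail, "bin"), os.path.join(jail, "upload")):
        os.chmod(d, 0o755)
    return jail

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        jail = build_sample_jail(tmp)
        # The current user stands in for the service account (e.g. lighttpd).
        for rel, finding in audit_jail(jail, os.getuid()):
            print(f"{rel}: {finding}")
```

On a real jail, pass the numeric uid of the web server account and expect only the upload area to be writable by it, with the rest of the tree owned by root.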
All times are GMT