"chroot sshd"

Postby komseh » Thu Nov 18, 2004 4:10 am

Is there a way to lock users who are logged in via ssh into their home directory? Chrooting sshd is pretty painful and seems unreliable. Can I use grsecurity's ACL system to accomplish this?
komseh
 
Posts: 2
Joined: Tue May 13, 2003 7:24 pm

Re: "chroot sshd"

Postby Hue-Bond » Mon Dec 13, 2004 5:07 pm

>Is there a way to lock users who are logged in via ssh into their home
>directory? Chrooting sshd is pretty painful and seems unreliable. Can I use
>grsecurity's ACL system to accomplish this?

The ACL system is not for chrooting daemons. I think it would be a bigger pain to accomplish that via ACLs (although not totally impossible). I'd suggest you do things the way they are meant to be done.
Hue-Bond
 
Posts: 34
Joined: Mon Dec 13, 2004 4:31 pm

Postby incognito_ » Tue Dec 14, 2004 11:03 pm

You might want to look at pam_chroot.
incognito_
 
Posts: 5
Joined: Sat Jan 03, 2004 1:01 pm

Postby superbock » Sun Jan 02, 2005 10:10 am

It can be done, and works great if you take the time to implement it right.

You need 4 things:

+ a chroot patch for sshd, freely available on the net, so that it executes a chroot() when the user logs in

+ a fs skeleton on every user's homedir (each with its libs and allowed binaries)

+ a proper least-privilege-possible ACL that "hides" the system below the user's homedir and sets rules on what he can do in his own fs skel

+ some scripting to help managing this in an easy way (optional)

It's as secure as it can get when giving shell access to users.

Have fun :)
superbock
 
Posts: 37
Joined: Sun Mar 31, 2002 6:34 pm
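
The "fs skeleton" and "some scripting" items from the post above, as an added example that is not part of the original thread or anyone's posted code. The function names, the directory layout and the sample path in the usage comment are assumptions; ownership of the skeleton by root is assumed and left to the caller.

```shell
# Added example: populate a per-user chroot skeleton with an allow-list of
# binaries and the shared libraries they need. Function names and the
# directory layout are assumptions, not taken from the thread.

# Print the absolute paths of the shared objects a binary links against.
# Only run ldd on trusted system binaries: it may execute the file's loader.
list_libs() {
    ldd "$1" 2>/dev/null |
        awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) print $i }' |
        sort -u
}

# copy_into_jail JAIL FILE: copy FILE to the same absolute path under JAIL.
copy_into_jail() {
    [ -e "$2" ] || { echo "missing: $2" >&2; return 1; }
    mkdir -p "$1$(dirname "$2")" || return 1
    # -L copies the symlink target, so nothing in the jail points outside it.
    cp -L -p "$2" "$1$2"
}

# build_skel JAIL BIN...: create the skeleton and install each allowed binary.
build_skel() {
    jail=$1; shift
    for d in bin lib tmp home; do
        mkdir -p "$jail/$d" || return 1
    done
    # Skeleton directories stay non-writable for group/other.
    chmod 755 "$jail" "$jail/bin" "$jail/lib"
    chmod 1777 "$jail/tmp"
    for bin in "$@"; do
        case $bin in
            /*) ;;
            *) echo "need absolute path: $bin" >&2; return 1 ;;
        esac
        copy_into_jail "$jail" "$bin" || return 1
        for lib in $(list_libs "$bin"); do
            copy_into_jail "$jail" "$lib" || return 1
        done
    done
}

# Usage (as root, constructed path): build_skel /home/alice /bin/sh /bin/ls
```

Anything not named on the command line is simply absent from the jail, so the allow-list of binaries is the whole attack surface the user's shell can reach inside it.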
