CHROOTING local users sshd or *

Submit your RBAC policies or suggest policy improvements

pam_chroot and pam_mount?

Post by dermike » Tue Dec 31, 2002 2:21 pm

In addition to the ACL jail, why not use pam_chroot and pam_mount?

pam_chroot can lock a user into a chroot upon login (it comes standard with Gentoo pam, not sure about others).

pam_mount can make building a chroot easier as you can build a single file structure that you want the users to have access to and "mount -o bind,nosuid,nodev,ro...etc" it into the preferred chroot at login time. If you intend on chrooting a bunch of users, "mount -o bind" makes maintaining it much easier. pam_mount is also useful for encrypted home-dirs.

pam_mount can be found at http://www.flyn.org/#id5426299

Using both of those with grsecurity makes it very hard to break a system even with a local account.

Good rule of thumb... the more complex your security system, the harder it will be to maintain and keep secure. Keep all of your security consistent and clean. If it feels overwhelming and you start putting things off, you might be doing something wrong. :-)
dermike
 
Posts: 6
Joined: Mon Mar 04, 2002 6:56 pm
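
An added example, not part of dermike's post: a check that every mount under a chroot really carries the `ro`, `nosuid` and `nodev` options named above. This is worth verifying because options passed together with `bind` only take effect if the mount utility follows up with a remount. The jail path `/home/jail`, the function names and the sample mount table are constructed assumptions.

```shell
#!/bin/sh
# Added example: audit the mounts under a chroot for ro, nosuid and nodev.
# The jail path and the mount table below are constructed samples.

# Constructed sample in /proc/self/mounts format.
sample_mounts() {
    cat <<'EOF'
/dev/sda1 / ext4 rw,relatime 0 0
/dev/sda1 /home/jail/bin ext4 ro,nosuid,nodev,relatime 0 0
/dev/sda1 /home/jail/lib ext4 rw,relatime 0 0
/dev/sda1 /home/jail/usr ext4 ro,nosuid,relatime 0 0
/dev/sda1 /home/jailbreak ext4 rw,relatime 0 0
EOF
}

# audit_jail_mounts JAIL [TABLE]
# TABLE defaults to /proc/self/mounts; "-" reads the table from stdin.
# Prints one line per mount at or below JAIL that lacks a required option
# and returns 1 if any were found, 0 otherwise.
audit_jail_mounts() {
    jail=${1%/}
    table=${2:-/proc/self/mounts}
    awk -v jail="$jail" '
        BEGIN { n = split("ro nosuid nodev", need, " "); bad = 0 }
        # Field 2 is the mount point, field 4 the comma-separated options.
        # The "/" suffix keeps /home/jailbreak from matching /home/jail.
        $2 == jail || index($2, jail "/") == 1 {
            split("", have)                      # portable array reset
            m = split($4, opts, ",")
            for (i = 1; i <= m; i++) have[opts[i]] = 1
            missing = ""
            for (i = 1; i <= n; i++)
                if (!(need[i] in have)) missing = missing " " need[i]
            if (missing != "") { print $2 ": missing" missing; bad = 1 }
        }
        END { exit bad }
    ' "$table"
}

# Demonstration on the constructed table.
sample_mounts | audit_jail_mounts /home/jail - || echo "jail has non-compliant mounts"
```

On a live system, call `audit_jail_mounts /path/to/jail` after a user has logged in so the login-time mounts are present in the table.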

Chrooting/Security on shell Providers

Post by Sharky » Thu Feb 06, 2003 9:53 am

Drago, email me @ admin@djakram.com
I can help you tighten up your box :)
Sharky
 
Posts: 43
Joined: Fri Nov 01, 2002 10:12 pm
