restricted shell

[Gyepi SAM]

On Sun, Apr 29, 2001 at 06:03:04PM +0200, Markus Friedl wrote:
> On Sat, Apr 28, 2001 at 12:44:32PM -0400, Gyepi SAM wrote:
> > On Sat, Apr 28, 2001 at 06:24:48PM +0200, Markus Friedl wrote:
> > > it's easier if the sftp-server does chroot.
 
> if sshd chroots, you need to copy the (static?) sftp-server
> to every home-dir. this is no fun on solaris, just
> look at the mess ssh-chrootmgr(1) creates.

Precisely!  Which is why I am proposing a static shell which incorporates
the functionality of sftp-server and scp so that the shell chroots to $HOME
and we do not have to copy ANY static binaries into the chrooted environment.
This will even allow the paranoid admin to mount the $HOME filesystem noexec.

I do not believe that the chrooting should be done by sshd (because the user
shell then has to exist inside the chrooted filesystem) or sftp-server (OK,
but messy since we cannot allow such users to also use scp if they wish) or
scp (converse of sftp-server case).  Therefore, the chrooting should be done
by my restricted shell.

-Gyepi
-- 
What usually happens in the educational process is that the faculties are 
dulled,overloaded, stuffed and paralyzed so that by the time most people
are mature they have lost their innate capabilities. -- R. Buckminster Fuller