chrooting/jailing transfer-only accounts

Dan Astoorian djast at cs.toronto.edu
Tue May 28 04:20:42 EST 2002


On Mon, 27 May 2002 10:34:33 EDT, I wrote:
> 
> Note: the above is completely untested!  [...]

...in fact, it wasn't even _proofread_.  :-(

Now that I've had my morning coffee, this is a little closer to what I
had in mind.  It's still not well-tested, but it's not quite as
spectacularly wrong.

#define JAIL "/path/to/jail"
#define SHELL "/bin/sh"
int main(int argc, char **argv) {
    if (chroot(JAIL) != 0) {
        perror("chroot");
    } else if (chdir("/") != 0) {
        perror("chdir");
    } else if (setuid(getuid()) != 0) {
        perror("setuid");
    } else {
        execv(SHELL, argv);
        perror("execv");
    }
    exit(1);
}

My apologies for not paying attention.  <blush>

-- 
Dan Astoorian               People shouldn't think that it's better to have
Sysadmin, CSLab             loved and lost than never loved at all.  It's
djast at cs.toronto.edu        not, it's better to have loved and won.  All
www.cs.toronto.edu/~djast/  the other options really suck.    --Dan Redican



More information about the openssh-unix-dev mailing list