[comp.unix.i386] chroot

toma@attctc.Dallas.TX.US (Tom Armistead) (11/28/89)

Could I get some help on the usage of the chroot command???

What I want to do is set up different root directories for different groups
of users on the same machine such that groupa uses /usr as its root, groupb
uses /usr2 as its root, etc...

Can I do this with chroot command???

Any help would be greatly appreciated!

Thanks,
Tom Armistead
-- 
-------------
Tom Armistead
UUCP:  {ames,lll-winken,mit-eddie,osu-cis,texbell}!attctc!toma

cpcahil@virtech.uucp (Conor P. Cahill) (11/28/89)

In article <10358@attctc.Dallas.TX.US>, toma@attctc.Dallas.TX.US (Tom Armistead) writes:
> Could I get some help on the usage of the chroot command???
> 
> What I want to do is set up different root directories for different groups
> of users on the same machine such that groupa uses /usr as its root, groupb
> uses /usr2 as its root, etc...
> 
> Can I do this with chroot command???
> 
> Any help would be greatly appreciated!

A clean way to do this is to use a little known function of login (yes, it 
is documented).  If login sees an * as the login shell for a particular user,
it will chroot to the user's directory and re-execute /etc/login.

Create an entry in the /etc/passwd file with a "*" as the login shell and
the root of the sub-file system as its login directory.  For example:

	group2:x:999:99:Xenix login:/f:*

This tells login to chroot to /f and then re-execute itself so the 
user has to login with the real login id and password for that 
root.  Note that passwords used for this login will be in /f/etc/passwd or
/f/etc/shadow.

I usually make the password for group2 null, so the user doesn't have
to know two passwords.  This will require you to have a full root
on each file system you wish to be able to use this on.


Using this you will see something like:

	386/ix...

	login: group2
	Subsystem root: /f
	login:			<-- This login is on /f


-- 
+-----------------------------------------------------------------------+
| Conor P. Cahill     uunet!virtech!cpcahil      	703-430-9247	!
| Virtual Technologies Inc.,    P. O. Box 876,   Sterling, VA 22170     |
+-----------------------------------------------------------------------+
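
The sublogin setup described in the post above can be audited by scanning a passwd file for entries whose shell is "*" and checking that each sub-root holds the files login needs after the chroot. This is an added example, not part of the original post; find_sublogins, fs_prefix, demo and every sample entry except the group2 line are assumptions made here.

```python
import os
import tempfile
from dataclasses import dataclass

# Files the sub-root must provide: login re-executes /etc/login after the
# chroot and then reads /etc/passwd relative to the new root.
REQUIRED = ("etc/login", "etc/passwd")

# Constructed sample; only the group2 line comes from the post above.
SAMPLE_PASSWD = """\
root:x:0:0:Superuser:/:/bin/sh
group2:x:999:99:Xenix login:/f:*
groupb::998:98:Constructed entry:/usr2:*
"""

@dataclass
class Sublogin:
    name: str
    root: str             # directory login will chroot to
    null_password: bool   # empty password field in this passwd file
    missing: list         # REQUIRED files absent under the sub-root

def find_sublogins(passwd_text, fs_prefix="/"):
    """Return a Sublogin for each passwd entry whose shell field is '*'."""
    # fs_prefix (an assumption of this example) lets the check run against
    # a staged copy of the filesystem instead of the live one.
    found = []
    for line in passwd_text.splitlines():
        fields = line.strip().split(":")
        if len(fields) != 7 or fields[6] != "*":
            continue  # malformed line or an ordinary login shell
        name, pw, home = fields[0], fields[1], fields[5]
        base = os.path.join(fs_prefix, home.lstrip("/"))
        missing = [f for f in REQUIRED if not os.path.isfile(os.path.join(base, f))]
        found.append(Sublogin(name, home, pw == "", missing))
    return found

def demo():
    """Stage /f as a complete sub-root and /usr2 as an empty one."""
    with tempfile.TemporaryDirectory() as stage:
        for rel in REQUIRED:
            path = os.path.join(stage, "f", rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            open(path, "w").close()
        os.makedirs(os.path.join(stage, "usr2"))
        return find_sublogins(SAMPLE_PASSWD, fs_prefix=stage)

if __name__ == "__main__":
    for entry in demo():
        print(entry)
```

An "x" in the password field is reported as non-null here because the real password then lives in the shadow file, which this check does not read.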

dab@myrias.com (Danny Boulet) (12/01/89)

In article <1989Nov28.134104.6252@virtech.uucp> cpcahil@virtech.uucp (Conor P. Cahill) writes:
>A clean way to do this is to use a little known function of login (yes, it 
>is documented).  If login sees an * as the login shell for a particular user,
>it will chroot to the user's directory and re-execute /etc/login.

Interesting.  What versions of UNIX support this?

allbery@NCoast.ORG (Brandon S. Allbery) (12/02/89)

As quoted from <628454203.18188@myrias.com> by dab@myrias.com (Danny Boulet):
+---------------
| In article <1989Nov28.134104.6252@virtech.uucp> cpcahil@virtech.uucp (Conor P. Cahill) writes:
| >A clean way to do this is to use a little known function of login (yes, it 
| >is documented).  If login sees an * as the login shell for a particular user,
| >it will chroot to the user's directory and re-execute /etc/login.
| 
| Interesting.  What versions of UNIX support this?
+---------------

System V release 2 and later.  It's referred to as "sublogin" if/when it's
documented.

++Brandon
-- 
Brandon S. Allbery    allbery@NCoast.ORG, BALLBERY (MCI Mail), ALLBERY (Delphi)
uunet!hal.cwru.edu!ncoast!allbery ncoast!allbery@hal.cwru.edu bsa@telotech.uucp
*(comp.sources.misc mail to comp-sources-misc[-request]@backbone.site, please)*
*Third party vote-collection service: send mail to allbery@uunet.uu.net (ONLY)*
expnet.all: Experiments in *net management and organization.  Mail me for info.

cpcahil@virtech.uucp (Conor P. Cahill) (12/02/89)

In article <628454203.18188@myrias.com>, dab@myrias.com (Danny Boulet) writes:
> In article <1989Nov28.134104.6252@virtech.uucp> cpcahil@virtech.uucp (Conor P. Cahill) writes:
> >A clean way to do this is to use a little known function of login (yes, it 
> >is documented).  If login sees an * as the login shell for a particular user,
> >it will chroot to the user's directory and re-execute /etc/login.
> 
> Interesting.  What versions of UNIX support this?

I have found it documented back to System V Release 2.1.  I don't know
where it started.  I never noticed it until I was working on some
modifications to login in System V Release 3.

-- 
+-----------------------------------------------------------------------+
| Conor P. Cahill     uunet!virtech!cpcahil      	703-430-9247	!
| Virtual Technologies Inc.,    P. O. Box 876,   Sterling, VA 22170     |
+-----------------------------------------------------------------------+