>
> Hi folks,
>
> A while ago, there were some mails about telnetting to a chrooted
> environment on a UNIX box. It's more of an experiment. I have two
> questions:
> - Can I somehow block outgoing traffic from the chrooted environment? My
> machine is part of a trusted network. So I don't want the users from the
> 'box' to be able to have the same privileges. First I thought to patch
> telnet and make it broadcast the ip of my virtual interface instead of the
> real one. However, this wouldn't do any good as recompiling telnet would
> solve the problem.
>
> - How can I get ps to work? I was able to mount /proc twice, once in the
> normal and once in the chrooted environment. However as /proc is not a
> normal filesystem and contains the cwd of each process (thus also of the
> ones outside the chrooted environment) I fear that a hacker might break
> through.

When I have done this it has always been where the users in the
chrooted hole all have a very silly little shell that doesn't let them
do much. Usually I do this to turn a favorite telnet daemon into a
non-transparent telnet proxy, so all that's required is that my users
connect to a "few" other machines. I use our "bounce" program for that.
In order to look at this at all, what sort of functionality
are you trying to provide to the people logging in via this mechanism?
If it's close to "full machine" capability you might be better off
just making a single bastion host for this function rather than
chrooting it on a machine that has other function.
-Bob
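As an added example, not part of either message in this thread: a small POSIX shell audit for the second question above, the worry that a procfs mounted inside the jail exposes the cwd and cmdline of processes outside it. It walks the jail at JAIL for two things a chroot should not contain, a proc mount and setuid/setgid files, reading a mount table from MOUNTS (a constructed copy by default; point it at /proc/mounts on a real host). The jail tree and the mount table are constructed inline so the script runs offline; the function and variable names are this example's own.

```shell
#!/bin/sh
# Chroot jail audit (added example). Defaults point at a constructed demo
# jail; override JAIL and MOUNTS to audit a real chroot.
JAIL="${JAIL:-${TMPDIR:-/tmp}/jail-demo}"
MOUNTS="${MOUNTS:-${TMPDIR:-/tmp}/jail-demo-mounts}"

# Build a constructed jail: a restricted shell, one setuid binary, and a
# mount table showing procfs mounted both on the host and inside the jail.
setup_demo() {
  rm -rf "$JAIL"
  mkdir -p "$JAIL/bin" "$JAIL/proc"
  printf '#!/bin/sh\nexit 0\n' > "$JAIL/bin/sh"
  chmod 755 "$JAIL/bin/sh"
  : > "$JAIL/bin/ping"
  chmod 4755 "$JAIL/bin/ping"        # constructed setuid file
  cat > "$MOUNTS" <<EOF
proc /proc proc rw 0 0
proc $JAIL/proc proc rw 0 0
EOF
}

# Print every procfs mount point located under the jail; exit 0 if any
# exist, 1 otherwise. Fields of /proc/mounts: dev mountpoint fstype opts.
jail_proc_mounted() {
  awk -v j="$JAIL/" '$3 == "proc" && index($2, j) == 1 { print $2; n++ }
                     END { exit n ? 0 : 1 }' "$MOUNTS"
}

# List setuid or setgid regular files inside the jail.
jail_setuid_files() {
  find "$JAIL" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
}

# Report findings; the return value is the number of findings so the
# audit can be used from scripts or cron.
audit_jail() {
  n=0
  if jail_proc_mounted >/dev/null; then
    echo "FINDING: procfs mounted inside jail (shows cwd/cmdline of host processes):"
    jail_proc_mounted | sed 's/^/  /'
    n=$((n + 1))
  fi
  s=$(jail_setuid_files)
  if [ -n "$s" ]; then
    echo "FINDING: setuid/setgid files inside jail (remove or strip the bits):"
    echo "$s" | sed 's/^/  /'
    n=$((n + 1))
  fi
  [ "$n" -eq 0 ] && echo "OK: no findings for $JAIL"
  return "$n"
}

setup_demo
audit_jail || echo "findings: $?"
```

On a real host, run it as `JAIL=/path/to/jail MOUNTS=/proc/mounts sh audit.sh`; a clean jail for a "silly little shell" of the kind Bob describes should report no findings, and the ps question is better answered by giving jailed users no /proc at all than by mounting one they can read.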