0

After failing to use makejail, I followed a howto for setting up a jail using a script (this one is for Debian etch, but I'm using lenny -- seems to work ok though). However, it gives the user a very limited environment with almost no applications available (e.g. no vim, emacs, cat, tail, etc).

To solve cat and tail I just copied the binaries from `/bin` to `/home/jail/bin` (which feels a little wrong). And for the other apps, I just used `mount --bind /usr /home/jail/usr` so that the user has access to most stuff (I also had to mount `/lib` and `/etc/alternatives`).

Now emacs and vim seem to work ok, but I'm not entirely convinced this was the best approach -- is there a more elegant and maintainable approach, or is jailing users generally a huge chore?

Nick Bolton

1 Answer

1

Jailing users is generally a huge chore.

I'm not 100% sure on your implementation but it's almost certain that your bind mount to /usr and /lib specifically BREAK the jail. That's like providing an inmate with their own personal tunnel to the outside world ... it's just exactly what a chroot was supposed to avoid.

Instead you'll need to set up your jail creation script to COPY everything the jailed users will need into their own private environment as you started to do with cat and tail.

Caleb
  • Hmm, as I suspected. And what about all the supporting libs? I was hoping maybe there's a script that would somehow copy the Debian package contents to the jail. A command like this would be handy: `apt-get-jail install emacs /home/jail` – Nick Bolton Oct 08 '10 at 23:05
  • There are a few tools to create jails. See: http://packages.debian.org/search?keywords=jail – David Rickman Dec 06 '10 at 14:24
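
The copy-instead-of-bind-mount approach from the answer, including the supporting libraries asked about in the first comment, can be scripted as below. This is an added example, not code from the thread or from any Debian package; the function names and the script name `jail-install.sh` are hypothetical, and it assumes `ldd` and `awk` are available on the host.

```shell
#!/bin/sh
# Added example (not from the thread): populate a chroot jail by copying
# programs and their shared libraries, rather than bind-mounting /usr and /lib.

# Print the absolute paths of the shared objects a binary is linked against.
# ldd may execute code from the file it inspects, so run it only on trusted
# binaries installed from distribution packages.
jail_list_libs() {
    # Static binaries make ldd fail; that simply yields an empty list.
    ldd "$1" 2>/dev/null | awk '
        $2 == "=>" && $3 ~ /^\// { print $3; next }  # libc.so.6 => /lib/... (0x..)
        $1 ~ /^\//               { print $1 }        # /lib64/ld-linux-... (0x..)
    ' | sort -u
}

# Copy one file to the same absolute path below the jail root.
jail_copy_file() {
    mkdir -p "$1$(dirname "$2")"
    cp -Lf "$2" "$1$2"    # -L: copy the real file, not a symlink out of the jail
}

# Copy each named program and every library it needs into the jail.
jail_install() {
    jail=$1; shift
    for prog in "$@"; do
        bin=$(command -v "$prog") || bin=
        case $bin in
            /*) ;;
            *)  echo "jail_install: no binary found for '$prog'" >&2; return 1 ;;
        esac
        jail_copy_file "$jail" "$bin"
        # Library paths are assumed to contain no whitespace.
        for lib in $(jail_list_libs "$bin"); do
            jail_copy_file "$jail" "$lib"
        done
    done
}

# Hypothetical invocation: sh jail-install.sh /home/jail cat tail vim
if [ "$#" -ge 2 ]; then
    jail_install "$@"
fi
```

`ldd` only reports linked libraries, so data files a program loads at run time (an editor's runtime directory, for instance) still have to be copied separately. Because the jail holds copies, they need to be refreshed after the host installs security updates.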