On Fri, Sep 07, 2007 at 07:22:39PM +0200, Wincent Colaiuta wrote:
> On 4/9/2007, at 23:20, Derek Martin wrote:
>
> >The best you can do is to set up one jail per user, which is generally
> >horrible, but documented in the rssh documentation.
>
> I did this, and used hard-linked copies of the libraries to save on
> disk space. What's the assessment on the security risk of doing so?
> (i.e. the concern that if one user somehow manages to get write access
> to the libraries then they can effectively modify the one copy that
> is shared across all jails).

Yeah, exactly. So if someone is able to modify the libraries, they could gain access to the files of everyone else using those same libraries. I would guess-timate the risk to be relatively low, mainly since this is such a specialized case, and because there are no known exploits against rssh at this time (other than documented cases where the sysadmin has misconfigured rssh/sshd or his jail).

On the other hand, it's not any worse than having one common jail -- in fact in most ways, it's no different at all. So long as the users' directories are appropriately protected, and there is no root exploit possible from inside the jail, you're good. It's been almost 2 years since the last one reported, and I'm pretty confident there won't be any more... ymmv.

--
Derek D. Martin
http://www.pizzashack.org/
GPG Key ID: 0x81CFE75D

_______________________________________________
rssh-discuss mailing list
https://lists.sourceforge.net/lists/listinfo/rssh-discuss
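
The hard-link concern discussed in this thread can be audited. The following is an added example, not code from the thread or from rssh: it finds library files whose inode is shared by two or more jails and reports any that are not owned by the trusted uid or are group/other writable. The function names, the `lib`/`lib64`/`usr/lib` layout and the `alice`/`bob` sample jails are assumptions.

```python
import os
import stat
from collections import defaultdict

def shared_library_risks(jail_roots, lib_subdirs=("lib", "lib64", "usr/lib"), trusted_uid=0):
    """Find files hard-linked into 2+ jails that a non-trusted user could modify in place."""
    seen = defaultdict(list)  # (device, inode) -> [(jail, path, stat_result)]
    for jail in jail_roots:
        for sub in lib_subdirs:  # assumed layout; adjust to the jail's real library dirs
            for dirpath, _dirs, files in os.walk(os.path.join(jail, sub)):
                for name in files:
                    path = os.path.join(dirpath, name)
                    st = os.lstat(path)  # lstat: never follow a symlink out of the jail
                    if stat.S_ISREG(st.st_mode):
                        seen[(st.st_dev, st.st_ino)].append((jail, path, st))
    risks = {}
    for key, links in seen.items():
        jails = sorted({jail for jail, _path, _st in links})
        if len(jails) < 2:
            continue  # private to one jail, so not a cross-jail risk
        st = links[0][2]  # owner and mode belong to the inode, so all links agree
        problems = []
        if st.st_uid != trusted_uid:
            problems.append(f"owned by uid {st.st_uid}")
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            problems.append(f"group/other writable: {stat.filemode(st.st_mode)}")
        if problems:
            paths = sorted(path for _jail, path, _st in links)
            risks[key] = {"jails": jails, "paths": paths, "problems": problems}
    return risks

def build_constructed_jails(base):
    """Constructed sample: two jails sharing one hard-linked, mode-0644 library."""
    jails = [os.path.join(base, user) for user in ("alice", "bob")]
    for jail in jails:
        os.makedirs(os.path.join(jail, "lib"))
    first = os.path.join(jails[0], "lib", "libdemo.so")
    with open(first, "wb") as fh:
        fh.write(b"constructed placeholder, not a real library\n")
    os.chmod(first, 0o644)
    os.link(first, os.path.join(jails[1], "lib", "libdemo.so"))
    return jails

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as base:
        jails = build_constructed_jails(base)
        os.chmod(os.path.join(jails[0], "lib", "libdemo.so"), 0o666)  # simulate a bad mode
        for entry in shared_library_risks(jails, trusted_uid=os.getuid()).values():
            print(entry["jails"], entry["problems"])
```

Because owner and mode are stored in the inode, a single `chmod` or `chown` through any one link changes the result for every jail listed in `jails`.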
