From: "Boyd Stephen Smith Jr."
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] rescrict command to certain dirs
Date: Sat, 4 Aug 2007 09:01:40 -0500

On Thursday 02 August 2007 08:54:21 am Martin Gysel wrote:
> I have a webserver running for multiple 'endusers'. Now I want to give
> some customers access to certain files as user WEBSERVER for easy
> editing configuration file owned by the webserver.
>
> It should do something like jail the user to
> /var/www/vhosts/DOMAIN/httpdocs/DIRtoFILES and let him perform some
> commands (rm, less, nano, etc) there as user WEBSERVER.

As long as WEBSERVER isn't root, you should be able to use a combination of
sudo/su and chroot. There are some ways to escape a chroot, but I *think*
they all depend on being root inside the chroot, or exploiting another service
running outside the chroot. (E.g. if connections from localhost
are "trusted".)

-- 
Boyd Stephen Smith Jr.
bss03@volumehost.net
ICQ: 514984 YM/AIM: DaTwinkDaddy
http://iguanasuicide.org/

-- 
gentoo-user@gentoo.org mailing list
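
The sudo plus chroot arrangement suggested in the reply above, as an added example that is not part of the original message: pre-flight checks a root-run wrapper could make before dropping a customer into the jail as the web server account. The function names, the `--enter` switch and all paths are assumptions; `--userspec` is the GNU coreutils `chroot` option.

```shell
#!/bin/sh
# Added example; account names and paths are placeholders (assumptions).

# Succeeds only if the account exists and is not uid 0.
user_is_unprivileged() {
    uid=$(id -u "$1" 2>/dev/null) || return 1
    [ "$uid" -ne 0 ]
}

# Lists setuid/setgid files and device nodes below the jail. Either one can
# hand a process inside the chroot root privileges or raw device access.
jail_findings() {
    find "$1" -xdev \( \( -type f \( -perm -4000 -o -perm -2000 \) \) \
        -o -type b -o -type c \) -print
}

# jail_ok BASE JAIL USER: JAIL must resolve (symlinks and ".." followed) to a
# directory strictly below BASE, USER must be unprivileged, jail must be clean.
jail_ok() {
    real=$(cd -- "$2" 2>/dev/null && pwd -P) || return 1
    realbase=$(cd -- "$1" 2>/dev/null && pwd -P) || return 1
    case "$real/" in
        "$realbase"/?*) ;;
        *) return 1 ;;
    esac
    user_is_unprivileged "$3" || return 1
    [ -z "$(jail_findings "$real")" ]
}

# enter_jail BASE JAIL USER: must run as root (for example from a sudoers rule
# that allows only this script). chroot drops to USER before starting the
# shell; the jail needs its own /bin/sh, tools (rm, less, nano) and libraries.
enter_jail() {
    jail_ok "$1" "$2" "$3" || { echo "refusing: jail checks failed" >&2; return 1; }
    grp=$(id -gn "$3") || return 1
    exec chroot --userspec="$3:$grp" "$real" /bin/sh
}

if [ "${1:-}" = "--enter" ]; then
    enter_jail "$2" "$3" "$4"
fi
```

The check for a non-root account and for setuid files follows from the reply's point that the known escapes depend on being root inside the chroot.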