Re: OpenSSH-5.3p1 selinux problem on CentOS-5.4.

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]



On Wed, February 3, 2010 09:48, Ned Slider wrote:
> James B. Byrne wrote:
>> Note: I am digest subscriber so if you could copy me directly on
>> any reply to the list I would appreciate it very much.
>>
>
> <snip>
>
>>  After a modest amount of research we decided that the
>> best answer was to use a more recent version of OpenSSH
>> (5.3p1)that supports chroot as a configurable option.
>>
>
> I've not tested it, but I believe the chroot stuff was backported
> some while ago:
>

Thank you very much for the information for I was not aware of this.

Unfortunately, having tested the CentOS stock sshd server I discover
that this back-port is very similar to that of the sftponly hack of
several years ago.  It is not the configurable chroot of
OpenSSH-5.3.  To begin with, it very much appears from the
documentation as if this is an all or nothing setting; if it is on
then all ssh users are chrooted. Further, to use this feature with
interactive sessions one must copy all of the requisite system
utilities into directories under the chroot directory.

(For an interactive session this requires at least a shell,
typically sh(1), and basic /dev nodes such as null(4), zero(4),
stdin(4), stdout(4), stderr(4), arandom(4) and tty(4) devices.)

This is not a viable alternative since the system is remotely managed.

So, I am left still seeking answers to my original questions.

1. Is it possible to mount the selinux filesystem twice on the same
host having different roots?

2. If so, then how is this accomplished?

3. If not, then is there anything else that I can do, besides
disabling selinux support in the sshd daemon, to get OpenSSH-5.3
chroot to work with SELinux?



-- 
***          E-Mail is NOT a SECURE channel          ***
James B. Byrne                mailto:ByrneJB@xxxxxxxxxxxxx
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3

_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos

[Index of Archives]     [CentOS]     [CentOS Announce]     [CentOS Development]     [CentOS ARM Devel]     [CentOS Docs]     [CentOS Virtualization]     [Carrier Grade Linux]     [Linux Media]     [Asterisk]     [DCCP]     [Netdev]     [Xorg]     [Linux USB]
  Powered by Linux