Carsten Andrich wrote:
> A while ago I used the following bubblewrap-based login shell to implement
> said Linux namespace and bind mount solution to give restricted shell access
> to a mostly trusted user. Using bwrap saves the perilous trouble of writing
> a safe setuid solution yourself. Could be extended by looking at
> $SSH_ORIGINAL_COMMAND to get the sftp/rsync behavior you're looking for.
> Obviously, no guarantees about its safety. For example, a "Subsystem sftp"
> directive in the sshd_config will bypass the login shell, IIRC.

This is one of those ideas that appears at first glance to be so very
different from my normal thinking that it shakes my mental foundations of
how to look at the problem! Which I appreciate very much!

It is going to take me a little bit of time to process this idea. It's more
clever than I can internalize all at once.

> (exec bwrap \
> ...
> --file 11 /etc/passwd \
> --file 12 /etc/group \
> --file 13 /etc/bash.bashrc \
> --file 14 /etc/hostname \
> --file 15 /etc/localtime \
> --file 16 /etc/nsswitch.conf \
> --file 17 /etc/profile \
> ...
> 11< <(getent passwd $UID 65534) \
> 12< <(getent group $(id -g) 65534) \
> 13< <(cat /etc/bash.bashrc) \
> 14< <(cat /etc/hostname) \
> 15< <(cat /etc/localtime) \
> 16< <(cat /etc/nsswitch.conf) \
> 17< <(cat /etc/profile)

I did not realize the capability to namespace open file descriptors to files
was possible. And here you are using it very cleverly to set up the user
accounts in the chroot. That's very clever and very cool!

I have not been familiar with bubblewrap previously. I see that in the OS
distribution being used it is "new" in the grand scheme of things and so
would not have previously been available. Which makes this a good time to
reevaluate technology and try new things.

Thanks!

Bob

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
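A restricted login shell built along the lines Carsten describes, written as an added example for this thread; it is not Carsten's script, which is only partially quoted above. It does the extension he suggests, dispatching on $SSH_ORIGINAL_COMMAND so that only an interactive shell, sftp-server and rsync's server mode are permitted, and it feeds a generated /etc/passwd and /etc/group into the sandbox over file descriptors with --file, exactly as the quoted snippet does. Everything else is an assumption of the example: the sftp-server path, that sshd reaches this script through a ForceCommand (so a subsystem request also arrives in $SSH_ORIGINAL_COMMAND rather than bypassing the shell), that /usr, /bin and /lib hold the binaries the sandbox needs, and that the user's shell field is rewritten to /bin/bash inside the sandbox because this login shell itself is not mounted there.

```bash
#!/bin/bash
# bwrap-login: bubblewrap-based restricted login shell (added example, not the
# script quoted in the thread). Assumed, not from the thread: SFTP_SERVER path,
# ForceCommand delivery of the client's request, the mount list, and the
# rewriting of the user's shell field for use inside the sandbox.
set -euo pipefail

SFTP_SERVER=/usr/lib/openssh/sftp-server   # assumed path; adjust per distribution
NOBODY_UID=65534                            # the "nobody" account, as in the thread

# Map the client's request onto an allowlisted program for the sandbox.
# Prints the command on stdout; returns 1 for anything else, which the caller
# refuses. An empty request means an interactive login shell.
sandbox_command() {
    local req="${1-}"
    case "$req" in
        "")
            printf '%s\n' "/bin/bash -l" ;;
        "$SFTP_SERVER"|"internal-sftp")
            printf '%s\n' "$SFTP_SERVER" ;;
        "rsync --server "*)
            # rsync's remote side always announces itself with this prefix;
            # rrsync filters the remaining options more finely if that is needed.
            printf '%s\n' "$req" ;;
        *)
            return 1 ;;
    esac
}

# getent names this script as the user's shell; that path does not exist inside
# the sandbox, so point the user's entry (uid $1) at the sandboxed shell $2.
# Reads passwd lines on stdin, writes the adjusted lines on stdout.
sandbox_passwd() {
    awk -F: -v OFS=: -v uid="$1" -v shell="$2" '$3 == uid { $7 = shell } 1'
}

main() {
    local req cmd
    # With ForceCommand, sshd puts the client's request (including a subsystem
    # request such as sftp) in SSH_ORIGINAL_COMMAND; without it the request
    # arrives as "-c CMD". No request at all is an interactive login.
    if [ -n "${SSH_ORIGINAL_COMMAND-}" ]; then
        req="$SSH_ORIGINAL_COMMAND"
    elif [ "${1-}" = "-c" ]; then
        req="${2-}"
    else
        req=""
    fi
    cmd=$(sandbox_command "$req") || {
        echo "bwrap-login: command not permitted" >&2
        exit 1
    }

    # Read-only system directories, a writable home, fresh /dev, /proc and /tmp.
    # The account database is built outside the sandbox with getent (so NSS
    # sources such as LDAP still work) and handed to bwrap on fds 11 and 12;
    # --file copies each fd's contents to the named path in the new mount ns.
    exec bwrap \
        --unshare-all \
        --die-with-parent \
        --ro-bind /usr /usr \
        --ro-bind /bin /bin \
        --ro-bind /lib /lib \
        --bind "$HOME" "$HOME" \
        --dev /dev --proc /proc --tmpfs /tmp \
        --file 11 /etc/passwd \
        --file 12 /etc/group \
        --chdir "$HOME" \
        --setenv PATH /usr/bin:/bin \
        -- /bin/bash -c "$cmd" \
        11< <(getent passwd "$UID" "$NOBODY_UID" | sandbox_passwd "$UID" /bin/bash) \
        12< <(getent group "$(id -g)" "$NOBODY_UID")
}

# sshd starts a login shell with a leading "-" in argv[0] (interactive) or with
# "-c CMD"; only then enter the sandbox, so sourcing this file merely defines
# the functions.
if [ "${0#-}" != "$0" ] || [ "${1-}" = "-c" ]; then
    main "$@"
fi
```

To deploy, set the script as the user's shell or, in a `Match User` block of sshd_config, as `ForceCommand`, then confirm with `ssh user@host`, `sftp user@host` and an rsync pull that each request is either sandboxed or refused with the "command not permitted" message in the client's stderr.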