<div dir="ltr">I have some craptastic software that allows users to submit background jobs that are executed by a common system account. Let's call that account 't1000'. This system supports a configuration where the end user's submitted job can be written to a directory in their home directory, provided t1000's group is able to write to it. Otherwise, job output files get dumped in t1000's home directory. Further, I have departments with users that need to share a common job output directory.<div><br></div><div>So let's pretend I have users "foobar" and "barbaz" that need to submit jobs to a common output directory. Let's further assume I have the following file system layout:</div><div><br></div><div>- /home/t1000/</div><div>- /home/t1000/dept-fun-times/</div><div>- /home/foobar/</div><div>- /home/foobar/jobout/ => /home/t1000/dept-fun-times/</div><div><div>- /home/barbaz/</div><div>- /home/barbaz/jobout/ => /home/t1000/dept-fun-times/</div><div><br></div><div>The users t1000, foobar, and barbaz are each members of the group "vomit". Each "jobout" directory and the "dept-fun-times" directory have mode `0770`. Thus when either foobar or barbaz submits a job, that job's output will end up in `/home/t1000/dept-fun-times/`. For any other user that submits a job, the job output goes to `/home/t1000/`.</div><div><br></div><div>All files in `/home/t1000/` and `/home/t1000/dept-fun-times/` are mode `0660`.</div><div><br></div><div>Now for the fun part:</div><div><br></div><div>I need foobar and barbaz to be able to ssh/sftp to the system and be "chrooted" to `/home/t1000/dept-fun-times/` such that they cannot change from that directory nor open any files outside of that directory.</div><div><br></div><div>SSHD (rightly) requires the destination chroot to be a proper jail, as does the rssh shell (when chrooting). Bash's restricted mode is also not a solution.</div><div><br></div><div>Do you guys have any ideas on how I can accomplish this goal?</div><div><div><br></div>-- <br><div class="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div>James Sumners<br><a href="http://james.sumners.info/" target="_blank">http://james.sumners.info/</a> (technical profile)</div><div><a href="http://jrfom.com/" target="_blank">http://jrfom.com/</a> (personal site)</div><div><a href="http://haplo.bandcamp.com/" target="_blank">http://haplo.bandcamp.com/</a> (band page)</div></div></div></div></div>
</div></div></div>
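The "proper jail" rule that sshd's ChrootDirectory enforces (every directory from / down to the chroot must be root-owned and not group/world-writable), applied to the layout in the post above; this is an added example, not code from the original message. It models the directories with constructed stat records, assumes t1000 is uid 1000, and uses /srv/sftp-jail as a hypothetical jail path:

```python
import os
import stat
from collections import namedtuple

# Minimal stat record so a filesystem layout can be modelled offline (constructed).
FakeStat = namedtuple("FakeStat", "st_uid st_mode")


def unsafe_components(path, stat_fn=os.lstat):
    """Apply sshd's ChrootDirectory rule to every directory from '/' down to
    `path`: each must be a root-owned directory that is not writable by group
    or others. Returns a list of (directory, reason); an empty list means sshd
    would accept `path` as a chroot. Directories *below* the chroot are not
    checked, which is what lets a group-writable share live inside a jail."""
    prefixes = [os.sep]
    for part in os.path.abspath(path).strip(os.sep).split(os.sep):
        if part:
            prefixes.append(os.path.join(prefixes[-1], part))
    problems = []
    for d in prefixes:
        st = stat_fn(d)
        if not stat.S_ISDIR(st.st_mode):
            problems.append((d, "not a directory"))
            continue
        if st.st_uid != 0:
            problems.append((d, "not owned by root (uid %d)" % st.st_uid))
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            problems.append((d, "writable by group/others (mode %04o)" % stat.S_IMODE(st.st_mode)))
    return problems


# The layout from the post, with t1000 assumed to be uid 1000 (constructed).
POSTED_LAYOUT = {
    "/": FakeStat(0, stat.S_IFDIR | 0o755),
    "/home": FakeStat(0, stat.S_IFDIR | 0o755),
    "/home/t1000": FakeStat(1000, stat.S_IFDIR | 0o750),
    "/home/t1000/dept-fun-times": FakeStat(1000, stat.S_IFDIR | 0o770),
}

# A layout sshd accepts: a root-owned 0755 jail whose group-writable working
# directory sits inside it (e.g. the share bind-mounted there); /srv/sftp-jail is an assumed path.
JAIL_LAYOUT = {
    "/": FakeStat(0, stat.S_IFDIR | 0o755),
    "/srv": FakeStat(0, stat.S_IFDIR | 0o755),
    "/srv/sftp-jail": FakeStat(0, stat.S_IFDIR | 0o755),
    "/srv/sftp-jail/dept-fun-times": FakeStat(1000, stat.S_IFDIR | 0o770),
}

if __name__ == "__main__":
    for name, layout, chroot in (("posted", POSTED_LAYOUT, "/home/t1000/dept-fun-times"),
                                 ("jail", JAIL_LAYOUT, "/srv/sftp-jail")):
        for d, why in unsafe_components(chroot, layout.__getitem__) or [(chroot, "OK")]:
            print("%s: %s: %s" % (name, d, why))
```

Run against a live system with the default `stat_fn` to see which component of a real path sshd will reject; the same check is what a `Match User foobar,barbaz` block with `ChrootDirectory` and `ForceCommand internal-sftp` depends on.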