<div dir="ltr">Create directories owned by root for chrooted users in something like: /srv/sftp/$USER<br><div>Set up ssh to chroot those users into that directory<br></div><div>Create a directory /srv/sftp/$USER/jobout<br></div><div>Use a bind mount (mount -o bind) to mount /home/t1000/dept-fun-times to /srv/sftp/$USER/jobout for each user<br></div><div><br></div><div>This is the only way I know of since the chroot can't follow symlinks.<br></div><div><div class="gmail_extra"><br clear="all"><div><div class="gmail_signature"><div dir="ltr"><div>❧ Brian Mathis<br></div>@orev<br></div></div></div>
<br><br><br><div class="gmail_quote">On Fri, Aug 21, 2015 at 9:17 AM, James Sumners <span dir="ltr">&lt;<a href="mailto:james.sumners@gmail.com" target="_blank">james.sumners@gmail.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">I have some craptastic software that allows users to submit background jobs that are executed by a common system account. Let's call that account 't1000'. This system supports a configuration where the end user's submitted job can be written to a directory in their home directory, provided t1000's group is able to write to it. Otherwise, job output files get dumped in t1000's home directory. Further, I have departments with users that need to share a common job output directory.<div><br></div><div>So let's pretend I have users "foobar" and "barbaz" that need to submit jobs to a common output directory. Let's further assume I have the following file system layout:</div><div><br></div><div>- /home/t1000/</div><div>- /home/t1000/dept-fun-times/</div><div>- /home/foobar/</div><div>- /home/foobar/jobout/ => /home/t1000/dept-fun-times/</div><div><div>- /home/barbaz/</div><div>- /home/barbaz/jobout/ => /home/t1000/dept-fun-times/</div><div><br></div><div>Each user t1000, foobar, and barbaz are members of a group "vomit". Each "jobout" directory and the "dept-fun-times" directory have mode `0770`. Thus when either foobar or barbaz submit a job, that job's output will end up in `/home/t1000/dept-fun-times/`. 
Any other user that submits a job will result in the job output going to `/home/t1000/`.</div><div><br></div><div>All files in `/home/t1000/` and `/home/t1000/dept-fun-times/` are mode `0660`.</div><div><br></div><div>Now for the fun part:</div><div><br></div><div>I need foobar and barbaz to be able to ssh/sftp to the system and be "chrooted" to `/home/t1000/dept-fun-times/` such that they cannot change from that directory nor open any files outside of that directory.</div><div><br></div><div>SSHD requires the destination chroot to (rightly) be a proper jail. As does the rssh shell (when chrooting). Bash's restricted mode is also not a solution.</div><div><br></div><div>Do you guys have any ideas how I can accomplish this goal?</div><span class="HOEnZb"><font color="#888888"><div><div><br></div>-- <br><div><div dir="ltr"><div><div dir="ltr"><div>James Sumners<br><a href="http://james.sumners.info/" target="_blank">http://james.sumners.info/</a> (technical profile)</div><div><a href="http://jrfom.com/" target="_blank">http://jrfom.com/</a> (personal site)</div><div><a href="http://haplo.bandcamp.com/" target="_blank">http://haplo.bandcamp.com/</a> (band page)</div></div></div></div></div>
</div></font></span></div></div>
<br>_______________________________________________<br>
Ale mailing list<br>
<a href="mailto:Ale@ale.org">Ale@ale.org</a><br>
<a href="http://mail.ale.org/mailman/listinfo/ale" rel="noreferrer" target="_blank">http://mail.ale.org/mailman/listinfo/ale</a><br>
<br></blockquote></div><br></div></div></div>
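<div>The four steps in the reply above, sketched as an added example (not code from either poster). The group name "sftponly" is an assumption; the paths and user names are the ones used in the thread. It also checks the ownership rule sshd enforces on every component of a ChrootDirectory path, which is why the jail root must be root-owned and users can only write inside the bind-mounted jobout.</div>

```shell
#!/bin/sh
# Added example. Assumed name: group "sftponly". Paths come from the thread.
SFTP_BASE=${SFTP_BASE:-/srv/sftp}
SHARED_DIR=${SHARED_DIR:-/home/t1000/dept-fun-times}

# sshd_config stanza: chroot members of the group into /srv/sftp/<user>.
sshd_match_block() {
    printf 'Match Group %s\n' "$1"
    printf '    ChrootDirectory %s/%%u\n' "$SFTP_BASE"
    printf '    ForceCommand internal-sftp\n'
    printf '    AllowTcpForwarding no\n'
    printf '    X11Forwarding no\n'
}

# /etc/fstab line that bind-mounts the shared directory into a user's jail.
fstab_line() {
    printf '%s %s/%s/jobout none bind 0 0\n' "$SHARED_DIR" "$SFTP_BASE" "$1"
}

# sshd refuses a ChrootDirectory unless every path component is a
# root-owned directory that is not group- or world-writable.
# Returns 0 if the absolute path qualifies, 1 otherwise (reason on stderr).
check_chroot_path() {
    p=$1
    case $p in /*) ;; *) echo "need an absolute path: $p" >&2; return 1 ;; esac
    while :; do
        [ -d "$p" ] || { echo "not a directory: $p" >&2; return 1; }
        set -- $(ls -ldn "$p")   # $1 = mode string, $3 = numeric owner
        case $1 in
            d????w*|d???????w*)
                echo "group/world-writable: $p" >&2; return 1 ;;
        esac
        [ "$3" = 0 ] || { echo "not owned by root: $p" >&2; return 1; }
        [ "$p" = / ] && return 0
        p=$(dirname "$p")
    done
}

# Print the configuration for the two users from the thread.
sshd_match_block sftponly
for u in foobar barbaz; do
    fstab_line "$u"
done
```

<div>Run check_chroot_path /srv/sftp/foobar as root after creating the directories and before restarting sshd; a non-zero return names the component that would make the login fail.</div>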