If you can read this, you might want to skip straight to the content. Also, kindly take a moment to read my rant about Web design—especially if you’re wondering why this site looks a bit…dull.


A chroot jail wrapper for ordinary Unix shells

A frequent question among the security-minded is, “How can I restrict users of my computers to a single directory?” After all, the “default-deny” posture—in which all access to a system is denied except for that which is explicetly permitteed—is commonly regarded as the best starting point. The thought goes that, should there be some vulnerability on the system, hiding it from users will protect the system.

Unfortunately, this particular approach falls squarely into the “security (solely) through obscurity” category. There are other ways to interact with a system than through a login shell or file transfer session, and a determined attacker will likely find a way to exploit a vulnerability—if it exists—even if it would seem, at first blush, to be hidden and inaccessible.

That’s not to say that there is no call for restricting access to a system. In certain carefully designed situations, a chroot environment, as it is called, can provided useful functionality. For example, BIND on OpenBSD runs in a chroot “jail.”

I have at times provided access to one of my servers for students to save their assignments so I can grade them. Not surprisingly, I’d just as soon not have students reading each other’s work, especially if one student doesn’t know that other people can have a peek. The traditional way of dealing with this problem on Unix involves proper manipulation of file ownership and permissions. However, the owner of a file (the student, in this case) can generally change the permissions…and, unfortunately, some file transfer programs by default set permissions so anybody can read them. In this situation, a chroot jail is perfect: users who have access to the system are restricted to viewing their own files only.

Setting up a chroot jail, however, is not easy. Unless done properly, it’s trivial to break out of the jail. Fortunately for me, Aaron Gifford has taken the trouble to create a login shell that does all the hard work. He wrote it for FreeBSD, but it works just as well under OpenBSD. I’ve been meaning to make a port of it for some time; I’ve finally done so.

chrsh-1.0b2.tgz is available from http://www.trumpetpower.com/pub/OpenBSD_ports/.