
From: Micah Anderson (micah_at_riseup.net)
Date: Mon 07 Mar 2005 - 21:01:19 GMT


I've recently had this script pointed out to me by Bertl:
http://vserver.13thfloor.at/Stuff/SCRIPT/trampoline.sh

I also found this IRC log which details the creation of it, and how to
use it:
http://www.sculpturedlife.com/vserver/irc-logs/index.php?date=2004-07-08

The basic idea is that you put this script in /root, then you add to
.ssh/authorized_keys something like the following:

command="/root/trampoline.sh",environment="CTX=$NAME" ssh-dss
AAAAB3NzaC1kc3MAAACBAN1V+DSc1RC...

substitute $NAME for the context that the user should be bounced into,
and change the ssh-dss AAAAAB3... into the actual ssh id_dsa.pub or
id_rsa.pub for the user.

This works great for the root user, however, if you try to do this for
a non-root user you run into problems:

ARGS:
CONTEXT: flat
----------------------
/bin/rm: cannot remove /usr/local/var/run/vservers/flat': Permission denied
'vserver ... suexec' is support for running vservers only; aborting...

the vserver is running for sure, so I changed the /root/trampoline.sh
script to add a --debug to see what is going on. The relevant portion
is below:

+++ _ivr_procnum=0
++ test 0 = 0
+++ /usr/local/lib/util-vserver/readlink
/usr/local/etc/vservers/flat/run
++ local runfile=/usr/local/var/run/vservers/flat
++ test -z 1
++ /bin/rm -f /usr/local/var/run/vservers/flat
/bin/rm: cannot remove /usr/local/var/run/vservers/flat': Permission
denied
++ return 1
++ return 1
++ is_stopped=1
++ test -z 1 -o ''
++ echo ''\''vserver ... suexec'\'' is support for running vservers
only; aborting...'
'vserver ... suexec' is support for running vservers only; aborting...
++ exit 1

Apparently vserver $CTX exec /bin/bash is trying to remove
/usr/local/var/run/vservers/flat which cannot happen because that is
owned by root, not by the user that I am running as, so it fails to
allow me to enter. Is there a way around this, or perhaps a better way
to do this? Should I suid the trampoline.sh script (yikes!)?

Some additional questions:

1. What about users who do not have a ssh-key, but have a password
instead?

2. Will this work for sftp?

3. Can a user be bounced as that particular user into the vserver?

4. Can I create a vserver whose purpose is to do this bouncing? If I
created a vserver called "sshtrampoline" this vserver would somehow
need to run the vserver command, but wouldn't be able to because it
was in its own context already.

Micah
_______________________________________________
Vserver mailing list
Vserver_at_list.linux-vserver.org
http://list.linux-vserver.org/mailman/listinfo/vserver
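The authorized_keys setup from the post (forced command plus environment="CTX=...") and the rm step that fails in the --debug trace, as an added shell example that is neither the post's own code nor the trampoline.sh script. The path /root/trampoline.sh and the vservers config layout follow the post; the context-name check, the no-*-forwarding options and the note that sshd only honours environment= with PermitUserEnvironment yes are additions here.

```shell
#!/bin/sh
# Added example, not code from the post or from trampoline.sh: builds the
# authorized_keys entry that forces a login into a vserver context and
# pre-checks the condition the post's --debug trace fails on.
# Assumption: sshd applies environment="..." only if PermitUserEnvironment yes.

# A context name is spliced into the quoted environment= option, so allow only
# characters that cannot close or extend that option (no quotes, commas, spaces).
valid_ctx() {
    case "$1" in
        '') return 1 ;;
        *[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# trampoline_line CTX "ssh-rsa AAAA... comment"
# Prints the authorized_keys line (the key comment is dropped). The added
# no-*-forwarding options stop the forced command from acting as a tunnel endpoint.
trampoline_line() {
    ctx=$1
    valid_ctx "$ctx" || { echo "bad context name: $ctx" >&2; return 1; }
    set -- $2                      # split the pubkey line into type, blob, comment
    case "$1" in ssh-dss|ssh-rsa) ;; *) echo "unsupported key type: $1" >&2; return 1 ;; esac
    [ -n "$2" ] || { echo "missing key material" >&2; return 1; }
    printf 'command="/root/trampoline.sh",environment="CTX=%s",no-port-forwarding,no-X11-forwarding,no-agent-forwarding %s %s\n' "$ctx" "$1" "$2"
}

# precheck_ctx CONFDIR  (e.g. /usr/local/etc/vservers/flat)
# Mirrors the trace: resolve CONFDIR/run and confirm the caller could remove that
# runfile, which needs write access to its directory. When rm fails there, vserver
# reports "support for running vservers only" even though the context is running.
precheck_ctx() {
    confdir=$1
    [ -L "$confdir/run" ] || { echo "no run link in $confdir" >&2; return 1; }
    runfile=$(readlink "$confdir/run") || return 1
    rundir=$(dirname "$runfile")
    [ -w "$rundir" ] || { echo "cannot remove $runfile: no write access to $rundir" >&2; return 1; }
    return 0
}

# Usage: sh trampoline-line.sh CTX /path/to/id_rsa.pub
if [ $# -eq 2 ]; then
    trampoline_line "$1" "$(cat "$2")"
fi
```

Run precheck_ctx as the unprivileged account that will log in; if it fails, the trampoline will fail the same way for that user.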


Generated on Mon 07 Mar 2005 - 21:01:39 GMT by hypermail 2.1.3