
From: Herbert Poetzl (herbert_at_13thfloor.at)
Date: Tue 08 Mar 2005 - 02:21:38 GMT


On Mon, Mar 07, 2005 at 03:01:19PM -0600, Micah Anderson wrote:
> I've recently had this script pointed out to me by Bertl:
> http://vserver.13thfloor.at/Stuff/SCRIPT/trampoline.sh
>
> I also found this IRC log which details the creation of it, and how to
> use it:
> http://www.sculpturedlife.com/vserver/irc-logs/index.php?date=2004-07-08
>
> The basic idea is that you put this script in /root, then you add to
> .ssh/authorized_keys something like the following:
>
> command="/root/trampoline.sh",environment="CTX=$NAME" ssh-dss
> AAAAB3NzaC1kc3MAAACBAN1V+DSc1RC...
>
> substitute $NAME for the context that the user should be bounced into,
> and change the ssh-dss AAAAAB3... into the actual ssh id_dsa.pub or
> id_rsa.pub for the user.
>
> This works great for the root user, however, if you try to do this for
> a non-root user you run into problems:
>
> ARGS:
> CONTEXT: flat
> ----------------------
> /bin/rm: cannot remove /usr/local/var/run/vservers/flat': Permission denied
> 'vserver ... suexec' is support for running vservers only; aborting...
>
> the vserver is running for sure, so I changed the /root/trampoline.sh
> script to add a --debug to see what is going on. The relevant portion
> is below:
>
> +++ _ivr_procnum=0
> ++ test 0 = 0
> +++ /usr/local/lib/util-vserver/readlink
> /usr/local/etc/vservers/flat/run
> ++ local runfile=/usr/local/var/run/vservers/flat
> ++ test -z 1
> ++ /bin/rm -f /usr/local/var/run/vservers/flat
> /bin/rm: cannot remove /usr/local/var/run/vservers/flat': Permission
> denied
> ++ return 1
> ++ return 1
> ++ is_stopped=1
> ++ test -z 1 -o ''
> ++ echo ''\''vserver ... suexec'\'' is support for running vservers
> only; aborting...'
> 'vserver ... suexec' is support for running vservers only; aborting...
> ++ exit 1
>
> Apparently vserver $CTX exec /bin/bash is trying to remove
> /usr/local/var/run/vservers/flat which cannot happen because that is
> owned by root, not by the user that I am running as, so it fails to
> allow me to enter. Is there a way around this, or perhaps a better way
> to do this? Should I suid the trampoline.sh script (yikes!)?

yes, I guess if you want to do something excessive like that,
then a suid root wrapper which in turn uses vserver ... suexec

> Some additional questions:
>
> 1. What about users who do not have a ssh-key, but have a password
> instead?

you need a separate account for them, no? the idea of the
trampoline was to allow vserver root admins to reach their
server without having sshd installed on the vserver ...

typical users do reach their accounts (on vservers) via
ssh(d) running on them, which simplifies all this stuff ...

> 2. Will this work for sftp?

no idea, but probably if configured correctly (not with
the trampoline script though)

> 3. Can a user be bounced as that particular user into the vserver?

sure, given that you get the suid stuff right and manage
to find the right user in the right context ...

> 4. can I create a vserver whose purpose is to do this bouncing? If I
> created a vserver called "sshtrampoline" this vserver would somehow
> need to run the vserver command, but wouldn't be able to because it
> was in its own context already

that is not possible ... the sole purpose of linux-vserver
contexts is to prevent such things ...

HTH,
Herbert

PS: why use vservers for your purpose (whatever that might
be) why not just use chroot, namespaces or contexts where
you need them ...

> Micah
> _______________________________________________
> Vserver mailing list
> Vserver_at_list.linux-vserver.org
> http://list.linux-vserver.org/mailman/listinfo/vserver
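A wrapper of the kind Herbert describes, as an added example in C (not the trampoline.sh from the thread and not util-vserver's own code): sshd only honours the environment= option from authorized_keys when PermitUserEnvironment is enabled, and since for a non-root user that file is under the user's control, the wrapper trusts a root-owned mapping file (a hypothetical /etc/trampoline.map, plus an assumed install path for the vserver command) rather than CTX by itself.

```c
/* Added example, not the page's trampoline.sh nor util-vserver code: a setuid-root
 * wrapper of the kind Herbert suggests, used as the authorized_keys command= target.
 * environment="CTX=..." sits in the user's own authorized_keys, so a root-owned
 * MAP_FILE ("user context" per line; hypothetical path) decides who enters what. */
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define VSERVER_BIN "/usr/local/sbin/vserver" /* assumption: util-vserver install path */
#define MAP_FILE    "/etc/trampoline.map"

/* 1 only if the map text holds an exact line "<user> <ctx>"; anything else refuses. */
int user_may_enter(const char *user, const char *ctx, const char *map)
{
    char want[256];
    if (user == NULL || ctx == NULL || map == NULL)
        return 0;
    size_t n = (size_t)snprintf(want, sizeof want, "%s %s", user, ctx);
    if (n >= sizeof want)
        return 0;
    for (const char *line = map; line != NULL && *line != '\0'; ) {
        const char *end = strchr(line, '\n');
        size_t len = end ? (size_t)(end - line) : strlen(line);
        if (len == n && memcmp(line, want, n) == 0)
            return 1;
        line = end ? end + 1 : NULL;
    }
    return 0;
}

int main(void)
{
    char map[4096] = "";                      /* zero-filled, so always NUL-terminated */
    const char *ctx = getenv("CTX");          /* set by sshd from the key's environment= */
    struct passwd *pw = getpwuid(getuid());   /* the real, unprivileged caller */
    FILE *f = fopen(MAP_FILE, "r");
    if (f != NULL) { map[fread(map, 1, sizeof map - 1, f)] = '\0'; fclose(f); }
    if (pw == NULL || !user_may_enter(pw->pw_name, ctx, map)) { fputs("trampoline: refused\n", stderr); return 1; }
    if (setuid(0) != 0) { perror("setuid"); return 1; }   /* full root, as util-vserver needs */
    /* Fixed argv and a scrubbed environment: only the vetted context name reaches the
     * bash-based vserver script, invoked as "vserver <ctx> suexec root /bin/bash" (assumed form). */
    char *const argv[] = {"vserver", (char *)ctx, "suexec", "root", "/bin/bash", "-l", NULL};
    char *const envp[] = {"PATH=/usr/local/sbin:/usr/sbin:/usr/bin:/sbin:/bin", NULL};
    execve(VSERVER_BIN, argv, envp);
    perror("execve");
    return 1;
}
```

Install the binary root-owned with mode 4750 and a dedicated group for the bounced users, and point command= at it instead of at the script.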


Generated on Tue 08 Mar 2005 - 02:21:59 GMT by hypermail 2.1.3