X-Git-Url: https://git.ralfj.de/schsh.git/blobdiff_plain/689f25b030b8e2704f7aec6243b4db155574b71f..ee2713792d210cf285ca0e82fb1a00ab3e5da213:/README diff --git a/README b/README index 5390557..66fa61d 100644 --- a/README +++ b/README @@ -1,12 +1,9 @@ -schsh -===== - Introduction ------------ -This is [schsh][0], a schroot-based shell. +Welcome to [schsh][SCHSH], a schroot-based shell. -The purpose is simple: I want to provide users with scp, sftp and rsync access +Its purpose is simple: I want to provide users with scp, sftp and rsync access to my server, such that they can only operate in a certain subdirectory. There are plenty of solutions for this problem out there, and all have one drawback in common: @@ -28,14 +25,14 @@ chroots automatically. For additional hardening, these bind-mounts are configured to be read-only and no-setuid, while the only user-writeable folder is no-exec. -[0]: http://www.ralfj.de/projects/schsh/ +[SCHSH]: http://www.ralfj.de/projects/schsh/ Setup ----- Before you start, make sure you have the dependencies installed: -schsh needs [Python 3][0] (I tested it with version 3.2) and [schroot][1] -(version 1.6 or newer). +schsh needs [Python 3][PYTHON] (I tested it with version 3.2) and +[schroot][SCHROOT] (version 1.6 or newer). Installation is simple: Just run ```make install```. That will copy some files to ```/usr/local/bin```, and some configuration to ```/etc/schroot/```. @@ -43,8 +40,8 @@ Before you create any users, make sure the directory ```/var/lib/schsh``` and a group called ```schsh``` exist. You should also set up SSH to disallow port forwarding for users controlled by -schsh. See ```sshd_config``` in this folder for an appropriate snippet of -OpenSSH configuration. +schsh. See ```sshd_config``` in the source folder for an appropriate snippet +of OpenSSH configuration. Before you can set up schsh for a user, you need to create it first: 
@@ -61,19 +58,19 @@ This does the following: subfolders as well as ```/etc/passwd``` and ```/etc/group``` containing only root, this user and the ```schsh``` group * Add the user to the ```schsh``` group -* Add a schroot called schsh-sandboxed for the given folder, and an fstab file - in ```/etc/schroot/schsh``` used by this schroot +* Set up a schroot called ```schsh-sandboxed``` for the given folder, and an + fstab file in ```/etc/schroot/schsh``` used by this schroot Now if the user logs in via SSH, ```/usr/local/bin/schsh``` will be executed, and it will lock the user into the schroot ```schsh-sandboxed```. It will only see some system folders and a folder called ```/data``` mapped to -```/home/sandboxed/data```. If you want to give the user access to more folders, -or another folder, simply edit ```/etc/schroot/schsh/sandboxed.fstab```. +```/home/sandboxed/data```. If you want to give the user access to more +folders, or another folder, simply edit ```/etc/schroot/schsh/sandboxed.fstab```. The only part of schsh writing any files is ```makeschsh```, so you can change the users' schroot configurations at your will. -[0]: http://www.python.org -[1]: http://packages.qa.debian.org/s/schroot.html +[PYTHON]: http://www.python.org +[SCHROOT]: https://wiki.debian.org/Schroot Configuration ------------- 
@@ -85,9 +82,10 @@ change the base paths, and to tell which commands are allowed. Source, License --------------- -You can find the sources in the [git repository][GIT]. They are provided under the [GPLv3][GPL3]. -In addition, all files except for ```schsh-rrsync``` are provided under the [GPLv2][GPL2] or -(at your option) any later vrsion of the GPL. +You can find the sources in the [git repository][GIT]. They are provided under +the [GPLv3][GPL3]. In addition, all files except for ```schsh-rrsync``` are +provided under the [GPLv2][GPL2] or (at your option) any later version of the +GPL. [GIT]: http://www.ralfj.de/git/schsh.git [GPL3]: https://www.gnu.org/licenses/gpl.html
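Review bot: the README loses its only title in the first hunk (@@ -1,12 +1,9 @@), where the lines "schsh" and "=====" are removed, so the file now opens with "Introduction" and the project name first appears mid-sentence in "Welcome to [schsh][SCHSH]". If the title is dropped because a web page supplies its own heading, say so in the commit message; otherwise keep it so the plain-text README in a checkout still identifies the project.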
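Review bot: the pointer "See sshd_config in the source folder" in the @@ -43,8 +40,8 @@ hunk keeps the only SSH hardening step of the setup outside the README. A reader who has just the rendered README cannot see which directives to set, and skipping the step leaves port forwarding available to sandboxed users. Suggest quoting the snippet inline, or at least naming the directives it sets and how it is scoped to schsh-controlled users. The context line about /var/lib/schsh and the schsh group could likewise state the expected owner and mode of that directory.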
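Review bot: "simply edit /etc/schroot/schsh/sandboxed.fstab" at the end of the @@ -61,19 +58,19 @@ hunk gives no hint that hand-added entries need the same mount options as the generated ones. The introduction states that the bind-mounts are read-only and no-setuid and that the only user-writeable folder is no-exec; an entry added without those options quietly weakens the sandbox. Suggest one sentence saying which options a new entry should carry. Also, [PYTHON] stays on http:// while [SCHROOT] in the same hunk moves to https://.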
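Review bot: the [GIT] reference in the last hunk (@@ -85,9 +82,10 @@) still points at http://www.ralfj.de/git/schsh.git, while this diff itself is served from https://git.ralfj.de/schsh.git. For a tool that is executed at SSH login, the documented place to fetch the source should be the HTTPS URL; suggest updating [GIT] in the same pass as the license paragraph re-wrap.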