About chrootsh
==============

chrootsh is a suidperl script (note the recent exploit
concerning mailx/suidperl spoof detection!!) that can be
used as a login shell (it does not do login itself), while
it still permits remote execution by analyzing the arguments
it is passed and either execing a real shell with "-" or
with those arguments.

Whistles and Bells
==================

- chrootsh uses the BSD/Resource.pm perl module (available from
  a CPAN mirror near you) to set resource limits for the process
  spawned

- chrootsh has an "enhanced mode" where a uid-0 login is stripped
  of all capabilities except CAP_BOOT (=shutdown/halt/reboot
  capability). Any other combination could be provided for in
  the source; in fact, different users could be granted different
  capabilities.

Prerequisites
=============

- Suidperl
  Imposing the limits should be possible for user processes,
  but chroot is not
  
http://www.cpan.org/
and mirrors at
http://www.cpan.org/SITES.html

- BSD/Resource.pm 
  This is not strictly necessary, you could as well start the shell
  with an elevated nicelevel
http://www.cpan.org/
e. g.
ftp://ftp.univie.ac.at/packages/perl/modules/by-module/BSD

- libcap for linux
  only necessary for using acoounts of limited capabilities
  
http://linux.kernel.org/pub/linux/libs/security/linux-privs/
ftp://ftp.*.kernel.org/pub/linux/libs/security/linux-privs/

enjoy!
   Alexander Oelzant <alexander@oelzant.priv.at>