[sudo-users] Using sudo in creating a chroot jail

[Eric Anderson]

Hello,

I am trying to create a chroot jail for each of my users on my linux
box. I have a script that mirrors the main filesystem via hardlinks
(except certain files of course) and now am trying to set it up so that
when the users log in they are automatically chrooted to their version
of the filesystem. I know a chroot environment doesn't provide total
security but I am just trying to reduce my risk by stopping them from
poking around in directories they shouldn't be poking around in.

Anyway I am following the instructions at the following URL:
http://www.tjw.org/chroot-login-HOWTO/

The last step is to modify sudoers so that each user will be able to
execute the chroot command with the specified options. My problem is
that I don't want to have to enter each user into this file (too much
maintenance). I was wondering if the sudo experts out there knew of a
way I can accomplish the same thing but generically for all users with a
single set of sudoers specification lines and not have to worry about
updating things as time goes on. The line for a single user is:

peon  ALL= NOPASSWD: /usr/sbin/chroot /home/peon /bin/su - peon*

(peon is some user)

The shell that is being executed when they login is:

#!/bin/sh
[ "$1" = "-c" ] && a="$*"
sudo /usr/sbin/chroot /home/$USER /bin/su - $USER $a

I don't know enough about the sudoers file format to even know where to
start and reading through the man pages a number of times hasn't gotten
me much further. I want to make sure to do things correct because I know
improper use of sudo can lead to all sorts of unwanted access. Anyone
have any stabs at what I need or at least be able to point me in the
right direction?

Thanks for any help you can provide,

Eric