[scponly] Re: chdir in chroot problem (re-visited)
David Ramsden
david at hexstream.eu.org
Tue May 25 19:10:05 EDT 2004
On Tue, May 25, 2004 at 04:34:25PM -0600, Paul Hyder wrote:
> Ok, it is time to ask: Which operating system is this?
Debian GNU/Linux 3.0 (woody). Kernel 2.4.26 w/ grsecurity patch.
>
> The behavior you desire should already be working, i.e. if
> the top level /etc/passwd file has a home directory for a user
> that is /home/fred//www AND the directory /home/fred/www exists
> then that is the directory scponlyc should see as that user's home.
Yes - this is correct. get_uservar() in helper.c is indeed
setting the correct data in the global homedir variable. i.e.
/home/fred//www
But look in scponly.c:154 as I said - it takes homedir (chrootdir) and
using a pointer, removes any chdir stuff from it - i.e. everything after
two forward slashes are found. This is so it can chroot() correctly.
After this, there is no call to chdir() to make it honour //www for
example.
I also believe you need to force a chdir() after a chroot() for security
reasons.
Well, various sources say you MUST do a chdir() after the chroot
"otherwise the old current directory will be accessible as "." out the
new root!" (quoting from a website).
grsecurity in my case may be forcing a chdir("/") anyway.
> This also means the scponlyc support directories (etc,bin,etc)
> have been installed in /home/fred. (i.e. "This works for me on
> Linux. What's different in your setup?")
>
Yes - there is no problem with the chroot itself. There seems to be a
bug in scponly.c that needs to be addressed.
Thinking about this, the patch I posted should really force a chdir("/")
if no "//www" or whatever is found in homedir for security reasons. I
shall ammend that now.
Thanks.
David.
--
.''`. David Ramsden <david at hexstream.eu.org>
: :' : http://david.hexstream.eu.org/
`. `'` PGP key ID: 507B379B on wwwkeys.pgp.net
`- Debian - when you have better things to do than to fix a system.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 232 bytes
Desc: not available
Url : https://lists.ccs.neu.edu/pipermail/scponly/attachments/20040526/1c90c2bf/attachment.bin
More information about the scponly
mailing list