[scponly] Scponlyc chroot confusion.

GBloomberg fin.ack at gmail.com
Fri Apr 22 04:03:53 EDT 2005


Hello,

Please bear with me. I'm new to Linux system administration and was
given the task of setting up an SFTP server for our customers to upload
Linux log and config files to, and I'm hoping to gain some clarity on
whether I'm doing this correctly or not, given the tasks/objectives for how my
management wants this SFTP server set up.

I've installed scponly-4.0 on a Gentoo Linux system running a 2.6
kernel, using openssh-3.9.
Using "emerge scponly" set everything up for me, including the
chrooted environment. It places /usr/bin/scponly and /usr/sbin/scponlyc
in /etc/shells.  What has me confused is how this is supposed to work
versus how I'm trying to use it.  When Gentoo built the scponly
package it created a user called scponly and a group scponly
and automagically created the chrooted environment.

# cd /home/scponly
# ls -la
total 1
drwxr-xr-x  7 root    root    168 Apr 17 05:54 .
drwxr-xr-x  7 root    root    192 Apr 20 21:30 ..
drwxr-xr-x  2 root    root    368 Apr 18 02:23 bin
drwxr-xr-x  2 root    root    136 Apr 18 00:12 etc
drwxr-xr-x  2 scponly scponly  48 Apr 20 23:02 incoming
drwxr-xr-x  2 root    root    480 Apr 18 00:12 lib
drwxr-xr-x  4 root    root     96 Apr 17 05:54 usr

What I don't understand is what the proper command is to add an
account that I want jailed. I mean, I understand how to add normal
accounts, but chrooted ones have me confused. It seems the only way
that I can get this to work is via:

# useradd -d /home/scponly -G scponly -s /usr/sbin/scponlyc testuser

The key factor being that the home directory has to be /home/scponly.
At least that's how it appears to me. For some reason, if I use anything
other than /home/scponly for the given testuser's home directory, I'm
unable to log in with SFTP. Am I doing this correctly, or could there be
an alternative that I'm missing?

Actually I don't want them to see anything but the "incoming"
directory, preferably. I tried taking off the execute bit for Others
and Group, but this had the effect of the "incoming" dir disappearing
for those using WinSCP's SFTP.

Here's a copy of how Gentoo built "scponly" just in case.

******************************************************

# emerge -v scponly
Calculating dependencies ...done!
>>> emerge (1 of 1) net-misc/scponly-4.0 to /
>>> md5 src_uri ;-) scponly-4.0.tgz
>>> Unpacking source...
>>> Unpacking scponly-4.0.tgz to /var/tmp/portage/scponly-4.0/work
>>> Source unpacked.
 * econf: updating scponly-4.0/config.guess with
/usr/share/gnuconfig/config.guess
 * econf: updating scponly-4.0/config.sub with /usr/share/gnuconfig/config.sub
./configure --prefix=/usr --host=i686-pc-linux-gnu
--mandir=/usr/share/man --infodir=/usr/share/info --datadir=/usr/share
--sysconfdir=/etc --localstatedir=/var/lib --enable-rsync-compat
--enable-chrooted-binary
configure: WARNING: If you wanted to set the --build type, don't use --host.
    If a cross compiler is detected then cross compile mode will be used.
checking build system type... i686-pc-linux-gnu
checking host system type... i686-pc-linux-gnu
checking for i686-pc-linux-gnu-gcc... i686-pc-linux-gnu-gcc
checking for C compiler default output... a.out
checking whether the C compiler works... yes
checking whether we are cross compiling... no
checking for suffix of executables...
checking for suffix of object files... o
checking whether we are using the GNU C compiler... yes
checking whether i686-pc-linux-gnu-gcc accepts -g... yes
checking for a BSD-compatible install... /bin/install -c
checking whether ln -s works... yes
checking for cut... /bin/cut
checking for grep... /bin/grep
checking for sort... /bin/sort
checking for ldd... /usr/bin/ldd
checking for useradd... /usr/sbin/useradd
checking for chown... /bin/chown
checking for chmod... /bin/chmod
checking for dirname... /bin/dirname
checking for id... /bin/id
checking for pw... no
checking for rm... /bin/rm
checking for pwd_mkdb... no
configure: enabling core WinSCP and Vanilla SCP binaries...
checking for sftp-server... /usr/lib/misc/sftp-server
checking for ls... /bin/ls
checking for scp... /usr/bin/scp
checking for rm... /bin/rm
checking for ln... /bin/ln
checking for mv... /bin/mv
checking for chmod... /bin/chmod
checking for chown... /bin/chown
checking for chgrp... /bin/chgrp
checking for mkdir... /bin/mkdir
checking for rmdir... /bin/rmdir
configure: enabling WinSCP compatability...
checking for pwd... /bin/pwd
checking for groups... /bin/groups
checking for id... /bin/id
checking for echo... /bin/echo
configure: enabling rsync compatability...
checking for rsync... /usr/bin/rsync
configure: enabling SFTP compatability...
checking for sftp-server... (cached) /usr/lib/misc/sftp-server
checking how to run the C preprocessor... i686-pc-linux-gnu-gcc -E
checking for ANSI C header files... yes
checking for sys/types.h... yes
checking for sys/stat.h... yes
checking for stdlib.h... yes
checking for string.h... yes
checking for memory.h... yes
checking for strings.h... yes
checking for inttypes.h... yes
checking for stdint.h... yes
checking for unistd.h... yes
checking for stdlib.h... (cached) yes
checking for string.h... (cached) yes
checking syslog.h usability... yes
checking syslog.h presence... yes
checking for syslog.h... yes
checking for unistd.h... (cached) yes
checking wordexp.h usability... yes
checking wordexp.h presence... yes
checking for wordexp.h... yes
checking glob.h usability... yes
checking glob.h presence... yes
checking for glob.h... yes
checking libgen.h usability... yes
checking libgen.h presence... yes
checking for libgen.h... yes
checking for i686-pc-linux-gnu-gcc option to accept ANSI C... none needed
checking for an ANSI C-conforming const... yes
checking for inline... inline
checking for working alloca.h... yes
checking for alloca... yes
checking for malloc... yes
checking for atexit... yes
checking for bzero... yes
checking for strchr... yes
checking for strerror... yes
checking for glob... yes
checking for wordexp... yes
checking for strspn... yes
checking for basename... yes
configure: creating ./config.status
config.status: creating Makefile
config.status: creating setup_chroot.sh
config.status: creating config.h
i686-pc-linux-gnu-gcc -march=pentium2 -O3 -pipe -fomit-frame-pointer
-I. -I. -DHAVE_CONFIG_H -DDEBUGFILE='"/etc/scponly/debuglevel"' -o
scponly.o -c scponly.c
i686-pc-linux-gnu-gcc -march=pentium2 -O3 -pipe -fomit-frame-pointer
-I. -I. -DHAVE_CONFIG_H -DDEBUGFILE='"/etc/scponly/debuglevel"' -o
helper.o -c helper.c
i686-pc-linux-gnu-gcc -march=pentium2 -O3 -pipe -fomit-frame-pointer
-I. -I. -DHAVE_CONFIG_H -DDEBUGFILE='"/etc/scponly/debuglevel"' -o
groups groups.c
i686-pc-linux-gnu-gcc -march=pentium2 -O3 -pipe -fomit-frame-pointer
-I. -I. -DHAVE_CONFIG_H -DDEBUGFILE='"/etc/scponly/debuglevel"' -o
scponly scponly.o helper.o
>>> Test phase [not enabled]: net-misc/scponly-4.0

>>> Install scponly-4.0 into /var/tmp/portage/scponly-4.0/image/
category net-misc
echo "0" > debuglevel
/bin/install -c -d /var/tmp/portage/scponly-4.0/image//usr/bin
/bin/install -c -d /var/tmp/portage/scponly-4.0/image//usr/share/man/man8
/bin/install -c -d /var/tmp/portage/scponly-4.0/image//etc/scponly
/bin/install -c -o 0 -g 0 scponly
/var/tmp/portage/scponly-4.0/image//usr/bin/scponly
/bin/install -c -o 0 -g 0 -m 0644 scponly.8
/var/tmp/portage/scponly-4.0/image//usr/share/man/man8/scponly.8
/bin/install -c -o 0 -g 0 -m 0644 debuglevel
/var/tmp/portage/scponly-4.0/image//etc/scponly/debuglevel
if test "xscponlyc" != "x"; then                        \
        /bin/install -c -d /var/tmp/portage/scponly-4.0/image//usr/sbin;      \
        rm -f /var/tmp/portage/scponly-4.0/image//usr/sbin/scponlyc;          \
        cp scponly scponlyc;                            \
        /bin/install -c -o 0 -g 0 -m 4755 scponlyc /var/tmp/portage/scponly-4.0/image//usr/sbin/scponlyc;       \
fi
man:
gzipping man page: scponly.8
prepallstrip:
strip: strip --strip-unneeded
strip: strip --strip-unneeded
   usr/bin/scponly
   usr/sbin/scponlyc
QA Notice: /usr/sbin/scponlyc is setXid, dynamically linked and using
lazy bindings.
This combination is generally discouraged. Try: CFLAGS='-Wl,-z,now'
emerge scponly
>>> Completed installing scponly-4.0 into /var/tmp/portage/scponly-4.0/image/

>>> Merging net-misc/scponly-4.0 to /
 * >>> SetUID: [chmod go-r] /var/tmp/portage/scponly-4.0/image//usr/sbin/scponlyc ...  [ ok ]
--- /etc/
>>> /etc/scponly/
>>> /etc/scponly/debuglevel
--- /usr/
--- /usr/bin/
>>> /usr/bin/scponly
--- /usr/sbin/
>>> /usr/sbin/scponlyc
--- /usr/share/
--- /usr/share/doc/
>>> /usr/share/doc/scponly-4.0/
>>> /usr/share/doc/scponly-4.0/CHANGELOG.gz
>>> /usr/share/doc/scponly-4.0/README.gz
>>> /usr/share/doc/scponly-4.0/TODO.gz
>>> /usr/share/doc/scponly-4.0/CONTRIB.gz
>>> /usr/share/doc/scponly-4.0/AUTHOR.gz
--- /usr/share/man/
--- /usr/share/man/man8/
>>> /usr/share/man/man8/scponly.8.gz
 * Updating /etc/shells
 *
 * if you experience a warning with winscp regarding groups, please install
 * the provided hacked out fake groups program into your chroot, like so:
 * cp groups /home/scponly/bin/groups
>>> Regenerating /etc/ld.so.cache...
 * Caching service dependencies...
>>> net-misc/scponly-4.0 merged.
>>> Recording net-misc/scponly in "world" favorites file...

>>> clean: No packages selected for removal.

>>> Auto-cleaning packages ...

>>> No outdated packages were found on your system.


 * GNU info directory index is up-to-date.

*****************************************************

Is it possible to have one main "scponly" SFTP chrooted account that
all customers can use, but at the same time only allow customers to
see the files that they upload and not other customers' files? If
so, how would this be done?  It seems that anything I try in the
chrooted directory structure is really touchy.

Thanks for any help.

GBloomberg
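An added example (not part of the post above and not the scponly project's own code) of the usual way to get the per-customer isolation asked about: one chroot per customer, copied from the skeleton Gentoo built under /home/scponly, with a check that the chroot root itself stays root-owned and unwritable before the account is handed out. It assumes the skeleton path, the "scponly" group from the post, and scponly's home-directory convention where the path before "//" is the chroot root and the path after it is the directory the user lands in; confirm that against the README installed under /usr/share/doc/scponly-4.0 for your version.

```shell
#!/bin/sh
# Added example, not from the original post or the scponly project.
# Builds one scponlyc chroot per customer from the skeleton the Gentoo
# ebuild created under /home/scponly, so each customer only sees their own
# uploads. Assumptions: the skeleton path, the "scponly" group, and the
# scponly "//" home-directory convention (chroot root before "//", landing
# directory after it); check the README in /usr/share/doc/scponly-4.0.
SKEL=${SKEL:-/home/scponly}

# mode_safe MODESTRING: 0 if an "ls -l" mode string is a directory with the
# group and other write bits clear (e.g. drwxr-xr-x), else 1.
mode_safe() {
    case $1 in
        d????-??-?*) return 0 ;;
        *)           return 1 ;;
    esac
}

# chroot_ok DIR: 0 only if DIR is owned by root and writable by nobody else.
# A chroot root the customer can write to defeats the jail: scponlyc is
# setuid root and trusts the bin/, lib/ and etc/ it finds inside it.
chroot_ok() {
    set -- $(ls -ld "$1" 2>/dev/null)   # fields: mode links owner group ...
    [ "$3" = root ] && mode_safe "$1"
}

# make_customer NAME: build /home/NAME as the chroot and add the account.
# Only NAME/incoming belongs to the customer; everything else stays root's.
make_customer() {
    name=$1 root=/home/$1
    mkdir -p "$root/incoming"
    for d in bin etc lib usr; do cp -a "$SKEL/$d" "$root/"; done
    useradd -d "$root//incoming" -G scponly -s /usr/sbin/scponlyc "$name"
    chown root:root "$root" && chmod 755 "$root"
    chown "$name:scponly" "$root/incoming" && chmod 700 "$root/incoming"
    chroot_ok "$root" || { echo "refusing: $root is writable" >&2; return 1; }
}

# usage (as root): sh make_customer.sh acme
if [ "$#" -eq 1 ]; then make_customer "$1"; fi
```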
