[scponly] Scponlyc chroot confusion.

Kaleb Pederson kpederson at mail.ewu.edu
Fri Apr 22 11:22:48 EDT 2005


You basically have everything that you need; you just need to change a few 
things.

First, I would create a /home directory in which all the users' home 
directories will exist:

$ mkdir /home/scponly/home
$ chown root:root /home/scponly/home
$ chmod 755 /home/scponly/home

Now, when you create all the users, you will want to use a command like the 
following:

$ useradd -s /usr/sbin/scponlyc -d /home/scponly//home/<username> <username>

Now, note the double slashes.  That means that every user will first get 
chrooted to /home/scponly, and then their home directory will 
be /home/username (within the /home/scponly folder).

As that directory should be created with the right permissions, that user 
should then be able to do everything they need.

I hope that helps.

--Kaleb

On Friday 22 April 2005 1:03 am, GBloomberg wrote:
> Hello,
>
> Please bear with me. I'm new to Linux system administration and was
> given the task of setting up a SFTP server for our customers to upload
> linux log and config files to and I'm hoping to gain some clarity on
> if I'm doing this correctly or not given the tasks/objective on how my
> management wants this SFTP server setup.
>
> I've installed scponly-4.0 on a Gentoo linux system running a 2.6
> Kernel using openssh-3.9.
> Using "emerge scponly" set everything up for me to include the
> chrooted environment. Places /usr/bin/scponly and /usr/sbin/scponlyc
> in /etc/shells.  What has me confused is how this is supposed to work
> versus how I'm trying to use it.  When Gentoo built the scponly
> package it created a scponly user called scponly and a group scponly
> and automagically created the chrooted environment.
>
> # cd /home/scponly
> # ls -la
> total 1
> drwxr-xr-x  7 root    root    168 Apr 17 05:54 .
> drwxr-xr-x  7 root    root    192 Apr 20 21:30 ..
> drwxr-xr-x  2 root    root    368 Apr 18 02:23 bin
> drwxr-xr-x  2 root    root    136 Apr 18 00:12 etc
> drwxr-xr-x  2 scponly scponly  48 Apr 20 23:02 incoming
> drwxr-xr-x  2 root    root    480 Apr 18 00:12 lib
> drwxr-xr-x  4 root    root     96 Apr 17 05:54 usr
>
> What I don't understand is what is the proper command to add an
> account that I want jailed. I mean I understand how to add normal
> accounts but chrooted ones have me confused. It seems the only way
> that I can get this to work is via:
>
> # useradd -d /home/scponly -G scponly -s /usr/sbin/scponlyc testuser
>
> The keyfactor being that the home directory has to be /home/scponly.
> At least that's how it appears to me. For some reason if I use anything
> other than /home/scponly for the given testuser's home directory, I'm
> unable to login with SFTP. Am I doing this correctly or could there be
> an alternative that I'm missing?
>
> Actually I don't want them to see anything but the "incoming"
> directory, preferably. I tried taking off the execute bit for Others
> and Group but this had the effect of the "incoming" dir disappearing
> to those using WinSCP's SFTP.
>
> Here's a copy of how Gentoo built "scponly" just in case.
>
> ******************************************************
>
> # emerge -v scponly
> Calculating dependencies ...done!
>
> >>> emerge (1 of 1) net-misc/scponly-4.0 to /
> >>> md5 src_uri ;-) scponly-4.0.tgz
> >>> Unpacking source...
> >>> Unpacking scponly-4.0.tgz to /var/tmp/portage/scponly-4.0/work
> >>> Source unpacked.
>
>  * econf: updating scponly-4.0/config.guess with
> /usr/share/gnuconfig/config.guess
>  * econf: updating scponly-4.0/config.sub with
> /usr/share/gnuconfig/config.sub ./configure --prefix=/usr
> --host=i686-pc-linux-gnu
> --mandir=/usr/share/man --infodir=/usr/share/info --datadir=/usr/share
> --sysconfdir=/etc --localstatedir=/var/lib --enable-rsync-compat
> --enable-chrooted-binary
> configure: WARNING: If you wanted to set the --build type, don't use
> --host. If a cross compiler is detected then cross compile mode will be
> used. checking build system type... i686-pc-linux-gnu
> checking host system type... i686-pc-linux-gnu
> checking for i686-pc-linux-gnu-gcc... i686-pc-linux-gnu-gcc
> checking for C compiler default output... a.out
> checking whether the C compiler works... yes
> checking whether we are cross compiling... no
> checking for suffix of executables...
> checking for suffix of object files... o
> checking whether we are using the GNU C compiler... yes
> checking whether i686-pc-linux-gnu-gcc accepts -g... yes
> checking for a BSD-compatible install... /bin/install -c
> checking whether ln -s works... yes
> checking for cut... /bin/cut
> checking for grep... /bin/grep
> checking for sort... /bin/sort
> checking for ldd... /usr/bin/ldd
> checking for useradd... /usr/sbin/useradd
> checking for chown... /bin/chown
> checking for chmod... /bin/chmod
> checking for dirname... /bin/dirname
> checking for id... /bin/id
> checking for pw... no
> checking for rm... /bin/rm
> checking for pwd_mkdb... no
> configure: enabling core WinSCP and Vanilla SCP binaries...
> checking for sftp-server... /usr/lib/misc/sftp-server
> checking for ls... /bin/ls
> checking for scp... /usr/bin/scp
> checking for rm... /bin/rm
> checking for ln... /bin/ln
> checking for mv... /bin/mv
> checking for chmod... /bin/chmod
> checking for chown... /bin/chown
> checking for chgrp... /bin/chgrp
> checking for mkdir... /bin/mkdir
> checking for rmdir... /bin/rmdir
> configure: enabling WinSCP compatability...
> checking for pwd... /bin/pwd
> checking for groups... /bin/groups
> checking for id... /bin/id
> checking for echo... /bin/echo
> configure: enabling rsync compatability...
> checking for rsync... /usr/bin/rsync
> configure: enabling SFTP compatability...
> checking for sftp-server... (cached) /usr/lib/misc/sftp-server
> checking how to run the C preprocessor... i686-pc-linux-gnu-gcc -E
> checking for ANSI C header files... yes
> checking for sys/types.h... yes
> checking for sys/stat.h... yes
> checking for stdlib.h... yes
> checking for string.h... yes
> checking for memory.h... yes
> checking for strings.h... yes
> checking for inttypes.h... yes
> checking for stdint.h... yes
> checking for unistd.h... yes
> checking for stdlib.h... (cached) yes
> checking for string.h... (cached) yes
> checking syslog.h usability... yes
> checking syslog.h presence... yes
> checking for syslog.h... yes
> checking for unistd.h... (cached) yes
> checking wordexp.h usability... yes
> checking wordexp.h presence... yes
> checking for wordexp.h... yes
> checking glob.h usability... yes
> checking glob.h presence... yes
> checking for glob.h... yes
> checking libgen.h usability... yes
> checking libgen.h presence... yes
> checking for libgen.h... yes
> checking for i686-pc-linux-gnu-gcc option to accept ANSI C... none needed
> checking for an ANSI C-conforming const... yes
> checking for inline... inline
> checking for working alloca.h... yes
> checking for alloca... yes
> checking for malloc... yes
> checking for atexit... yes
> checking for bzero... yes
> checking for strchr... yes
> checking for strerror... yes
> checking for glob... yes
> checking for wordexp... yes
> checking for strspn... yes
> checking for basename... yes
> configure: creating ./config.status
> config.status: creating Makefile
> config.status: creating setup_chroot.sh
> config.status: creating config.h
> i686-pc-linux-gnu-gcc -march=pentium2 -O3 -pipe -fomit-frame-pointer
> -I. -I. -DHAVE_CONFIG_H -DDEBUGFILE='"/etc/scponly/debuglevel"' -o
> scponly.o -c scponly.c
> i686-pc-linux-gnu-gcc -march=pentium2 -O3 -pipe -fomit-frame-pointer
> -I. -I. -DHAVE_CONFIG_H -DDEBUGFILE='"/etc/scponly/debuglevel"' -o
> helper.o -c helper.c
> i686-pc-linux-gnu-gcc -march=pentium2 -O3 -pipe -fomit-frame-pointer
> -I. -I. -DHAVE_CONFIG_H -DDEBUGFILE='"/etc/scponly/debuglevel"' -o
> groups groups.c
> i686-pc-linux-gnu-gcc -march=pentium2 -O3 -pipe -fomit-frame-pointer
> -I. -I. -DHAVE_CONFIG_H -DDEBUGFILE='"/etc/scponly/debuglevel"' -o
> scponly scponly.o helper.o
>
> >>> Test phase [not enabled]: net-misc/scponly-4.0
> >>>
> >>> Install scponly-4.0 into /var/tmp/portage/scponly-4.0/image/
>
> category net-misc
> echo "0" > debuglevel
> /bin/install -c -d /var/tmp/portage/scponly-4.0/image//usr/bin
> /bin/install -c -d /var/tmp/portage/scponly-4.0/image//usr/share/man/man8
> /bin/install -c -d /var/tmp/portage/scponly-4.0/image//etc/scponly
> /bin/install -c -o 0 -g 0 scponly
> /var/tmp/portage/scponly-4.0/image//usr/bin/scponly
> /bin/install -c -o 0 -g 0 -m 0644 scponly.8
> /var/tmp/portage/scponly-4.0/image//usr/share/man/man8/scponly.8
> /bin/install -c -o 0 -g 0 -m 0644 debuglevel
> /var/tmp/portage/scponly-4.0/image//etc/scponly/debuglevel
> if test "xscponlyc" != "x"; then                        \
>         /bin/install -c -d
> /var/tmp/portage/scponly-4.0/image//usr/sbin;
>       \
>         rm -f /var/tmp/portage/scponly-4.0/image//usr/sbin/scponlyc;
>                  \
>         cp scponly scponlyc;                            \
>         /bin/install -c -o 0 -g 0 -m 4755 scponlyc
> /var/tmp/portage/scponly-4.0/image//usr/sbin/scponlyc;       \
> fi
> man:
> gzipping man page: scponly.8
> prepallstrip:
> strip: strip --strip-unneeded
> strip: strip --strip-unneeded
>    usr/bin/scponly
>    usr/sbin/scponlyc
> QA Notice: /usr/sbin/scponlyc is setXid, dynamically linked and using
> lazy bindings.
> This combination is generally discouraged. Try: CFLAGS='-Wl,-z,now'
> emerge scponly
>
> >>> Completed installing scponly-4.0 into
> >>> /var/tmp/portage/scponly-4.0/image/
> >>>
> >>> Merging net-misc/scponly-4.0 to /
>
>  * >>> SetUID: [chmod go-r]
> /var/tmp/portage/scponly-4.0/image//usr/sbin/scponlyc ...
>                  [ ok ]
> --- /etc/
>
> >>> /etc/scponly/
> >>> /etc/scponly/debuglevel
>
> --- /usr/
> --- /usr/bin/
>
> >>> /usr/bin/scponly
>
> --- /usr/sbin/
>
> >>> /usr/sbin/scponlyc
>
> --- /usr/share/
> --- /usr/share/doc/
>
> >>> /usr/share/doc/scponly-4.0/
> >>> /usr/share/doc/scponly-4.0/CHANGELOG.gz
> >>> /usr/share/doc/scponly-4.0/README.gz
> >>> /usr/share/doc/scponly-4.0/TODO.gz
> >>> /usr/share/doc/scponly-4.0/CONTRIB.gz
> >>> /usr/share/doc/scponly-4.0/AUTHOR.gz
>
> --- /usr/share/man/
> --- /usr/share/man/man8/
>
> >>> /usr/share/man/man8/scponly.8.gz
>
>  * Updating /etc/shells
>  *
>  * if you experience a warning with winscp regarding groups, please install
>  * the provided hacked out fake groups program into your chroot, like so:
>  * cp groups /home/scponly/bin/groups
>
> >>> Regenerating /etc/ld.so.cache...
>
>  * Caching service dependencies...
>
> >>> net-misc/scponly-4.0 merged.
> >>> Recording net-misc/scponly in "world" favorites file...
> >>>
> >>> clean: No packages selected for removal.
> >>>
> >>> Auto-cleaning packages ...
> >>>
> >>> No outdated packages were found on your system.
>
>  * GNU info directory index is up-to-date.
>
> *****************************************************
>
> Is it possible to have "One" main "scponly" SFTP chrooted account that
> all customers can use but at the same time only allow customers to
> only see the files that they upload and not other customers files? If
> so, how would this be done?  It seems that anything I try in the
> chrooted directory structure is really touchy.
>
> Thanks for any help.
>
> GBloomberg
>
> _______________________________________________
> scponly mailing list
> scponly at lists.ccs.neu.edu
> https://lists.ccs.neu.edu/bin/listinfo/scponly
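The following shell helpers are an added example illustrating the double-slash home-directory convention Kaleb describes above; they are not code from the list post or from the scponly project. They split a `-d` value such as `/home/scponly//home/<username>` into the chroot root (left of the `//`) and the home directory as seen inside the chroot (right of the `//`), sanity-check that form before calling `useradd`, and create the per-user directory on the host side. The `CHROOT` and `SCPONLYC` defaults mirror the Gentoo layout in the thread; the 0700 mode on each user's own directory is this example's choice, made so that customers cannot read one another's uploads, and `DRY_RUN=1` (the default) only prints the privileged commands instead of running them.

```shell
#!/bin/sh
# Added example, not code from the list post or the scponly project.
# scponlyc convention: the home-directory field is split at "//"; the left
# part is the chroot root, the right part is the home dir inside the chroot.
# CHROOT, SCPONLYC and the 0700 per-user mode are assumptions of this example.

CHROOT=${CHROOT:-/home/scponly}
SCPONLYC=${SCPONLYC:-/usr/sbin/scponlyc}
DRY_RUN=${DRY_RUN:-1}   # 1 = print the privileged commands instead of running them

# Part before the "//": the directory scponlyc chroots into.
chroot_root_of() { printf '%s\n' "${1%%//*}"; }

# Part after the "//", as an absolute path inside the chroot.
inner_home_of() { printf '/%s\n' "${1#*//}"; }

# The same directory as seen from the host, where it must be created.
host_home_of() { printf '%s%s\n' "$(chroot_root_of "$1")" "$(inner_home_of "$1")"; }

# Build the -d value for one user: /home/scponly//home/<user>.
home_field_for() { printf '%s//home/%s\n' "$CHROOT" "$1"; }

# Sanity check: an absolute, non-empty chroot root, exactly one "//", and a
# non-empty inner path. Returns 0 when the field is well formed.
validate_home_field() {
    field=$1
    case "$field" in
        /*//?*) ;;                  # absolute root, "//", at least one more char
        *) return 1 ;;
    esac
    root=$(chroot_root_of "$field")
    rest=${field#*//}
    [ -n "$root" ] || return 1
    case "$rest" in *//*) return 1 ;; esac   # a second "//" would be ambiguous
    return 0
}

# Run a privileged command, or just show it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '+ %s\n' "$*"; else "$@"; fi
}

# Create the account and its home inside the chroot. The chroot's /home is
# root-owned 755 as in the post; the user's own directory is 0700 (this
# example's choice) so customers cannot list each other's uploads.
provision_user() {
    user=$1
    field=$(home_field_for "$user")
    validate_home_field "$field" || { echo "bad home field: $field" >&2; return 1; }
    root=$(chroot_root_of "$field")
    host_dir=$(host_home_of "$field")
    run mkdir -p "$root/home"
    run chown root:root "$root/home"
    run chmod 755 "$root/home"
    run useradd -s "$SCPONLYC" -d "$field" "$user"
    run mkdir -p "$host_dir"
    run chown "$user:$user" "$host_dir"
    run chmod 700 "$host_dir"
}

# Usage: DRY_RUN=0 sh provision.sh <username>   (as root; omit DRY_RUN=0 to preview)
if [ $# -gt 0 ]; then provision_user "$1"; fi
```

Previewing with the default `DRY_RUN=1` prints the exact `useradd -s /usr/sbin/scponlyc -d /home/scponly//home/<user> <user>` line from the reply, followed by the `mkdir`/`chown`/`chmod` calls on the host path `/home/scponly/home/<user>`; the validation step rejects a `-d` value without the `//` separator, which is the form the original poster was struggling with.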
