[scponly] chroot functionality ...
Kaleb Pederson
kpederson at mail.ewu.edu
Fri Mar 18 17:33:40 EST 2005
Hmmm.... It appears I didn't know the possibility existed. Just now, I
re-read through README and INSTALL and see no reference to that capability
anywhere, although I did find two references to it in CONTRIB and CHANGELOG.
Did I just miss it somehow or is it not really documented?
I'm guessing then, that by using /path/to/chroot//user/homedir in /etc/passwd,
scponly chroots to /path/to/chroot and then does a chdir to /user/homedir.
That seems reasonable. I just tried it out, and it works fine.
Thanks.
--Kaleb
On Friday 18 March 2005 1:43 pm, you wrote:
> I'm curious, why did you need to change the scponly code? What can't you
> implement by modifying the top level /etc/password file?
> Paul Hyder
> NOAA Forecast Systems Lab
> Boulder, CO
> FYI: We have done a couple of multi-user shared configuration scponly
> configurations that basically do what you indicate. All it took was
> coordinated /etc/passwd and jail configuration (and careful placement
> of '//' in the /etc/passwd home directory path.)
>
> Kaleb Pederson wrote:
> > Ok. We currently have hundreds of users. Using scponly as delivered,
> > currently my only option is to set up a chroot per user. If, for example,
> > the required chroot is 18 megs (it is on one of my systems), this results
> > in gigabytes of storage space.
> >
> > In our case, we need to protect users from the system, more than we do
> > from themselves, so I patched scponly so that it chroots to a fixed
> > directory for each user.
> >
> > For example, usera has /home/usera as a home directory. When usera
> > sftp's in, scponly chroots to /path/to/chroot, and then cd's to
> > /home/usera. Thus, I can have many users all within the same chroot and
> > without the fixed overhead of 18 megs per user.
> >
> > What does everyone think? Does this seem reasonable? Are other people
> > interested in this functionality?
> >
> > I have attached a small patch that does this. A couple of things would
> > need to happen before this would work for everybody. The #define
> > CHROOT_FIXED_DIR would need to be set dynamically based on input to
> > configure, and configure would need to have an option to enable the fixed
> > chroot dir. I believe this should be mutually exclusive to the
> > ENABLE_DEFAULT_CHDIR option.
> >
> > Other than that.... it works for me (and hopefully I didn't really mess
> > something up ;).
> >
> > Thanks.
> >
> > --Kaleb
> >
> > ------------------------------------------------------------------------
> >
> > Index: config.h
> > ===================================================================
> > --- config.h (revision 18)
> > +++ config.h (revision 19)
> > @@ -28,6 +28,11 @@
> > #define PROG_SFTP_SERVER "/usr/local/libexec/sftp-server"
> > #endif
> >
> > +/* A fixed location that will be chrooted to instead of a per-user
> > chroot */ +#ifdef ENABLE_CHROOT_FIXED_DIR
> > +#define CHROOT_FIXED_DIR "/path/to/chroot"
> > +#endif
> > +
> > /* Binaries launched by vanilla- and win-SCP modes */
> > #ifdef ENABLE_SCP2
> > /* #undef PROG_LS */
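Review bot: the new CHROOT_FIXED_DIR in this hunk is a literal placeholder ("/path/to/chroot") that compiles silently, so anyone who defines ENABLE_CHROOT_FIXED_DIR without editing config.h gets a binary that tries to chroot every user into a nonexistent directory and exits at the "couldn't chroot to %s" path in scponly.c. Either have configure substitute the value, as the covering mail proposes, or guard it with `#ifndef CHROOT_FIXED_DIR` / `#error CHROOT_FIXED_DIR must be set`. The mutual exclusion with ENABLE_DEFAULT_CHDIR that the mail mentions is also not enforced anywhere; a `#if defined(ENABLE_CHROOT_FIXED_DIR) && defined(ENABLE_DEFAULT_CHDIR)` / `#error` next to this block would catch it at build time.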
> > Index: scponly.c
> > ===================================================================
> > --- scponly.c (revision 18)
> > +++ scponly.c (revision 19)
> > @@ -100,7 +100,7 @@
> > {
> > FILE *debugfile;
> > int logopts = LOG_PID|LOG_NDELAY;
> > -
> > +
> > /*
> > * set debuglevel. any nonzero number will result in debugging info to
> > log */
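Review bot: this hunk changes only whitespace on the blank line after `int logopts = LOG_PID|LOG_NDELAY;` and should be dropped from the patch; unrelated whitespace churn makes the functional change harder to review and to merge.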
> > @@ -183,7 +183,11 @@
> > {
> > char *root_dir = chrootdir;
> >
> > +#ifdef ENABLE_CHROOT_FIXED_DIR
> > + strcpy(chrootdir, CHROOT_FIXED_DIR);
> > +#else
> > strcpy(chrootdir, homedir);
> > +#endif
> > while((root_dir = strchr(root_dir, '/')) != NULL)
> > {
> > if (strncmp(root_dir, "//", 2) == 0)
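Review bot: after `strcpy(chrootdir, CHROOT_FIXED_DIR);` the existing `while((root_dir = strchr(root_dir, '/')) != NULL)` scan for "//" still runs, but now over the compile-time fixed directory rather than the passwd home field, so in fixed mode a "//" in a user's home directory is neither honoured nor rejected, and homedir is later handed to chdir() unsplit. Suggest skipping the scan under ENABLE_CHROOT_FIXED_DIR, or at least logging when homedir contains "//". The strcpy is also unbounded; since CHROOT_FIXED_DIR is a constant, a `sizeof(CHROOT_FIXED_DIR) <= sizeof(chrootdir)` check (if chrootdir is a fixed-size array) or a length-limited copy costs nothing.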
> > @@ -204,6 +208,17 @@
> > syslog (LOG_ERR, "couldn't chroot to %s [%s]", chrootdir,
> > logstamp()); exit(EXIT_FAILURE);
> > }
> > +#ifdef ENABLE_CHROOT_FIXED_DIR
> > + if (debuglevel)
> > + {
> > + syslog (LOG_DEBUG, "changing to homedir \"%s\" within chrootdir
> > \"%s\" [%s]", homedir, chrootdir, logstamp()); + }
> > + if (-1==(chdir(homedir))) {
> > + syslog (LOG_ERR, "couldn't chdir to homedir \"%s\" within chrootdir
> > \"%s\" [%s]", homedir, chrootdir, logstamp()); + exit(EXIT_FAILURE);
> > + }
> > +#endif /* CHROOT_FIXED_DIR */
> > +
> > }
> > #endif //CHROOTED_NAME
> >
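Review bot: `chdir(homedir)` here uses the passwd home field verbatim, so a user whose entry still follows the `/jail//home/user` convention is sent to `/jail//home/user` relative to the fixed root, which only works if that full path also exists inside the shared jail; worth documenting that fixed mode expects plain home paths, or stripping a leading chroot prefix before the chdir. Two style points: the closing comment `#endif /* CHROOT_FIXED_DIR */` does not name the macro actually tested (`ENABLE_CHROOT_FIXED_DIR`), and the extra blank `+` line before the closing brace is noise. The error handling itself is right: exiting when chdir() fails after a successful chroot() avoids leaving the session at the jail root.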
> > Index: Makefile
> > ===================================================================
> > --- Makefile (revision 18)
> > +++ Makefile (revision 19)
> > @@ -11,7 +11,7 @@
> > CHROOTED_NAME = scponlyc
> > CONFDIR = ${prefix}/etc/scponly
> > DEBUGFILE = ${CONFDIR}/debuglevel
> > -DEFS = -DENABLE_PASSWD -DHAVE_CONFIG_H -DDEBUGFILE='"${DEBUGFILE}"'
> > +DEFS = -DENABLE_CHROOT_FIXED_DIR -DENABLE_PASSWD -DHAVE_CONFIG_H
> > -DDEBUGFILE='"${DEBUGFILE}"' LN_S = ln -s
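Review bot: adding -DENABLE_CHROOT_FIXED_DIR directly to DEFS turns the fixed-chroot behaviour on for every build of this Makefile, with no way back to per-user chroots short of editing it; the covering mail already says this belongs in a configure option, so this hunk should stay out of the submitted patch (or become a variable that configure fills in, e.g. a `FIXED_CHROOT_DEFS` appended to DEFS). The `LN_S = ln -s` line also appears to have been run together with the DEFS line in transit, so the patch as mailed may not apply cleanly.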
> >
> > ------------------------------------------------------------------------
> >
> > _______________________________________________
> > scponly mailing list
> > scponly at lists.ccs.neu.edu
> > https://lists.ccs.neu.edu/bin/listinfo/scponly
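The thread's working answer is the `//` convention in the /etc/passwd home-directory field: `/path/to/chroot//user/homedir` means "chroot to /path/to/chroot, then chdir to /user/homedir inside it". The following is an added example, not scponly's own code, showing one way to parse that field into its two parts with bounds-checked copies; it performs no chroot() itself, and the function name, buffer sizes and sample passwd fields are assumptions constructed for the demonstration.

```c
#include <stdio.h>
#include <string.h>

/* Parse the home-directory field of an /etc/passwd entry that uses the
 * scponly "//" convention, e.g. "/path/to/chroot//user/homedir": everything
 * before the double slash is the directory to chroot() into, and the path
 * starting at the second slash ("/user/homedir") is the directory to chdir()
 * to once inside the new root.  A field without "//" is a plain per-user
 * chroot with "/" as the post-chroot directory.  Only the first "//" counts.
 * Returns 0 on success, -1 if the field is not an absolute path, the chroot
 * part would be empty, or an output buffer is too small (every copy is
 * bounds-checked rather than a bare strcpy).  Hypothetical helper name. */
int split_chroot_home(const char *field,
                      char *chroot_dir, size_t chroot_len,
                      char *chdir_dir, size_t chdir_len)
{
    const char *marker;
    size_t n;

    if (field == NULL || field[0] != '/' || chroot_len == 0 || chdir_len == 0)
        return -1;

    marker = strstr(field, "//");
    if (marker == NULL) {
        /* No marker: the whole field is the jail, land in "/" afterwards. */
        if (strlen(field) >= chroot_len || chdir_len < 2)
            return -1;
        strcpy(chroot_dir, field);
        strcpy(chdir_dir, "/");
        return 0;
    }

    n = (size_t)(marker - field);           /* length of the chroot part */
    if (n == 0 || n >= chroot_len)          /* "//foo" has no chroot dir */
        return -1;
    if (strlen(marker + 1) >= chdir_len)    /* "/user/homedir" part */
        return -1;

    memcpy(chroot_dir, field, n);
    chroot_dir[n] = '\0';
    strcpy(chdir_dir, marker + 1);          /* keep one leading slash */
    return 0;
}

/* Stand-alone demonstration on constructed passwd fields; this only shows
 * how each field is interpreted, no chroot() or chdir() is performed. */
int main(void)
{
    const char *fields[] = {
        "/path/to/chroot//user/homedir",   /* shared jail, per-user homedir */
        "/home/usera",                     /* classic per-user jail */
        "//user/homedir",                  /* rejected: empty chroot part */
    };
    char jail[256], home[256];
    size_t i;

    for (i = 0; i < sizeof(fields) / sizeof(fields[0]); i++) {
        if (split_chroot_home(fields[i], jail, sizeof jail,
                              home, sizeof home) == 0)
            printf("%-32s -> chroot %-18s chdir %s\n", fields[i], jail, home);
        else
            printf("%-32s -> rejected\n", fields[i]);
    }
    return 0;
}
```

Splitting on the first `//` and keeping the second slash is what makes `/path/to/chroot//user/homedir` land in `/user/homedir` rather than `user/homedir`; rejecting an empty chroot part and oversized output is the check a bare `strcpy` into a fixed buffer, as in the patch above, does not give you.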