[scponly] chroot functionality ...
Hideyuki KURASHINA
rushani at bl.mmtr.or.jp
Tue Mar 22 10:16:17 EST 2005
Hi,
>>> On Fri, 18 Mar 2005 14:33:40 -0800, Kaleb Pederson <kpederson at mail.ewu.edu> said:
> Hmmm.... It appears I didn't know the possibility existed. Just now, I
> re-read through README and INSTALL and see no reference to that capability
> anywhere, although I did find two references to it in CONTRIB and CHANGELOG.
> Did I just miss it somehow or is it not really documented?
I think it is just not documented well.
As this is only related to chroot setup, it was mentioned in
setup_chroot.sh.in (v3.6 - 3.8). After 3.9 was released, similar
notes will show up if you use build_extras/setup_chroot.sh.{RH9,debian}
scripts.
I tried to cover the issues you and ColinB pointed out, but it may
be incomplete. Reviews and/or suggestions are welcome.
Thanks,
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
diff -urN scponly-4.0.orig/INSTALL scponly-4.0/INSTALL
--- scponly-4.0.orig/INSTALL Mon Nov 29 05:17:56 2004
+++ scponly-4.0/INSTALL Wed Mar 23 00:12:22 2005
@@ -76,6 +76,20 @@
required. (However, I leave to option to disable turned off
by default until a later release.)
+ --with-default-chdir=DIR
+
+ This option makes user "cd" to DIR after authentication. For
+ security reason (again, see 18/08/02 item in CHANGELOG),
+ it is highly recommended to
+
+ o make user's $HOME and $HOME/.ssh directories NOT writable
+ by the user
+ o provide other user writable directory (ex. public_html)
+
+ Because user needs to "cd" to the given writable directory
+ in order to transfer file in this manner, setting this option
+ may be convenient.
+
Other options can be seen using "./configure --help"
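Review bot: the security rationale for the new --with-default-chdir text is only a pointer ("see 18/08/02 item in CHANGELOG"), yet the two bullets that follow (make $HOME and $HOME/.ssh not writable by the user, give the user a separate writable directory such as public_html) are the part of the setup that actually keeps the restriction intact; add one sentence here saying why a user-writable $HOME/.ssh undermines scponly, so readers of INSTALL do not have to dig through CHANGELOG for it. Wording in the added lines: "For security reason" -> "For security reasons", "makes user "cd" to DIR" -> "makes the user "cd" to DIR", "(ex. public_html)" -> "(e.g. public_html)", and "in order to transfer file" -> "in order to transfer files".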
@@ -132,6 +146,15 @@
system to system. check in the build_extras directory if
make jail has failed you.
+ In chroot setup, user goes to / directory after authentication
+ by default. This behavior can be tunable by changing target
+ user's homedir field in passwd file from
+
+ /chrootdir
+
+ to
+
+ /chrootdir//homedir
That's it, you're done!
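Review bot: the passwd example is given without explaining the notation, so a reader cannot tell whether the "//" in "/chrootdir//homedir" is deliberate or a typo; state that the part before "//" is the chroot directory and the part after it is the directory the user is placed in once inside the jail, and note that that directory has to exist inside /chrootdir. Wording: "This behavior can be tunable" -> "This behavior can be changed", and "user goes to / directory" -> "the user is placed in the / directory of the jail".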
@@ -142,7 +165,7 @@
the "groups" command. Though "groups" is an allowable command, the
"#!/bin/sh" interpreter specification at the beginning of this script
will attempt to load /bin/sh, which is not available in the chrooted
-jail. This is only a problem when you are also using WinSCP compatibiliy,
+jail. This is only a problem when you are also using WinSCP compatibility,
because WinSCP will attempt to run "groups" upon connection initialization.
You have three choices:
diff -urN scponly-4.0.orig/README scponly-4.0/README
--- scponly-4.0.orig/README Mon Nov 29 05:20:48 2004
+++ scponly-4.0/README Tue Mar 22 23:31:01 2005
@@ -44,6 +44,10 @@
- rsync compatibility
+- subversion compatibility
+
+- unison compatibility
+
- security checks: root login is disallowed (though root
should never be configured to be using scponly as the default shell.)
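Review bot: the two new README entries ("subversion compatibility", "unison compatibility") give no hint whether this support is always built in or chosen at configure time, while the INSTALL hunks in this same patch document configure options one by one; either point each entry at its configure option or say they are always enabled, so README and INSTALL stay consistent.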
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-- rushani