[scponly] strange problem

katsumi liquer katsumi at gmail.com
Wed Sep 21 16:41:18 EDT 2005


Hi Paul,

Thank you very much for the response. Basically, what I mean is that
when using the SFTP protocol, I am able to log in correctly and then
end up seeing the directory I would expect which is the CHROOTed user
directory. When using the SCP protocol, I end up logged in OUTSIDE the
chroot, so far outside in fact that it is the / directory, root of the
whole system. I don't see anything strange which looks relevant to
this strange behavior, but I am going to include some debug logs
from both types of sessions. The first is SFTP, the second is SCP.

In the SFTP session, I get logged in to the correct user/chroot directory:

Sep 21 15:45:03 sftphost [17017]: chrooted binary in place, will chroot()
Sep 21 15:45:03 sftphost [17017]: 3 arguments in total.
Sep 21 15:45:03 sftphost [17017]: ^Iarg 0 is scponlyc
Sep 21 15:45:03 sftphost [17017]: ^Iarg 1 is -c
Sep 21 15:45:03 sftphost [17017]: ^Iarg 2 is /usr/libexec/sftp-server
Sep 21 15:45:03 sftphost [17017]: opened log at LOG_AUTHPRIV, opts 0x00000009
Sep 21 15:45:03 sftphost [17017]: retrieved home directory of
"/SFTP_ROOT/sftpuser" for user "sftpuser"
Sep 21 15:45:03 sftphost [17017]: chrooting to dir: "/SFTP_ROOT/sftpuser"
Sep 21 15:45:03 sftphost [17017]: setting uid to 1019
Sep 21 19:45:03 sftphost [17017]: processing request: "/usr/libexec/sftp-server"
Sep 21 19:45:03 sftphost [17017]: running: /usr/libexec/sftp-server
(username: sftpuser(1019), IP/port: 10.0.0.60 4674 4786)

In the SCP session, I end up at / for the whole system, outside of the
chroot completely, but no evidence apparently in the log:

Sep 21 15:46:40 sftphost [17039]: chrooted binary in place, will chroot()
Sep 21 15:46:40 sftphost [17039]: 1 arguments in total.
Sep 21 15:46:40 sftphost [17039]: ^Iarg 0 is -scponlyc
Sep 21 15:46:40 sftphost [17039]: opened log at LOG_AUTHPRIV, opts 0x00000009
Sep 21 15:46:40 sftphost [17039]: retrieved home directory of
"/SFTP_ROOT/sftpuser" for user "sftpuser"
Sep 21 15:46:40 sftphost [17039]: chrooting to dir: "/SFTP_ROOT/sftpuser"
Sep 21 15:46:40 sftphost [17039]: setting uid to 1019
Sep 21 19:46:40 sftphost [17039]: entering WinSCP compatibility mode
[username: sftpuser(1019), IP/port: 10.0.0.60 4688 4786]
Sep 21 19:46:41 sftphost [17039]: processing request: "groups"
Sep 21 19:46:41 sftphost [17039]: running: ./groups (username:
sftpuser(1019), IP/port: 10.0.0.60 4688 4786)
Sep 21 19:46:41 sftphost [17040]: failed: ./groups with error No such
file or directory(2) (username: sftpuser(1019), IP/port: 10.0.0.60
4688 4786)
Sep 21 19:46:49 sftphost [17040]: processing request: "pwd"
Sep 21 19:46:49 sftphost [17040]: running: /bin/pwd (username:
sftpuser(1019), IP/port: 10.0.0.60 4688 4786)
Sep 21 19:46:49 sftphost [17040]: processing request: "ls -la --full-time"
Sep 21 19:46:49 sftphost [17040]: running: /bin/ls -la --full-time
(username: sftpuser(1019), IP/port: 10.0.0.60 4688 4786)
Sep 21 19:46:49 sftphost [17040]: processing request: "ls -la "
Sep 21 19:46:49 sftphost [17040]: running: /bin/ls -la (username:
sftpuser(1019), IP/port: 10.0.0.60 4688 4786)

That error regarding 'groups' is fine, I can live with that and I
understand what it means -- but I have absolutely no idea why I end up
outside the chroot.

Any ideas??

Thank you very much,
katsu

On 9/15/05, Paul Hyder <Paul.Hyder at noaa.gov> wrote:
> Seems it might be helpful to turn on debugging (change the value in the debuglevel
> file to 1, it will be /usr/local/etc/scponly/debuglevel unless you changed
> the prefix at configure time).  That results in more detailed syslog messages.
>
> I'm not sure exactly what you mean by "the root directory of the entire
> filesystem" but more detailed syslog messages would show the process.
> If you mean that the scp sessions end up at the top level of the chroot
> then there might be missing "//" chroot indicators in the top level
> password file user home directory entries.  Try setting debug level and
> running sftp and scp.  If the resulting syslogs don't give you enough
> information please send a (small please) set of syslog messages to the list.
>         Paul Hyder
>         NOAA Forecast Systems Lab
>         Boulder, CO
>
> katsumi liquer wrote:
> > Hello,
> >
> > First of all thanks to everyone involved in this program because it is
> > definitely a major missing piece of the puzzle with our openssh based
> > installation here -- but I have noticed something strange which I
> > can't figure out. I have configured scponlyc for several users, and in
> > general everything seems to work fine. If I use the SFTP protocol to
> > connect, everything is normal and I get the chroot directory structure
> > which I would expect -- however, if I use the SCP protocol, for some
> > reason I am defaulted to the root directory of the entire filesystem!
> > I have checked my configurations and I can't find anything wrong, nor
> > do I see any strange messages in the system logs. Has anyone seen this
> > happen before and have any ideas on what it might be?
> >
> > I apologize if this is a poor question -- I did my best to try and
> > find an answer first, and I searched through several threads in the
> > archive and I didn't find anything. I appreciate any information
> > anyone has very much!
> >
> > katsu
>
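
An added example, not part of the original message or of the scponly project: one way to condense debug output of the kind quoted above into a per-session summary, so the logged chroot directory, uid, arg 0 and resolved commands of an SFTP and an SCP login can be compared side by side. The sample lines are constructed in the thread's format with placeholder host, PIDs, user and addresses; `summarize`, `digest` and the `hour_shift` heuristic are assumptions of this sketch.

```python
import re

# Constructed sample in the format of the debug lines quoted above (placeholder
# host, PIDs, user, paths, addresses); one entry is wrapped as a mailer would.
SAMPLE = """\
Sep 21 15:46:40 host [2001]: 1 arguments in total.
Sep 21 15:46:40 host [2001]: ^Iarg 0 is -scponlyc
Sep 21 15:46:40 host [2001]: chrooting to dir: "/jail/user1"
Sep 21 15:46:40 host [2001]: setting uid to 1001
Sep 21 19:46:41 host [2001]: running: ./groups (username:
user1(1001), IP/port: 192.0.2.10 4688 22)
Sep 21 19:46:49 host [2002]: running: /bin/pwd (username: user1(1001))
"""

PREFIX = re.compile(r"^\w{3} +\d+ (\d\d):\d\d:\d\d \S+ \[(\d+)\]: (.*)$")
FIELDS = {  # message pattern -> summary key
    r"arg 0 is (\S+)": "arg0",
    r'chrooting to dir: "([^"]+)"': "chroot",
    r"setting uid to (\d+)": "uid",
    r"running: (.*?) [(\[]username": "ran",
}

def summarize(text):
    """Group scponly debug lines into sessions and return one dict per session."""
    lines = []
    for raw in text.splitlines():  # re-join continuations that lack a syslog prefix
        if PREFIX.match(raw) or not lines:
            lines.append(raw)
        else:
            lines[-1] += " " + raw.strip()
    sessions = []
    for m in filter(None, map(PREFIX.match, lines)):
        hour, pid, msg = int(m.group(1)), m.group(2), m.group(3)
        if msg.endswith("arguments in total."):  # first line of a new login
            sessions.append([])
        for pattern, key in FIELDS.items():
            hit = re.search(pattern, msg)
            if hit and sessions:
                sessions[-1].append((hour, pid, key, hit.group(1)))
    return [digest(events) for events in sessions]

def digest(events):
    """Reduce one session's (hour, pid, key, value) events to audit fields."""
    out = {key: val for _, _, key, val in events if key != "ran"}
    out["ran"] = [val for _, _, key, val in events if key == "ran"]
    out["pids"] = sorted({pid for _, pid, _, _ in events})
    out["relative_cmds"] = [c for c in out["ran"] if not c.startswith("/")]
    # Assumption: a jump in the logged hour is only a hint that the process
    # stopped seeing the host's timezone data; the thread does not state this.
    out["hour_shift"] = events[-1][0] - events[0][0] if events else 0
    return out
```

Running `summarize` on the SFTP and the SCP log separately and comparing the two dicts shows at a glance which fields differ between the sessions and which commands were resolved to a relative path.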


