[scponly] strange problem

Paul Hyder Paul.Hyder at noaa.gov
Wed Sep 21 19:47:31 EDT 2005


This trace indicates that you might not be using the latest release of
scponly.  Which version are you using?  If you are not using the 4.1
release can you try that?  (The latest release has some explicit
chdir behavior that might eliminate your problem.)
	Paul Hyder
	NOAA Forecast Systems Lab
	Boulder, CO

katsumi liquer wrote:
> Hi Paul,
> 
> Thank you very much for the response. Basically, what I mean is that
> when using the SFTP protocol, I am able to log in correctly and then
> end up seeing the directory I would expect which is the CHROOTed user
> directory. When using the SCP protocol, I end up logged in OUTSIDE the
> chroot, so far outside in fact that it is the / directory, root of the
> whole system. I don't see anything strange which looks relevant to
> this strange behavior, but I am going to include some debug logs
> from both types of sessions. The first is SFTP, the second is SCP.
> 
> In the SFTP session, I get logged in to the correct user/chroot directory:
> 
> Sep 21 15:45:03 sftphost [17017]: chrooted binary in place, will chroot()
> Sep 21 15:45:03 sftphost [17017]: 3 arguments in total.
> Sep 21 15:45:03 sftphost [17017]: ^Iarg 0 is scponlyc
> Sep 21 15:45:03 sftphost [17017]: ^Iarg 1 is -c
> Sep 21 15:45:03 sftphost [17017]: ^Iarg 2 is /usr/libexec/sftp-server
> Sep 21 15:45:03 sftphost [17017]: opened log at LOG_AUTHPRIV, opts 0x00000009
> Sep 21 15:45:03 sftphost [17017]: retrieved home directory of
> "/SFTP_ROOT/sftpuser" for user "sftpuser"
> Sep 21 15:45:03 sftphost [17017]: chrooting to dir: "/SFTP_ROOT/sftpuser"
> Sep 21 15:45:03 sftphost [17017]: setting uid to 1019
> Sep 21 19:45:03 sftphost [17017]: processing request: "/usr/libexec/sftp-server"
> Sep 21 19:45:03 sftphost [17017]: running: /usr/libexec/sftp-server
> (username: sftpuser(1019), IP/port: 10.0.0.60 4674 4786)
> 
> In the SCP session, I end up at / for the whole system, outside of the
> chroot completely, but no evidence apparently in the log:
> 
> Sep 21 15:46:40 sftphost [17039]: chrooted binary in place, will chroot()
> Sep 21 15:46:40 sftphost [17039]: 1 arguments in total.
> Sep 21 15:46:40 sftphost [17039]: ^Iarg 0 is -scponlyc
> Sep 21 15:46:40 sftphost [17039]: opened log at LOG_AUTHPRIV, opts 0x00000009
> Sep 21 15:46:40 sftphost [17039]: retrieved home directory of
> "/SFTP_ROOT/sftpuser" for user "sftpuser"
> Sep 21 15:46:40 sftphost [17039]: chrooting to dir: "/SFTP_ROOT/sftpuser"
> Sep 21 15:46:40 sftphost [17039]: setting uid to 1019
> Sep 21 19:46:40 sftphost [17039]: entering WinSCP compatibility mode
> [username: sftpuser(1019), IP/port: 10.0.0.60 4688 4786]
> Sep 21 19:46:41 sftphost [17039]: processing request: "groups"
> Sep 21 19:46:41 sftphost [17039]: running: ./groups (username:
> sftpuser(1019), IP/port: 10.0.0.60 4688 4786)
> Sep 21 19:46:41 sftphost [17040]: failed: ./groups with error No such
> file or directory(2) (username: sftpuser(1019), IP/port: 10.0.0.60
> 4688 4786)
> Sep 21 19:46:49 sftphost [17040]: processing request: "pwd"
> Sep 21 19:46:49 sftphost [17040]: running: /bin/pwd (username:
> sftpuser(1019), IP/port: 10.0.0.60 4688 4786)
> Sep 21 19:46:49 sftphost [17040]: processing request: "ls -la --full-time"
> Sep 21 19:46:49 sftphost [17040]: running: /bin/ls -la --full-time
> (username: sftpuser(1019), IP/port: 10.0.0.60 4688 4786)
> Sep 21 19:46:49 sftphost [17040]: processing request: "ls -la "
> Sep 21 19:46:49 sftphost [17040]: running: /bin/ls -la (username:
> sftpuser(1019), IP/port: 10.0.0.60 4688 4786)
> 
> That error regarding 'groups' is fine, I can live with that and I
> understand what it means -- but I have absolutely no idea why I end up
> outside the chroot.
> 
> Any ideas??
> 
> Thank you very much,
> katsu
> 
> On 9/15/05, Paul Hyder <Paul.Hyder at noaa.gov> wrote:
> 
>>Seems it might be helpful to turn on debugging (change the value in the debuglevel
>>file to 1, it will be /usr/local/etc/scponly/debuglevel unless you changed
>>the prefix at configure time).  That results in more detailed syslog messages.
>>
>>I'm not sure exactly what you mean by "the root directory of the entire
>>filesystem" but more detailed syslog messages would show the process.
>>If you mean that the scp sessions end up at the top level of the chroot
>>then there might be missing "//" chroot indicators in the top level
>>password file user home directory entries.  Try setting debug level and
>>running sftp and scp.  If the resulting syslogs don't give you enough
>>information please send a (small please) set of syslog messages to the list.
>>        Paul Hyder
>>        NOAA Forecast Systems Lab
>>        Boulder, CO
>>
>>katsumi liquer wrote:
>>
>>>Hello,
>>>
>>>First of all thanks to everyone involved in this program because it is
>>>definitely a major missing piece of the puzzle with our openssh based
>>>installation here -- but I have noticed something strange which I
>>>can't figure out. I have configured scponlyc for several users, and in
>>>general everything seems to work fine. If I use the SFTP protocol to
>>>connect, everything is normal and I get the chroot directory structure
>>>which I would expect -- however, if I use the SCP protocol, for some
>>>reason I am defaulted to the root directory of the entire filesystem!
>>>I have checked my configurations and I can't find anything wrong, nor
>>>do I see any strange messages in the system logs. Has anyone seen this
>>>happen before and have any ideas on what it might be?
>>>
>>>I apologize if this is a poor question -- I did my best to try and
>>>find an answer first, and I searched through several threads in the
>>>archive and I didn't find anything. I appreciate any information
>>>anyone has very much!
>>>
>>>katsu
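The check suggested earlier in the thread, for "//" chroot indicators in the password file home directory entries, can be scripted. The following is an added example, not part of the original messages and not code from the scponly project. It assumes the scponly convention that the path before "//" is the chroot directory and the path after it is the directory entered once inside. The shell path and all accounts other than sftpuser's home directory and uid are constructed.

```python
"""Audit passwd entries of scponlyc users for the "//" chroot marker."""
from typing import NamedTuple, Optional

# Constructed sample in passwd(5) format; only sftpuser's home and uid come from the thread.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
sftpuser:x:1019:1019::/SFTP_ROOT/sftpuser:/usr/local/sbin/scponlyc
upload:x:1020:1020::/SFTP_ROOT/upload//incoming:/usr/local/sbin/scponlyc
broken:x:1021:1021::/SFTP_ROOT/broken//:/usr/local/sbin/scponlyc
plain:x:1022:1022::/home/plain:/usr/local/bin/scponly
"""

class Jail(NamedTuple):
    user: str
    chroot_dir: str
    start_dir: Optional[str]   # directory entered after chroot(); None = no marker
    note: str

def audit(passwd_text: str, shell_name: str = "scponlyc") -> list:
    """Return one Jail record per account whose login shell is the chrooted binary."""
    results = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if line.startswith("#") or len(fields) != 7:
            continue                      # comment or malformed entry
        user, home, shell = fields[0], fields[5], fields[6]
        if shell.rsplit("/", 1)[-1] != shell_name:
            continue                      # not a chrooted scponly account
        head, marker, tail = home.partition("//")
        if not marker:
            results.append(Jail(user, home, None,
                                'no "//" marker: session starts at top of chroot'))
        elif not tail.strip("/"):
            results.append(Jail(user, head, "/",
                                '"//" present but no directory after it'))
        else:
            results.append(Jail(user, head, "/" + tail.strip("/"), "ok"))
    return results

if __name__ == "__main__":
    for j in audit(SAMPLE_PASSWD):
        print(f"{j.user:10} chroot={j.chroot_dir:22} start={j.start_dir!s:12} {j.note}")
```

On a real host, pass the contents of the top-level /etc/passwd to `audit()` and compare each reported chroot directory with the "chrooting to dir" line in the debug syslog.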