[scponly] Limiting to home directory without chroot?

Kaleb Pederson kpederson at mail.ewu.edu
Fri Sep 30 12:44:13 EDT 2005


On Friday 30 September 2005 7:38 am, scponly-7264 at tagged.lorens.org wrote:
> I want to set up secure communications for an existing FTP
> server. I thought I'd use scponly. The only way to limit a user
> to his home directory seems to be by chrooting the user. Is this
> correct? Why?

Although this is the only *sure* way, there are others depending on what your 
goals are.  For example, you can set it up so that the user can get to his 
home directory, but not list other people's home directories (and, of course, 
permissions should prevent him from getting to other persons' directories).  
You could set it up using an sftp patch (I think there is one out there) that 
prevents the user from CD'ing into different directories, but if you have 
enabled scp access, that isn't sufficient.

> I don't feel like setting up chroot environments for some 10000
> users, and the "set up a single chroot and hang all users off
> it" won't work for me (home dirs have to be accessible by
> others, but not coming through ftp/sftp/scp).

Can you explain why it won't work for you?  It works for many of us, so unless 
there are special conditions that you need to meet, it will probably work.

> Assuming the scponly server does not have severe
> vulnerabilities, isn't it simply a matter of forbidding cd to
> directories above the home directory?  Am I wrong in thinking
> that this is easy, or in thinking that it is not done?

Scponly isn't a server; it's a pseudo-shell.  All it does is [optionally] 
chroot the users to a directory and place them in a directory where they have 
access.  Depending on permissions and configure options, it then allows them 
to execute only limited commands, possibly only sftp.

Scponly doesn't do the forbidding, sftp or the other command must do the 
forbidding.  In certain cases, sftp might not allow them to execute the cd 
command at all (for example, if only sftp access is allowed).

> If not possible with scponly, are there other programs that can
> provide a simple standard access over a secured channel to a
> directory tree?  I seem to remember an ssl/tls extension to ftp
> that was not the same thing as sftp.

There is FTP over SSL which several Unix clients/servers support, as well as 
some commercial Windows ones.  Google is your friend.

If you give us more detail, I'm sure we can help....

Thanks.

--Kaleb

> Thanks!
>
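As an added example that is not part of this thread or of scponly's own code, the following Python script shows the two ideas Kaleb describes above. confine_path() is the kind of "no cd above home" rule that an sftp-side patch would have to enforce, done on resolved paths so that ".." and symlinks cannot escape; audit_home_layout() checks the permission layout in which a user can reach his own home but cannot list or enter other people's. The function names, the constructed directory tree (alice, bob, alice2) and the deliberate mistake in it are all hypothetical.

```python
"""Added example (not from scponly or this thread): two defensive checks the
discussion implies.  confine_path() is the kind of 'no cd above home' rule an
sftp-side patch would need, done on resolved paths so '..' and symlinks cannot
escape; audit_home_layout() checks the permission layout in which a user can
reach his own home but not list or enter other people's.  All function names
and the constructed directory tree are hypothetical."""
import os
import stat
import tempfile
from typing import Dict, List, Optional


def confine_path(home: str, requested: str) -> Optional[str]:
    """Return the resolved form of `requested` if it stays inside `home`,
    otherwise None.  Relative paths are taken relative to `home`.  Resolving
    with realpath before comparing defeats '..' components and symlinks that
    point outside; commonpath avoids the '/home/alice' vs '/home/alice2'
    string-prefix mistake."""
    real_home = os.path.realpath(home)
    candidate = requested if os.path.isabs(requested) else os.path.join(real_home, requested)
    real = os.path.realpath(candidate)
    try:
        inside = os.path.commonpath([real_home, real]) == real_home
    except ValueError:  # only raised for mixed absolute/relative input; kept for safety
        return None
    return real if inside else None


def audit_home_layout(home_root: str) -> List[str]:
    """Report deviations from the layout Kaleb describes: the parent of the
    home directories should be traversable (x) but not listable (r) by
    'other', and each home directory should grant 'other' nothing."""
    findings: List[str] = []
    root_mode = stat.S_IMODE(os.stat(home_root).st_mode)
    if root_mode & stat.S_IROTH:
        findings.append(f"{home_root}: world-readable, so users can list everyone's home")
    if not root_mode & stat.S_IXOTH:
        findings.append(f"{home_root}: not world-traversable, so users cannot reach their own home")
    for name in sorted(os.listdir(home_root)):
        path = os.path.join(home_root, name)
        if not os.path.isdir(path) or os.path.islink(path):
            continue
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if mode & stat.S_IRWXO:
            findings.append(f"{path}: mode {mode:04o} grants access to other users")
    return findings


def build_demo_tree() -> str:
    """Construct a throwaway tree (hypothetical data): root/{alice,bob,alice2};
    alice has an 'uploads' subdirectory and a symlink 'escape' pointing at
    bob's home.  alice2 is deliberately left world-readable so the audit has
    something to report."""
    root = tempfile.mkdtemp(prefix="scponly-demo-")
    for name in ("alice", "bob", "alice2"):
        os.mkdir(os.path.join(root, name))
    alice = os.path.join(root, "alice")
    os.mkdir(os.path.join(alice, "uploads"))
    os.symlink(os.path.join(root, "bob"), os.path.join(alice, "escape"))
    os.chmod(root, 0o711)          # traversable, not listable, by others
    os.chmod(alice, 0o700)
    os.chmod(os.path.join(root, "bob"), 0o700)
    os.chmod(os.path.join(root, "alice2"), 0o755)  # the mistake the audit should catch
    return root


def demo() -> Dict[str, object]:
    """Run both checks against the constructed tree and return the outcomes."""
    root = build_demo_tree()
    alice = os.path.join(root, "alice")
    return {
        "home_itself": confine_path(alice, ".") is not None,
        "subdir": confine_path(alice, "uploads") is not None,
        "dotdot": confine_path(alice, "../bob") is None,
        "symlink_escape": confine_path(alice, "escape") is None,
        "absolute_outside": confine_path(alice, "/") is None,
        "prefix_trap": confine_path(alice, os.path.join(root, "alice2")) is None,
        "audit_findings": audit_home_layout(root),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of resolving both sides with realpath before comparing is the one Kaleb makes implicitly: a check on the literal string the client sent is not enough, because ".." and symlinks inside the home directory change where the path actually lands. The audit mirrors the permissions half of his answer; a 0711 parent lets each user pass through to his own home without being able to enumerate the others, and a 0700 home keeps everyone else out even once they know the name.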