From ylebihan at gmail.com Sun Apr 2 13:24:42 2006
From: ylebihan at gmail.com (YLB)
Date: Sun Apr 2 13:24:52 2006
Subject: [scponly] Re: Still strange things with scp in chroot... :-|
In-Reply-To: <7c263b6d0603301243x721c3338xcb3c99b460ab4412@mail.gmail.com>
References: <7c263b6d0603301243x721c3338xcb3c99b460ab4412@mail.gmail.com>
Message-ID: <7c263b6d0604021024l5839e801n3e819e65db51f9cd@mail.gmail.com>

Hi! :)

Nobody has a clue?... I'm still looking for the solution, but no idea.

Only one question: the scp binary in the chrooted directory is supposed to be
the same as in the normal system, isn't it? Or is it like the "groups" binary,
which is a special one for the jail? Because at this time, I only used the
/usr/bin/scp to put into the chrooted directory (/home/testuser/usr/bin/scp)...

Cheers,

YLB.

P.S.: btw, the error message using WinSCP is [badly translated by myself ;o)]
"Unable to start SCP transfer. Please check that SCP is well installed on the
server and that it is in the PATH. You can also use SFTP rather than SCP.
Command failed with error code 255." :(

2006/3/30, YLB :
> Hello everybody! :-)
>
> Well, there's still one thing I don't understand. I'm now able to
> connect to my server's chrooted account using scp. I get the result of
> "ls -la" with no matter.
> But when I try to transfer or get a file, scp doesn't work! The
> binary "scp" is well put in the directory {chroot}/usr/bin/ and the
> system finds it.
>
> -------------------------------------
>
> Using debug, I get this in the syslog:
>
> Mar 30 20:18:11 server scponly[11572]: running: /usr/bin/scp -t .
> (username: testuser(517), IP/port: xxx.yyy.zzz.uu 55717 22)
>
> -------------------------------------
>
> So, it's running.
> But on the client machine, I get this:
>
> [me@other-server me]$ scp file-to-test.txt testuser@server.domain.com:
> Password:
> unknown user 517
> lost connection
> [me@other-server me]$
>
> -------------------------------------
>
> I thought of a problem with passwd / group files but I don't understand:
>
> Without chroot:
>
> [root@server root]# cat /etc/passwd | grep testuser
> testuser:x:517:517::/home/testuser//testuser:/usr/local/sbin/scponlyc
> [root@server root]# cat /etc/group | grep testuser
> testuser:x:517:
> [root@server root]#
>
> -------------------------------------
>
> In chrooted directory:
>
> [root@server root]# cat /home/testuser/etc/passwd | grep testuser
> testuser:x:517:517::/testuser:/usr/local/sbin/scponlyc
> [root@server root]# cat /home/testuser/etc/group | grep testuser
> testuser:x:517:
> [root@server root]#
>
> -------------------------------------
>
> Do you have any idea? I've been working on that a long time and I'm
> exhausted... I'm going to sleep now, but I would be very happy if someone
> could help me!! ;)
>
> Cheers,
>
> YLB.

From glm at cyborgspiders.com Mon Apr 3 16:37:25 2006
From: glm at cyborgspiders.com (Gregory L. Magnusson)
Date: Mon Apr 3 16:37:47 2006
Subject: [scponly] scponly make jail scripting advice
In-Reply-To: <200603251700.k2PH0vaF064548@drizzle.sasknow.net>
References: <200603251700.k2PH0vaF064548@drizzle.sasknow.net>
Message-ID: <44318785.40306@cyborgspiders.com>

Hello,

This is my first post to this board and I hope this is the appropriate place
for this question / solution. I have installed scponly-4.6 on OpenBSD 3.8 with
Apache 1.3.9. I have scponly chrooted inside Apache, which is also chrooted on
OpenBSD by default. This is an ideal setup for my purposes. Nice work! I
looked for this solution for a long time.

My situation

//var/www/users//username/incoming

My issue.

On a build using make jail, the user's chrooted home directory is root owned
and world readable from inside the Apache tree. That is fine.
The issue is that this home directory is a part of Apache and can be viewed
over the web.

I work around this by including a php redirect script named index.php in each
of the created folders and subfolders.

echo "scponly-redirection <?php header(\"location: /~\$targetdir/\$incoming/\"); ?>" > index.php

I put this index.php file in every directory created by the make jail script
(substituting the username and incoming directory with real values) to prevent
outside access and to redirect requests to the user's public directory in a
straightforward manner.

bin
etc
usr
usr/bin
usr/lib
usr/libexec
incoming (optional)

My question as a scripting newbie is this. I would like to generate this
index.php file in each folder with the make jail command. Where, and how,
would I add the above script creation to the command make jail to generate an
index.php file in each folder?

From kpederson at mail.ewu.edu Mon Apr 3 17:13:47 2006
From: kpederson at mail.ewu.edu (Kaleb Pederson)
Date: Mon Apr 3 17:14:00 2006
Subject: [scponly] scponly make jail scripting advice
In-Reply-To: <44318785.40306@cyborgspiders.com>
References: <200603251700.k2PH0vaF064548@drizzle.sasknow.net> <44318785.40306@cyborgspiders.com>
Message-ID: <200604031413.51382.kpederson@mail.ewu.edu>

You would be better off using mod-rewrite to do this. It can handle it
dynamically for any user if you used regex based find/replace. It would
probably look something like this:

RewriteRule ^/~([^/]+)[/]?$ /~$1/incoming/ [R]

That said... I don't know off the top of my head where you would put the code
to do this as I use a different methodology to create the chroots.

Thanks.

--Kaleb

On Monday 03 April 2006 1:37 pm, Gregory L. Magnusson wrote:
> Hello,
>
> This is my first post to this board and I hope this is the appropriate
> place for this question / solution. I have installed scponly-4.6 on
> OpenBSD 3.8 with Apache 1.3.9. I have scponly chrooted inside Apache,
> which is also chrooted on OpenBSD by default. This is an ideal setup for
> my purposes. Nice work!
> I looked for this solution for a long time.
>
> My situation
> //var/www/users//username/incoming
>
> My issue.
>
> On a build using make jail, the user's chrooted home directory is root
> owned and world readable from inside the Apache tree. That is fine. The
> issue is that this home directory is a part of Apache and can be viewed
> over the web.
>
> I work around this by including a php redirect script named index.php in
> each of the created folders and subfolders.
>
> echo "scponly-redirection <?php header(\"location: /~\$targetdir/\$incoming/\"); ?>" > index.php
>
> I put this index.php file in every directory created by the make jail
> script (substituting the username and incoming directory with real
> values) to prevent outside access and to redirect requests to the user's
> public directory in a straightforward manner.
>
> bin
> etc
> usr
> usr/bin
> usr/lib
> usr/libexec
> incoming (optional)
>
> My question as a scripting newbie is this. I would like to generate this
> index.php file in each folder with the make jail command. Where, and
> how, would I add the above script creation to the command make jail to
> generate an index.php file in each folder?
>
> _______________________________________________
> scponly mailing list
> scponly@lists.ccs.neu.edu
> https://lists.ccs.neu.edu/bin/listinfo/scponly
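One caveat on the index.php approach: an index file only changes what Apache serves when the directory itself is requested (that is all DirectoryIndex does). A request for a file inside the jail, such as its etc/passwd or anything under usr/, is still served if access control allows it, and a user who can upload into a served directory can also upload an .htaccess file wherever AllowOverride permits one. The Apache 1.3 fragment below is an added example, not code from the original post or from scponly: it denies everything under the jails, re-opens only each user's incoming directory, and keeps Kaleb's redirect for the jail root. The path /var/www/users follows Gregory's layout; with OpenBSD's chrooted httpd it has to be written as the path Apache uses when it reads httpd.conf, which is an assumption to check locally.

```apache
# Added example, not from the original post or from scponly. Apache 1.3.
# Path assumes Gregory's layout /var/www/users/<user>/...; under a chrooted
# httpd use whatever path Apache resolves httpd.conf against.

# Default for every jail: nothing is served, no directory indexes, and no
# .htaccess is honoured, so an uploaded .htaccess cannot re-enable anything.
<Directory /var/www/users>
    Options None
    AllowOverride None
    Order deny,allow
    Deny from all
</Directory>

# Re-open only each user's upload directory; everything else in the jail
# (bin/, etc/, usr/, the .ssh directory) stays a 403.
<DirectoryMatch "^/var/www/users/[^/]+/incoming">
    Order allow,deny
    Allow from all
</DirectoryMatch>

# Send a request for a user's top level to the upload directory instead of
# a 403, as Kaleb's RewriteRule does (mod_rewrite must be loaded).
RewriteEngine On
RewriteRule ^/~([^/]+)[/]?$ /~$1/incoming/ [R]
```

Regex `<DirectoryMatch>` sections are merged after all plain `<Directory>` sections, so the Allow in the second block overrides the Deny of the first only for the incoming directories; the inherited `AllowOverride None` still applies there.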
From benjamin at pythagoras.no-ip.org Mon Apr 3 19:54:15 2006
From: benjamin at pythagoras.no-ip.org (Benjamin Donnachie)
Date: Mon Apr 3 19:54:20 2006
Subject: [scponly] scponly make jail scripting advice
In-Reply-To: <44318785.40306@cyborgspiders.com>
References: <200603251700.k2PH0vaF064548@drizzle.sasknow.net> <44318785.40306@cyborgspiders.com>
Message-ID: <4431B5A7.9050006@pythagoras.no-ip.org>

Gregory L. Magnusson wrote:
> My question as a scripting newbie is this. I would like to generate this
> index.php file in each folder with the make jail command. Where, and
> how, would I add the above script creation to the command make jail to
> generate an index.php file in each folder?

As you've set up the home directories in /etc/passwd (otherwise scponly would
fail), why not use the apache userdir module? For example, in httpd.conf:

#
# UserDir is disabled by default since it can confirm the presence
# of a username on the system (depending on home directory
# permissions).
#
#UserDir disable

#
# To enable requests to /~user/ to serve the user's public_html
# directory, remove the "UserDir disable" line above, and uncomment
# the following line instead:
#
#UserDir public_html

UserDir incoming
UserDir disable root

Ben

From lists at danielwebb.us Wed Apr 5 00:28:56 2006
From: lists at danielwebb.us (Daniel Webb)
Date: Wed Apr 5 00:29:01 2006
Subject: [scponly] danger of allowing -e in rsync ?
In-Reply-To: <20060325175958.GC17769@lupe-christoph.de>
References: <20060323191748.GF11143@drivebymail.com> <20060324065150.GA3706@sven.home.hoaxter.de> <20060325175958.GC17769@lupe-christoph.de>
Message-ID: <20060405042856.GD17335@drivebymail.com>

On Sat, Mar 25, 2006 at 06:59:58PM +0100, Lupe Christoph wrote:
> On Friday, 2006-03-24 at 07:51:50 +0100, Sven Hoexter wrote:
>
> > Well from time to time someone has found a way to break out of a chroot.
> > So it might be possible that someone uploads his personal break-out-of-chroot
> > program and executes it and is out.
>
> The cracker needs to be able to exploit a vulnerability to become root.
> POSIX prescribes that root *must* be able to escape a chroot.

That's what I thought. So a scponly configure option for no command
limitations in the chroot case would be a problem assuming an attacker has a
local root exploit using the access they have in the chroot only. I'd think
that's an acceptable risk for a lot of applications.

From grover1711 at gmail.com Thu Apr 6 04:38:15 2006
From: grover1711 at gmail.com (ankush grover)
Date: Thu Apr 6 04:38:20 2006
Subject: [scponly] how to chroot some users with scponly
Message-ID: <5f638b360604060138r522e82edsdd036e7850036eb0@mail.gmail.com>

Hey friends,

I want to put some users in a chroot jail and permit them only sftp and scp
commands.

I downloaded the rpm of scponly latest version 4.6 and added one user with its
shell as /usr/bin/scponly.

I cannot log in through the user and every time I get

WinSCP: this is end-of-file:0

But the problem is that when I logged in through gftp using the SSH2 protocol
the user was able to move around, meaning he was able to go into the different
directories like /var/ /opt etc.

What I want is to restrict some users to their home directories and give them
only scp and sftp commands?

Please help me in configuring such a scenario.

I am using centos4.0 and want to implement the same on Fedora Core 3 also.
Thanks & Regards

Ankush Grover

From Paul.Hyder at noaa.gov Thu Apr 6 11:30:44 2006
From: Paul.Hyder at noaa.gov (Paul Hyder)
Date: Thu Apr 6 11:30:49 2006
Subject: [scponly] how to chroot some users with scponly
In-Reply-To: <5f638b360604060138r522e82edsdd036e7850036eb0@mail.gmail.com>
References: <5f638b360604060138r522e82edsdd036e7850036eb0@mail.gmail.com>
Message-ID: <44353424.2010208@noaa.gov>

Start with "configure --help"

It sounds like you want to run configure with at least:
  --enable-chrooted-binary
  --enable-scp-compat
  --enable-winscp-compat
  (maybe --disable-gftp-compat ?)
There may be other options you want.

The chrooted shell in the top level password file will then be scponlyc.

Paul Hyder
NOAA Earth System Research Laboratory, Global Systems Division
Boulder, CO

ankush grover wrote:
> Hey friends,
>
> I want to put some users in a chroot jail and permit them only sftp and
> scp commands.
>
> I downloaded the rpm of scponly latest version 4.6 and added one user with its
> shell as /usr/bin/scponly.
>
> I cannot log in through the user and every time I get
>
> WinSCP: this is end-of-file:0
>
> But the problem is that when I logged in through gftp using the SSH2 protocol
> the user was able to move around, meaning he was able to go into the different
> directories like /var/ /opt etc.
>
> What I want is to restrict some users to their home directories and give
> them only scp and sftp commands?
>
> Please help me in configuring such a scenario.
>
> I am using centos4.0 and want to implement the same on Fedora Core 3 also.
>
> Thanks & Regards
>
> Ankush Grover

From kpederson at mail.ewu.edu Thu Apr 6 11:31:29 2006
From: kpederson at mail.ewu.edu (Kaleb Pederson)
Date: Thu Apr 6 11:31:42 2006
Subject: [scponly] danger of allowing -e in rsync ?
In-Reply-To: <20060405042856.GD17335@drivebymail.com>
References: <20060325175958.GC17769@lupe-christoph.de> <20060405042856.GD17335@drivebymail.com>
Message-ID: <200604060831.34672.kpederson@mail.ewu.edu>

On Tuesday 04 April 2006 9:28 pm, Daniel Webb wrote:
> On Sat, Mar 25, 2006 at 06:59:58PM +0100, Lupe Christoph wrote:
> > On Friday, 2006-03-24 at 07:51:50 +0100, Sven Hoexter wrote:
> > > Well from time to time someone has found a way to break out of a
> > > chroot. So it might be possible that someone uploads his personal
> > > break-out-of-chroot program and executes it and is out.
> >
> > The cracker needs to be able to exploit a vulnerability to become root.
> > POSIX prescribes that root *must* be able to escape a chroot.
>
> That's what I thought. So a scponly configure option for no command
> limitations in the chroot case would be a problem assuming an attacker has
> a local root exploit using the access they have in the chroot only. I'd
> think that's an acceptable risk for a lot of applications.

To me, it's still a huge risk -- the user has the ability to execute *any*
program they want. For example, what if they statically compile a daemon and
then upload it to the system. They could use it to scan the internal network,
etc. etc. It's a risk I would never take.

Also, if they can execute any program they want, if there is ever an exploit
on any software on the system, including the kernel, it's likely they could
take advantage of the exploit and gain too much access.

Just my thoughts.
--Kaleb

From ylebihan at gmail.com Thu Apr 6 12:33:53 2006
From: ylebihan at gmail.com (YLB)
Date: Thu Apr 6 12:34:00 2006
Subject: [scponly] how to chroot some users with scponly
In-Reply-To: <44353424.2010208@noaa.gov>
References: <5f638b360604060138r522e82edsdd036e7850036eb0@mail.gmail.com> <44353424.2010208@noaa.gov>
Message-ID: <7c263b6d0604060933m7729cf71i1d037801825aa49f@mail.gmail.com>

Hi! :)

2006/4/6, Paul Hyder :
> It sounds like you want to run configure with at least:
> --enable-chrooted-binary
> --enable-scp-compat

:-( don't remind me of this option, which is the most irritating one! :-(
With it, or without it, I'm always unable to use scp transfers... (the
connection is good, "ls" and other functionalities are working well, but the
"scp" binary doesn't run :-|)

Cheers,

YLB.

From devnullinbox at yahoo.com Fri Apr 7 17:46:44 2006
From: devnullinbox at yahoo.com (jimmy ninefingers)
Date: Fri Apr 7 17:46:50 2006
Subject: [scponly] scponly site temporarily down
Message-ID: <20060407214644.71150.qmail@web53903.mail.yahoo.com>

Hey all,

Joe here. I just wanted to let everyone know that the main site is down due
to a DSL bungle, but things should be back up monday.

The mailing list should be fine.

files are still available at https://sourceforge.net/projects/scponly/ during
the outage.

joe
From joe at sublimation.org Sat Apr 8 21:18:04 2006
From: joe at sublimation.org (wby oblyr)
Date: Sat Apr 8 21:21:23 2006
Subject: [scponly] scponly site temporarily down
In-Reply-To: <20060407214644.71150.qmail@web53903.mail.yahoo.com>
References: <20060407214644.71150.qmail@web53903.mail.yahoo.com>
Message-ID: <20060409011804.GA1663@paragon>

Everything is back online now.

joe

jimmy ninefingers wrote this message on Fri, Apr 07, 2006 at 14:46 -0700:
> Hey all,
>
> Joe here. I just wanted to let everyone know that the main site is down due
> to a DSL bungle, but things should be back up monday.
>
> The mailing list should be fine.
>
> files are still available at https://sourceforge.net/projects/scponly/
> during the outage.
>
> joe

From adam_jh at hotmail.com Tue Apr 18 06:56:16 2006
From: adam_jh at hotmail.com (Adam Hamer)
Date: Tue Apr 18 06:56:30 2006
Subject: [scponly] No space left on device
Message-ID:

I have recently migrated servers and followed my previous instructions on
scponly.

This time, when using scponly I get "No space left". The permissions set on
the directory are fine, and the login process appears normal. It's just when
I come to write something in the directory. I have looked at the help pages
for an hour or so, but to no avail. Can anyone point me in the right
direction?

Thanks for any help,
adam

ERROR
Command 'mkdir "s"'
failed with return code 1 and error message
/bin/mkdir: cannot create directory `s': No space left on device.

SYSTEM
debian sarge, standard install.

INSTALLATION
apt-get install scponly
wizard...
yes to chroot option
cd /usr/share/doc/scponly/setup_chroot
gzip -d setup_chroot.sh.gz
copy setup_chroot.sh to windows computer, into notepad++ and Format - Convert
to UNIX, copy back
cd /usr/share/doc/scponly/setup_chroot
sh ./setup_chroot.sh
in the winscp - take off the 'lookup user groups' in the preferences - there's
a solution to avoiding this

From kpederson at mail.ewu.edu Tue Apr 18 10:19:30 2006
From: kpederson at mail.ewu.edu (Kaleb Pederson)
Date: Tue Apr 18 10:19:48 2006
Subject: [scponly] No space left on device
In-Reply-To:
References:
Message-ID: <200604180719.37002.kpederson@mail.ewu.edu>

Check two things:

1) That you have enough free space (df)
2) That you have enough free inode space (df -i)

--Kaleb

On Tuesday 18 April 2006 3:56 am, Adam Hamer wrote:
> I have recently migrated servers and followed my previous
> instructions on scponly.
>
> This time, when using scponly I get "No space left". The permissions set on
> the directory are fine, and the login process appears normal. It's just when
> I come to write something in the directory. I have looked at the help pages
> for an hour or so, but to no avail. Can anyone point me in the right
> direction?
>
> Thanks for any help,
> adam
>
> ERROR
> Command 'mkdir "s"'
> failed with return code 1 and error message
> /bin/mkdir: cannot create directory `s': No space left on device.
>
> SYSTEM
> debian sarge, standard install.
>
> INSTALLATION
> apt-get install scponly
> wizard...
> yes to chroot option
> cd /usr/share/doc/scponly/setup_chroot
> gzip -d setup_chroot.sh.gz
> copy setup_chroot.sh to windows computer, into notepad++ and Format -
> Convert to UNIX, copy back
> cd /usr/share/doc/scponly/setup_chroot
> sh ./setup_chroot.sh
> in the winscp - take off the 'lookup user groups' in the preferences -
> there's a solution to avoiding this

From kl at os.lv Wed Apr 26 14:21:33 2006
From: kl at os.lv (Casper)
Date: Wed Apr 26 14:21:41 2006
Subject: [scponly] chroot user to home directory
Message-ID: <444FBA2D.7010603@os.lv>

Hi,

I wanted to make one user with only sftp/scp available and that user is
chrooted to his home directory.
I'm using a freebsd 6.0 jail and compiled scponly-4.6 with:

./configure --prefix=/usr/scponly --enable-chrooted-binary && make && make install

with "make jail" I created the user and chroot. But when I try to login:

root@server# sftp user@localhost
Connecting to localhost...
Password:
Connection closed

Logs:

20:42:17 server sshd[2119]: error: PAM: authentication error for user from server
20:42:18 server sshd[2119]: Accepted keyboard-interactive/pam for user from 172.1.1.1 port 57019 ssh2
20:42:18 server sshd[2123]: _secure_path: cannot stat /data//.login_conf: Permission denied
20:42:18 server sshd[2123]: subsystem request for sftp
20:42:18 server sshd[2124]: _secure_path: cannot stat /data//.login_conf: Permission denied
20:42:18 server scponly[2124]: chrooted binary in place, will chroot()
20:42:18 server scponly[2124]: running: /usr/libexec/sftp-server (username: user(1001), IP/port: 172.1.1.1 57019 22)
20:42:18 server scponly[2124]: failed: /usr/libexec/sftp-server with error Permission denied(13) (username: user(1001), IP/port: 172.1.1.1 57019 22)

What is with the .login_conf permissions? I created the file and chmod 777
permissions to test it, nothing changes...
And with scponly debuglevel 1 I did not find more information about what the
sftp-server permission problems are...

Can anybody comment on how to chroot a user with scponly? The chroot seems to
have all files and sftp-server working...

thanks,
Casper

From koch at uselinux.us Wed Apr 26 21:35:47 2006
From: koch at uselinux.us (Scott Koch)
Date: Wed Apr 26 21:35:59 2006
Subject: [scponly] chroot problem on Redhat AS3
Message-ID: <20060427013547.GB19123@uselinux.us>

I have scponly installed and set up to be used on my system. However it seems
to be having some trouble chrooting. For some reason the ssh process is
changing uids to the testuser before it does the chroot. I know that chrooting
does not work for non-uid-0 users, but I am not sure why it is changing users
*before* trying to chroot. Any help is appreciated.

-Scott

/etc/passwd entry:

testuser:x:513:513:FTP test user:/testchroot//pub:/bin/scponlyc

This is the message I get in my logs:

Apr 26 21:28:09 myhost scponly[4834]: chrooted binary in place, will chroot()
Apr 26 21:28:09 myhost scponly[4834]: 3 arguments in total.
Apr 26 21:28:09 myhost scponly[4834]: arg 0 is scponlyc
Apr 26 21:28:09 myhost scponly[4834]: arg 1 is -c
Apr 26 21:28:09 myhost scponly[4834]: arg 2 is /usr/libexec/openssh/sftp-server
Apr 26 21:28:09 myhost scponly[4834]: opened log at LOG_AUTHPRIV, opts 0x00000009
Apr 26 21:28:09 myhost scponly[4834]: retrieved home directory of "/testchroot//pub" for user "testuser"
Apr 26 21:28:09 myhost scponly[4834]: chrooting to dir: "/testchroot"
Apr 26 21:28:09 myhost scponly[4834]: chroot: Operation not permitted
Apr 26 21:28:09 myhost scponly[4834]: couldn't chroot to /testchroot [username: testuser(513), IP/port: ::ffff:xxx.xxx.xxx.xxx 38295 15000]

root# ls -la /testchroot
total 96
drwxr-xr-x   7 root testuser 4096 Apr 26 19:27 .
drwxr-xr-x  29 root root     4096 Apr 26 20:12 ..
-rw-r--r--   1 root testuser  304 Apr 23 00:59 .bash_logout
-rw-r--r--   1 root testuser  191 Apr 23 00:59 .bash_profile
-rw-r--r--   1 root testuser  124 Apr 23 00:59 .bashrc
drwxr-xr-x   2 root testuser 4096 Apr 26 20:23 bin
-rw-r--r--   1 root testuser  383 Apr 23 00:59 .emacs
drwxr-xr-x   2 root testuser 4096 Apr 26 19:31 etc
-rw-r--r--   1 root testuser  120 Apr 23 00:59 .gtkrc
drwxr-xr-x   3 root testuser 4096 Apr 26 19:54 lib
drwxr-xr-x   2 root testuser 4096 Apr 26 19:27 pub
drwxr-xr-x   5 root testuser 4096 Apr 26 19:22 usr

root# ls -la /bin/scponlyc
-rwsr-xr-x 1 root root 30099 Apr 26 19:15 /bin/scponlyc

--
==============================================
Scott Koch
koch@uselinux.us
http://www.uselinux.us
==============================================

From koch at uselinux.us Wed Apr 26 22:25:41 2006
From: koch at uselinux.us (Scott Koch)
Date: Wed Apr 26 22:25:48 2006
Subject: [scponly] Re: chroot problem on Redhat AS3 [Solved]
In-Reply-To: <20060427013547.GB19123@uselinux.us>
References: <20060427013547.GB19123@uselinux.us>
Message-ID: <20060427022541.GE19123@uselinux.us>

Well, I was trying not to bother the current scponly setup while I was
testing this, so the test below was on another sshd server that I was
running on port 15000 on the same machine. I guess it didn't like something
about it, because when I tried it on my main sshd server it worked fine. Not
sure why, but it works now and I am happy.

Thanks to everyone who has put time into this project. It is a big help.

-Scott

On Wed, Apr 26, 2006 at 09:35:47PM -0400, Scott Koch wrote:
> I have scponly installed and set up to be used on my system. However
> it seems to be having some trouble chrooting. For some reason the ssh
> process is changing uids to the testuser before it does the chroot. I
> know that chrooting does not work for non-uid-0 users, but I am not sure
> why it is changing users *before* trying to chroot. Any help is
> appreciated.
>
> -Scott
>
> /etc/passwd entry:
>
> testuser:x:513:513:FTP test user:/testchroot//pub:/bin/scponlyc
>
> This is the message I get in my logs:
>
> Apr 26 21:28:09 myhost scponly[4834]: chrooted binary in place, will
> chroot()
> Apr 26 21:28:09 myhost scponly[4834]: 3 arguments in total.
> Apr 26 21:28:09 myhost scponly[4834]: arg 0 is scponlyc
> Apr 26 21:28:09 myhost scponly[4834]: arg 1 is -c
> Apr 26 21:28:09 myhost scponly[4834]: arg 2 is
> /usr/libexec/openssh/sftp-server
> Apr 26 21:28:09 myhost scponly[4834]: opened log at LOG_AUTHPRIV,
> opts 0x00000009
> Apr 26 21:28:09 myhost scponly[4834]: retrieved home directory of
> "/testchroot//pub" for user "testuser"
> Apr 26 21:28:09 myhost scponly[4834]: chrooting to dir: "/testchroot"
> Apr 26 21:28:09 myhost scponly[4834]: chroot: Operation not permitted
> Apr 26 21:28:09 myhost scponly[4834]: couldn't chroot to /testchroot
> [username: testuser(513), IP/port: ::ffff:xxx.xxx.xxx.xxx 38295 15000]
>
> root# ls -la /testchroot
> total 96
> drwxr-xr-x   7 root testuser 4096 Apr 26 19:27 .
> drwxr-xr-x  29 root root     4096 Apr 26 20:12 ..
> -rw-r--r--   1 root testuser  304 Apr 23 00:59 .bash_logout
> -rw-r--r--   1 root testuser  191 Apr 23 00:59 .bash_profile
> -rw-r--r--   1 root testuser  124 Apr 23 00:59 .bashrc
> drwxr-xr-x   2 root testuser 4096 Apr 26 20:23 bin
> -rw-r--r--   1 root testuser  383 Apr 23 00:59 .emacs
> drwxr-xr-x   2 root testuser 4096 Apr 26 19:31 etc
> -rw-r--r--   1 root testuser  120 Apr 23 00:59 .gtkrc
> drwxr-xr-x   3 root testuser 4096 Apr 26 19:54 lib
> drwxr-xr-x   2 root testuser 4096 Apr 26 19:27 pub
> drwxr-xr-x   5 root testuser 4096 Apr 26 19:22 usr
>
> root# ls -la /bin/scponlyc
> -rwsr-xr-x 1 root root 30099 Apr 26 19:15 /bin/scponlyc
>
> --
> ==============================================
> Scott Koch
> koch@uselinux.us
> http://www.uselinux.us
> ==============================================

--
==============================================
Scott Koch
koch@uselinux.us
http://www.uselinux.us
==============================================

From rushani at ruby.dti.ne.jp Thu Apr 27 06:44:36 2006
From: rushani at ruby.dti.ne.jp (Hideyuki KURASHINA)
Date: Thu Apr 27 06:44:50 2006
Subject: [scponly] chroot user to home directory
In-Reply-To: <444FBA2D.7010603@os.lv>
References: <444FBA2D.7010603@os.lv>
Message-ID: <20060427.194436.33328605.rushani@ruby.dti.ne.jp>

Hi,

>>> On Wed, 26 Apr 2006 21:21:33 +0300, Casper said:

> I wanted to make one user with only sftp/scp available and that user
> is chrooted to his home directory.
> I'm using a freebsd 6.0 jail and compiled scponly-4.6 with:
> ./configure --prefix=/usr/scponly --enable-chrooted-binary && make &&
> make install
> with "make jail" I created the user and chroot.

Could you please let us know how to create your user and chroot?
-- rushani

From kl at os.lv Thu Apr 27 09:31:59 2006
From: kl at os.lv (Casper)
Date: Thu Apr 27 09:32:14 2006
Subject: [scponly] chroot user to home directory
In-Reply-To: <20060427.194436.33328605.rushani@ruby.dti.ne.jp>
References: <444FBA2D.7010603@os.lv> <20060427.194436.33328605.rushani@ruby.dti.ne.jp>
Message-ID: <4450C7CF.7070406@os.lv>

root@server# make jail
/usr/bin/install -c -d /usr/scponly/bin
/usr/bin/install -c -d /usr/scponly/man/man8
/usr/bin/install -c -d /usr/scponly/etc/scponly
/usr/bin/install -c -o 0 -g 0 scponly /usr/scponly/bin/scponly
/usr/bin/install -c -o 0 -g 0 -m 0644 scponly.8 /usr/scponly/man/man8/scponly.8
/usr/bin/install -c -o 0 -g 0 -m 0644 debuglevel /usr/scponly/etc/scponly/debuglevel
if test "xscponlyc" != "x"; then /usr/bin/install -c -d /usr/scponly/sbin; rm -f /usr/scponly/sbin/scponlyc; cp scponly scponlyc; /usr/bin/install -c -o 0 -g 0 -m 4755 scponlyc /usr/scponly/sbin/scponlyc; fi
chmod u+x ./setup_chroot.sh
./setup_chroot.sh

Next we need to set the home directory for this scponly user.
please note that the user's home directory MUST NOT be writeable
by the scponly user. this is important so that the scponly user
cannot subvert the .ssh configuration parameters.

for this reason, a writeable subdirectory will be created that
the scponly user can write into.

-en Username to install [scponly] user
-en home directory you wish to set for this user [/home/user] /data/
-en name of the writeable subdirectory [incoming]
creating /data//incoming directory for uploading files

Your platform (FreeBSD) does not have a platform specific setup script.
This install script will attempt a best guess.
If you perform customizations, please consider sending me your changes.
Look to the templates in build_extras/arch.
- joe at sublimation dot org

please set the password for user:
Changing local password for user:
New Password:
Retype New Password:

if you experience a warning with winscp regarding groups, please install
the provided hacked out fake groups program into your chroot, like so:
cp groups /data//bin/groups

thats all.

Hideyuki KURASHINA wrote:
> Hi,
>
>>>> On Wed, 26 Apr 2006 21:21:33 +0300, Casper said:
>
>> I wanted to make one user with only sftp/scp available and that user
>> is chrooted to his home directory.
>> I'm using a freebsd 6.0 jail and compiled scponly-4.6 with:
>> ./configure --prefix=/usr/scponly --enable-chrooted-binary && make &&
>> make install
>> with "make jail" I created the user and chroot.
>
> Could you please let us know how to create your user and chroot?
>
> -- rushani
>
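The failures reported in this thread (YLB's "unknown user 517" from scp, Casper's "Permission denied" on /data//.login_conf and on the exec of sftp-server, Scott's "chroot: Operation not permitted", Adam's "No space left on device") can all be checked statically against the jail before the first login. The script below is an added example, not part of scponly and not the setup_chroot.sh whose output is shown above. It takes the user's passwd line and splits the home field at the first "//" exactly as the scponly log above shows ("/testchroot//pub" becomes a chroot to /testchroot with the user landing in /pub); a home field without "//" is treated as the jail itself, which is an assumption. It assumes the jail is root-owned, so the scponly user is in the "other" permission class, and it only reads mode bits with ls, so it works on Linux and the BSDs without stat(1). The "unknown user" check rests on a fact about OpenSSH's scp: it calls getpwuid() for its own uid at startup, which inside the jail means the jail's own etc/passwd (and, with glibc, etc/nsswitch.conf plus libnss_files.so.*), and it aborts with "unknown user <uid>" when that lookup fails. The CHECK_TOP variable is an invented knob that stops the parent-directory walk early; leave it unset to walk up to /.

```sh
#!/bin/sh
# check_scponly_jail.sh: static sanity checks for an scponlyc chroot, driven
# by the user's passwd entry. Added example, not part of scponly. It only
# looks at files and mode bits, so run it as root before the first login.
#
# Assumptions: the home field is "/jail//home-inside-jail" as in the scponly
# log in this thread ("/testchroot//pub" -> chroot to /testchroot); a field
# without "//" is treated as jail = whole field, home inside = "/". The jail
# is root-owned, so the scponly user falls into the "other" permission class.
# CHECK_TOP (default /) is where the parent-directory walk stops.

jail_root() {                     # "/testchroot//pub" -> /testchroot
    case "$1" in *//*) printf '%s\n' "${1%%//*}" ;; *) printf '%s\n' "$1" ;; esac
}
jail_home() {                     # "/testchroot//pub" -> /pub (path after chroot)
    case "$1" in *//*) printf '/%s\n' "${1#*//}" ;; *) printf '/\n' ;; esac
}
mode_of() { ls -ld "$1" 2>/dev/null | cut -c1-10; }   # drwxr-xr-x, no stat(1) needed

other_can_search() {              # "other" x bit: search a dir / exec a file
    case "$(mode_of "$1")" in ?????????[xt]) return 0 ;; *) return 1 ;; esac
}
not_writable_by_others() {        # no group/other w bit: the user must not be able
    case "$(mode_of "$1")" in     # to drop an .ssh config into the jail root
        ?????w???? | ????????w?) return 1 ;; *) return 0 ;;
    esac
}
is_setuid() {                     # scponlyc must be setuid root to call chroot(2)
    case "$(mode_of "$1")" in ???[sS]??????) return 0 ;; *) return 1 ;; esac
}

# path_searchable PATH [TOP]: every directory from PATH up to (not including)
# TOP carries the "other" search bit. A missing bit on any component is what
# "_secure_path: cannot stat /data//.login_conf: Permission denied" looks like.
path_searchable() {
    p=$1; top=${2:-/}
    while [ "$p" != "$top" ] && [ "$p" != / ]; do
        other_can_search "$p" || { echo "not searchable by others: $p" >&2; return 1; }
        p=$(dirname "$p")
    done
    return 0
}

# binary_ok JAIL PROG: PROG (path as seen inside the jail) exists there and is
# executable by others; scponly's "failed: ... Permission denied(13)" points here.
binary_ok() {
    f="$1$2"
    [ -f "$f" ] || { echo "missing inside jail: $f" >&2; return 1; }
    other_can_search "$f" || { echo "not executable by others: $f" >&2; return 1; }
}

# jail_knows_uid JAIL UID GID: the jail's own etc/passwd and etc/group carry
# the ids. scp calls getpwuid() after the chroot and aborts with "unknown user
# <uid>" when that fails. On glibc the lookup also needs etc/nsswitch.conf and
# libnss_files.so.* inside the jail; that is reported here, not required.
jail_knows_uid() {
    grep -q "^[^:]*:[^:]*:$2:" "$1/etc/passwd" 2>/dev/null ||
        { echo "uid $2 not in $1/etc/passwd" >&2; return 1; }
    grep -q "^[^:]*:[^:]*:$3:" "$1/etc/group" 2>/dev/null ||
        { echo "gid $3 not in $1/etc/group" >&2; return 1; }
    [ -f "$1/etc/nsswitch.conf" ] || echo "note: no $1/etc/nsswitch.conf (glibc needs it)" >&2
}

# check_entry 'passwd line' PROG...: run all checks; exit status 0 when clean.
check_entry() {
    entry=$1; shift
    rest=${entry#*:}; rest=${rest#*:}                  # drop name and password
    uid=${rest%%:*}; rest=${rest#*:}
    gid=${rest%%:*}; rest=${rest#*:}; rest=${rest#*:}  # drop gecos
    home=${rest%%:*}; shell=${rest#*:}
    jail=$(jail_root "$home"); inside=$(jail_home "$home"); ok=0
    printf 'jail %s, home inside jail %s, shell %s\n' "$jail" "$inside" "$shell"
    [ -d "$jail" ] || { echo "jail root missing: $jail" >&2; return 1; }
    is_setuid "$shell" || { echo "not setuid: $shell (chroot will be refused)" >&2; ok=1; }
    echo "owner of $shell: $(ls -ld "$shell" 2>/dev/null | awk '{print $3}') (must be root)"
    not_writable_by_others "$jail" || { echo "jail root writable by group/other: $jail" >&2; ok=1; }
    path_searchable "$jail$inside" "${CHECK_TOP:-/}" || ok=1
    [ -d "$jail$inside" ] || { echo "home inside jail missing: $jail$inside" >&2; ok=1; }
    jail_knows_uid "$jail" "$uid" "$gid" || ok=1
    for prog; do binary_ok "$jail" "$prog" || ok=1; done
    df -P "$jail" 2>/dev/null | tail -1    # "No space left on device" can mean
    df -Pi "$jail" 2>/dev/null | tail -1   # full blocks or full inodes: show both
    return $ok
}

# Usage: sh check_scponly_jail.sh 'testuser:x:513:513:FTP test user:/testchroot//pub:/bin/scponlyc' /usr/libexec/openssh/sftp-server
if [ $# -gt 0 ]; then check_entry "$@"; fi
```

Run it with the passwd line from getent and the program paths scponly logs as "running:" (sftp-server, and /usr/bin/scp if --enable-scp-compat is used). Shared libraries are deliberately not checked, since ldd output is platform specific; a binary that passes here but still dies at exec is usually missing a library under the jail's lib/ or usr/lib/.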