[joe@sublimation.org: Re: [scponly] when do I, and when do I not, use the "/./" syntax ?]

Paul Hyder Paul.Hyder at noaa.gov
Tue Jan 24 11:35:15 EST 2006


Ensel Sharon wrote:
> 
> On Tue, 20 Dec 2005, wby oblyr wrote:
> 
> 
>>I think you guys mean the "//" syntax.
>>
>>And yes, I'm painfully aware of how inadequate the documentation is around this feature.  Basically, the gist is 
>>this:
>>
>>Users of the scponlyc shell must not be able to modify their home directories, lest they be able to subvert the 
>>restricted shell by modifying things like ssh configuration.  Many people complained that after logging into a 
>>scponly shell, they could not upload files, so the '//' thing was devised.
>>
>>imagine this home directory:
>>
>>/home/scponlyuser//incoming
>>
>>everything BEFORE the // is the chroot path (/home/scponlyuser) and everything after the // is a directory to 
>>chdir() into after chrooting.  This way a user can log into their scponly shell and the following will happen:
>>
>>- scponlyc will chroot to /home/scponlyuser
>>- scponlyc will then chdir to /incoming (inside the chroot), dropping the user into a directory they can upload 
>>to.
> 
> 
> 
> Sorry to respond to this so late, but I am still a bit unclear ... why not
> give everyone the exact same home directory, such as:
> 
> /home
> 
> and by that, I mean, every scponly user has /home defined as their
> home directory in the /etc/passwd file.  They're all the same.
> 
> Then when setting up the scponly chroot, tell scponly chroot that their
> writeable directory is /home/(username)
> 
> So that way, they get a home directory that is just like a normal home
> directory (/home/(username) )
> 
> and you don't need to do the /some/path//other/path thing ...
> 
> Is there some major downside to having all scponly users all have the
> exact same home directory (that they cannot write to) in /etc/passwd ?
> 
> I tried it and it seemed to work, and I would like
> comments/suggestions/ridicule if you please ...
> 
> 
> 
> 
> _______________________________________________
> scponly mailing list
> scponly at lists.ccs.neu.edu
> https://lists.ccs.neu.edu/bin/listinfo/scponly

The "//" syntax is a tool for building more complicated chrooted configurations.
Individual chroot structures for example.  You don't have to use it if your
configuration doesn't need it.

The disadvantage of having everyone in the same directory is that they can
gather information on other users and can probably see or at least detect
the presence of other users' files.  Building individual user jails can
eliminate this overlap.  Mixes of shared and individual chroots are common.
   Paul Hyder
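An added example, not code from this thread or from scponly itself: it splits a passwd home field on "//" the way the quoted post describes, then audits the result against the point both posts make, namely that the jail root must not be writable by the user and that the directory named after the "//" must exist inside the jail. The edge-case handling of the split, the audit rules, and the FAKE_FS table are my assumptions, not scponly's documented behaviour.

```python
import os
import stat

def parse_scponly_home(home: str):
    """Split a passwd home field on "//" into (chroot dir, in-jail chdir target).
    Assumed: only the first "//" counts; no "//" means chdir to the jail root."""
    marker = home.find("//")
    if marker == -1:
        return home, "/"
    return home[:marker] or "/", "/" + home[marker + 2:].strip("/")

def writable_by(owner: int, group: int, mode: int, uid: int, gids: frozenset) -> bool:
    """Owner, group-member or world write bit on the directory for this uid."""
    return bool((owner == uid and mode & stat.S_IWUSR)
                or (group in gids and mode & stat.S_IWGRP)
                or mode & stat.S_IWOTH)

def real_stat(path: str):
    st = os.stat(path)
    return st.st_uid, st.st_gid, st.st_mode

def audit_entry(home: str, uid: int, gids: frozenset, stat_fn=real_stat) -> list:
    """Findings for one account: the jail root must not be writable by the user
    (the post's reason for the split) and the in-jail upload dir must exist."""
    chroot_dir, chdir_target = parse_scponly_home(home)
    try:
        owner, group, mode = stat_fn(chroot_dir)
    except OSError:
        return ["chroot dir missing: " + chroot_dir]
    findings = []
    if writable_by(owner, group, mode, uid, gids):
        findings.append("jail root writable by user: " + chroot_dir)
    try:  # resolve the chdir target relative to the jail root, as scponlyc would see it
        stat_fn(os.path.normpath(os.path.join(chroot_dir, chdir_target.lstrip("/"))))
    except OSError:
        findings.append("upload dir missing inside jail: " + chdir_target)
    return findings

FAKE_FS = {  # constructed stand-in for the filesystem: path -> (uid, gid, mode)
    "/home/scponlyuser": (0, 0, 0o40755),              # root-owned jail root
    "/home/scponlyuser/incoming": (1001, 1001, 0o40755),
    "/home/sloppy": (1002, 1002, 0o40755),             # jail root owned by its user
}

def fake_stat(path: str):
    if path not in FAKE_FS:
        raise OSError(path)
    return FAKE_FS[path]
```

With the real filesystem, call `audit_entry(home, uid, gids)` for each scponly account from /etc/passwd and leave stat_fn at its default.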
