[scponly] how does scponly determine the writeable, incoming directory ?
Paul Hyder
Paul.Hyder at noaa.gov
Thu Jan 26 15:46:29 EST 2006
Ensel Sharon wrote:
>
> On Thu, 26 Jan 2006, Paul Hyder wrote:
>
>
>>The default setup_chroot.sh creates a new user with an individual
>>jailed home directory that contains a writeable directory named
>>"incoming". It is configured to chroot into the unwriteable
>>home directory. The document you are citing is a discussion of
>>"Building scponly jail configurations manually".
>>
>>And the actual answer to this discussion is that the setup_chroot.sh
>>process is just a starting point.
>>
>>If you want to help out by writing additional code for the build_extras
>>directory or submitting specific additions/fixes for setup_chroot.sh the
>>community would benefit.
>> Paul Hyder
>> NOAA Earth System Research Laboratory, Global Systems Division
>
>
>
> Ok, I see - so if I leave "incoming" as the default, then the chrooted
> password file will contain /home/user/incoming as the directory to chroot
> into, while the actual home directory is /home/user
With the default setup_chroot.sh, neither the top level nor the
chrooted password file (or database) should contain "incoming".
A chroot directory structure is built under /home/${targetuser}
and includes the writeable "incoming" directory (plus bin, sbin,
... and the selected subset of associated files).
Without the // syntax in the top level password file or db,
the scponly code chroots into the home directory (default
/home/${targetuser}), where the session can use the writeable
directory "incoming".
>
> BUT, if I choose anything other than "incoming", it is ignored by
> setup_chroot.sh, and BOTH password files (the base and the chrooted
> one) will contain /home/user as the home directory.
Changing the name doesn't change the behavior, just the name of
the created writeable directory.
>
> Is that a correct interpretation ?
>
> Further, would it be a proper response to simply edit (with the proper db
> tool) the resulting .db file in the chroot, and add the writeable
> directory to the end of the home directory, and all would be well ?
If you edit "incoming" into the top level password file or database,
the chroot would be to /home/${targetuser}/incoming and the session
won't be able to reach the required binaries and libraries that are
installed in /home/${targetuser}. The session needs to initiate
in an unwriteable home directory that has a subdirectory that is
writeable.
Paul Hyder
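The two points in the reply above (how the passwd home field picks the jail root and the starting directory, and the rule that the jail root must be unwriteable while a subdirectory such as "incoming" is writeable) can be checked mechanically. The following is an added example, not code from scponly or from setup_chroot.sh. It assumes the "//" split semantics as described in this thread (the part before "//" is the chroot root, the part after is the initial directory inside the jail; with no "//" the whole home directory is the jail and the session starts at "/"), checks only an assumed bin/lib subset of what setup_chroot.sh installs, and uses a simplified mode-bit permission test (owner and group only, no ACLs or supplementary groups). It builds a constructed sample tree in a temporary directory, so it runs unprivileged and never calls chroot(2).

```python
"""Added example (not scponly's own code): audit a scponly jail layout.

Models the two points made in the reply above:
  1. how the passwd home field selects the jail root and the session's
     starting directory ("//" convention: "/home/user//incoming" chroots to
     /home/user and starts in /incoming inside the jail; with no "//" the
     whole home directory is the jail root and the session starts at "/");
  2. the layout rule: the jail root must be unwriteable by the jailed user,
     must carry the helper binaries and libraries, and must contain a
     writeable subdirectory such as "incoming".

Assumptions (not taken from the scponly source): the exact "//" split
semantics, the bin/lib subset checked, and the simplified permission test
(mode bits plus owner/group only; ACLs and supplementary groups ignored).
The demo tree is built in a temp dir, so this runs unprivileged and never
calls chroot(2).
"""
import os
import stat
import tempfile

REQUIRED_IN_JAIL = ("bin", "lib")  # assumed subset of what setup_chroot.sh installs


def split_home_field(pw_dir):
    """Map a passwd home field to (jail_root, start_dir_inside_jail)."""
    if "//" in pw_dir:
        root, _, sub = pw_dir.partition("//")
        start = "/" + sub.strip("/") if sub.strip("/") else "/"
        return root or "/", start
    return pw_dir.rstrip("/") or "/", "/"


def writeable_by(path, uid, gid):
    """Classic mode-bit check for the jailed user (simplified, see header)."""
    st = os.stat(path)
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid == gid:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)


def audit_jail(jail_root, start_dir, uid, gid, writeable_sub="incoming"):
    """Return a list of layout problems; an empty list means the jail is sane."""
    problems = []
    if not os.path.isdir(jail_root):
        return [f"jail root {jail_root} is not a directory"]
    if writeable_by(jail_root, uid, gid):
        problems.append(f"jail root {jail_root} is writeable by uid {uid}")
    for name in REQUIRED_IN_JAIL:
        if not os.path.isdir(os.path.join(jail_root, name)):
            problems.append(f"missing {name} under jail root")
    if not os.path.isdir(os.path.join(jail_root, start_dir.lstrip("/"))):
        problems.append(f"start directory {start_dir} does not exist inside the jail")
    sub = os.path.join(jail_root, writeable_sub)
    if not os.path.isdir(sub):
        problems.append(f"writeable subdirectory {writeable_sub} not found")
    elif not writeable_by(sub, uid, gid):
        problems.append(f"{writeable_sub} is not writeable by uid {uid}")
    return problems


def build_demo_jail(base):
    """Constructed sample tree shaped like setup_chroot.sh output."""
    home = os.path.join(base, "home", "user")
    for name in ("bin", "lib", "incoming"):
        os.makedirs(os.path.join(home, name))
    os.chmod(os.path.join(home, "incoming"), 0o755)  # owned by the user, writeable
    os.chmod(home, 0o555)                             # jail root: no write bit at all
    return home


def run_demo():
    """Audit three home-field spellings; returns {label: (start_dir, problems)}."""
    uid, gid = os.getuid(), os.getgid()
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        home = build_demo_jail(tmp)
        try:
            for label, field in (("default", home),
                                 ("double_slash", home + "//incoming"),
                                 ("incoming_as_root", home + "/incoming")):
                root, start = split_home_field(field)
                results[label] = (start, audit_jail(root, start, uid, gid))
        finally:
            os.chmod(home, 0o755)  # restore write bit so the temp dir can be removed
    return results


if __name__ == "__main__":
    for label, (start, problems) in run_demo().items():
        print(f"{label}: start={start} problems={problems or 'none'}")
```

The "incoming_as_root" case is the edit the question proposes: putting "incoming" into the home field without "//" makes the writeable directory the jail root, so the audit reports the root as writeable and the helper directories as missing, which is the failure the reply describes. The "double_slash" case is the supported way to start the session inside the writeable directory while keeping /home/user as the jail root.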