[scponly] chroot fails without warning - everything still works

Kaleb Pederson kpederson at mail.ewu.edu
Fri Jun 16 11:27:05 EDT 2006


On Friday 16 June 2006 8:03 am, Fred Fiat wrote:
[snip]
> > getent passwd test1 || grep test1 /etc/passwd
>
> test1:x:1035:100::/home/test1:/usr/local/sbin/scponlyc

Ok.  The shell is set up correctly, but the configuration for the user is not.  
Scponly looks for '//' as a separator between the chroot directory and the 
user's home directory within the chroot.  So, if you wanted scponly to chroot 
to /home/chroot and then cd to /home/test1 within that hierarchy you would 
have a home directory set of:

/home/chroot//home/test1.

Thus, /home/chroot contains all the normal chroot pieces -- /bin, /etc,
/lib, ... and /home.  /home, within /home/chroot then contains the home 
directories.

I'm not too familiar with the setup_chroot script but it should work once you 
figure out what it's really asking.  I helped somebody out with it earlier 
this week and it worked fine, once I figured out what it wanted.  Here's a log 
of events:

################ LOG ##################
[root at myhost scponly-4.6]# ./setup_chroot.sh

Next we need to set the home directory for this scponly user.
please note that the user's home directory MUST NOT be writeable
by the scponly user. this is important so that the scponly user
cannot subvert the .ssh configuration parameters.

for this reason, a writeable subdirectory will be created that
the scponly user can write into.

Username to install [scponly]
home directory you wish to set for this user [/home/scponly]/var/chroot
name of the writeable subdirectory [incoming] <<HIT ENTER>>

creating  /var/chroot/home/scponly/incoming directory for uploading files

Your platform (Linux) does not have a platform specific setup script.
This install script will attempt a best guess.
If you perform customizations, please consider sending me your changes.
Look to the templates in build_extras/arch.
 - joe at sublimation dot org

please set the password for scponly:
Changing password for user scponly.
New password: <<ENTER PASSWORD>>
BAD PASSWORD: it is based on a dictionary word
Retype new password: <<ENTER PASSWORD AGAIN>>
BAD PASSWORD: it is based on a dictionary word
passwd: all authentication tokens updated successfully.
if you experience a warning with winscp regarding groups, please install
the provided hacked out fake groups program into your chroot, like so:
cp groups /var/chroot/home/scponly/bin/groups

# verify that the chroot looks ok.
[root at myhost scponly-4.6]# cd /var/chroot
[root at myhost chroot]# ls -l
total 20
drwxr-xr-x    2 root     root         4096 Jun 12 10:52 bin
drwxr-xr-x    2 root     root         4096 Jun 12 10:52 etc
drwxr-xr-x    2 scponly  scponly      4096 Jun 12 10:52 incoming
drwxr-xr-x    3 root     root         4096 Jun 12 10:52 lib
drwxr-xr-x    6 root     root         4096 Jun 12 10:52 usr

# and it does...
################# END LOG ###################

You can probably figure out what changes need to be made given the above.

Hope that helps.

--Kaleb


> # ls -l /usr/local/sbin/scponlyc
> -rwsr-xr-x    1 root     root        62565 Jun 16 16:59
> /usr/local/sbin/scponlyc
>
> Interestingly perhaps, a "pwd" once sftped to the server shows /home/test1,
> not /
>
> > Thanks.
>
> Thanks!
>
> > --Kaleb
> >
> > On Friday 16 June 2006 7:34 am, Fred Fiat wrote:
> >> Hello,
> >>
> >> scponly seemed to be working great, until I tested the chroot
> >> functionality. With chroot, I am able to view the root / dir, and files
> >> in the root /tmp/ dir (i.e. dirs outside of the chroot).
> >>
> >> Hope someone can help.
> >>
> >> The install went fine, I built using
> >>  ./configure --enable-chrooted-binary --disable-wildcards
> >> --disable-winscp-compat
> >>
> >> I'm now trying the "make jail" script, here is what I answered:
> >>
> >>  # make jail
> >> [snip]
> >> Username to install [scponly]test1
> >> home directory you wish to set for this user [/home/test1]
> >> name of the writeable subdirectory [incoming]
> >> creating  /home/test1/incoming directory for uploading files
> >>
> >> Your platform (Linux) does not have a platform specific setup script.
> >> This install script will attempt a best guess.
> >> If you perform customizations, please consider sending me your changes.
> >> Look to the templates in build_extras/arch.
> >>  - joe at sublimation dot org
> >>
> >> please set the password for test1:
> >> New password:
> >> Bad password: too short
> >> Re-enter new password:
> >> Password changed
> >> [snip]
> >>
> >>
> >>
> >> then I tried the new account:
> >>
> >> # sftp test1 at localhost
> >> Warning: Need basic cursor movement capability, using vt100
> >> warning: Need basic cursor movement capability, using vt100
> >> test1 at localhost's password:
> >> sftp> ls -l /tmp
> >>
> >> It lets me see the contents of the root (i.e. out of chroot) /tmp/
> >> directory! Yikes!
> >>
> >> What have I done wrong?
> >>
> >> _______________________________________________
> >> scponly mailing list
> >> scponly at lists.ccs.neu.edu
> >> https://lists.ccs.neu.edu/bin/listinfo/scponly
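As an added example (not code from scponly or from anyone in this thread), here is a small POSIX shell script that checks the two things the reply above turns on: that the passwd home field carries the JAIL//HOME separator, and that the jail on disk has the pieces described (bin, etc, lib, the in-jail home and its writable incoming directory). The two passwd lines are the one Fred posted and the corrected one Kaleb describes; the demo jail is constructed under mktemp so the script runs offline. The mode-bit check is an assumption based on the setup_chroot.sh warning that the home directory must not be writable by the scponly user: it only looks at group/other write bits, since ownership cannot be checked portably without root.

```shell
#!/bin/sh
# Added example for the scponly thread, not code from the scponly project.
# Checks a passwd(5) entry for the JAIL//HOME convention scponlyc uses and
# verifies that a jail on disk has the expected layout.  Passwd lines and
# the demo jail below are constructed; run check_entry against
# "getent passwd USER" and check_jail against the real jail to use it.

# field N LINE -> N-th colon-separated field of a passwd line
field() {
    printf '%s\n' "$2" | cut -d: -f"$1"
}

# split_scponly_home HOMEFIELD -> prints "JAIL HOME"; returns 1 when the
# "//" separator is missing, which is the case where scponlyc does not
# chroot and the user sees the real filesystem root.
split_scponly_home() {
    case $1 in
        *//*) ;;
        *) return 1 ;;
    esac
    printf '%s %s\n' "${1%%//*}" "/${1#*//}"
}

# check_entry LINE -> prints a verdict; returns 0 only when the shell is
# scponlyc and the home field carries a chroot path before "//"
check_entry() {
    shell=$(field 7 "$1")
    case $shell in
        */scponlyc) ;;
        *) echo "FAIL: shell $shell is not scponlyc"; return 1 ;;
    esac
    home=$(field 6 "$1")
    if ! parts=$(split_scponly_home "$home"); then
        echo "FAIL: home '$home' has no '//'; scponlyc will not chroot"
        return 1
    fi
    echo "OK: chroot to ${parts% *}, then cd to ${parts#* }"
}

# check_jail JAIL HOME -> returns 0 when JAIL has /bin, /etc, /lib, the
# in-jail HOME and HOME/incoming, and HOME is not group/other writable
check_jail() {
    for d in /bin /etc /lib "$2" "$2/incoming"; do
        [ -d "$1$d" ] || { echo "FAIL: missing $1$d"; return 1; }
    done
    # assumption: group/other write bits stand in for "writable by the
    # scponly user"; positions 6 and 9 of the ls mode string
    mode=$(ls -ld "$1$2" | cut -c1-10)
    case $mode in
        d????w*|d???????w*)
            echo "FAIL: $1$2 is writable ($mode); .ssh could be planted"
            return 1 ;;
    esac
    echo "OK: jail $1 has the expected layout for $2"
}

# build_demo_jail -> creates a throwaway jail shaped like the reply's
# example (/home/chroot with /home/test1 inside it) and prints its path
build_demo_jail() {
    jail=$(mktemp -d)
    mkdir -p "$jail/bin" "$jail/etc" "$jail/lib" "$jail/home/test1/incoming"
    chmod 755 "$jail/home/test1"
    echo "$jail"
}

# Constructed passwd lines: the one posted in the thread (no chroot
# happens) and the corrected form with the "//" separator.
BROKEN='test1:x:1035:100::/home/test1:/usr/local/sbin/scponlyc'
FIXED='test1:x:1035:100::/home/chroot//home/test1:/usr/local/sbin/scponlyc'

check_entry "$BROKEN" || :
check_entry "$FIXED"

JAIL=$(build_demo_jail)
check_jail "$JAIL" /home/test1 || :
rm -rf "$JAIL"
```

On a real host, replace the BROKEN/FIXED lines with the output of getent passwd for the scponly user and point check_jail at the directory before the "//"; an entry that passes check_entry but whose sftp session still shows the real /tmp points at the jail contents rather than the passwd field.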