[scponly] chroot fails without warning - everything still works
Kaleb Pederson
kibab at icehouse.net
Sat Jun 17 17:10:00 EDT 2006
Hmm.... not sure what to think. Using version 4.6 of scponly, this is what I
see when I connect using a chroot with /home/scponly as the chroot and home
directory:
scponly[2535]: chrooted binary in place, will chroot()
scponly[2535]: 3 arguments in total.
scponly[2535]: arg 0 is scponlyc
scponly[2535]: arg 1 is -c
scponly[2535]: arg 2 is /usr/lib/misc/sftp-server
scponly[2535]: opened log at LOG_AUTHPRIV, opts 0x00000009
scponly[2535]: retrieved home directory of "/home/scponly" for user "scponly"
scponly[2535]: chrooting to dir: "/home/scponly"
scponly[2535]: chdiring to dir: "/"
scponly[2535]: setting uid to 1015
scponly[2535]: processing request: "/usr/lib/misc/sftp-server"
scponly[2535]: running: /usr/lib/misc/sftp-server (username: scponly(1015),
IP/port: 10.10.10.1 54861 22)
Actually, I notice one difference. I have 'scponlyc' as the first argument,
you have '/usr/local/sbin/scponlyc'. The comparison happens as follows:
strncmp(argv[0],CHROOTED_NAME,FILENAME_MAX))
So, that would be the problem. You would have to
have /usr/local/sbin/scponlyc as your CHROOTED_NAME for it to match. I'm not
sure why it would show up that way. This is what I have for the user
account:
scponly:x:1015:1021::/home/scponly:/usr/local/sbin/scponlyc
I guess it's reasonable that the compare strips the directory prefix, but this
is the first case where I have seen this problem.
Could you try with a couple of other sftp clients and see what happens?
Thanks.
--Kaleb
On Saturday 17 June 2006 4:40 am, Fred Fiat wrote:
> >> Jun 16 17:00:53 HOST scponly[8806]: 3 arguments in total.
> >> Jun 16 17:00:53 HOST scponly[8806]: arg 0 is /usr/local/sbin/scponlyc
> >> Jun 16 17:00:53 HOST scponly[8806]: arg 1 is -c
> >> Jun 16 17:00:53 HOST scponly[8806]: arg 2 is sftp-server
> >> Jun 16 17:00:53 HOST scponly[8806]: opened log at LOG_AUTHPRIV, opts
> >> 0x00000009
> >> Jun 16 17:00:53 HOST scponly[8806]: retrieved home directory of
> >> "/home/test1" for user "test1"
> >> Jun 16 17:00:53 HOST scponly[8806]: setting uid to 1035
> >> Jun 16 17:00:53 HOST scponly[8806]: processing request: "sftp-server"
> >> Jun 16 17:00:53 HOST scponly[8806]: running: /usr/bin/sftp-server
> >> (username: test1(1035), IP/port: ::1 51149 ::1 22)
> >
> > Fred,
> > Quick sanity check: Were there other scponly syslog lines? In a
> > chrooted environment
> > there would have been a set starting with:
> > "chrooted binary in place, will chroot()"
> > and ending with
> > "chrooting to dir: ..."
> > {and a couple of chdir messages}
>
> Yes, they were the only lines.
>
> > If they weren't there (I doubt they were) please check the value of
> > CHROOTED_NAME in
> > config.h. {i.e. It sounds like there may be one more thing going on in
> > your case.}
>
> I have "scponlyc" as the CHROOTED_NAME in config.h
>
> > The trace above indicates that a full path is seen for scponlyc. That
> > would in fact
> > disable the chroot since the code checks argv[0] for the exact string in
> > CHROOTED_NAME
> > and that is normally "scponlyc".
> >
> > What is the OS? (The quick fix >might< be to change CHROOTED_NAME but it
> > would be
> > better to find out exactly what is happening.)
>
> Suse 7.3
>
> > Paul Hyder
> > NOAA Earth System Research Laboratory, Global Systems Division, HPC
> > Boulder, CO
>
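The argv[0] mismatch discussed in this thread, as an added example (not scponly's own code and not part of either message): it runs the quoted strncmp comparison against the two argv[0] values from the logs, beside a variant that compares only the last path component. The helper names are hypothetical, and CHROOTED_NAME is assumed to be "scponlyc" as reported for config.h.

```c
#include <stdio.h>
#include <string.h>

/* Assumed value, as reported for config.h in the thread. */
#define CHROOTED_NAME "scponlyc"

/* The comparison quoted in the thread: argv[0] must be exactly
 * CHROOTED_NAME, so a full path silently selects the non-chroot path. */
static int wants_chroot_exact(const char *argv0)
{
    return strncmp(argv0, CHROOTED_NAME, FILENAME_MAX) == 0;
}

/* Hypothetical helper: return the text after the last '/', or the
 * whole string when there is no '/'. */
static const char *last_component(const char *path)
{
    const char *slash = strrchr(path, '/');
    return slash ? slash + 1 : path;
}

/* Hypothetical variant: strip the directory prefix before comparing,
 * so "scponlyc" and "/usr/local/sbin/scponlyc" are treated alike. */
static int wants_chroot_basename(const char *argv0)
{
    return strcmp(last_component(argv0), CHROOTED_NAME) == 0;
}

int main(void)
{
    /* The two argv[0] values that appear in the logs in this thread. */
    const char *seen[] = { "scponlyc", "/usr/local/sbin/scponlyc" };
    size_t i;

    for (i = 0; i < sizeof seen / sizeof seen[0]; i++) {
        printf("arg 0 is %-26s exact=%d basename=%d\n", seen[i],
               wants_chroot_exact(seen[i]),
               wants_chroot_basename(seen[i]));
    }
    return 0;
}
```

A quick check on a deployed host is the one used in the thread: a session that really is chrooted logs "chrooted binary in place, will chroot()" followed by "chrooting to dir: ...", and a session without those lines is not confined.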