[scponly] won't someone _please_ think of the archives ? (scponly + unison + chroot)

Kaleb Pederson kibab at icehouse.net
Wed Oct 4 01:11:49 EDT 2006


On Tuesday 03 October 2006 3:11 pm, Ensel Sharon wrote:
> Ok, this isn't the problem.
>
> The problem is, when I use unison, it spits back errors to me (the remote
> user) in the form of:
>
> Fatal error: exception Util.Fatal("Cannot find canonical name of
> /home/.unison: unable to cd either to it
>
> And when I add my incoming directory to the users' home directory in the
> base system's /etc/passwd, it says:
>
> Fatal error: exception Util.Fatal("Cannot find canonical name of
> /home//incoming/.unison: unable to cd either to it

That seems really strange and doesn't make sense to me.  Can you strace the 
ssh process that execs unison (capturing output for child processes) and send 
it to me?

If you can, I'll take a look and let you know.

> See the problem ?  In both cases unison is spitting back to the _remote
> user_ the full path leading into the chroot - something that, IMO, they
> should never see.

Yes.  Unless it is somehow in the chroot (like the /etc/passwd file within the 
chroot) or scponly is doing something strange, I don't see how that would 
happen -- note that I haven't looked at any of the unison specific code 
though.

> So of course unison can't get to its .unison directory - because it is
> trying to put it in /home/home, or /home/home//incoming, respectively.
>
> Let me repeat that in a different way - the remote user is chrooted into
> /home, and unison reads the home directory from the base system's
> /etc/passwd

Unless scponly is broken or you indeed are not using a chroot, this can't 
happen.  The strace I mentioned above should give me a much better idea 
what's really happening.

I have posted instructions on the mailing list a couple of times -- check the 
archives (I'll try to add them to the wiki/faq at some point).

> Honestly, at this point, I would be happy if anyone could simply confirm
> or deny that unison has ever worked in a scponly chroot in any way.  I
> don't think that it does, or has, and I don't think anyone has tried it.

Sorry -- I wish I had time to do more...

Hope that helps.

--Kaleb