[scponly] Suggestion for home dir in jail

Graham Toal gtoal at gtoal.com
Wed Aug 1 14:57:00 EDT 2007


If I understand this right, the way to set the default home directory
for a chrooted user such as scponly is to set the home dir in the
external password file to something like  "/home/scponly//home/scponly".

Two suggestions; 1) Quick hack:  if there's no "//" in the string, use
the whole string as the chrooted home dir, *not* "/".  By making it "/",
you break the expected behaviour of commands like
"scp file scponly@host.com:" as it tries to write it to / rather than the
user's home dir.  That way you just need to duplicate the same home
directory naming convention (eg /home/scponly) inside the jail.

or 2) Less quick hack: once chrooted, re-read /etc/passwd and get the
*internal* home dir from the dummy password file.  This is the more
general and useful solution, and it behaves the way you would expect.

I don't mind writing the code, I just want to check that it'll be used
before I start.  I don't want to apply personal patches to a piece of
security software as the first urgent upgrade that comes along, they
get forgotten about in the rush to install it...

I have one related question - in the spirit of unix and having one
tool do one thing well, isn't there some jail package somewhere
that could do all the jailing work, which you could just use rather
than building it in to scponly?  There's got to be all sorts of
problems in getting a really good jail and it's not productive for
every jailed tool designer to have to reinvent the wheel... and
keep up with security alerts on the subject... just a thought.
(It's been some time since I worked in this area and I'm not
up to date on generic jailing tools, so can't recommend one.  Last one
I used was one I wrote myself back in the 386bsd V0.1 days :-) )

regards,


Graham

PS the problem in the thread "segfault when trying to connect" is most
likely a file or directory missing in the chroot environment, and some
part of the code not checking a return code or file handle for the error.
I hit it several times while working out from scratch by trial and error
which files were all necessary to make scponlyc work under
SuSE.  I suspect a code review looking at file-related library calls
would find it.  If I come across it myself I'll let you know. (I only
started using scponly this morning so I'm not
totally up to speed on the software yet)

If anyone's interested, here's my current config under SuSE.  Note
there are some unneeded files that I plan to remove as I erred on
the side of generosity when picking what to include.  Most (but not all)
of the libnss modules can go, as can /bin/sh and several of the utilities
in /bin (chgrp, chmod etc etc)

I think the inner scponlyc can probably go too.  But you might find the list of
library modules useful if you're setting this up for the first time.
It's an iterative process finding them - turn on the debugging, then issue an
scp or ssh command and look at the reported missing module errors
until you get them all.  Hmmm... maybe a process that could be automated
with 'expect'..?

It was only with libnss (to get the usernames corresponding to UIDs) that the
module name was not reported. (Hence why I threw them all in to make it work)

.:
total 1
drwxr-xr-x 2 root root  288 2007-07-31 11:10 bin
drwxr-xr-x 2 root root   72 2007-07-31 10:51 dev
drwxr-xr-x 2 root root  120 2007-07-31 10:40 etc
drwxr-xr-x 3 root root   72 2007-07-31 10:41 home
drwxr-xr-x 2 root root 1072 2007-07-31 10:57 lib
drwxr-xr-x 5 root root  120 2007-07-31 10:41 usr

./bin:
total 857
-rwxr-xr-x 1 root root  35944 2007-07-31 11:08 chgrp
-rwxr-xr-x 1 root root  33108 2007-07-31 11:08 chmod
-rwxr-xr-x 1 root root  38332 2007-07-31 11:08 chown
-rwxr-xr-x 1 root root  25384 2007-07-31 11:08 ln
-rwxr-xr-x 1 root root  79108 2007-07-31 11:08 ls
-rwxr-xr-x 1 root root  24364 2007-07-31 11:08 mkdir
-rwxr-xr-x 1 root root  66720 2007-07-31 11:08 mv
-rwxr-xr-x 1 root root  36816 2007-07-31 11:08 rm
-rwxr-xr-x 1 root root  15072 2007-07-31 11:08 rmdir
-rwxr-xr-x 1 root root 501804 2007-07-31 11:10 sh

./dev:
total 0
crw-r--r-- 1 root root 1, 3 2007-07-31 10:51 null

./etc:
total 12
-rw-r--r-- 1 root root 831 2007-07-31 10:40 group
-rw-r--r-- 1 root root 339 2007-07-31 11:11 passwd
-rw-r----- 1 root root 165 2007-07-31 11:00 shadow

./home:
total 0
drwxr-xr-x 2 scponly root 80 2007-07-31 11:21 scponly

./home/scponly:
total 4
-rw-r--r-- 1 scponly users 2 2007-07-31 11:21 test.txt

./lib:
total 3294
-rwxr-xr-x 1 root root  124463 2007-07-31 10:29 ld-linux.so.2
-rwxr-xr-x 1 root root   23960 2007-07-31 10:46 libacl.so.1
-rwxr-xr-x 1 root root   13004 2007-07-31 10:46 libattr.so.1
-rwxr-xr-x 1 root root    6272 2007-07-31 10:36 libcom_err.so.2
-rwxr-xr-x 1 root root   47259 2007-07-31 10:35 libcrypt.so.1
-rwxr-xr-x 1 root root 1404242 2007-07-31 10:37 libc.so.6
-rwxr-xr-x 1 root root   13814 2007-07-31 10:38 libdl.so.2
-rwxr-xr-x 1 root root   87850 2007-07-31 10:35 libnsl.so.1
-rwxr-xr-x 1 root root   31943 2007-07-31 10:57 libnss_compat-2.4.so
-rwxr-xr-x 1 root root   31943 2007-07-31 10:57 libnss_compat.so.2
-rwxr-xr-x 1 root root   21283 2007-07-31 10:57 libnss_dns-2.4.so
-rwxr-xr-x 1 root root   21283 2007-07-31 10:57 libnss_dns.so.2
-rwxr-xr-x 1 root root   42109 2007-07-31 10:57 libnss_files-2.4.so
-rwxr-xr-x 1 root root   42109 2007-07-31 10:57 libnss_files.so.2
-rwxr-xr-x 1 root root   22077 2007-07-31 10:57 libnss_hesiod-2.4.so
-rwxr-xr-x 1 root root   22077 2007-07-31 10:57 libnss_hesiod.so.2
-r--r--r-- 1 root root   26532 2007-07-31 10:57 libnss_mdns-0.2.so
-r--r--r-- 1 root root   26532 2007-07-31 10:57 libnss_mdns.so.2
-rwxr-xr-x 1 root root   41986 2007-07-31 10:57 libnss_nis-2.4.so
-rwxr-xr-x 1 root root   49751 2007-07-31 10:57 libnss_nisplus-2.4.so
-rwxr-xr-x 1 root root   49751 2007-07-31 10:57 libnss_nisplus.so.2
-rwxr-xr-x 1 root root   41986 2007-07-31 10:57 libnss_nis.so.2
-rwxr-xr-x 1 root root   15952 2007-07-31 10:57 libnss_winbind.so.2
-rwxr-xr-x 1 root root  794836 2007-07-31 10:57 libnss_wins.so.2
-rwxr-xr-x 1 root root  100331 2007-07-31 10:38 libpthread.so.0
-rwxr-xr-x 1 root root   74278 2007-07-31 10:33 libresolv.so.2
-rwxr-xr-x 1 root root   40297 2007-07-31 10:45 librt.so.1
-rwxr-xr-x 1 root root   12789 2007-07-31 10:34 libutil.so.1
-rwxr-xr-x 1 root root   70512 2007-07-31 10:34 libz.so.1

./usr:
total 1
drwxr-xr-x 2 root root 120 2007-07-31 11:08 bin
drwxr-xr-x 3 root root 616 2007-07-31 10:56 lib
drwxr-xr-x 3 root root  72 2007-07-31 10:41 local

./usr/bin:
total 608
-rwxr-xr-x 1 root root 287384 2007-07-31 11:08 rsync
-rwxr-xr-x 1 root root  42852 2007-07-31 11:08 scp
-rwxr-xr-x 1 root root 285872 2007-07-31 10:49 ssh

./usr/lib:
total 3157
-r-xr-xr-x 1 root root 1207152 2007-07-31 10:33 libcrypto.so.0.9.8
-rwxr-xr-x 1 root root   92300 2007-07-31 10:35 libgssapi_krb5.so.2
-rwxr-xr-x 1 root root  145588 2007-07-31 10:36 libk5crypto.so.3
-rwxr-xr-x 1 root root  440292 2007-07-31 10:35 libkrb5.so.3
-rwxr-xr-x 1 root root   10256 2007-07-31 10:39 libkrb5support.so.0
-rwxr-xr-x 1 root root  456740 2007-07-31 10:56 libnss3.so
-rwxr-xr-x 1 root root  242120 2007-07-31 10:56 libnssckbi.so
-rwxr-xr-x 1 root root   31943 2007-07-31 10:56 libnss_compat.so
-rwxr-xr-x 1 root root   21283 2007-07-31 10:56 libnss_dns.so
-rwxr-xr-x 1 root root   42109 2007-07-31 10:56 libnss_files.so
-rwxr-xr-x 1 root root   22077 2007-07-31 10:56 libnss_hesiod.so
-rwxr-xr-x 1 root root   49751 2007-07-31 10:56 libnss_nisplus.so
-rwxr-xr-x 1 root root   41986 2007-07-31 10:56 libnss_nis.so
-rwxr-xr-x 1 root root   26932 2007-07-31 10:38 libopenct.so.1
-rwxr-xr-x 1 root root  346784 2007-07-31 10:32 libopensc.so.1
-rwxr-xr-x 1 root root   18328 2007-07-31 10:37 libscconf.so.1
drwxr-xr-x 2 root root      80 2007-07-31 10:23 ssh

./usr/lib/ssh:
total 36
-rwxr-xr-x 1 root root 32984 2007-07-31 10:23 sftp-server

./usr/local:
total 0
drwxr-xr-x 2 root root 72 2007-07-31 10:42 sbin

./usr/local/sbin:
total 40
-rwsr-xr-x 1 root root 39831 2007-07-31 10:42 scponlyc
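
Added example (not part of the original post and not scponly's own code): a C sketch of splitting the "//" home field into the chroot directory and the in-jail home directory, with the no-marker case switchable between "/" as the post describes and suggestion 1. The function name split_jail_home and its flag are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not scponly's code: split a passwd home field of the
 * form "<jail>//<home-inside-jail>" into its two parts.
 * Returns 0 on success, -1 if the jail part is empty or a part does not fit. */
int split_jail_home(const char *field, int whole_if_no_marker,
                    char *jail, size_t jail_sz, char *home, size_t home_sz)
{
    const char *sep = strstr(field, "//");
    size_t jail_len = sep ? (size_t)(sep - field) : strlen(field);
    const char *inner;

    if (jail_len == 0 || jail_len >= jail_sz)
        return -1;                  /* never chroot to an empty or cut path */
    memcpy(jail, field, jail_len);
    jail[jail_len] = '\0';

    if (sep) {
        inner = sep + 1;            /* keep one '/' so the path is absolute */
        while (inner[1] == '/')     /* collapse "///" and longer runs */
            inner++;
    } else {
        /* No marker: "/" is the behaviour the post describes;
         * the whole string is the post's suggestion 1. */
        inner = whole_if_no_marker ? field : "/";
    }
    if (strlen(inner) >= home_sz)
        return -1;
    strcpy(home, inner);
    return 0;
}

int main(void)
{
    /* Constructed sample fields. */
    const char *samples[] = { "/home/scponly//home/scponly", "/home/scponly" };
    char jail[256], home[256];

    for (int i = 0; i < 2; i++)
        for (int mode = 0; mode < 2; mode++)
            if (split_jail_home(samples[i], mode, jail, sizeof jail,
                                home, sizeof home) == 0)
                printf("%-30s mode=%d chroot=%s chdir=%s\n",
                       samples[i], mode, jail, home);
    return 0;
}
```

A caller would chroot() to the first part and chdir() to the second, checking both return values, since with suggestion 1 the directory has to exist under the same name inside the jail.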
