[scponly] Need help with chrooted scponly 4.6 on centos 5
Security Team
security at peakpeak.com
Thu Sep 13 22:10:21 EDT 2007
On 9/12/07 9:11 PM, "Kaleb Pederson" <kibab at icehouse.net> wrote:
> On Wednesday 12 September 2007, Security Team wrote:
>> In /etc/ssh/sshd_config I have:
>>
>> Subsystem sftp /usr/local/sbin/scponlyc
>
> You don't want this, this should be left at the default for your distro,
> whatever that was.
>
> This is a different way of having the ssh server invoke a specific command,
> instead of the sftp-server.
>
>> And finally, I built scponly with these options (here is my build script):
>> --------
>> tar xvfz scponly-4.6.tgz
>> cd scponly-4.6
>>
>> ./configure -enable-chrooted-binary --enable-sftp-logging-compat --enable-rsync-compat \
>> --enable-scp-compat --enable-quota-compat --disable-chroot-checkdir
>
> Unless you have the sftp-logging patch... you don't want this. You still get
> logging, but not of the sftp-logging patch type.
>
>> Sep 12 08:32:57 teton1 scponly[18677]: 3 arguments in total.
>> Sep 12 08:32:57 teton1 scponly[18677]: arg 0 is scponlyc
>> Sep 12 08:32:57 teton1 scponly[18677]: arg 1 is -c
>> Sep 12 08:32:57 teton1 scponly[18677]: arg 2 is /usr/local/sbin/scponlyc
>
> arg 2 comes from the subsystem command that you specified... which is why
> scponly is rejecting it.
>
> If everything else in the chroot is ok, then it should work after you make
> those changes.
>
> --Kaleb
Hi Kaleb, just thought maybe my chroot tree might be a problem somehow, so...

Here is what my chroot looks like after running the enclosed script setup_chroot.sh:
# ls -l /home/userguy/*
/home/userguy/bin:
total 476
-rwxr-xr-x 1 root root 41764 Sep 12 07:06 chgrp
-rwxr-xr-x 1 root root 38468 Sep 12 07:06 chmod
-rwxr-xr-x 1 root root 43956 Sep 12 07:06 chown
-rwxr-xr-x 1 root root 19856 Sep 12 07:06 echo
-rwxr-xr-x 1 root root 29840 Sep 12 07:06 ln
-rwxr-xr-x 1 root root 93560 Sep 12 07:06 ls
-rwxr-xr-x 1 root root 29588 Sep 12 07:06 mkdir
-rwxr-xr-x 1 root root 77180 Sep 12 07:06 mv
-rwxr-xr-x 1 root root 22916 Sep 12 07:06 pwd
-rwxr-xr-x 1 root root 43740 Sep 12 07:06 rm
-rwxr-xr-x 1 root root 18700 Sep 12 07:06 rmdir
/home/userguy/etc:
total 152
-rwxr-xr-x 1 root root 140480 Sep 12 07:06 ld.so.cache
-rwxr-xr-x 1 root root 42 Sep 12 07:06 ld.so.conf
-rw-r--r-- 1 root root 56 Sep 12 07:06 passwd
/home/userguy/incoming:
total 0
/home/userguy/lib:
total 3768
-rwxr-xr-x 1 root root 121684 Sep 12 07:06 ld-linux.so.2
-rwxr-xr-x 1 root root 26012 Sep 12 07:06 libacl.so.1
-rwxr-xr-x 1 root root 15780 Sep 12 07:06 libattr.so.1
-rwxr-xr-x 1 root root 7720 Sep 12 07:06 libcom_err.so.2
-rwxr-xr-x 1 root root 1238928 Sep 12 07:06 libcrypto.so.6
-rwxr-xr-x 1 root root 27848 Sep 12 07:06 libcrypt.so.1
-rwxr-xr-x 1 root root 1576952 Sep 12 07:06 libc.so.6
-rwxr-xr-x 1 root root 16540 Sep 12 07:06 libdl.so.2
-rwxr-xr-x 1 root root 101048 Sep 12 07:06 libnsl.so.1
-rwxr-xr-x 1 root root 36352 Sep 12 07:06 libnss_compat-2.5.so
-rwxr-xr-x 1 root root 36352 Sep 12 07:06 libnss_compat.so.2
-rwxr-xr-x 1 root root 125576 Sep 12 07:06 libpthread.so.0
-rwxr-xr-x 1 root root 76404 Sep 12 07:06 libresolv.so.2
-rwxr-xr-x 1 root root 44100 Sep 12 07:06 librt.so.1
-rwxr-xr-x 1 root root 93512 Sep 12 07:06 libselinux.so.1
-rwxr-xr-x 1 root root 242880 Sep 12 07:06 libsepol.so.1
-rwxr-xr-x 1 root root 15276 Sep 12 07:06 libutil.so.1
/home/userguy/usr:
total 12
drwxr-xr-x 2 root root 4096 Sep 12 07:06 bin
drwxr-xr-x 2 root root 4096 Sep 12 07:06 lib
drwxr-xr-x 3 root root 4096 Sep 12 07:06 libexec
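
Added example, not part of the original message or of scponly: a small check for the misconfiguration Kaleb diagnoses above, where `Subsystem sftp` points at scponlyc and the subsystem path comes back to scponly as arg 2 after `-c`. The function names are hypothetical, and the sample config files, including the sftp-server path, are constructed assumptions.

```shell
#!/bin/sh
# Added example. The sample configs written by demo() are constructed.

# Print the command configured for "Subsystem sftp" in an sshd_config file.
sftp_subsystem_cmd() {
    awk 'tolower($1) == "subsystem" && $2 == "sftp" {
             $1 = ""; $2 = ""; sub(/^[ \t]+/, ""); print; exit
         }' "$1"
}

# Exit status: 0 = subsystem is something other than scponly,
#              1 = subsystem points at scponly/scponlyc,
#              2 = no sftp subsystem line found.
check_sftp_subsystem() {
    cmd=$(sftp_subsystem_cmd "$1")
    [ -n "$cmd" ] || { echo "no 'Subsystem sftp' line in $1"; return 2; }
    case "$(basename "${cmd%% *}")" in
        scponly|scponlyc)
            # sshd hands the subsystem command to the login shell, so a
            # scponlyc user ends up with argv: scponlyc -c <cmd>
            echo "BAD: login shell would be run as: scponlyc -c $cmd"
            return 1 ;;
        *)
            echo "OK: Subsystem sftp -> $cmd"
            return 0 ;;
    esac
}

demo() {
    d=$(mktemp -d) || return 1
    printf 'Subsystem sftp /usr/local/sbin/scponlyc\n' > "$d/as_posted"
    # Assumed distro default path, used only as sample input.
    printf 'Subsystem sftp /usr/libexec/openssh/sftp-server\n' > "$d/default"
    check_sftp_subsystem "$d/as_posted" || true
    check_sftp_subsystem "$d/default" || true
    rm -rf "$d"
}

demo
```

On a real host, call `check_sftp_subsystem /etc/ssh/sshd_config` and compare the result with the distribution's stock file.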