[scponly] Need help with chrooted scponly 4.6 on centos 5

Kaleb Pederson kibab at icehouse.net
Sat Sep 15 10:49:42 EDT 2007


You need a /dev/null device.

--Kaleb

On Thursday 13 September 2007, Security Team wrote:
> On 9/12/07 9:11 PM, "Kaleb Pederson" <kibab at icehouse.net> wrote:
> > On Wednesday 12 September 2007, Security Team wrote:
> >> In /etc/ssh/sshd_config I have:
> >>
> >> Subsystem       sftp    /usr/local/sbin/scponlyc
> >
> > You don't want this, this should be left at the default for your distro,
> > whatever that was.
> >
> > This is a different way of having the ssh server invoke a specific
> > command, instead of the sftp-server.
> >
> >> And finally, I built scponly with these options (here is my build
> >> script): --------
> >> tar xvfz scponly-4.6.tgz
> >> cd scponly-4.6
> >>
> >> ./configure -enable-chrooted-binary --enable-sftp-logging-compat
> >> --enable-rsync-compat \
> >>         --enable-scp-compat --enable-quota-compat
> >> --disable-chroot-checkdir
> >
> > Unless you have the sftp-logging patch... you don't want this.  You still
> > get logging, but not of the sftp-logging patch type.
> >
> >> Sep 12 08:32:57 teton1 scponly[18677]: 3 arguments in total.
> >> Sep 12 08:32:57 teton1 scponly[18677]:  arg 0 is scponlyc
> >> Sep 12 08:32:57 teton1 scponly[18677]:  arg 1 is -c
> >> Sep 12 08:32:57 teton1 scponly[18677]:  arg 2 is
> >> /usr/local/sbin/scponlyc
> >
> > arg 2 comes from the subsystem command that you specified... which is why
> > scponly is rejecting it.
> >
> > If everything else in the chroot is ok, then it should work after you
> > make those changes.
> >
> > --Kaleb
>
> Hi Kaleb, just thought maybe my chroot tree might be a problem somehow,
> so....
>
> Here is what my chroot looks like after running the enclosed script
> setup_chroot.sh
>
> # ls -l /home/userguy/*
> /home/userguy/bin:
> total 476
> -rwxr-xr-x 1 root root 41764 Sep 12 07:06 chgrp
> -rwxr-xr-x 1 root root 38468 Sep 12 07:06 chmod
> -rwxr-xr-x 1 root root 43956 Sep 12 07:06 chown
> -rwxr-xr-x 1 root root 19856 Sep 12 07:06 echo
> -rwxr-xr-x 1 root root 29840 Sep 12 07:06 ln
> -rwxr-xr-x 1 root root 93560 Sep 12 07:06 ls
> -rwxr-xr-x 1 root root 29588 Sep 12 07:06 mkdir
> -rwxr-xr-x 1 root root 77180 Sep 12 07:06 mv
> -rwxr-xr-x 1 root root 22916 Sep 12 07:06 pwd
> -rwxr-xr-x 1 root root 43740 Sep 12 07:06 rm
> -rwxr-xr-x 1 root root 18700 Sep 12 07:06 rmdir
>
> /home/userguy/etc:
> total 152
> -rwxr-xr-x 1 root root 140480 Sep 12 07:06 ld.so.cache
> -rwxr-xr-x 1 root root     42 Sep 12 07:06 ld.so.conf
> -rw-r--r-- 1 root root     56 Sep 12 07:06 passwd
>
> /home/userguy/incoming:
> total 0
>
> /home/userguy/lib:
> total 3768
> -rwxr-xr-x 1 root root  121684 Sep 12 07:06 ld-linux.so.2
> -rwxr-xr-x 1 root root   26012 Sep 12 07:06 libacl.so.1
> -rwxr-xr-x 1 root root   15780 Sep 12 07:06 libattr.so.1
> -rwxr-xr-x 1 root root    7720 Sep 12 07:06 libcom_err.so.2
> -rwxr-xr-x 1 root root 1238928 Sep 12 07:06 libcrypto.so.6
> -rwxr-xr-x 1 root root   27848 Sep 12 07:06 libcrypt.so.1
> -rwxr-xr-x 1 root root 1576952 Sep 12 07:06 libc.so.6
> -rwxr-xr-x 1 root root   16540 Sep 12 07:06 libdl.so.2
> -rwxr-xr-x 1 root root  101048 Sep 12 07:06 libnsl.so.1
> -rwxr-xr-x 1 root root   36352 Sep 12 07:06 libnss_compat-2.5.so
> -rwxr-xr-x 1 root root   36352 Sep 12 07:06 libnss_compat.so.2
> -rwxr-xr-x 1 root root  125576 Sep 12 07:06 libpthread.so.0
> -rwxr-xr-x 1 root root   76404 Sep 12 07:06 libresolv.so.2
> -rwxr-xr-x 1 root root   44100 Sep 12 07:06 librt.so.1
> -rwxr-xr-x 1 root root   93512 Sep 12 07:06 libselinux.so.1
> -rwxr-xr-x 1 root root  242880 Sep 12 07:06 libsepol.so.1
> -rwxr-xr-x 1 root root   15276 Sep 12 07:06 libutil.so.1
>
> /home/userguy/usr:
> total 12
> drwxr-xr-x 2 root root 4096 Sep 12 07:06 bin
> drwxr-xr-x 2 root root 4096 Sep 12 07:06 lib
> drwxr-xr-x 3 root root 4096 Sep 12 07:06 libexec
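The missing `/dev/null` device the reply points at is easy to check for before the next login attempt. The script below is an added example, not part of the original thread or of scponly; it assumes a Linux host with GNU `stat`, takes the chroot root (e.g. `/home/userguy`) as its argument, and treats the root-owned, not-group/world-writable rule as a general chroot precondition rather than scponly's exact `chroot-checkdir` logic.

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check a scponly chroot tree.
# Assumptions: Linux, GNU coreutils stat, chroot path given as "$1".

# Return 0 if "$1/dev/null" exists and is a character device, 1 otherwise.
# A plain file of that name (as left behind by a stray cp) is not enough.
chroot_has_devnull() {
    [ -c "$1/dev/null" ]
}

# Return 0 if "$1" is a directory owned by root (uid 0) whose group and
# world write bits are clear; the usual precondition for a safe chroot.
chroot_root_ok() {
    dir=$1
    [ -d "$dir" ] || return 1
    owner=$(stat -c %u "$dir") || return 1
    mode=$(stat -c %a "$dir") || return 1
    [ "$owner" -eq 0 ] || return 1
    # keep only the last three octal digits (drops setuid/setgid/sticky)
    perm=$(printf '%03d' $(( mode % 1000 )))
    case "$perm" in
        ?[2367]?|??[2367]) return 1 ;;   # group or other write bit set
    esac
    return 0
}

# Create the node when it is missing. Needs root; on Linux /dev/null is
# character device major 1, minor 3. Returns 0 if it already exists.
chroot_make_devnull() {
    chroot_has_devnull "$1" && return 0
    mkdir -p "$1/dev" && mknod -m 666 "$1/dev/null" c 1 3
}

# Print one line per check for the chroot given as "$1".
chroot_report() {
    dir=$1
    if chroot_root_ok "$dir"; then
        echo "ok:  $dir is root-owned and not writable by group/other"
    else
        echo "BAD: $dir must be owned by root with mode 755 or stricter"
    fi
    if chroot_has_devnull "$dir"; then
        echo "ok:  $dir/dev/null is a character device"
    else
        echo "BAD: $dir/dev/null missing; create it with chroot_make_devnull $dir"
    fi
}

if [ $# -eq 1 ]; then chroot_report "$1"; fi
```

If the filesystem holding the chroot is mounted with `nodev` (check `/proc/mounts`), the node will exist but will not function, so the mount options need checking as well.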

