[scponly] Need help with chrooted scponly 4.6 on centos 5

Security Team security at peakpeak.com
Sat Sep 15 11:55:59 EDT 2007
On 9/15/07 8:49 AM, "Kaleb Pederson" <kibab at icehouse.net> wrote:

> You need a /dev/null device.
> 
> --Kaleb

OK, but adding one didn't fix anything.

Sep 15 09:53:10 teton1 sshd[10514]: subsystem request for sftp
Sep 15 09:53:11 teton1 scponly[10515]: chrooted binary in place, will chroot()
Sep 15 09:53:11 teton1 scponly[10515]: 3 arguments in total.
Sep 15 09:53:11 teton1 scponly[10515]:  arg 0 is scponlyc
Sep 15 09:53:11 teton1 scponly[10515]:  arg 1 is -c
Sep 15 09:53:11 teton1 scponly[10515]:  arg 2 is /usr/local/sbin/scponlyc
Sep 15 09:53:11 teton1 scponly[10515]: opened log at LOG_AUTHPRIV, opts 0x00000029
Sep 15 09:53:11 teton1 scponly[10515]: retrieved home directory of "/home/userguy" for user "userguy"
Sep 15 09:53:11 teton1 scponly[10515]: chrooting to dir: "/home/userguy"
Sep 15 09:53:11 teton1 scponly[10515]: chdiring to dir: "/"
Sep 15 15:53:11 teton1 scponly[10515]: setting uid to 816
Sep 15 15:53:11 teton1 scponly[10515]: processing request: "/usr/local/sbin/scponlyc"
Sep 15 15:53:11 teton1 scponly[10515]: denied request: /usr/local/sbin/scponlyc (resolved to: scponlyc) [username: userguy(816), IP/port: 192.168.0.3 52500 22]
Sep 15 09:53:11 teton1 sshd[10512]: pam_unix(sshd:session): session closed for user userguy

# override default of no subsystems
#Subsystem      sftp    /usr/libexec/openssh/sftp-server
# added this, took this away, doesn't make it work any better
Subsystem       sftp    /usr/local/sbin/scponlyc

Regards,
Chris

> 
> On Thursday 13 September 2007, Security Team wrote:
>> On 9/12/07 9:11 PM, "Kaleb Pederson" <kibab at icehouse.net> wrote:
>>> On Wednesday 12 September 2007, Security Team wrote:
>>>> In /etc/ssh/sshd_config I have:
>>>> 
>>>> Subsystem       sftp    /usr/local/sbin/scponlyc
>>> 
>>> You don't want this, this should be left at the default for your distro,
>>> whatever that was.
>>> 
>>> This is a different way of having the ssh server invoke a specific
>>> command, instead of the sftp-server.
>>> 
>>>> And finally, I built scponly with these options (here is my build
>>>> script): --------
>>>> tar xvfz scponly-4.6.tgz
>>>> cd scponly-4.6
>>>> 
>>>> ./configure -enable-chrooted-binary --enable-sftp-logging-compat
>>>> --enable-rsync-compat \
>>>>         --enable-scp-compat --enable-quota-compat
>>>> --disable-chroot-checkdir
>>> 
>>> Unless you have the sftp-logging patch... you don't want this.  You still
>>> get logging, but not of the sftp-logging patch type.
>>> 
>>>> Sep 12 08:32:57 teton1 scponly[18677]: 3 arguments in total.
>>>> Sep 12 08:32:57 teton1 scponly[18677]:  arg 0 is scponlyc
>>>> Sep 12 08:32:57 teton1 scponly[18677]:  arg 1 is -c
>>>> Sep 12 08:32:57 teton1 scponly[18677]:  arg 2 is /usr/local/sbin/scponlyc
>>> 
>>> arg 2 comes from the subsystem command that you specified... which is why
>>> scponly is rejecting it.
>>> 
>>> If everything else in the chroot is ok, then it should work after you
>>> make those changes.
>>> 
>>> --Kaleb
>> 
>> Hi Kaleb, just thought maybe my chroot tree might be a problem somehow,
>> so....
>> 
>> Here is what my chroot looks like after running the enclosed script
>> setup_chroot.sh
>> 
>> # ls -l /home/userguy/*
>> /home/userguy/bin:
>> total 476
>> -rwxr-xr-x 1 root root 41764 Sep 12 07:06 chgrp
>> -rwxr-xr-x 1 root root 38468 Sep 12 07:06 chmod
>> -rwxr-xr-x 1 root root 43956 Sep 12 07:06 chown
>> -rwxr-xr-x 1 root root 19856 Sep 12 07:06 echo
>> -rwxr-xr-x 1 root root 29840 Sep 12 07:06 ln
>> -rwxr-xr-x 1 root root 93560 Sep 12 07:06 ls
>> -rwxr-xr-x 1 root root 29588 Sep 12 07:06 mkdir
>> -rwxr-xr-x 1 root root 77180 Sep 12 07:06 mv
>> -rwxr-xr-x 1 root root 22916 Sep 12 07:06 pwd
>> -rwxr-xr-x 1 root root 43740 Sep 12 07:06 rm
>> -rwxr-xr-x 1 root root 18700 Sep 12 07:06 rmdir
>> 
>> /home/userguy/etc:
>> total 152
>> -rwxr-xr-x 1 root root 140480 Sep 12 07:06 ld.so.cache
>> -rwxr-xr-x 1 root root     42 Sep 12 07:06 ld.so.conf
>> -rw-r--r-- 1 root root     56 Sep 12 07:06 passwd
>> 
>> /home/userguy/incoming:
>> total 0
>> 
>> /home/userguy/lib:
>> total 3768
>> -rwxr-xr-x 1 root root  121684 Sep 12 07:06 ld-linux.so.2
>> -rwxr-xr-x 1 root root   26012 Sep 12 07:06 libacl.so.1
>> -rwxr-xr-x 1 root root   15780 Sep 12 07:06 libattr.so.1
>> -rwxr-xr-x 1 root root    7720 Sep 12 07:06 libcom_err.so.2
>> -rwxr-xr-x 1 root root 1238928 Sep 12 07:06 libcrypto.so.6
>> -rwxr-xr-x 1 root root   27848 Sep 12 07:06 libcrypt.so.1
>> -rwxr-xr-x 1 root root 1576952 Sep 12 07:06 libc.so.6
>> -rwxr-xr-x 1 root root   16540 Sep 12 07:06 libdl.so.2
>> -rwxr-xr-x 1 root root  101048 Sep 12 07:06 libnsl.so.1
>> -rwxr-xr-x 1 root root   36352 Sep 12 07:06 libnss_compat-2.5.so
>> -rwxr-xr-x 1 root root   36352 Sep 12 07:06 libnss_compat.so.2
>> -rwxr-xr-x 1 root root  125576 Sep 12 07:06 libpthread.so.0
>> -rwxr-xr-x 1 root root   76404 Sep 12 07:06 libresolv.so.2
>> -rwxr-xr-x 1 root root   44100 Sep 12 07:06 librt.so.1
>> -rwxr-xr-x 1 root root   93512 Sep 12 07:06 libselinux.so.1
>> -rwxr-xr-x 1 root root  242880 Sep 12 07:06 libsepol.so.1
>> -rwxr-xr-x 1 root root   15276 Sep 12 07:06 libutil.so.1
>> 
>> /home/userguy/usr:
>> total 12
>> drwxr-xr-x 2 root root 4096 Sep 12 07:06 bin
>> drwxr-xr-x 2 root root 4096 Sep 12 07:06 lib
>> drwxr-xr-x 3 root root 4096 Sep 12 07:06 libexec
> 
> 
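The failure Kaleb diagnoses above (the sftp Subsystem pointing at scponlyc, so sshd hands scponly its own path as the command and scponly denies it) can be caught before the next login attempt. The script below is an added example, not code from this thread or from the scponly project; it assumes the chroot is the user's home directory, that /dev/null must exist inside it as a character device, and that the sftp-server named on the Subsystem line has to be present inside the chroot at the same path so scponlyc can exec it.

```shell
#!/bin/sh
# Added example (not from the thread or the scponly project): sanity checks
# for an sshd + chrooted scponly setup. Assumptions: the chroot root is the
# user's home directory, and the sftp-server that sshd's Subsystem line names
# must exist inside that chroot at the same path.

# Program configured for the sftp subsystem in the given sshd_config.
# sshd uses the first occurrence of a keyword, so stop at the first match.
sftp_subsystem() {
    awk 'tolower($1)=="subsystem" && tolower($2)=="sftp" {print $3; exit}' "$1"
}

# $1 = sshd_config, $2 = chroot directory.
# Returns 0 when the subsystem is usable by scponly, 1 with a reason otherwise.
check_subsystem() {
    prog=$(sftp_subsystem "$1")
    case "$prog" in
        "")
            echo "no 'Subsystem sftp' line in $1"; return 1 ;;
        */scponlyc|*/scponly)
            # sshd passes the Subsystem program as the command string; scponly
            # only permits its compiled-in list (sftp-server, scp, ...), so a
            # request for scponly's own binary is denied.
            echo "Subsystem sftp points at $prog; scponly will deny that request"
            return 1 ;;
    esac
    if [ ! -x "$2$prog" ]; then
        echo "$prog is not an executable inside chroot $2"; return 1
    fi
    return 0
}

# scponlyc needs /dev/null as a character device inside the chroot.
check_devnull() {
    [ -c "$1/dev/null" ] && return 0
    echo "$1/dev/null is missing or not a character device"; return 1
}

# Usage: check_subsystem /etc/ssh/sshd_config /home/userguy
#        check_devnull /home/userguy
```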
