[scponly] Need help with chrooted scponly 4.6 on centos 5

Security Team security at peakpeak.com
Sat Sep 15 12:21:51 EDT 2007
On 9/15/07 8:51 AM, "Kaleb Pederson" <kibab at icehouse.net> wrote:

> On Thursday 13 September 2007, Security Team wrote:
>> Sep 13 22:34:42 teton1 scponly[28554]: Unable to find "SFTP_LOG_LEVEL" in
>> the environment
>> Sep 13 22:34:42 teton1 scponly[28554]: Unable to find "SFTP_LOG_FACILITY"
>> in the environment
> 
> This indicates that you don't have the sftp-logging patch applied to ssh, in
> which case you don't need to specify it as a part of your configure line.
> 
> --Kaleb

I modified my make script to be:

tar xvfz scponly-4.6.tgz
cd scponly-4.6

./configure -enable-chrooted-binary --enable-rsync-compat \
         --enable-quota-compat
# --disable-chroot-checkdir --enable-scp-compat

make
make install
chmod +x ./setup_chroot.sh
echo 2 > /usr/local/etc/scponly/debuglevel
chmod 4755 /usr/local/sbin/scponlyc

Then I tried:

# override default of no subsystems
#Subsystem      sftp    /usr/libexec/openssh/sftp-server
Subsystem       sftp    /usr/local/sbin/scponlyc

And got:

Sep 15 09:53:10 teton1 sshd[10514]: subsystem request for sftp
Sep 15 09:53:11 teton1 scponly[10515]: chrooted binary in place, will chroot()
Sep 15 09:53:11 teton1 scponly[10515]: 3 arguments in total.
Sep 15 09:53:11 teton1 scponly[10515]:  arg 0 is scponlyc
Sep 15 09:53:11 teton1 scponly[10515]:  arg 1 is -c
Sep 15 09:53:11 teton1 scponly[10515]:  arg 2 is /usr/local/sbin/scponlyc
Sep 15 09:53:11 teton1 scponly[10515]: opened log at LOG_AUTHPRIV, opts 0x00000029
Sep 15 09:53:11 teton1 scponly[10515]: retrieved home directory of "/home/userguy" for user "userguy"
Sep 15 09:53:11 teton1 scponly[10515]: chrooting to dir: "/home/userguy"
Sep 15 09:53:11 teton1 scponly[10515]: chdiring to dir: "/"
Sep 15 15:53:11 teton1 scponly[10515]: setting uid to 816
Sep 15 15:53:11 teton1 scponly[10515]: processing request: "/usr/local/sbin/scponlyc"
Sep 15 15:53:11 teton1 scponly[10515]: denied request: /usr/local/sbin/scponlyc (resolved to: scponlyc) [username: userguy(816), IP/port: 192.168.0.3 52500 22]
Sep 15 09:53:11 teton1 sshd[10512]: pam_unix(sshd:session): session closed for user userguy


Then I tried (stock ssh conf file for the centos distro):

# override default of no subsystems
Subsystem      sftp    /usr/libexec/openssh/sftp-server
#Subsystem       sftp    /usr/local/sbin/scponlyc

And got:

Sep 15 10:03:49 teton1 scponly[10583]: chrooted binary in place, will chroot()
Sep 15 10:03:49 teton1 scponly[10583]: 3 arguments in total.
Sep 15 10:03:49 teton1 scponly[10583]:  arg 0 is scponlyc
Sep 15 10:03:49 teton1 scponly[10583]:  arg 1 is -c
Sep 15 10:03:49 teton1 scponly[10583]:  arg 2 is /usr/libexec/openssh/sftp-server
Sep 15 10:03:49 teton1 scponly[10583]: opened log at LOG_AUTHPRIV, opts 0x00000029
Sep 15 10:03:49 teton1 scponly[10583]: retrieved home directory of "/home/chrism" for user "userguy"
Sep 15 10:03:49 teton1 scponly[10583]: chrooting to dir: "/home/userguy"
Sep 15 10:03:49 teton1 scponly[10583]: chdiring to dir: "/"
Sep 15 16:03:49 teton1 scponly[10583]: setting uid to 816
Sep 15 16:03:49 teton1 scponly[10583]: processing request: "/usr/libexec/openssh/sftp-server"
Sep 15 16:03:49 teton1 scponly[10583]: running: /usr/libexec/openssh/sftp-server (username: userguy(816), IP/port: 192.168.0.3 52585 22)
Sep 15 10:05:07 teton1 sshd[10588]: pam_unix(sshd:session): session closed for user userguy

This latter one seems better; however, the SFTP client software still
reports "permission denied."

The /etc/passwd entry is:

userguy:x:816:817::/home/userguy:/usr/local/sbin/scponlyc

# ls -l /usr/local/sbin/scponlyc
-rwsr-xr-x 1 root root 33493 Sep 13 17:58 /usr/local/sbin/scponlyc

I tried specifying /incoming as the directory to go to, but then it fails
with:

userguy:x:816:817::/home/userguy/incoming:/usr/local/sbin/scponlyc

Sep 15 10:15:47 teton1 scponly[10708]: retrieved home directory of "/home/userguy/incoming" for user "userguy"
Sep 15 10:15:47 teton1 scponly[10708]: chroot dir not owned by root: /home/userguy/incoming

# ls -l /home/userguy
total 24
drwxr-xr-x 2 root   root   4096 Sep 12 08:52 bin
drwxr-xr-x 2 root   root   4096 Sep 15 09:52 dev
drwxr-xr-x 2 root   root   4096 Sep 12 07:06 etc
drwxr-xr-x 2 userguy userguy 4096 Sep 12 07:06 incoming
drwxr-xr-x 2 root   root   4096 Sep 12 07:06 lib
drwxr-xr-x 5 root   root   4096 Sep 12 07:06 usr

I must be close; any more ideas?

Thanks,
Chris