[scponly] scponly and umask

Kaleb Pederson kaleb.pederson at gmail.com
Tue Mar 31 19:13:45 EDT 2009


On Tuesday 31 March 2009 02:59:27 pm Ken wrote:
> I follow. Since sshd_config was definitely reloaded, and I confirmed the
> instance of sshd that is listening on TCP:22 is the patched version of
> 5.1, and there was very little opportunity for human error in the
> patching process itself, what next?
> 
> Regarding that patching process, does anything below stand out as a
> potentially error-prone step?
> 1) obtain OpenSSH-server v5.1p source in /usr/local/src with filename
> "openssh-5.1p1.tar.gz"
> 2) obtain sftpfilecontrol patch with filename
> "openssh-5.1p1.sftpfilecontrol-v1.3.patch"
> 3) execute:
> root at src%patch -p0 < openssh-5.1p1.sftpfilecontrol-v1.3.patch
> 4) ./configure;make;make install (defaults to /usr/local/sbin)
> 5) stop sshd, edit paths in /etc/init.d/sshd
> 7) backup existing sshd_config, I chose to use the sshd_config provided
> by the build process which includes the sftpfilecontrol directives at
> the foot
> 8) start sshd
> 9) confirm effective instance of sshd is patched version with: %netstat
> -lnp;ps u -p <pid of sshd>
> -or display banner-
> %nc localhost 22
> SSH-2.0-OpenSSH_5.1p1+sftpfilecontrol-v1.3

That all looks good.

Here are a few things you can try:

a) Confirm that the directives in sshd_config are being picked up correctly by placing an invalid entry in the file
b) Try putting 999 for the umask -- it should give a fatal error: "...bad value for umask"
c) Try putting 1 or 0 instead of yes/no for the permits on chmod/chown
d) Try removing the SftpUmask line, the environment variable should end up with a value of -1.

--Kaleb

> 
> Ken Bingham
> SysAdmin, Booksurge
> (843) 760-8038 EDT
> 
> 
> 
> Kaleb Pederson wrote:
> > That's what I thought.  So, for some reason ssh is not picking up the
> > values from sshd_config correctly (maybe it wasn't restarted, maybe it
> > wasn't correctly patched, etc.).
> > 
> > SFTP_PERMIT_CHMOD should be 0, as should SFTP_PERMIT_CHOWN.  I didn't
> > bother checking the umask environment variable, but if you can read
> > source code you could look through the patch and determine what it
> > should be set to as well.
> > 
> > You'll need to figure out how to make the sftp file controls work in a
> > normal shell using the sftpfilecontrol patch.  Once you have it
> > working in a normal shell, then you can switch over to the scponly
> > pseudo-shell and hopefully everything will just work at that point.
> > 
> 

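The checks Kaleb suggests (an invalid umask such as 999 must be rejected, a missing SftpUmask must surface as -1, and the chmod/chown permits must be yes/no) can be rehearsed against a config file before restarting sshd. The script below is an added example written for this archive page; it is not code from the thread, from scponly, or from the sftpfilecontrol patch. The parsing rules it applies (first matching directive wins, 1 to 4 octal digits for the umask, -1 for an absent directive, yes/no only for the permit keys) are assumptions chosen to match the behaviour described in the thread, and the sample config files are constructed inline.

```shell
#!/bin/sh
# Added example, not part of the scponly thread or the sftpfilecontrol patch.
# Pre-flight check for SftpUmask / SftpPermitChmod / SftpPermitChown values
# in an sshd_config-style file. The validation rules are assumptions modelled
# on the thread's description, not the patch's own parser.

# sftp_umask_value FILE
# Prints the umask the patched sshd would expose, or -1 when the directive
# is absent (as the thread describes). Prints an error to stderr and
# returns 1 on a bad value such as 999.
sftp_umask_value() {
    file=$1
    # first matching directive, key matched case-insensitively; lines
    # starting with '#' never match because $1 is then "#"
    val=$(awk 'tolower($1)=="sftpumask" {print $2; exit}' "$file")
    if [ -z "$val" ]; then
        echo -1
        return 0
    fi
    # must be 1-4 octal digits (022, 0077, ...); 999 fails this test
    case "$val" in
        *[!0-7]*) echo "bad value for umask: $val" >&2; return 1 ;;
    esac
    if [ ${#val} -gt 4 ]; then
        echo "bad value for umask: $val" >&2; return 1
    fi
    echo "$val"
}

# sftp_permit_value FILE KEY
# Prints 1 for "yes", 0 for "no", and -1 when KEY is absent (assumption,
# mirroring the umask convention). Numeric 1/0 and anything else is
# rejected, matching point (c) of the thread.
sftp_permit_value() {
    file=$1
    key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    val=$(awk -v k="$key" 'tolower($1)==k {print tolower($2); exit}' "$file")
    case "$val" in
        "")  echo -1 ;;
        yes) echo 1 ;;
        no)  echo 0 ;;
        *)   echo "bad value for $2: $val" >&2; return 1 ;;
    esac
}

# Constructed sample configs (assumed paths, created only for this demo).
tmpdir=${TMPDIR:-/tmp}/sftpcheck.$$
mkdir -p "$tmpdir"
trap 'rm -rf "$tmpdir"' EXIT
printf 'Subsystem sftp /usr/local/libexec/sftp-server\nSftpUmask 022\nSftpPermitChmod no\nSftpPermitChown no\n' > "$tmpdir/good"
printf 'SftpUmask 999\nSftpPermitChown 1\n' > "$tmpdir/bad"
printf '# SftpUmask 022 (commented out, so it must not count)\n' > "$tmpdir/missing"

# Walk the samples and report; a failing check prints to stderr but does
# not abort the walk.
for cfg in good missing bad; do
    printf '%s: umask=' "$cfg"
    sftp_umask_value "$tmpdir/$cfg" || true
    printf '%s: chown=' "$cfg"
    sftp_permit_value "$tmpdir/$cfg" SftpPermitChown || true
done
```

Run it as a plain shell script; a real deployment would point the functions at /etc/ssh/sshd_config (or whatever path the init script was edited to use) and still finish with `sshd -t` so the daemon's own parser has the final word.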