[scponly] Problem with scp-only and chroot on Centos

Kaleb Pederson kaleb.pederson at gmail.com
Tue Jan 4 11:23:17 EST 2011


I'd recommend something like JailKit to set up the chroot. As the
various distributions add more and more features, it's becoming
increasingly difficult to set up a chroot by hand as it depends on
additional libraries and files.

--Kaleb


On Wed, Dec 29, 2010 at 9:10 AM, Ali Jawad <alijawad1 at gmail.com> wrote:
> Hi
> I followed the installation progress, did add a user using the script, did
> follow the FAQ on CentOS..created dev/null with appropriate permission ..and
> got a few hints online on what libraries to add, the thing is that scponly
> works just fine but scponlyc does not work at all, I did enable debugging
> but /var/log/messages does not show anything of interest that was not there
> before..as for /var/log/secure it shows
>
> Dec 29 12:09:21 domU-12-31-39-0A-48-62 sshd[26315]: pam_unix(sshd:session):
> session opened for user scponly by (uid=0)
> Dec 29 12:09:22 domU-12-31-39-0A-48-62 sshd[26319]: subsystem request for
> sftp
> Dec 29 12:09:22 domU-12-31-39-0A-48-62 scponly[26320]: chrooted binary in
> place, will chroot()
> Dec 29 12:09:22 domU-12-31-39-0A-48-62 scponly[26320]: 3 arguments in total.
> Dec 29 12:09:22 domU-12-31-39-0A-48-62 scponly[26320]:  arg 0 is scponlyc
> Dec 29 12:09:22 domU-12-31-39-0A-48-62 scponly[26320]:  arg 1 is -c
> Dec 29 12:09:22 domU-12-31-39-0A-48-62 scponly[26320]:  arg 2 is
> /usr/libexec/openssh/sftp-server
> Dec 29 12:09:22 domU-12-31-39-0A-48-62 scponly[26320]: opened log at
> LOG_AUTHPRIV, opts 0x00000029
> Dec 29 12:09:23 domU-12-31-39-0A-48-62 sshd[26315]: pam_unix(sshd:session):
> session closed for user scponly
>
>
>
>
> I did a strace and got :
>
> sftp.log.25491:execve("/usr/local/sbin/scponlyc", ["scponlyc", "-c",
> "/usr/libexec/openssh/sftp-server"], [/* 8 vars */]) = 0
> sftp.log.25491-brk(0)                                  = 0x606000
> sftp.log.25491-fcntl(0, F_GETFD)                       = 0
> sftp.log.25491-fcntl(1, F_GETFD)                       = 0
> sftp.log.25491-fcntl(2, F_GETFD)                       = 0
> sftp.log.25491-access("/etc/suid-debug", F_OK)         = -1 ENOENT (No such
> file or directory)
> sftp.log.25491-mmap(NULL, 4096, PROT_READ|PROT_WRITE,
> MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x2aaaaaac7000
> sftp.log.25491-uname({sys="Linux", node="XXXXXXXXXXXXXXXXXXXXXXXXXX", ...})
> = 0
> sftp.log.25491-access("/etc/ld.so.preload", R_OK)      = -1 ENOENT (No such
> file or directory)
> sftp.log.25491-open("/etc/ld.so.cache", O_RDONLY)      = 3
> sftp.log.25491-fstat(3, {st_mode=S_IFREG|0644, st_size=43144, ...}) = 0
> sftp.log.25491-mmap(NULL, 43144, PROT_READ, MAP_PRIVATE, 3, 0) =
> 0x2aaaaaac8000
> sftp.log.25491-close(3)                                = 0
> sftp.log.25491-open("/lib64/libc.so.6", O_RDONLY)      = 3
> sftp.log.25491-read(3,
> "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\220\332\1\0\0\0\0\0"...,
> 832) = 832
> sftp.log.25491-fstat(3, {st_mode=S_IFREG|0755, st_size=1712216, ...}) = 0
> sftp.log.25491-mmap(NULL, 4096, PROT_READ|PROT_WRITE,
> MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x2aaaaaad3000
> sftp.log.25491-mmap(NULL, 3498328, PROT_READ|PROT_EXEC,
> MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x2aaaaacc8000
> sftp.log.25491-mprotect(0x2aaaaae15000, 2097152, PROT_NONE) = 0
> sftp.log.25491-mmap(0x2aaaab015000, 20480, PROT_READ|PROT_WRITE,
> MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x14d000) = 0x2aaaab015000
> sftp.log.25491-mmap(0x2aaaab01a000, 16728, PROT_READ|PROT_WRITE,
> MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x2aaaab01a000
>
> Please advise.
>
>
> Regards
>
>
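
The reply above notes that a hand-built chroot depends on additional libraries and files. The following is an added example, not code from this thread or from the scponly or JailKit projects, showing one way to list what a jail lacks for a given binary; the function names are hypothetical and `SAMPLE_LDD` is constructed sample `ldd` output.

```shell
#!/bin/sh
# Added example: list files a chroot jail lacks for a given binary.
# Function names are hypothetical; SAMPLE_LDD is constructed, not captured.

SAMPLE_LDD='    linux-vdso.so.1 =>  (0x00007fff00000000)
    libc.so.6 => /lib64/libc.so.6 (0x00002aaaaacc8000)
    /lib64/ld-linux-x86-64.so.2 (0x00002aaaaaaab000)'

# Read `ldd` output on stdin, print the absolute paths it names.
# Entries without a path (vdso, "not found") are skipped.
ldd_paths() {
    awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) { print $i; break } }' |
        LC_ALL=C sort -u
}

# Read paths on stdin, print those absent under chroot directory $1.
# Exit status 0 means nothing is missing.
missing_in_chroot() {
    jail=$1
    rc=0
    while IFS= read -r path; do
        [ -e "$jail$path" ] || { echo "$path"; rc=1; }
    done
    return "$rc"
}

# Check binary $2, its libraries and /dev/null against jail $1.
check_jail() {
    { echo "$2"; echo /dev/null; ldd "$2" | ldd_paths; } |
        missing_in_chroot "$1"
}

# Usage: sh check_jail.sh /path/to/jail /usr/libexec/openssh/sftp-server
if [ "$#" -eq 2 ]; then
    check_jail "$1" "$2"
fi
```

`ldd` reports only link-time dependencies, so libraries loaded at run time with `dlopen` (glibc's NSS modules, for example) and configuration files are not covered by this check.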


