[scponly] setting up chroot jail on solaris 8 (intel)

Sue Bauer-Lee sblee at tazmania.org
Mon Aug 23 15:06:03 EDT 2004


Here's an excerpt of what we have setup on Solaris 8 Intel.
I may be able to grab the script that sets up the user space if needed.

The user's entry in the real /etc/passwd is (tail -1 /etc/passwd):
test:x:50031:10000:Client - test:/home/test//test/incoming:/usr/local/scponly/sbin/scponlyc

The entire jailed etc/passwd (cat /home/test/etc/passwd) is:
test:x:50031:10000:://test/incoming:/usr/local/sbin/scponlyc

The entire jailed etc/group (cat /home/test/etc/group) is:
ftpcli::10000:test

The following jail environment is created in the user's jail (/home/test):
d--x--x--x   7 root     sys  .
drwxr-xr-x   5 root     sys  ./usr
d-wx--x--x   2 root     sys  ./usr/bin
-r-xr-xr-x   1 root     bin  ./usr/bin/ls
-r-xr-xr-x   1 root     bin  ./usr/bin/mv
-r-xr-xr-x   1 root     bin  ./usr/bin/pwd
-r-xr-xr-x   1 root     bin  ./usr/bin/rm
-r-xr-xr-x   1 root     bin  ./usr/bin/groups
-rwxr-xr-x   1 bin      bin  ./usr/bin/scp
d--x--x--x   2 root     sys  ./usr/lib
-rwxr-xr-x   1 root     bin  ./usr/lib/libc.so.1
-rwxr-xr-x   1 root     bin  ./usr/lib/libdl.so.1
-rwxr-xr-x   1 root     bin  ./usr/lib/libresolv.so.2
-rwxr-xr-x   1 root     bin  ./usr/lib/librt.so.1
-rwxr-xr-x   1 root     bin  ./usr/lib/libsocket.so.1
-rwxr-xr-x   1 root     bin  ./usr/lib/libnsl.so.1
-rwxr-xr-x   1 root     bin  ./usr/lib/libaio.so.1
-rwxr-xr-x   1 root     bin  ./usr/lib/libmp.so.2
-rwxr-xr-x   1 root     bin  ./usr/lib/ld.so.1
-rwxr-xr-x   1 root     bin  ./usr/lib/nss_files.so.1
d--x--x--x   6 root     sys  ./usr/local
d--x--x--x   3 root     sys  ./usr/local/ssl
d--x--x--x   2 root     sys  ./usr/local/ssl/lib
-r-xr-xr-x   1 bin      bin  ./usr/local/ssl/lib/libcrypto.so.0.9.7
d--x--x--x   2 root     sys    ./usr/local/lib
-rwxr-xr-x   1 bin      bin    ./usr/local/lib/libz.so
-rw-r--r--   1 bin      bin    ./usr/local/lib/libgcc_s.so.1
d--x--x--x   2 root     sys    ./usr/local/libexec
-rwxr-xr-x   1 bin      bin    ./usr/local/libexec/sftp-server
d--x--x--x   3 root     sys    ./usr/local/scponly
d--x--x--x   2 root     sys    ./usr/local/scponly/sbin
-rwsr-xr-x   1 root     root   ./usr/local/scponly/sbin/scponlyc
d--x--x--x   3 root     sys    ./devices
d--x--x--x   2 root     sys    ./devices/pseudo
crw-rw-rw-   1 root     sys    ./devices/pseudo/mm@0:zero
crw-rw-rw-   1 root     sys    ./devices/pseudo/mm@0:null
d--x--x--x   2 root     sys    ./dev
lrwxrwxrwx   1 root     other  ./dev/zero -> ../devices/psuedo/mm@0:zero
lrwxrwxrwx   1 root     other  ./dev/null -> ../devices/pseudo/mm@0:null
d--x--x--x   2 root     sys    ./etc
-r--r--r--   1 root     sys    ./etc/passwd
-r--r--r--   1 root     sys    ./etc/group
lrwxrwxrwx   1 root     other  ./bin -> ./usr/bin
lrwxrwxrwx   1 root     other  ./lib -> ./usr/lib
drwxr-x---   2 testuser ftpadm ./test
drwxr-x---   2 testuser ftpadm ./test/incoming
drwxr-x---   2 testuser ftpadm ./test/incoming/.ssh
-rw-r--r--   2 testuser ftpadm ./test/incoming/.ssh/authorized_keys
drwxrwx---   2 testuser ftpadm ./test/outgoing



On Mon, Aug 23, 2004 at 10:55:55AM -0700, Chris Cheshire wrote:
> Hi,
> 
> I have openssh 3.8.1p1 installed (from sunfreeware.com) and have been 
> trying to configure scponly to use a chrooted jail. I can get scponly to 
> work fine with sftp but scponlyc doesn't. The setup_chroot.sh doesn't 
> work on this platform so I tried to manually do the bits and pieces, as 
> well as follow other suggestions from the archives here, but ssh seems 
> to close the connection straight after the key handshaking is done. (ssh 
> is configured to only do key authentication, not password).
> 
> The user dir has this structure:
> .:
> bin  etc  lib  pub  usr
> 
> ./bin:
> chgrp   chmod   chown   echo    groups  id      ln      ls      mkdir 
> mv      pwd     rm      rmdir
> 
> ./etc:
> passwd
> 
> ./lib:
> ld.so.1
> 
> ./pub:
> 
> ./usr:
> lib    local
> 
> ./usr/lib:
> libaio.so.1      libdl.so.1       libnsl.so.1      libresolv.so.2   libsocket.so.1
> libc.so.1        libgen.so.1      libpam.so.1      librt.so.1       nss_compat.so.1
> libcmd.so.1      libmp.so.2       libproject.so.1  libsecdb.so.1    nss_files.so.1
> 
> ./usr/local:
> bin      lib      libexec  ssl
> 
> ./usr/local/bin:
> scp
> 
> ./usr/local/lib:
> libgcc_s.so.1  libz.so
> 
> ./usr/local/libexec:
> sftp-server
> 
> ./usr/local/ssl:
> lib
> 
> ./usr/local/ssl/lib:
> libcrypto.so.0.9.7
> 
> Everything but the pub dir is writable only by root, but readable and 
> executable by all.
> 
> The debug output from ssh from when it spawns the sftp-server subsystem is:
> ......
> debug1: session_input_channel_req: session 0 req subsystem
> subsystem request for sftp
> debug1: subsystem: exec() /usr/local/libexec/sftp-server
> debug1: Received SIGCHLD.
> debug2: fd 11 setting O_NONBLOCK
> debug2: fd 11 is O_NONBLOCK
> debug2: notify_done: reading
> debug1: session_by_pid: pid 14240
> debug1: session_exit_message: session 0 channel 0 pid 14240
> debug2: channel 0: request exit-signal
> debug1: session_exit_message: release channel 0
> debug2: channel 0: write failed
> debug2: channel 0: close_write
> debug2: channel 0: output open -> closed
> debug1: session_close: session 0 pid 14240
> debug2: channel 0: read<=0 rfd 11 len 0
> debug2: channel 0: read failed
> debug2: channel 0: close_read
> debug2: channel 0: input open -> drain
> debug2: channel 0: ibuf empty
> debug2: channel 0: send eof
> debug2: channel 0: input drain -> closed
> debug2: channel 0: send close
> debug3: channel 0: will not send data after close
> debug3: channel 0: will not send data after close
> debug2: channel 0: rcvd close
> debug3: channel 0: will not send data after close
> debug2: channel 0: is dead
> debug2: channel 0: garbage collecting
> debug1: channel 0: free: server-session, nchannels 1
> debug3: channel 0: status: The following connections are open:
>    #0 server-session (t4 r0 i3/0 o3/0 fd 11/11)
> 
> debug3: channel 0: close_fds r 11 w 11 e -1
> Connection closed by ....
> debug1: do_cleanup
> Closing connection to ....
> debug3: mm_request_send entering: type 56
> debug3: monitor_read: checking request 56
> debug3: mm_answer_term: tearing down sessions
> 
> 
> A successful connection with just scponly as the shell looks like this:
> ....
> subsystem request for sftp
> debug1: subsystem: exec() /usr/local/libexec/sftp-server
> debug2: fd 11 setting O_NONBLOCK
> debug2: fd 11 is O_NONBLOCK
> debug2: channel 0: rcvd adjust 916
> 
> 
> Have I missed copying any libraries or commands to the jail? Any other 
> suggestions? Are there special permissions that need setting on anything?
> 
> Thanks
> 
> Chris
> 
> 
> _______________________________________________
> scponly mailing list
> scponly at lists.ccs.neu.edu
> https://lists.ccs.neu.edu/bin/listinfo/scponly
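When sftp-server dies immediately after exec inside the jail, as in Chris's debug output, the usual causes are a library the binary needs that is not in the jail, a device node or /etc file that is missing, or a symlink that resolves on the host but not once the process has chroot()ed. The script below is an added example for this thread, not code from either post or from the scponly project: it runs those checks against a jail directory offline. The EXPECTED_FILES list is taken from Sue's listing above (note that the dev/zero link there points at `../devices/psuedo/...` while the directory is `./devices/pseudo`, which is exactly the kind of mismatch the symlink check reports); the function names and the checks themselves are assumptions. It parses ls(1) rather than calling readlink(1), which Solaris 8 does not ship, and it needs a POSIX shell (`/usr/xpg4/bin/sh` on Solaris 8, since `/bin/sh` there is the old Bourne shell).

```shell
#!/bin/sh
# check_jail.sh - offline sanity checks for an scponlyc chroot jail.
# Added example for this thread, not code from the original posts or
# from the scponly project. EXPECTED_FILES is taken from the jail
# listing in the thread; the function names and checks are assumptions.
#
# Usage: sh check_jail.sh /home/test [usr/bin/ls usr/local/libexec/sftp-server ...]

# Files the jail in the thread provides, relative to the jail root.
EXPECTED_FILES="etc/passwd etc/group dev/null dev/zero usr/lib/ld.so.1 usr/lib/libc.so.1 usr/local/libexec/sftp-server"

# Print a symlink's target. Parses ls(1) instead of readlink(1), which Solaris 8 lacks.
link_target() {
    ls -l "$1" | sed 's/.* -> //'
}

# Resolve a symlink the way the kernel will AFTER chroot(): absolute targets are
# re-rooted at the jail, relative ones resolved from the link's directory. Follows
# chains up to 8 hops and prints nothing for a loop. Directory components that are
# themselves absolute links are not re-rooted, so keep directory links relative,
# as the listing in the thread does (./bin -> ./usr/bin).
resolve_in_jail() {
    jail=$1
    path=$2
    hops=0
    while [ -L "$path" ]; do
        hops=$((hops + 1))
        if [ "$hops" -gt 8 ]; then
            return 0
        fi
        target=$(link_target "$path")
        case $target in
            /*) path=$jail$target ;;
            *)  path=$(dirname "$path")/$target ;;
        esac
    done
    echo "$path"
}

# Report every symlink under the jail whose target does not exist inside the jail.
# Catches a link whose target only exists on the host (an absolute /usr/lib/...
# target loops back onto itself once re-rooted) and spelling mismatches such as
# pseudo/psuedo.
check_jail_symlinks() {
    jail=$1
    find "$jail" -type l | while read -r link; do
        resolved=$(resolve_in_jail "$jail" "$link")
        if [ -z "$resolved" ] || [ ! -e "$resolved" ]; then
            echo "BROKEN: ${link#$jail/} -> $(link_target "$link")"
        fi
    done
}

# Report every expected file that is absent (or a dangling link) in the jail.
check_jail_files() {
    jail=$1
    for f in $EXPECTED_FILES; do
        [ -e "$jail/$f" ] || echo "MISSING: $f"
    done
}

# For each binary (path relative to the jail), list the shared libraries ldd(1)
# reports that are not present anywhere under the jail. Run this only on binaries
# you copied in yourself: ldd may execute parts of what it inspects, so it is not
# a tool for files of unknown origin. Skips quietly without ldd or on a
# non-dynamic file.
check_jail_libs() {
    jail=$1
    shift
    command -v ldd >/dev/null 2>&1 || return 0
    for bin in "$@"; do
        ldd "$jail/$bin" 2>/dev/null | awk '/=>/ { print $1 }' | while read -r lib; do
            case $lib in
                lib*) find "$jail" -name "$lib" | grep -q . || echo "NOLIB: $bin needs $lib" ;;
            esac
        done
    done
}

# Run all checks; print findings and return 1 if there were any, 0 if the jail is clean.
check_jail() {
    jail=$1
    shift
    findings=$( { check_jail_files "$jail"; check_jail_symlinks "$jail"; check_jail_libs "$jail" "$@"; } )
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    echo "OK: $jail"
    return 0
}

if [ "$#" -gt 0 ]; then
    check_jail "$@"
fi
```

Run it as root against the jail root with the binaries you copied in (`sh check_jail.sh /home/test usr/bin/ls usr/local/libexec/sftp-server`); a clean jail prints `OK:` and exits 0, anything else is a list of `MISSING:`, `BROKEN:` and `NOLIB:` lines to fix before going back to the sshd debug output.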