[joe@sublimation.org: Re: [scponly] when do I, and when do I not, use the "/./" syntax ?]

wby oblyr joe at sublimation.org
Tue Dec 20 18:22:07 EST 2005



whoops, forgot to send this reply to the list...


----- Forwarded message from wby oblyr <joe at sublimation.org> -----

Date: Tue, 20 Dec 2005 15:21:34 -0800
From: wby oblyr <joe at sublimation.org>
To: Moti Levy <moti at flncs.com>
Subject: Re: [scponly] when do I, and when do I not, use the "/./" syntax ?
User-Agent: Mutt/1.4.2.1i
X-Operating-System: FreeBSD 5.4-RELEASE i386



I think you guys mean the "//" syntax.

And yes, I'm painfully aware of how inadequate the documentation is around this feature.  Basically, the gist is this:

Users of the scponlyc shell must not be able to modify their home directories, lest they be able to subvert the 
restricted shell by modifying things like ssh configuration.  Many people complained that after logging into a 
scponly shell, they could not upload files, so the '//' thing was devised.

imagine this home directory:

/home/scponlyuser//incoming

everything BEFORE the // is the chroot path (/home/scponlyuser) and everything after the // is a directory to 
chdir() into after chrooting.  This way a user can log into their scponly shell and the following will happen:

- scponlyc will chroot to /home/scponlyuser
- scponlyc will then chdir to /incoming (inside the chroot), dropping the user into a directory they can upload 
to.

that's it! hope it helps...

joe


Moti Levy wrote this message on Tue, Dec 20, 2005 at 16:06 -0500:
> /./ is used to change the default directory the user logs into at login 
> time .
> 
> for example , if you chrooted your users then they probably only have 
> one writable directory , say its called /incoming .
> 
> without /./ if they login they will be under /home/user
> with /./incoming they will be logged in under /home/user/incoming
> 
> Moti
> 
> 
> user wrote:
> >I have successfully set up scponly.  Specifically, I set up scponlyc
> >chroot shell, and built a chroot tree in /home.
> >
> >I then set every users home directory to /home, and set their scponlyc
> >chroot target as /home/(username).
> >
> >I believe I have tested it thoroughly - all users do indeed seem to be
> >chrooted into /home/(username) and do not seem to be able to access
> >anything outside of their chroot.
> >
> >However, I notice in documentation, and on this mailing list, the use of
> >the standard "/./" placeholder for chroot paths ... as you can see, I do
> >not have that in my home-path for any of my users.  Further, in other
> >tests when I had deeper directory paths than simply "/home", I still did
> >not make use of "/./"  ...  however, everything worked properly and I
> >noticed no problems.
> >
> >So, when do I need to use "/./", and when is it not necessary (and is my
> >implementation one of the ones where it is not necessary, or _should I_ be
> >using it ?)
> >
> >Thanks.
> >
> >
> >_______________________________________________
> >scponly mailing list
> >scponly at lists.ccs.neu.edu
> >https://lists.ccs.neu.edu/bin/listinfo/scponly

----- End forwarded message -----


