[scponly] chroot fails without warning - everything still works
Fred Fiat
fred.fiat at inbox.com
Fri Jun 16 11:03:15 EDT 2006
> Fred,
>
> Please do the following to turn on debug mode:
>
> echo 1 > /usr/local/etc/scponly/debuglevel
Done. Thanks for the quick response.
>
> Once debug mode is on, you'll get additional syslog output. Please post
> that output and we should be better able to help.
Jun 16 17:00:53 HOST scponly[8806]: 3 arguments in total.
Jun 16 17:00:53 HOST scponly[8806]: arg 0 is /usr/local/sbin/scponlyc
Jun 16 17:00:53 HOST scponly[8806]: arg 1 is -c
Jun 16 17:00:53 HOST scponly[8806]: arg 2 is sftp-server
Jun 16 17:00:53 HOST scponly[8806]: opened log at LOG_AUTHPRIV, opts 0x00000009
Jun 16 17:00:53 HOST scponly[8806]: retrieved home directory of "/home/test1" for user "test1"
Jun 16 17:00:53 HOST scponly[8806]: setting uid to 1035
Jun 16 17:00:53 HOST scponly[8806]: processing request: "sftp-server"
Jun 16 17:00:53 HOST scponly[8806]: running: /usr/bin/sftp-server (username: test1(1035), IP/port: ::1 51149 ::1 22)
>
> Also, please run and provide us the output of:
>
> getent passwd test1 || grep test1 /etc/passwd
test1:x:1035:100::/home/test1:/usr/local/sbin/scponlyc
# ls -l /usr/local/sbin/scponlyc
-rwsr-xr-x 1 root root 62565 Jun 16 16:59 /usr/local/sbin/scponlyc
Interestingly perhaps, a "pwd" once sftped to the server shows /home/test1, not /
>
> Thanks.
Thanks!
>
> --Kaleb
>
> On Friday 16 June 2006 7:34 am, Fred Fiat wrote:
>> Hello,
>>
>> scponly seemed to be working great, until I tested the chroot
>> functionality. With chroot, I am able to view the root / dir, and files
>> in the root /tmp/ dir (i.e. dirs outside of the chroot).
>>
>> Hope someone can help.
>>
>> The install went fine, I built using
>> ./configure --enable-chrooted-binary --disable-wildcards --disable-winscp-compat
>>
>> I'm now trying the "make jail" script, here is what I answered:
>>
>> # make jail
>> [snip]
>> Username to install [scponly]test1
>> home directory you wish to set for this user [/home/test1]
>> name of the writeable subdirectory [incoming]
>> creating /home/test1/incoming directory for uploading files
>>
>> Your platform (Linux) does not have a platform specific setup script.
>> This install script will attempt a best guess.
>> If you perform customizations, please consider sending me your changes.
>> Look to the templates in build_extras/arch.
>> - joe at sublimation dot org
>>
>> please set the password for test1:
>> New password:
>> Bad password: too short
>> Re-enter new password:
>> Password changed
>> [snip]
>>
>>
>>
>> then I tried the new account:
>>
>> # sftp test1@localhost
>> Warning: Need basic cursor movement capability, using vt100
>> warning: Need basic cursor movement capability, using vt100
>> test1@localhost's password:
>> sftp> ls -l /tmp
>>
>> It lets me see the contents of the root (i.e. out of chroot) /tmp/
>> directory! Yikes!
>>
>> What have I done wrong?
>>
>> _______________________________________________
>> scponly mailing list
>> scponly at lists.ccs.neu.edu
>> https://lists.ccs.neu.edu/bin/listinfo/scponly
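
An added example, not part of the original thread and not scponly's own code: a check over the debug syslog output above that flags sessions in which the chroot-enabled binary (scponlyc) ran a command without logging any chroot step before dropping root. The "chrooting to dir" wording and the whole PID 9001 session are assumptions constructed for the example.

```python
import re
from collections import defaultdict

# PID 8806: lines copied from the debug output in the message above.
# PID 9001: constructed; its "chrooting to dir" wording is an assumption about
# what a session that does call chroot() logs at this debug level.
SAMPLE_LOG = """\
Jun 16 17:00:53 HOST scponly[8806]: arg 0 is /usr/local/sbin/scponlyc
Jun 16 17:00:53 HOST scponly[8806]: retrieved home directory of "/home/test1" for user "test1"
Jun 16 17:00:53 HOST scponly[8806]: setting uid to 1035
Jun 16 17:00:53 HOST scponly[8806]: processing request: "sftp-server"
Jun 16 17:00:53 HOST scponly[8806]: running: /usr/bin/sftp-server (username: test1(1035), IP/port: ::1 51149 ::1 22)
Jun 16 17:05:10 HOST scponly[9001]: arg 0 is /usr/local/sbin/scponlyc
Jun 16 17:05:10 HOST scponly[9001]: chrooting to dir: "/home/test2"
Jun 16 17:05:10 HOST scponly[9001]: setting uid to 1036
Jun 16 17:05:10 HOST scponly[9001]: running: /usr/bin/sftp-server (username: test2(1036))
"""

LINE = re.compile(r"scponly\[(\d+)\]: (.*)$")

def audit_sessions(log_text, chroot_binary="scponlyc"):
    """Return {pid: verdict} for every scponly session found in the debug log."""
    sessions = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE.search(line)
        if m:
            sessions[int(m.group(1))].append(m.group(2))
    verdicts = {}
    for pid, msgs in sessions.items():
        arg0 = next((m[len("arg 0 is "):] for m in msgs if m.startswith("arg 0 is ")), "")
        # chroot(2) needs root, so a real chroot must be logged before the
        # "setting uid" line where the setuid-root binary drops privileges.
        drop = next((i for i, m in enumerate(msgs) if m.startswith("setting uid to")), len(msgs))
        chrooted = any("chroot" in m.lower() and not m.startswith("arg ") for m in msgs[:drop])
        if not any(m.startswith("running:") for m in msgs):
            verdicts[pid] = "no-command"
        elif arg0.rsplit("/", 1)[-1] != chroot_binary:
            verdicts[pid] = "not-chroot-binary"
        elif chrooted:
            verdicts[pid] = "chrooted"
        else:
            verdicts[pid] = "no-chroot-logged"  # matches the symptom in this thread
    return verdicts

if __name__ == "__main__":
    for pid, verdict in audit_sessions(SAMPLE_LOG).items():
        print(pid, verdict)
```

A "no-chroot-logged" verdict is evidence rather than proof; it only means the debug log shows no chroot step before the uid change.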