[scponly] Further // usage confusion ... possible bug ?
Ensel Sharon
user at dhp.com
Thu Mar 30 12:17:42 EST 2006
A few months ago I asked for some clarification about the // usage in
/etc/passwd that divides the chroot point from the writeable user incoming
directory (or whatever you want to call it).
I am seeing behavior that confuses me and would like to know why that
behavior manifests itself, or if it is a bug.
On Tue, 20 Dec 2005, wby oblyr wrote:
> And yes, I'm painfully aware of how inadequate the documentation is around this feature. Basically, the gist is
> this:
>
> Users of the scponlyc shell must not be able to modify their home directories, lest they be able to subvert the
> restricted shell by modifying things like ssh configuration. Many people complained that after logging into a
> scponly shell, they could not upload files, so the '//' thing was devised.
>
> imagine this home directory:
>
> /home/scponlyuser//incoming
>
> everything BEFORE the // is the chroot path (/home/scponlyuser) and everything after the // is a directory to
> chdir() into after chrooting. This way a user can log into their scponly shell and the following will happen:
>
> - scponlyc will chroot to /home/scponlyuser
> - scponlyc will then chdir to /incoming (inside the chroot), dropping the user into a directory they can upload

Ok, I get it. I really do. But if that is the case, then a /etc/passwd
home-directory line like this:

/usr/home//username

(where the chroot supporting etc/usr/bin directories for multiple users
are in /usr/home)

Should allow me to scp like this:

scp /file username@servername:/

but it doesn't - I _still_ have to specify the subdirectory on the scp
command line:

scp /file username@servername:/username

So ... what gives ? If the purpose of the data after the // is to
"dropping the user into a directory they can upload" then why isn't it
dropping me in there ? I might as well just leave the home directory in
/etc/passwd as:

/usr/home

if I have to specify the sub-dir on the client remote command anyway...

Comments ?
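
The chroot-then-chdir sequence quoted above can be modelled lexically to see where a given scp target lands: an absolute remote path is resolved from the chroot root, and only a relative one starts from the directory after the //. This is an added example, not part of the original post and not scponly's own code; the names split_home and resolve are hypothetical, symlinks are ignored, and the handling of a home field without // is an assumption.

```python
import posixpath


def split_home(home):
    """Split a passwd home field at the first '//' into (chroot_dir, start_dir)."""
    head, sep, tail = home.partition("//")
    if not sep:
        # Assumption: with no '//' the whole field is the chroot and the
        # working directory is the chroot root.
        return posixpath.normpath(home), "/"
    return posixpath.normpath(head or "/"), "/" + tail.strip("/")


def resolve(home, remote_path):
    """Return (path as seen inside the chroot, path on the host) for an scp target."""
    chroot_dir, start_dir = split_home(home)
    # scp sends "." as the remote path when nothing follows the colon.
    joined = posixpath.join(start_dir, remote_path or ".")
    # join() discards start_dir when remote_path is absolute, and normpath()
    # on an absolute path stops ".." at "/", as the kernel does at a chroot root.
    inside = "/" + posixpath.normpath(joined).lstrip("/")
    host = posixpath.normpath(chroot_dir.rstrip("/") + inside)
    return inside, host


if __name__ == "__main__":
    home = "/usr/home//username"  # the passwd entry from the post
    # Constructed sample targets: the text after "servername:" on the scp line.
    for target in ("/", "/username", "", "file", "../../etc"):
        inside, host = resolve(home, target)
        print(f"servername:{target:<10} -> chroot {inside:<16} host {host}")
```

In this model `servername:/` resolves to the chroot root (/usr/home on the host), which the quoted reply says must not be user-modifiable, while `servername:` or a relative name resolves under /username.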