[scponly] Further // usage confusion ... possible bug ?

Kaleb Pederson kpederson at mail.ewu.edu
Thu Mar 30 12:28:28 EST 2006


If you are using the chroot, the sftp (scp) programs are going to pull the 
path information that they use when you upload from the /etc/passwd file 
within the chroot.  So, what does the passwd file within the chroot look 
like?  Is it correctly mapping their home directory to /username?

--Kaleb

On Thursday 30 March 2006 9:17 am, Ensel Sharon wrote:
> A few months ago I asked for some clarification about the // usage in
> /etc/passwd that divides the chroot point from the writeable user incoming
> directory (or whatever you want to call it).
>
> I am seeing behavior that confuses me and would like to know why that
> behavior manifests itself, or if it is a bug.
>
> On Tue, 20 Dec 2005, wby oblyr wrote:
> > And yes, I'm painfully aware of how inadequate the documentation is around
> > this feature.  Basically, the gist is this:
> >
> > Users of the scponlyc shell must not be able to modify their home
> > directories, lest they be able to subvert the restricted shell by
> > modifying things like ssh configuration.  Many people complained that
> > after logging into a scponly shell, they could not upload files, so the
> > '//' thing was devised.
> >
> > imagine this home directory:
> >
> > /home/scponlyuser//incoming
> >
> > everything BEFORE the // is the chroot path (/home/scponlyuser) and
> > everything after the // is a directory to chdir() into after chrooting. 
> > This way a user can log into their scponly shell and the following will
> > happen:
> >
> > - scponlyc will chroot to /home/scponlyuser
> > - scponlyc will then chdir to /incoming (inside the chroot), dropping the
> > user into a directory they can upload
>
> Ok, I get it.  I really do.  But if that is the case, then a /etc/passwd
> home-directory line like this:
>
> /usr/home//username
>
> (where the chroot supporting etc/usr/bin directories for multiple users
> are in /usr/home)
>
> Should allow me to scp like this:
>
> scp /file username at servername:/
>
> but it doesn't - I _still_ have to specify the subdirectory on the scp
> command line:
>
> scp /file username at servername:/username
>
> So ... what gives?  If the purpose of the data after the // is to
> "dropping the user into a directory they can upload" then why isn't it
> dropping me in there?  I might as well just leave the home directory in
> /etc/passwd as:
>
> /usr/home
>
> if I have to specify the sub-dir on the client remote command anyway...
>
> Comments?
>
>
>
> _______________________________________________
> scponly mailing list
> scponly at lists.ccs.neu.edu
> https://lists.ccs.neu.edu/bin/listinfo/scponly
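Added example (editor's note, not scponly's own source and not part of either message above): a small C model of the "//" convention described in the quoted text, with scp's remote-path rule applied on top. split_home_field() cuts a passwd home field at the first "//" into the chroot path and the directory to chdir() into after the chroot; resolve_remote_path() then shows where the REMOTE part of "scp file user@host:REMOTE" lands, both as seen inside the chroot and as seen by the host kernel. Two assumptions are marked in the code: a field with no "//" is treated as "chroot to the whole field, stay at /", and a field whose part before "//" is empty is rejected. The function names and the struct are illustrative; they do not exist in scponly.

```c
#include <stdio.h>
#include <string.h>

/*
 * Illustrative model of scponly's "//" home-directory convention.
 * This is added example code, not scponly's implementation.
 */

#define PATH_LEN 256

struct chroot_spec {
    char chroot_path[PATH_LEN]; /* everything before "//"                   */
    char chdir_path[PATH_LEN];  /* "/" + everything after "//", in-chroot  */
};

/* Join two path pieces with exactly one '/' between them. */
static void join_path(char *dst, size_t dstlen, const char *a, const char *b)
{
    size_t alen = strlen(a);
    while (alen > 1 && a[alen - 1] == '/') alen--;  /* strip trailing '/' on a */
    while (*b == '/') b++;                           /* strip leading '/' on b  */
    if (*b == '\0')
        snprintf(dst, dstlen, "%.*s", (int)alen, a);
    else if (alen == 1 && a[0] == '/')
        snprintf(dst, dstlen, "/%s", b);
    else
        snprintf(dst, dstlen, "%.*s/%s", (int)alen, a, b);
}

/*
 * Split a passwd home field at the first "//".  Returns 0 on success, -1 if
 * the field is unusable.  ASSUMPTION: no "//" means chroot to the whole
 * field and stay at "/"; an empty part before "//" is rejected.
 */
int split_home_field(const char *home, struct chroot_spec *out)
{
    const char *sep = strstr(home, "//");
    if (home[0] != '/') return -1;              /* home dirs are absolute */
    if (sep == NULL) {
        snprintf(out->chroot_path, sizeof out->chroot_path, "%s", home);
        snprintf(out->chdir_path, sizeof out->chdir_path, "/");
        return 0;
    }
    if (sep == home) return -1;                 /* "//incoming": no chroot path */
    snprintf(out->chroot_path, sizeof out->chroot_path,
             "%.*s", (int)(sep - home), home);
    join_path(out->chdir_path, sizeof out->chdir_path, "/", sep + 2);
    return 0;
}

/*
 * Where the REMOTE part of "scp file user@host:REMOTE" lands.  scp's general
 * rule: a remote path starting with '/' is absolute (here: absolute inside
 * the chroot); anything else, including an empty path, is relative to the
 * login cwd, which after the "//" handling is chdir_path.
 */
void resolve_remote_path(const struct chroot_spec *s, const char *remote,
                         char *inside, size_t ilen, char *host, size_t hlen)
{
    if (remote[0] == '/')
        join_path(inside, ilen, "/", remote);
    else
        join_path(inside, ilen, s->chdir_path, remote);
    join_path(host, hlen, s->chroot_path, inside);   /* host-side view */
}

/* Convenience: 1 if (home, remote) resolves to the expected pair, else 0. */
int demo_check(const char *home, const char *remote,
               const char *expect_inside, const char *expect_host)
{
    struct chroot_spec s;
    char inside[PATH_LEN], host[PATH_LEN];
    if (split_home_field(home, &s) != 0) return 0;
    resolve_remote_path(&s, remote, inside, sizeof inside, host, sizeof host);
    return strcmp(inside, expect_inside) == 0 && strcmp(host, expect_host) == 0;
}

int main(void)
{
    /* Constructed inputs taken from the thread's two home-field examples. */
    const char *homes[]   = { "/usr/home//username", "/usr/home//username",
                              "/usr/home//username", "/usr/home" };
    const char *remotes[] = { "/", "", "file", "file" };
    for (int i = 0; i < 4; i++) {
        struct chroot_spec s;
        char inside[PATH_LEN], host[PATH_LEN];
        if (split_home_field(homes[i], &s) != 0) continue;
        resolve_remote_path(&s, remotes[i], inside, sizeof inside, host, sizeof host);
        printf("home=%-22s remote=%-6s chroot=%-10s cwd=%-10s -> %s (host: %s)\n",
               homes[i], remotes[i], s.chroot_path, s.chdir_path, inside, host);
    }
    return 0;
}
```

Run it and compare the rows: with "/usr/home//username" a bare "host:" or "host:file" resolves under /username, while "host:/" is an absolute path and resolves to the chroot root, which the host sees as /usr/home.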