[scponly] why won't 'find' work in the chroot ?

joe boyle joe at sublimation.org
Mon Oct 2 14:36:00 EDT 2006


Ensel Sharon wrote this message on Fri, Sep 22, 2006 at 14:52 -0400:
> Hi Kaleb,
> On Thu, 21 Sep 2006, Kaleb Pederson wrote:
> > On Thursday 21 September 2006 12:17 pm, Ensel Sharon wrote:
> > 
> > And I'm sure you disallowed -exec and anything else that might be dangerous!
> 
> Well, I'm considering it, but -exec would only offer execution of the
> binaries that are already a) allowed by scponly, and b) present in the
> chroot...
> 
> Or am I wrong and it would allow execution of any binary that the user
> puts into the chroot, but would still be limited in scope of action to the
> chroot ?

Point A is not true.  scponly only restricts commands invoked by the shell.  It has no oversight 
over what those programs do with their arguments.  One could simply upload code into the chroot 
and run it as an argument to find.

However, Point B is true.

The safest way to add 'find' is to add it to the commands vector in scponly.c (with a PROG_ macro 
defined in config.h or config.h.in).  Then, I would recommend adding an entry to the 
dangerous_args vector in scponly preventing the "-exec" argument from being used with find.

Personally, I don't think this is a good idea for a default configuration of scponly until it can 
be shown that there are no other 'dangerous arguments'.

joe
> 
> 
> > > However, it refuses to traverse the user's chroot directory, and in a way
> > > that does not seem to match its normal respecting of unix permissions
> > >
> > > user's home directory in /etc/passwd is:
> > >
> > > /home
> > 
> > The real /etc/passwd, or the one within the chroot?
> 
> 
> Both.  Their home directory in both is:
> 
> /home
> 
> But they are not allowed to read home (chmod 0711, owned by root) , only
> execute, so that they can traverse through to their "incoming" directory
> (chmod 0700, owned by that user)
> 
> 
> > > So when I run:
> > >
> > > ssh user@host find /user
> > 
> > What does /user have to do with /home above? Are you assuming they are already 
> > chrooted to their home directory? Why would /user exist below their home 
> > directory then?
> 
> 
> Well ... again, /home is their home directory, in terms of the passwd
> files, but they can't touch that dir, only traverse through
> it.  So when they do things remotely over ssh, they cannot use plain "/",
> they have to specify their "incoming" dir, hence:
> 
> ssh user@host find /user
> 
> (which would run find on /home/user)
> 
> 
> > > I get:
> > >
> > > find: .: Permission denied
> > 
> > Mind giving us the debug output that would be in syslog on the server side?
> 
> 
> No errors:
> 
> Sep 22 11:47:20 hostname sshd[74995]: Accepted keyboard-interactive/pam
> for username from 10.10.10.6 port 55726 ssh2
> Sep 22 11:47:20 hostname scponly[74999]: chrooted binary in place, will
> chroot()
> Sep 22 11:47:20 hostname scponly[74999]: 3 arguments in total.
> Sep 22 11:47:20 hostname scponly[74999]:        arg 0 is scponlyc
> Sep 22 11:47:20 hostname scponly[74999]:        arg 1 is -c
> Sep 22 11:47:20 hostname scponly[74999]:        arg 2 is find /username
> Sep 22 11:47:20 hostname scponly[74999]: opened log at LOG_AUTHPRIV, opts
> 0x00000009
> Sep 22 11:47:20 hostname scponly[74999]: retrieved home directory of
> "/home" for user "username"
> Sep 22 11:47:20 hostname scponly[74999]: chrooting to dir: "/home"
> Sep 22 11:47:20 hostname scponly[74999]: chdiring to dir: "/"
> Sep 22 11:47:20 hostname scponly[74999]: setting uid to username
> Sep 22 11:47:20 hostname scponly[74999]: processing request: "find
> /username"
> Sep 22 11:47:20 hostname scponly[74999]: Found "HOME" and setting it to
> "/home"
> Sep 22 11:47:20 hostname scponly[74999]: Environment contains "HOME=/home"
> Sep 22 11:47:20 hostname scponly[74999]: set HOME environment variable to
> / username: username(username), IP/port: 10.10.10.6 55726 22
> Sep 22 11:47:20 hostname scponly[74999]: running: /usr/bin/find /username
> (username: username(username), IP/port: 10.10.10.6 55726 22)
> 
> I am using this setup with complete success in all other regards - this
> same user can ls, rm, mv, etc., in his chroot with this setup.  It's just
> find that barfs, and I suspect there is nothing wrong with scponly or with
> the chroot.
> 
> I just wonder what it is that find does that causes it to complain...
> 
> 
> _______________________________________________
> scponly mailing list
> scponly at lists.ccs.neu.edu
> https://lists.ccs.neu.edu/bin/listinfo/scponly
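
The argument filter joe describes above, as an added example in C. This is not scponly's own code and is not copied from its commands or dangerous_args vectors: the table contents, the check_command/check_line names and the three matching rules (exact word for find predicates, long option with an optional =value, single-letter option that may be glued or bundled) are assumptions chosen for illustration.

```c
/* Added example (not scponly's code): allow-list of programs plus, per program,
 * the options that must be refused, so `find` can be offered without -exec.
 * Table, names and matching rules are assumptions for illustration. */
#include <stdio.h>
#include <string.h>

enum match_kind {
    EXACT,    /* whole-word option, as find's -exec */
    SHORT,    /* single-letter option, may be glued (-essh) or bundled (-ave) */
    LONGOPT   /* long option with or without =value (--rsh, --rsh=cmd) */
};

struct dangerous_arg {
    const char *prog;      /* basename of the allowed program */
    const char *badarg;    /* option that must never reach it */
    enum match_kind kind;
};

/* Constructed table.  Every find predicate that runs a program is listed, since
 * -exec is not the only one; whether the list is complete is joe's open point. */
static const struct dangerous_arg table[] = {
    { "find",  "-exec",    EXACT },
    { "find",  "-execdir", EXACT },
    { "find",  "-ok",      EXACT },    /* prompts on a tty, still executes */
    { "find",  "-okdir",   EXACT },
    { "rsync", "-e",       SHORT },    /* -e / --rsh run a remote-shell command */
    { "rsync", "--rsh",    LONGOPT },
    { "scp",   "-S",       SHORT },    /* program used to open the connection */
    { "scp",   "-o",       SHORT },    /* -o ProxyCommand=... */
    { NULL,    NULL,       EXACT }
};

static const char *const allowed_progs[] = { "ls", "find", "rsync", "scp", NULL };

static int arg_matches(const struct dangerous_arg *d, const char *arg)
{
    size_t n;
    switch (d->kind) {
    case EXACT:
        return strcmp(arg, d->badarg) == 0;
    case LONGOPT:
        n = strlen(d->badarg);
        return strncmp(arg, d->badarg, n) == 0 && (arg[n] == '\0' || arg[n] == '=');
    case SHORT:
        /* Single-dash cluster: reject if the letter appears anywhere in it; a
         * glued value containing the letter is rejected too (err on that side). */
        if (arg[0] != '-' || arg[1] == '-' || arg[1] == '\0')
            return 0;
        return strchr(arg + 1, d->badarg[1]) != NULL;
    }
    return 0;
}

/* 0: allowed as given; -1: program not allow-listed; -2: forbidden argument. */
int check_command(int argc, char **argv)
{
    const char *prog, *slash;
    const struct dangerous_arg *d;
    int i, allowed = 0;
    if (argc < 1)
        return -1;
    slash = strrchr(argv[0], '/');        /* "/usr/bin/find" -> "find" */
    prog = slash ? slash + 1 : argv[0];
    for (i = 0; allowed_progs[i]; i++)
        if (strcmp(prog, allowed_progs[i]) == 0)
            allowed = 1;
    if (!allowed)
        return -1;
    for (i = 1; i < argc; i++)
        for (d = table; d->prog; d++)
            if (strcmp(d->prog, prog) == 0 && arg_matches(d, argv[i]))
                return -2;
    return 0;
}

/* Split a request on blanks (simplification: no quoting rules) and check it. */
int check_line(const char *line)
{
    char buf[512], *argv[64], *tok;
    int argc = 0;
    if (strlen(line) >= sizeof buf)
        return -3;
    strcpy(buf, line);
    for (tok = strtok(buf, " \t"); tok && argc < 63; tok = strtok(NULL, " \t"))
        argv[argc++] = tok;
    argv[argc] = NULL;
    return check_command(argc, argv);
}

int main(void)
{
    /* Constructed sample requests, as they might arrive via `ssh host <cmd>`. */
    const char *samples[] = { "find /username -name core",
                              "find /username -exec ./payload {} ;",
                              "rsync -ave ./payload . host:/tmp",
                              "scp -oProxyCommand=./payload f host:",
                              "sh -c id", NULL };
    int i;
    for (i = 0; samples[i]; i++)
        printf("%-40s -> %s\n", samples[i],
               check_line(samples[i]) == 0 ? "allowed" : "REJECTED");
    return 0;
}
```

The rsync `-ave` case is the one worth noticing: a filter that compares whole arguments against "-e" never sees the bundled form, and that is the kind of 'other dangerous argument' joe's caution is about. The table here is deliberately short and does not claim to be complete; the hard part of shipping find in a default configuration is the table, not the matcher.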