[scponly] Suggestion for home dir in jail
Graham Toal
gtoal at gtoal.com
Wed Aug 1 14:57:00 EDT 2007
If I understand this right, the way to set the default home directory
for a chrooted user such as scponly is to set the home dir in the
external password file to something like "/home/scponly//home/scponly".
Two suggestions; 1) Quick hack: if there's no "//" in the string, use
the whole string as the chrooted home dir, *not* "/". By making it "/",
you break the expected behaviour of commands like
"scp file scponly at host.com:" as it tries to write it to / rather than the
user's home dir. That way you just need to duplicate the same home
directory naming convention (eg /home/scponly) inside the jail.
or 2) Less quick hack: once chrooted, re-read /etc/passwd and get the
*internal* home dir from the dummy password file. This is the more
general and useful solution, and it behaves the way you would expect.
I don't mind writing the code, I just want to check that it'll be used
before I start. I don't want to apply personal patches to a piece of
security software as the first urgent upgrade that comes along, they
get forgotten about in the rush to install it...
I have one related question - in the spirit of unix and having one
tool do one thing well, isn't there some jail package somewhere
that could do all the jailing work, which you could just use rather
than building it in to scponly? There's got to be all sorts of
problems in getting a really good jail and it's not productive for
every jailed tool designer to have to reinvent the wheel... and
keep up with security alerts on the subject... just a thought.
(It's been some time since I worked in this area and I'm not
up to date on generic jailing tools, so can't recommend one. Last one
I used was one I wrote myself back in the 386bsd V0.1 days :-) )
regards,
Graham
PS the problem in the thread "segfault when trying to connect" is most
likely a file or directory missing in the chroot environment, and some
part of the code not checking a return code or file handle for the error.
I hit it several times while working out from scratch by trial and error
which files were all necessary to make scponlyc work under
SuSE. I suspect a code review looking at file-related library calls
would find it. If I come across it myself I'll let you know. (I only
started using scponly this morning so I'm not
totally up to speed on the software yet)
If anyone's interested, here's my current config under SuSE. Note
there are some unneeded files that I plan to remove as I erred on
the side of generosity when picking what to include. Most (but not all)
of the libnss modules can go, as can /bin/sh and several of the utilities
in /bin (chgrp, chmod etc etc)
I think the inner scponlyc can probably go too. But you might find the list of
library modules useful if you're setting this up for the first time.
It's an iterative process finding them - turn on the debugging, then issue an
scp or ssh command and look at the reported missing module errors
until you get them all. Hmmm... maybe a process that could be automated
with 'expect'..?
It was only with libnss (to get the usernames corresponding to UIDs) that the
module name was not reported. (Hence why I threw them all in to make it work)
.:
total 1
drwxr-xr-x 2 root root 288 2007-07-31 11:10 bin
drwxr-xr-x 2 root root 72 2007-07-31 10:51 dev
drwxr-xr-x 2 root root 120 2007-07-31 10:40 etc
drwxr-xr-x 3 root root 72 2007-07-31 10:41 home
drwxr-xr-x 2 root root 1072 2007-07-31 10:57 lib
drwxr-xr-x 5 root root 120 2007-07-31 10:41 usr
./bin:
total 857
-rwxr-xr-x 1 root root 35944 2007-07-31 11:08 chgrp
-rwxr-xr-x 1 root root 33108 2007-07-31 11:08 chmod
-rwxr-xr-x 1 root root 38332 2007-07-31 11:08 chown
-rwxr-xr-x 1 root root 25384 2007-07-31 11:08 ln
-rwxr-xr-x 1 root root 79108 2007-07-31 11:08 ls
-rwxr-xr-x 1 root root 24364 2007-07-31 11:08 mkdir
-rwxr-xr-x 1 root root 66720 2007-07-31 11:08 mv
-rwxr-xr-x 1 root root 36816 2007-07-31 11:08 rm
-rwxr-xr-x 1 root root 15072 2007-07-31 11:08 rmdir
-rwxr-xr-x 1 root root 501804 2007-07-31 11:10 sh
./dev:
total 0
crw-r--r-- 1 root root 1, 3 2007-07-31 10:51 null
./etc:
total 12
-rw-r--r-- 1 root root 831 2007-07-31 10:40 group
-rw-r--r-- 1 root root 339 2007-07-31 11:11 passwd
-rw-r----- 1 root root 165 2007-07-31 11:00 shadow
./home:
total 0
drwxr-xr-x 2 scponly root 80 2007-07-31 11:21 scponly
./home/scponly:
total 4
-rw-r--r-- 1 scponly users 2 2007-07-31 11:21 test.txt
./lib:
total 3294
-rwxr-xr-x 1 root root 124463 2007-07-31 10:29 ld-linux.so.2
-rwxr-xr-x 1 root root 23960 2007-07-31 10:46 libacl.so.1
-rwxr-xr-x 1 root root 13004 2007-07-31 10:46 libattr.so.1
-rwxr-xr-x 1 root root 6272 2007-07-31 10:36 libcom_err.so.2
-rwxr-xr-x 1 root root 47259 2007-07-31 10:35 libcrypt.so.1
-rwxr-xr-x 1 root root 1404242 2007-07-31 10:37 libc.so.6
-rwxr-xr-x 1 root root 13814 2007-07-31 10:38 libdl.so.2
-rwxr-xr-x 1 root root 87850 2007-07-31 10:35 libnsl.so.1
-rwxr-xr-x 1 root root 31943 2007-07-31 10:57 libnss_compat-2.4.so
-rwxr-xr-x 1 root root 31943 2007-07-31 10:57 libnss_compat.so.2
-rwxr-xr-x 1 root root 21283 2007-07-31 10:57 libnss_dns-2.4.so
-rwxr-xr-x 1 root root 21283 2007-07-31 10:57 libnss_dns.so.2
-rwxr-xr-x 1 root root 42109 2007-07-31 10:57 libnss_files-2.4.so
-rwxr-xr-x 1 root root 42109 2007-07-31 10:57 libnss_files.so.2
-rwxr-xr-x 1 root root 22077 2007-07-31 10:57 libnss_hesiod-2.4.so
-rwxr-xr-x 1 root root 22077 2007-07-31 10:57 libnss_hesiod.so.2
-r--r--r-- 1 root root 26532 2007-07-31 10:57 libnss_mdns-0.2.so
-r--r--r-- 1 root root 26532 2007-07-31 10:57 libnss_mdns.so.2
-rwxr-xr-x 1 root root 41986 2007-07-31 10:57 libnss_nis-2.4.so
-rwxr-xr-x 1 root root 49751 2007-07-31 10:57 libnss_nisplus-2.4.so
-rwxr-xr-x 1 root root 49751 2007-07-31 10:57 libnss_nisplus.so.2
-rwxr-xr-x 1 root root 41986 2007-07-31 10:57 libnss_nis.so.2
-rwxr-xr-x 1 root root 15952 2007-07-31 10:57 libnss_winbind.so.2
-rwxr-xr-x 1 root root 794836 2007-07-31 10:57 libnss_wins.so.2
-rwxr-xr-x 1 root root 100331 2007-07-31 10:38 libpthread.so.0
-rwxr-xr-x 1 root root 74278 2007-07-31 10:33 libresolv.so.2
-rwxr-xr-x 1 root root 40297 2007-07-31 10:45 librt.so.1
-rwxr-xr-x 1 root root 12789 2007-07-31 10:34 libutil.so.1
-rwxr-xr-x 1 root root 70512 2007-07-31 10:34 libz.so.1
./usr:
total 1
drwxr-xr-x 2 root root 120 2007-07-31 11:08 bin
drwxr-xr-x 3 root root 616 2007-07-31 10:56 lib
drwxr-xr-x 3 root root 72 2007-07-31 10:41 local
./usr/bin:
total 608
-rwxr-xr-x 1 root root 287384 2007-07-31 11:08 rsync
-rwxr-xr-x 1 root root 42852 2007-07-31 11:08 scp
-rwxr-xr-x 1 root root 285872 2007-07-31 10:49 ssh
./usr/lib:
total 3157
-r-xr-xr-x 1 root root 1207152 2007-07-31 10:33 libcrypto.so.0.9.8
-rwxr-xr-x 1 root root 92300 2007-07-31 10:35 libgssapi_krb5.so.2
-rwxr-xr-x 1 root root 145588 2007-07-31 10:36 libk5crypto.so.3
-rwxr-xr-x 1 root root 440292 2007-07-31 10:35 libkrb5.so.3
-rwxr-xr-x 1 root root 10256 2007-07-31 10:39 libkrb5support.so.0
-rwxr-xr-x 1 root root 456740 2007-07-31 10:56 libnss3.so
-rwxr-xr-x 1 root root 242120 2007-07-31 10:56 libnssckbi.so
-rwxr-xr-x 1 root root 31943 2007-07-31 10:56 libnss_compat.so
-rwxr-xr-x 1 root root 21283 2007-07-31 10:56 libnss_dns.so
-rwxr-xr-x 1 root root 42109 2007-07-31 10:56 libnss_files.so
-rwxr-xr-x 1 root root 22077 2007-07-31 10:56 libnss_hesiod.so
-rwxr-xr-x 1 root root 49751 2007-07-31 10:56 libnss_nisplus.so
-rwxr-xr-x 1 root root 41986 2007-07-31 10:56 libnss_nis.so
-rwxr-xr-x 1 root root 26932 2007-07-31 10:38 libopenct.so.1
-rwxr-xr-x 1 root root 346784 2007-07-31 10:32 libopensc.so.1
-rwxr-xr-x 1 root root 18328 2007-07-31 10:37 libscconf.so.1
drwxr-xr-x 2 root root 80 2007-07-31 10:23 ssh
./usr/lib/ssh:
total 36
-rwxr-xr-x 1 root root 32984 2007-07-31 10:23 sftp-server
./usr/local:
total 0
drwxr-xr-x 2 root root 72 2007-07-31 10:42 sbin
./usr/local/sbin:
total 40
-rwsr-xr-x 1 root root 39831 2007-07-31 10:42 scponlyc
More information about the scponly
mailing list