[scponly] sFTP/scponly stopped working
Paul Hyder
Paul.Hyder at noaa.gov
Wed Jun 20 19:04:49 EDT 2007
Permissions of 755 are all that is necessary. (!ABSOLUTELY avoid SUID!)
This is a failure of the exec of the sftp-server, looks like it isn't
permissions. (Assumes the directories are also r_x for this user.)
What options were specified when the scponly build was configured?
Paul Hyder
mephi wrote:
> Thanks for the quick reply.
> I've dug a bit deeper, but not solved it yet.
>
> I've set /share/adellion/usr/lib/sftp-server permissions to be 777 just to
> check that, and it's still giving the same error.
>
> I've read some things that have talked about the SUID bit, so I tried
> setting that with permissions 4777. (I think that's how you do it)
>
> I then noticed that /share/adellion/usr/lib/sftp-server was different to
> /usr/lib/sftp-server, which is symlinked from /usr/lib/openssh/sftp-server
> so I've tried copying the new sftp-server over and setting the permissions
> on that to 4777 or 777, neither of which had any effect.
>
> Matt
>
> -----Original Message-----
> From: Paul Hyder [mailto:Paul.Hyder at noaa.gov]
> Sent: 20 June 2007 18:56
> To: mephi
> Cc: scponly at lists.ccs.neu.edu
> Subject: Re: [scponly] sFTP/scponly stopped working
>
> This indicates that there is something wrong with either the binary or
> the permissions that keep the user from executing
> /share/adellion/usr/lib/sftp-server
>
> Something changed there?
> Paul Hyder
> NOAA Earth System Research Laboratory, Global Systems Division
> Boulder, CO
>
> mephi wrote:
>> I've had my sFTP server running for a while now, it's set up with
>> scponly so a single group of users all have access to a single directory, so
>> it's working as a classic, but more secure, FTP server.
>>
>> I'm running Debian stable, and although I have upgraded from Sarge to Etch,
>> I'm pretty sure that didn't coincide with this error.
>>
>> My users started complaining of an "error 13" about a week ago, which was
>> stopping them logging in. They almost exclusively use Winscp.
>>
>> I've upped the debug level to get more information, and the auth.log shows
>> the following:
>>
>> Jun 20 17:28:05 mephi-linux sshd[11987]: Connection from 192.168.0.254 port 1587
>> Jun 20 17:28:06 mephi-linux sshd[11987]: Accepted keyboard-interactive/pam for matt123 from 192.168.0.254 port 1587 ssh2
>> Jun 20 17:28:06 mephi-linux sshd[11990]: (pam_unix) session opened for user matt123 by (uid=0)
>> Jun 20 17:28:06 mephi-linux sshd[11990]: subsystem request for sftp
>> Jun 20 17:28:06 mephi-linux [11991]: chrooted binary in place, will chroot()
>> Jun 20 17:28:06 mephi-linux [11991]: 3 arguments in total.
>> Jun 20 17:28:06 mephi-linux [11991]: ^Iarg 0 is scponlyc
>> Jun 20 17:28:06 mephi-linux [11991]: ^Iarg 1 is -c
>> Jun 20 17:28:06 mephi-linux [11991]: ^Iarg 2 is /usr/lib/sftp-server
>> Jun 20 17:28:06 mephi-linux [11991]: opened log at LOG_AUTHPRIV, opts 0x00000009
>> Jun 20 17:28:06 mephi-linux [11991]: retrieved home directory of "/share/adellion" for user "matt123"
>> Jun 20 17:28:06 mephi-linux [11991]: chrooting to dir: "/share/adellion"
>> Jun 20 17:28:06 mephi-linux [11991]: chdiring to dir: "/"
>> Jun 20 17:28:06 mephi-linux [11991]: setting uid to 1003
>> Jun 20 17:28:06 mephi-linux [11991]: processing request: "/usr/lib/sftp-server"
>> Jun 20 17:28:06 mephi-linux [11991]: set HOME environment variable to HOME=/share/adellion (username: matt123(1003), IP/port: 192.168.0.254 1587 22))
>> Jun 20 17:28:06 mephi-linux [11991]: running: /usr/lib/sftp-server (username: matt123(1003), IP/port: 192.168.0.254 1587 22)
>> Jun 20 17:28:06 mephi-linux [11991]: failed: /usr/lib/sftp-server with error Permission denied(13) (username: matt123(1003), IP/port: 192.168.0.254 1587 22)
>> Jun 20 17:28:06 mephi-linux sshd[11990]: Connection closed by 192.168.0.254
>> Jun 20 17:28:06 mephi-linux sshd[11990]: (pam_unix) session closed for user matt123
>> Jun 20 17:28:06 mephi-linux sshd[11990]: Closing connection to 192.168.0.254
>>
>> And now I'm a bit stuck.
>>
>> Any ideas?
>>
>> Cheers,
>>
>> Matt
>>
>>
>> _______________________________________________
>> scponly mailing list
>> scponly at lists.ccs.neu.edu
>> https://lists.ccs.neu.edu/bin/listinfo/scponly
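Added example, not part of the original thread or of scponly's code: a mode-bit audit of the points raised in the reply above (755 on the binary is enough, no SUID, every directory on the path must be r-x for the user), applied to the path as it resolves inside the chroot shown in the log. The helper name `audit_chroot_exec` and the gid 1003 in the demo call are assumptions; the uid and paths are the ones from the log.

```python
import os
import stat


def _x_bit(st, uid, gids):
    """Owner/group/other rule for the execute (search) bit; ignores ACLs and root."""
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IXUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IXGRP)
    return bool(st.st_mode & stat.S_IXOTH)


def audit_chroot_exec(chroot, inner_path, uid, gids):
    """List (problem, path) pairs for exec'ing inner_path inside chroot as uid.

    Hypothetical helper. Mode bits only: noexec mounts, ACLs and LSM policy,
    which can also produce EACCES, are not examined.
    """
    findings = []
    parts = [p for p in inner_path.split("/") if p]
    current = chroot
    for depth in range(len(parts) + 1):
        if depth:
            current = os.path.join(current, parts[depth - 1])
        try:
            st = os.lstat(current)
        except OSError:
            return findings + [("cannot-stat", current)]
        if stat.S_ISLNK(st.st_mode):
            # A link resolves relative to the jail after chroot(); stop here.
            return findings + [("symlink", current)]
        if depth < len(parts):
            # Every directory on the way, jail root included, needs search (x).
            if not (stat.S_ISDIR(st.st_mode) and _x_bit(st, uid, gids)):
                findings.append(("no-search", current))
            continue
        if not (stat.S_ISREG(st.st_mode) and _x_bit(st, uid, gids)):
            findings.append(("no-exec", current))
        if st.st_mode & (stat.S_ISUID | stat.S_ISGID):
            findings.append(("setuid-or-setgid", current))
        if st.st_mode & stat.S_IWOTH:
            findings.append(("world-writable", current))
    return findings


if __name__ == "__main__":
    # uid and paths from the log in the thread; gid 1003 is an assumed value.
    for finding in audit_chroot_exec("/share/adellion", "/usr/lib/sftp-server", 1003, {1003}):
        print(*finding)
```

An empty result means the mode bits are not the cause, which leaves the binary itself and the mount options to check.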