[scponly] sFTP/scponly stopped working
Kaleb Pederson
kibab at icehouse.net
Thu Jun 21 23:02:18 EDT 2007
Matt,
Could you run an "ls -lR /share/adellion" for me (and provide the output)?
Also is /share/adellion (or anything under that hierarchy) mounted noexec such
that even if the permissions were correct you wouldn't be able to execute it?
Thanks.
--Kaleb
On Thursday 21 June 2007, mephi wrote:
> I've removed the SUID bit, as that didn't fix things (and I've heard it can
> be dangerous)
>
> Su-ing to the user and running "ls -l" on the directories returns values
> for all of them, they are all set to 755 permissions.
>
> I didn't build the scponly binary, it was got from the Debian repository
> with apt-get.
>
> Matt
>
> -----Original Message-----
> From: Kaleb Pederson [mailto:kibab at icehouse.net]
> Sent: 21 June 2007 04:29
> To: mephi
> Cc: scponly at lists.ccs.neu.edu; Paul Hyder
> Subject: Re: [scponly] sFTP/scponly stopped working
>
> On Wednesday 20 June 2007, Paul Hyder wrote:
> > Permissions of 755 are all that is necessary. (!ABSOLUTELY avoid SUID!)
>
> By setting sftp-server SUID root, you effectively give root permissions to
> every user -- which is hardly what you want.
>
> > This is a failure of the exec of the sftp-server, looks like it isn't
> > permissions. (Assumes the directories are also r_x for this user.)
>
> As Paul just pointed out, the permissions on all of the folders up to the
> sftp-server must grant that user access.
>
> On many Linux machines, you can verify this by su'ing to the user in
> question as follows:
>
> su -s /bin/sh <user>
>
> Once you've done that, you should be able to check the permissions on each
> folder in the hierarchy. For example,
>
> ls -l /share/adellion/usr/lib/sftp-server
> ls -l /share/adellion/usr/lib
> ls -l /share/adellion/usr
>
> The first one that works is the first directory that has correct
> permissions.
>
> I hope that clarifies things a bit.
>
> --Kaleb
>
> > What options were specified when the scponly build was configured?
> > Paul Hyder
> >
> > mephi wrote:
> > > Thanks for the quick reply.
> > > I've dug a bit deeper, but not solved it yet.
> > >
> > > I've set /share/adellion/usr/lib/sftp-server permissions to be 777 just
> > > to check that, and it's still giving the same error.
> > >
> > > I've read some things that have talked about the SUID bit, so I tried
> > > setting that with permissions 4777. (I think that's how you do it)
> > >
> > > I then noticed that /share/adellion/usr/lib/sftp-server was different
> > > to /usr/lib/sftp-server, which is symlinked from
> > > /usr/lib/openssh/sftp-server so I've tried copying the new sftp-server
> > > over and setting the permissions on that to 4777 or 777, neither of which
> > > had any effect.
> > >
> > > Matt
> > >
> > > -----Original Message-----
> > > From: Paul Hyder [mailto:Paul.Hyder at noaa.gov]
> > > Sent: 20 June 2007 18:56
> > > To: mephi
> > > Cc: scponly at lists.ccs.neu.edu
> > > Subject: Re: [scponly] sFTP/scponly stopped working
> > >
> > > This indicates that there is something wrong with either the binary or
> > > the permissions that keep the user from executing
> > > /share/adellion/usr/lib/sftp-server
> > >
> > > Something changed there?
> > > Paul Hyder
> > > NOAA Earth System Research Laboratory, Global Systems Division
> > > Boulder, CO
> > >
> > > mephi wrote:
> > >> I've had my sFTP server running for a while now, it's set up with
> > >> scponly so a single group of users all have access to a single
> > >> directory, so it's working as a classic, but more secure, FTP server.
> > >>
> > >> I'm running Debian stable, and although I have upgraded from Sarge to
> > >> Etch, I'm pretty sure that didn't coincide with this error.
> > >>
> > >> My users started complaining of an "error 13" about a week ago, which
> > >> was stopping them logging in. They almost exclusively use Winscp.
> > >>
> > >> I've upped the debug level to get more information, and the auth.log
> > >> shows the following:
> > >>
> > >> Jun 20 17:28:05 mephi-linux sshd[11987]: Connection from 192.168.0.254 port 1587
> > >> Jun 20 17:28:06 mephi-linux sshd[11987]: Accepted keyboard-interactive/pam for matt123 from 192.168.0.254 port 1587 ssh2
> > >> Jun 20 17:28:06 mephi-linux sshd[11990]: (pam_unix) session opened for user matt123 by (uid=0)
> > >> Jun 20 17:28:06 mephi-linux sshd[11990]: subsystem request for sftp
> > >> Jun 20 17:28:06 mephi-linux [11991]: chrooted binary in place, will chroot()
> > >> Jun 20 17:28:06 mephi-linux [11991]: 3 arguments in total.
> > >> Jun 20 17:28:06 mephi-linux [11991]: ^Iarg 0 is scponlyc
> > >> Jun 20 17:28:06 mephi-linux [11991]: ^Iarg 1 is -c
> > >> Jun 20 17:28:06 mephi-linux [11991]: ^Iarg 2 is /usr/lib/sftp-server
> > >> Jun 20 17:28:06 mephi-linux [11991]: opened log at LOG_AUTHPRIV, opts 0x00000009
> > >> Jun 20 17:28:06 mephi-linux [11991]: retrieved home directory of "/share/adellion" for user "matt123"
> > >> Jun 20 17:28:06 mephi-linux [11991]: chrooting to dir: "/share/adellion"
> > >> Jun 20 17:28:06 mephi-linux [11991]: chdiring to dir: "/"
> > >> Jun 20 17:28:06 mephi-linux [11991]: setting uid to 1003
> > >> Jun 20 17:28:06 mephi-linux [11991]: processing request: "/usr/lib/sftp-server"
> > >> Jun 20 17:28:06 mephi-linux [11991]: set HOME environment variable to HOME=/share/adellion (username: matt123(1003), IP/port: 192.168.0.254 1587 22))
> > >> Jun 20 17:28:06 mephi-linux [11991]: running: /usr/lib/sftp-server (username: matt123(1003), IP/port: 192.168.0.254 1587 22)
> > >> Jun 20 17:28:06 mephi-linux [11991]: failed: /usr/lib/sftp-server with error Permission denied(13) (username: matt123(1003), IP/port: 192.168.0.254 1587 22)
> > >> Jun 20 17:28:06 mephi-linux sshd[11990]: Connection closed by 192.168.0.254
> > >> Jun 20 17:28:06 mephi-linux sshd[11990]: (pam_unix) session closed for user matt123
> > >> Jun 20 17:28:06 mephi-linux sshd[11990]: Closing connection to 192.168.0.254
> > >>
> > >> And now I'm a bit stuck.
> > >>
> > >> Any ideas?
> > >>
> > >> Cheers,
> > >>
> > >> Matt
> > >>
> > >>
> > >> _______________________________________________
> > >> scponly mailing list
> > >> scponly at lists.ccs.neu.edu
> > >> https://lists.ccs.neu.edu/bin/listinfo/scponly
> > >
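As an added example (not from the thread or from scponly), a POSIX sh script that automates the check Kaleb describes: it walks every component of the sftp-server path inside the chroot as the given user and also answers his noexec question. It uses `test -x` (access(2) with X_OK) in place of the exec that scponlyc attempts, assumes it runs as root when the user is not the invoking one, and the user, chroot and target names in the usage note are the thread's.

```shell
#!/bin/sh
# Walk the real path of a chroot-relative executable and report the first
# component the given user cannot search/execute, then check whether the
# filesystem holding it is mounted noexec. Uses the thread's su -s /bin/sh
# idea; "test -x" (access(2) X_OK) stands in for the exec scponlyc attempts.
# Assumption: run as root when USER is not the invoking user.

# as_user USER CMD...: run CMD as USER via su, or directly if already USER.
as_user() {
    u="$1"; shift
    if [ "$u" = "$(id -un)" ]; then "$@"; else su -s /bin/sh "$u" -c "$*"; fi
}

# noexec_mount PATH: succeed if the longest mount point containing PATH has
# the noexec option in /proc/mounts (Linux only; returns 1 elsewhere).
noexec_mount() {
    [ -r /proc/mounts ] || return 1
    awk -v p="$1" '
        ($2 == "/" || p == $2 || index(p, $2 "/") == 1) &&
        length($2) >= length(best) { best = $2; opts = $4 }
        END { if (opts ~ /(^|,)noexec(,|$)/) exit 0; exit 1 }' /proc/mounts
}

# walk_exec_path USER CHROOT TARGET: TARGET is the path as the chrooted
# process sees it (e.g. /usr/lib/sftp-server). Every directory on the way
# needs x (search) for USER, and the file needs x; the first one that fails
# is printed and 1 is returned.
walk_exec_path() {
    user="$1"; path="${2%/}"; rel="${3#/}"
    [ -n "$path" ] || path=/
    as_user "$user" test -x "$path" || { echo "not traversable/executable by $user: $path"; return 1; }
    while [ -n "$rel" ]; do
        path="${path%/}/${rel%%/*}"
        case "$rel" in */*) rel="${rel#*/}" ;; *) rel="" ;; esac
        as_user "$user" test -x "$path" || { echo "not traversable/executable by $user: $path"; return 1; }
    done
    echo "ok: $user can reach and execute $path"
}

# check_exec_path USER CHROOT TARGET: full diagnosis, 0 only when exec should work.
check_exec_path() {
    real="${2%/}$3"
    if noexec_mount "$real"; then echo "filesystem holding $real is mounted noexec"; return 1; fi
    walk_exec_path "$1" "$2" "$3"
}
```

For the case in the thread the call is `check_exec_path matt123 /share/adellion /usr/lib/sftp-server`, run as root.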