[scponly] Relative listing outside scponlyc chroot jail allowed?

Kaleb Pederson kaleb.pederson at gmail.com
Sat Sep 22 11:44:46 EDT 2007


On Saturday 22 September 2007, you wrote:
> Both cases though have respective users' "homeDirectory" attribute
> set to "/Users/SomeUser/Sites//" including the double slash (as well
> as the "NFSHomeDirectory" attribute). Also their login shell was changed
> from the default /bin/bash to /opt/local/sbin/scponlyc, and
> /opt/local/sbin/scponlyc (as well as /opt/local/bin/scponly) was added
> to the /etc/shells file — as recommended by the original article from my
> previous email. I believe this is the correct setup. That would be, in my
> opinion, supported by the fact that some chroot jailing is being
> done — inability to cd .. up from the chroot jail, for example. Of course
> I could be wrong.

Ok.  That sounds right.  If the user's home directory is set 
to /Users/SomeUser/Sites// (or /Users/SomeUser/Sites), it will chroot to that 
directory, and then the root directory of the chroot becomes the cwd of the 
user.

If this works on Mac, what output does it give:

getent passwd 2swebadmin

Also, what do the permissions on scponly/scponlyc look like:

ls -l /opt/local/{bin,sbin}/scponly*

> Here is sample from my secure.log (ssh related info goes there
> instead to system.log on Mac OS X) with loglevel 2:
>
[snip]

That output looks great.  That's exactly what I would expect to see given a 
proper configuration.

Can you paste for us the client-side transcript of the details? E.g.:

$ sftp user at host
sftp> ls /
/bin   /dev   /etc   /home  /lib   /usr
sftp> ls
/bin   /dev   /etc   /home  /lib   /usr
sftp> ls ..
... some output here...


> Issuing out of chroot jail "ls .." command in sftp session does not
> generate any log entry.

That's correct.  It takes the sftp-logging patch to ssh (and an appropriately 
configured scponly) in order to see things like that.

> > If you manually chroot to your chroot directory, do you see the
> > same behavior with ls?
>
> I don't know exactly what I'm supposed to try. Issuing
> sudo chroot -u SomeUser /Users/SomeUser/Sites/ /usr/local/sbin/scponlyc
> does nothing, as well as
> sudo chroot -u SomeUser /Users/SomeUser/Sites/ /usr/libexec/sftp-server
> but I'm not really familiar with chroot command use.

What I said isn't exactly useful if you configured scponly exactly as stated 
in that article because you won't have a program that can act as a shell nor 
the ls program installed.

In theory you can copy your shell to the chroot (with any necessary libraries) 
and copy the 'ls' command to the chroot and then do something like this:

$ sudo chroot -u SomeUser /Users/SomeUser/Sites/ /bin/bash
$ ls 
[blah]
$ ls /
[blah2]
$ ls ..
[blah3]

The above should pretty much have the same system calls as the sftp ls output, 
although perhaps not exactly the same.

Lastly, unless there is something surprising in the things I've asked you to 
provide, we still won't have any answers, so I would need you to go through 
the tracing process outlined here:

http://sublimation.org/scponly/wiki/index.php/FAQ#I_still_can.27t_find_my_problem.2C_what_else_can_I_try.3F

Note that the above would contain the password for the user you use... so you 
might want to do a search on the password and replace it with something else 
if the machine you are on has a real IP address.

Thanks.

--Kaleb
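The checks asked for above (the passwd entry with its "//" chroot boundary, the shell being listed in /etc/shells, and the permissions on scponlyc) can be scripted. The following is an added example written for this page; it is not code from the scponly project or from anyone on the list. It runs over constructed passwd, shells and `ls -l` data so it works offline; to use it on a real box, feed it the output of `getent passwd <user>`, `cat /etc/shells` and `ls -l /opt/local/sbin/scponlyc` instead. The "//" split (everything before "//" is the chroot root, everything after is the start directory inside it, defaulting to "/") follows the scponlyc convention the reply describes; the username 2swebadmin comes from the thread, the file size and date in the `ls -l` line are made up.

```shell
#!/bin/sh
# Added example (not scponly project code): sanity checks for a scponlyc
# chroot user, run over constructed data so it works without the real system.

# Constructed sample inputs. The username is from the thread; the uid, gid,
# gecos, file size and date are invented for the example.
SAMPLE_PASSWD='2swebadmin:*:501:20:Web Admin:/Users/SomeUser/Sites//:/opt/local/sbin/scponlyc'
BAD_PASSWD='2swebadmin:*:501:20:Web Admin:/Users/SomeUser/Sites//:/bin/bash'
SAMPLE_SHELLS='/bin/bash
/bin/sh
/opt/local/bin/scponly
/opt/local/sbin/scponlyc'
SAMPLE_LS='-rwsr-xr-x  1 root  wheel  84000 Sep 22  2007 /opt/local/sbin/scponlyc'

# passwd_field LINE N: print the Nth colon-separated field of a passwd line.
passwd_field() {
    printf '%s\n' "$1" | cut -d: -f"$2"
}

# split_chroot_home HOME: print "<chroot-root> <start-dir-inside-chroot>".
# scponlyc uses "//" as the boundary between the chroot root and the
# directory to start in; with no "//" (or nothing after it) the user
# starts at "/", the root of the jail. Paths containing spaces are not
# handled, since the result is word-split by the caller.
split_chroot_home() {
    home=$1
    case $home in
        *//*) jail=${home%%//*}; inside=${home#*//} ;;
        *)    jail=$home;        inside="" ;;
    esac
    [ -n "$inside" ] || inside=/
    case $inside in /*) ;; *) inside=/$inside ;; esac
    printf '%s %s\n' "$jail" "$inside"
}

# shell_listed SHELL SHELLS_TEXT: succeed if SHELL is an exact line of the
# shells file content (sshd/login reject shells that are not listed).
shell_listed() {
    printf '%s\n' "$2" | grep -qxF -- "$1"
}

# setuid_root LS_LINE: succeed if an "ls -l" line shows the setuid bit and
# root ownership. chroot(2) needs root, so scponlyc is installed setuid root.
setuid_root() {
    set -- $1
    mode=$1 owner=$3
    case $mode in
        -??[sS]*) [ "$owner" = root ] ;;
        *)        return 1 ;;
    esac
}

# check_scponly_user PASSWD_LINE SHELLS_TEXT LS_LINE: print a summary and
# succeed only if every check passes.
check_scponly_user() {
    line=$1 shells=$2 lsline=$3
    user=$(passwd_field "$line" 1)
    home=$(passwd_field "$line" 6)
    shell=$(passwd_field "$line" 7)
    problems=0
    set -- $(split_chroot_home "$home")
    printf 'user %s: chroot=%s start-dir=%s shell=%s\n' "$user" "$1" "$2" "$shell"
    case ${shell##*/} in
        scponlyc) ;;
        scponly)  echo "  warning: plain scponly does not chroot; use scponlyc for a jail"
                  problems=$((problems + 1)) ;;
        *)        echo "  problem: login shell is not scponly/scponlyc"
                  problems=$((problems + 1)) ;;
    esac
    shell_listed "$shell" "$shells" ||
        { echo "  problem: $shell is not listed in /etc/shells"; problems=$((problems + 1)); }
    setuid_root "$lsline" ||
        { echo "  problem: scponlyc must be setuid root to chroot"; problems=$((problems + 1)); }
    [ "$problems" -eq 0 ]
}

# Usage on the constructed data: the first entry passes, the second reports
# a problem because the login shell was left at /bin/bash.
check_scponly_user "$SAMPLE_PASSWD" "$SAMPLE_SHELLS" "$SAMPLE_LS"
check_scponly_user "$BAD_PASSWD" "$SAMPLE_SHELLS" "$SAMPLE_LS" || echo "  (misconfiguration detected)"
```

On a live system replace the three constructed variables with real command output; the functions themselves only parse text, so they can also be run against pasted output from another machine when helping someone debug a setup over the list.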