Hi All, first of all, thanks for the feature to chroot sftp users. I've been waiting for that one pretty long :) Today I came back to that feature since I probably need it at work and it'll be one more opportunity to not use a Linux system (Debian etch's openssh is too old).
Anyway, back to the topic. What I wanted to achieve is pretty much the following: have some users, all in the same group named sftp, and if they log in via sftp they get chroot'ed to their home directory. However, after a login I wind up in /home, not /home/$username.

Now regarding my sshd_config:

Match Group sftp
    X11Forwarding no
    AllowTcpForwarding no
    ForceCommand internal-sftp
    ChrootDirectory /home

and somewhere above:

Subsystem sftp internal-sftp

The user is named sftp1, is in group sftp, has home dir set to /home/sftp1 and has nologin as shell. When I login via sftp, I wind up being in /home, not /home/sftp1:

[EMAIL PROTECTED] ~]# sftp [EMAIL PROTECTED]
Connecting to localhost...
Password:
sftp> ls -l
drwxr-x--- 4 1002 1001 512 Sep 12 15:46 jobauer
drwxr-x--- 101 1001 1001 6656 Sep 30 16:05 mhettwer
drwxr-x--- 2 1003 1001 512 Sep 15 19:57 mt
drwx------ 3 1005 1003 512 Sep 30 16:06 sftp1
drwxr-xr-x 2 1006 1003 512 Sep 30 16:42 sftp2
sftp>

which really is:

[EMAIL PROTECTED] ~]# ls -l /home/
total 16
drwxrwxr-x 2 root operator 512 Sep 12 11:39 .snap
drwxr-x--- 4 jobauer shellme 512 Sep 12 15:46 jobauer
drwxr-x--- 101 mhettwer shellme 6656 Sep 30 16:05 mhettwer
drwxr-x--- 2 mt shellme 512 Sep 15 19:57 mt
drwx------ 3 sftp1 sftp 512 Sep 30 16:06 sftp1
drwx------ 2 sftp2 sftp 512 Sep 30 16:42 sftp2
[EMAIL PROTECTED] ~]#

Of course I changed permissions so that the only option is a "cd sftp1" for the user sftp1. But I really don't want sftp1 to see all home dirs.

I did try using /chroot as it was shown in examples on undeadly.org. However, that's the same situation (sshd_config changed to /chroot instead of /home):

[EMAIL PROTECTED] ~]# ls -l /chroot/
total 4
drwxr-xr-x 2 sftp1 sftp 512 Sep 30 11:30 sftp1
drwxr-xr-x 2 sftp2 sftp 512 Sep 30 16:09 sftp2
[EMAIL PROTECTED] ~]# sftp [EMAIL PROTECTED]
Connecting to localhost...
tPassword:
Password:
sftp> ls -la
Couldn't get handle: Permission denied
sftp>

Woopsie.

That's probably due to:

[EMAIL PROTECTED] ~]# ls -ld /chroot/
drwx------ 4 root wheel 512 Sep 30 16:09 /chroot/

Permissions more open results in:

[EMAIL PROTECTED] ~]# ls -ld /chroot/
drwxr-xr-x 4 root wheel 512 Sep 30 16:09 /chroot/

and via sftp:

[EMAIL PROTECTED] ~]# sftp [EMAIL PROTECTED]
Connecting to localhost...
Password:
sftp> ls -la
drwxr-xr-x 4 0 0 512 Sep 30 16:09 .
drwxr-xr-x 4 0 0 512 Sep 30 16:09 ..
drwxr-xr-x 2 1005 1003 512 Sep 30 11:30 sftp1
drwxr-xr-x 2 1006 1003 512 Sep 30 16:09 sftp2

Again, I'm in /chroot, not /chroot/sftp1 where I think I should be, right?

Okay... let's try "/chroot/%u" then in sshd_config... No, I can't login, 'cause sshd is complaining about the permissions of /chroot/sftp1:

Sep 30 16:47:12 motor sshd[23190]: fatal: bad ownership or modes for chroot directory "/chroot/sftp1"

Fair enough... the manpage states that it should belong to root. Okay then:

[EMAIL PROTECTED] ~]# ls -l /chroot/
total 4
drwxr-xr-x 2 root wheel 512 Sep 30 11:30 sftp1
drwxr-xr-x 2 root wheel 512 Sep 30 16:09 sftp2
[EMAIL PROTECTED] ~]# sftp [EMAIL PROTECTED]
Connecting to localhost...
Password:
sftp> ls -la
drwxr-xr-x 2 0 0 512 Sep 30 11:30 .
drwxr-xr-x 2 0 0 512 Sep 30 11:30 ..

Where am I now? Am I in /chroot/sftp1? Could be, but due to these permissions, I'm not able to do anything:

sftp> mkdir foo
Couldn't create directory: Permission denied

Okay, now it gets ugly. Maybe I can create a directory named incoming in /chroot/sftp1. Would look like that:

[EMAIL PROTECTED] ~]# ls -l /chroot/sftp1/
total 2
drwxr-xr-x 2 sftp1 sftp 512 Sep 30 16:49 incoming

And then via sftp...

[EMAIL PROTECTED] ~]# !sftp
sftp [EMAIL PROTECTED]
Connecting to localhost...
Password:
sftp> ls -l
drwxr-xr-x 2 1005 1003 512 Sep 30 16:49 incoming
sftp> cd incoming
sftp> ls -l
sftp> mkdir foo
sftp> ls -l
drwxr-xr-x 2 1005 1003 512 Sep 30 16:50 foo
sftp>

Okay, this works. So back to my question... Is that really the way it's supposed to be?

No write access for the user when being chrooted in a directory, but instead I have to create another sub directory where he has write permissions? Am I missing something obvious here or is this "works as designed"?

Last information bits: Yes, that's a FreeBSD box, but that shouldn't make much of a difference for my testing purpose. The production box will be an OpenBSD one :)

[EMAIL PROTECTED] ~]# ssh -V
OpenSSH_5.1p1 FreeBSD-20080901, OpenSSL 0.9.8e 23 Feb 2007
[EMAIL PROTECTED] ~]# uname -a
FreeBSD motor.mobile.rz 7.1-PRERELEASE FreeBSD 7.1-PRERELEASE #0: Wed Sep 10 18:39:19 CEST 2008 [EMAIL PROTECTED]:/usr/obj/usr/src/sys/GENERIC i386

I'd be glad for any reply. Keep up the good work guys!

regards,
Marian

PS.: please CC me, I'm not subscribed (I was, but without unsubscribing I got lost somehow... strange thing).
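The layout the post ends up with (root-owned, non-writable chroot directory per user, with a user-owned incoming/ below it) is what sshd's ownership check demands, and the "bad ownership or modes" fatal is raised when any path component fails it. The script below is an added example, not code from the post or from OpenSSH: it reproduces that per-component rule as a checker you can run before restarting sshd, and creates the layout. The `ChrootDirectory /chroot/%u` config in the comment, the `check_chroot_path` / `layout_sftp_chroot` names and the optional uid/stop arguments (there only so the checker can be exercised without root) are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post). Assumed sshd_config:
#   Subsystem sftp internal-sftp
#   Match Group sftp
#       ChrootDirectory /chroot/%u
#       ForceCommand internal-sftp
#       AllowTcpForwarding no
#       X11Forwarding no

# check_component DIR WANT_UID: DIR must be a directory, owned by WANT_UID,
# and neither group- nor world-writable (sshd's rule for every component).
check_component() {
    d=$1; want=$2
    [ -d "$d" ] || { echo "$d: not a directory"; return 1; }
    # ls -ldn works on GNU/Linux and the BSDs alike: field 1 is the mode
    # string (e.g. drwxr-xr-x), field 3 the numeric owner uid.
    set -- $(ls -ldn "$d")
    [ "$3" = "$want" ] || { echo "$d: owned by uid $3, want $want"; return 1; }
    case $1 in
        ?????w*|????????w*) echo "$d: group- or world-writable ($1)"; return 1 ;;
    esac
    return 0
}

# check_chroot_path TARGET [WANT_UID] [STOP]: walk from TARGET upwards and
# reject on the first bad component. sshd walks all the way to / with uid 0;
# the WANT_UID and STOP parameters exist only for testing as a non-root user.
check_chroot_path() {
    target=$1; want=${2:-0}; stop=${3:-/}; dir=$target
    while :; do
        check_component "$dir" "$want" ||
            { echo "fatal: bad ownership or modes for chroot directory \"$target\""; return 1; }
        [ "$dir" = "$stop" ] && return 0
        [ "$dir" = "/" ] && return 0
        dir=$(dirname "$dir")
    done
}

# layout_sftp_chroot USER GROUP [BASE]: BASE and BASE/USER root-owned 0755,
# BASE/USER/incoming owned by USER:GROUP so the user has somewhere to write.
# Needs root because of the chown.
layout_sftp_chroot() {
    u=$1; g=$2; base=${3:-/chroot}
    mkdir -p "$base/$u/incoming" &&
    chown root "$base" "$base/$u" && chmod 755 "$base" "$base/$u" &&
    chown "$u:$g" "$base/$u/incoming" && chmod 750 "$base/$u/incoming"
}
```

Run `check_chroot_path /chroot/sftp1` as root before reloading sshd; it names the component sshd would reject, which the log line in the post does not.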