colonel_dolphin n00b
Joined: 12 Jan 2004 Posts: 39
Posted: Mon Nov 15, 2004 5:32 pm
# emerge sys-apps/slocate
# man slocate
# slocate linux-gate
.. something ..
# qpkg -f <full path of file returned above>
wjholden l33t
Joined: 01 Mar 2004 Posts: 826 Location: Augusta, GA
Posted: Fri Nov 19, 2004 3:50 am
slocate linux-gate doesn't return any output and I have the same problem as above:
Code:
bash-2.05b# ldd /usr/bin/scp
linux-gate.so.1 => (0xffffe000)
libresolv.so.2 => /lib/libresolv.so.2 (0x40037000)
libcrypto.so.0.9.7 => /usr/lib/libcrypto.so.0.9.7 (0x40048000)
libutil.so.1 => /lib/libutil.so.1 (0x40144000)
libz.so.1 => /lib/libz.so.1 (0x40148000)
libnsl.so.1 => /lib/libnsl.so.1 (0x40158000)
libcrypt.so.1 => /lib/libcrypt.so.1 (0x4016d000)
libc.so.6 => /lib/libc.so.6 (0x4019a000)
libdl.so.2 => /lib/libdl.so.2 (0x402ad000)
/lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)
Gavinv n00b
Joined: 05 Aug 2004 Posts: 10
Posted: Wed Dec 08, 2004 11:22 pm Post subject: rssh + chroot => root exploit
If you are still using rssh with a chroot'ed install, then it might be possible for a user to gain root privileges on your system.
http://security.gentoo.org/glsa/glsa-200412-01.xml
Gavinv wrote:
For all who have implemented the chroot, beware of a user hard linking a setuid program into the chroot.
The user can then create their own fake supporting files (e.g. /etc/passwd), and the setuid program would use these files thinking they are the real ones. Then, if the user can use this setuid system program to gain root privileges, they can create a new setuid root program that does not require a chroot jail to gain root privileges...
There are other pitfalls to using chroot.
grsecurity.org provides more information.
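The hazard Gavinv describes is detectable from the outside: a setuid or setgid file sitting inside the jail, or a file in the jail whose link count is greater than one (a second name for it exists somewhere, possibly outside the jail). The audit script below is an added example written for this thread, not code from the thread or from the rssh project; it assumes POSIX sh and find(1), and the sample jail it builds under mktemp is constructed purely so the check can be exercised offline.

```sh
#!/bin/sh
# Added example, not from the thread: audit a chroot tree for the hazard
# Gavinv describes. Two things are reported:
#   * setuid/setgid files inside the jail (a fake /etc/passwd placed in the
#     jail can subvert them), and
#   * regular files with a link count > 1, i.e. a second name may exist
#     outside the jail (how a setuid binary ends up "hard linked into the chroot").
# Assumes POSIX sh and find(1); nothing here modifies the tree it inspects.

# audit_chroot JAIL -> one line per finding on stdout
audit_chroot() {
    jail=$1
    find "$jail" -type f \( -perm -4000 -o -perm -2000 \) | sed 's|^|SETUID/SETGID: |'
    find "$jail" -type f -links +1 | sed 's|^|MULTI-LINK: |'
}

# audit_count JAIL -> number of findings; 0 means clean, usable from cron
audit_count() {
    audit_chroot "$1" | wc -l | tr -d ' '
}

# Constructed sample jail (not a real chroot) in a temp dir so the audit can be
# exercised offline: one setuid file, one file hard-linked from outside the
# jail, one harmless file. Prints the jail path.
build_sample_jail() {
    base=$(mktemp -d)
    mkdir -p "$base/jail/bin" "$base/outside"
    : > "$base/jail/bin/suidtool"
    chmod 4755 "$base/jail/bin/suidtool"            # setuid bit set
    : > "$base/outside/tool"
    ln "$base/outside/tool" "$base/jail/bin/tool"   # hard link crossing the jail boundary
    : > "$base/jail/bin/harmless"
    chmod 755 "$base/jail/bin/harmless"
    echo "$base/jail"
}

# stand-alone run: sh audit.sh --demo
if [ "${1:-}" = "--demo" ]; then
    j=$(build_sample_jail)
    audit_chroot "$j"
    echo "findings: $(audit_count "$j")"
    rm -rf "$(dirname "$j")"
fi
```

Hard links cannot cross filesystems, so keeping the jail on its own filesystem (or mount) removes the linking trick entirely, and mounting that filesystem nosuid makes any setuid bit that does appear inside it inert; the audit is then a second line of defence rather than the only one.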
GentooBox Veteran
Joined: 22 Jun 2003 Posts: 1168 Location: Denmark
Posted: Tue Jan 25, 2005 4:08 pm
I get a segmentation fault when I'm trying to connect to the sftp server. (the server segments)
Quote:
Jan 26 16:40:07 GentooBox useradd[5526]: new user: name=testuser, uid=1001, gid=100, home=/home/testuser, shell=/usr/bin/rssh
Jan 26 16:40:08 GentooBox chfn[5527]: changed user `testuser' information
Jan 26 16:40:16 GentooBox passwd[5528]: password for `testuser' changed by `root'
Jan 26 16:40:29 GentooBox sshd[2885]: Received signal 15; terminating.
Jan 26 16:40:30 GentooBox sshd[5592]: Server listening on 0.0.0.0 port 22.
Jan 26 16:40:45 GentooBox sshd[5602]: Accepted password for testuser from 127.0.0.1 port 32995 ssh2
Jan 26 16:40:45 GentooBox sshd[5607]: subsystem request for sftp
Jan 26 16:40:45 GentooBox rssh[5608]: setting log facility to LOG_USER
Jan 26 16:40:45 GentooBox rssh[5608]: allowing scp to all users
Jan 26 16:40:45 GentooBox rssh[5608]: allowing sftp to all users
Jan 26 16:40:45 GentooBox rssh[5608]: setting umask to 022
Jan 26 16:40:45 GentooBox rssh[5608]: chrooting all users to /home
Jan 26 16:40:45 GentooBox rssh[5608]: segfault at 0000000000000050 rip 0000002a956da130 rsp 0000007fbffff228 error
That's from the logs.
I have 64-bit.
Note:
I can't copy the ld-linux file.
Quote:
libcrypto.so.0.9.7 => /usr/lib/libcrypto.so.0.9.7 (0x0000002a9566c000)
libutil.so.1 => /lib/libutil.so.1 (0x0000002a958a6000)
libz.so.1 => /lib/libz.so.1 (0x0000002a959aa000)
libnsl.so.1 => /lib/libnsl.so.1 (0x0000002a95abd000)
libcrypt.so.1 => /lib/libcrypt.so.1 (0x0000002a95bd3000)
libresolv.so.2 => /lib/libresolv.so.2 (0x0000002a95d08000)
libc.so.6 => /lib/libc.so.6 (0x0000002a95e1c000)
libdl.so.2 => /lib/libdl.so.2 (0x0000002a96042000)
/lib64/ld-linux-x86-64.so.2 (0x0000002a95556000)
ld-linux-x86-64 points to nowhere; that means that I don't need to copy that file, right?
EDIT:
Both the openssh and rssh packages support the "static" use flag - can I use that so I don't need to copy all the files ldd finds?
_________________
Encrypt, lock up everything and duct tape the rest
jiri.tyr n00b
Joined: 08 Feb 2005 Posts: 26 Location: Czech Republic
Posted: Tue Feb 08, 2005 2:17 pm
Here is my own Perl code for generating the SSH dependencies for RSSH:
Code:
#!/usr/bin/perl
use strict;
use warnings;

# user to jail (first argument) and the staging directory for the jail tree
my $user = $ARGV[0] || 'user_name';
my $path = './rssh';

# binaries that must exist inside the chroot
my @files = ('/usr/lib/misc/rssh_chroot_helper',
             '/usr/lib/misc/sftp-server',
             '/usr/bin/scp',
             '/usr/bin/sftp');
my %struct;    # library file name => directory it lives in

# get the library list from ldd
foreach my $file (@files) {
    if (not -e $file) {
        warn "File $file doesn't exist!\n";
        next;
    }
    my @lines = `ldd $file`;
    foreach my $line (@lines) {
        # ldd prints "\tlibfoo.so => /lib/libfoo.so (0x...)" or "\t/lib/ld-linux.so.2 (0x...)";
        # the leading tab leaves $params[0] empty, so the name is in [1] and the path in [3]
        my @params = split /\s+/, $line;
        if ((defined $params[3] and $params[3] =~ /(.+)\/(.+)/) or
            (defined $params[1] and $params[1] =~ /(.*)\/(.+)/)) {
            $struct{$2} = $1;
        }
    }
}
system 'mkdir', '-p', $path;
# copy libraries, preserving their directory layout
foreach my $key (sort keys %struct) {
    system 'mkdir', '-p', "$path/$struct{$key}";
    system 'cp', '-f', "$struct{$key}/$key", "$path/$struct{$key}/";
}
# copy executable files
foreach my $file (@files) {
    if ($file =~ /(.+)\/(.+)/) {
        system 'mkdir', '-p', "$path/$1";
        system 'cp', '-f', $file, "$path/$file";
    }
}
# authentication (NSS) libraries
system "cp -f /lib/libnss_* $path/lib/";
# etc directory: only this user's passwd line, plus the ld.so cache and config
system 'mkdir', '-p', "$path/etc";
system "grep '^$user:' /etc/passwd > $path/etc/passwd";
system "cp -f /etc/ld.so.c* $path/etc/";
# make package
system "tar cvhf ./rssh_$user.tar $path && rm -fr $path";
exit 0;
Puca n00b
Joined: 05 Apr 2004 Posts: 14 Location: A Dubliner in Glasgow, Scotland
Posted: Fri Jun 10, 2005 12:11 pm
I've, unfortunately, emerged world this morning, which has trashed my server. I keep getting Authentication failure problems. I've recopied any dependencies in case something has changed, but I have a bad feeling it's some change in Baselayout that might have messed up rssh or something... as you can tell I'm sketchy on the details here... only brought to my attention 40 mins ago
Puca n00b
Joined: 05 Apr 2004 Posts: 14 Location: A Dubliner in Glasgow, Scotland
Posted: Fri Jun 10, 2005 12:17 pm
Ah, got it... it was /etc/shells missing
/usr/bin/rssh
phew!
gringo Advocate
Joined: 27 Apr 2003 Posts: 3793
Posted: Fri Jun 10, 2005 1:54 pm
gentoobox -> same segfaults here! Did you solve this issue by compiling static packages?
TIA
GentooBox Veteran
Joined: 22 Jun 2003 Posts: 1168 Location: Denmark
Posted: Fri Jun 10, 2005 3:05 pm
gringo wrote:
gentoobox -> same segfaults here! Did you solve this issue by compiling static packages?
TIA
Nope, still the same problem.
_________________
Encrypt, lock up everything and duct tape the rest
j-m Retired Dev
Joined: 31 Oct 2004 Posts: 975
Posted: Fri Jun 10, 2005 4:00 pm
I can't resist:
Code:
emerge net-misc/scponly && forget all this crap
gringo Advocate
Joined: 27 Apr 2003 Posts: 3793
Posted: Sat Jun 11, 2005 10:47 pm
Thanks, didn't know about this one,
but the problem persists on amd64, segfaults too.
Cheers
groonie n00b
Joined: 03 Jul 2004 Posts: 24
Posted: Mon Jul 18, 2005 7:45 am
I use 64bit, too.
Since I never managed to solve the segfault problem, I emerged a 32bit binary from my 32bit gentoo chroot
and it worked again. Not a beautiful solution, but a workin' one!
Crisis l33t
Joined: 10 Feb 2003 Posts: 613 Location: Portland, OR
Posted: Thu Jul 21, 2005 8:54 pm
Anyone been able to get full file transfer logging with this solution? I compiled openssh with the sftplogging option, but I have only been able to get full logging to work with bash as the shell...
Supposedly rssh and scponly both have logging options of their own, but has anyone been able to get them to actually log file transfers? If so, can you post example configs/details? Thanks!
GoofyHMG Tux's lil' helper
Joined: 24 Dec 2004 Posts: 77
Posted: Wed Aug 03, 2005 12:51 am Post subject: I'm stuck at the point where users are created, can you help?
root # superadduser
Login name for new user []: testuser
User ID ('UID') [ defaults to next available ]:
Initial group [ users ]:
Additional groups (comma separated) []:
Home directory [ /home/testuser ]
Shell [ /bin/bash ] /usr/bin/rssh
Expiry date (YYYY-MM-DD) []:
New account will be created as follows:
---------------------------------------
Login name.......: testusertest
UID..............: [ Next available ]
Initial group....: users
Additional groups: [ None ]
Home directory...: /home/testusertest
Shell............: /usr/bin/rssh
Expiry date......: [ Never ]
This is it... if you want to bail out, hit Control-C. Otherwise, press
ENTER to go ahead and make the account.
Creating new account...
chfn: Unknown user testusertest
- Warning: an error occurred while setting finger information
passwd: Unknown user testusertest
* WARNING: An error occured while setting the password for
this account. Please manually investigate this *
groovin Guru
Joined: 07 Feb 2004 Posts: 429 Location: California, USA
Posted: Mon Aug 22, 2005 7:12 pm
Anyone actually try a security test of this? I was thinking about opening up my home server to some friends who are pretty geeky... they are pretty knowledgeable with this kind of stuff and a couple of them are capable of rooting a poorly configured box, and though they won't do any damage (I know where they live) to my box, I know they will try to, so I figure I might as well make it hard for them!
heimatland n00b
Joined: 04 Jan 2006 Posts: 4 Location: Bydgoszcz, Poland
Posted: Thu Dec 14, 2006 12:06 pm
Steffen wrote:
I think I've found the solution for the "SCP does not work with RSSH" problem!
The file CHROOT that comes with RSSH states:
You may need to copy additional libraries, if your system depends upon them for authentication. For example, in my testing, I needed to copy /lib/libnss_files.so.? into the chroot jail. Without it, the scp command failed, complaining that my user ID was an unknown user. If you use LDAP authentication on the server, you will probably need to also copy libnss_ldap.so.? into your chroot jail.
So I tried it with all /lib/libnss_* files and finally found out that on my Gentoo system (and probably yours) you have to copy /lib/libnss_compat.so.2 into your chroot jail to make SCP work with RSSH!
Edit: I forgot to say that I had to copy my /etc/passwd file into the chroot, too. I don't know, but this makes SCP a bit less attractive for me than SFTP...
Anyone having the unknown user problem with scp or Exit code 255 with sftp:
what Steffen gave above helped.
I needed /lib/libnss_compat.so.2 copied to lib/ inside the chroot.
Works like a charm then.
Lost half a day to dig it up.
_________________
--
my gentoo boxes:
notebook: athlon xp-m 3000, 768MB, HDD40GB/kernel 2.6/x86
desktop: celeron 500, 128MB, 40GB/kernel2.6/x86
server: Sun Fire V20z dual Opteron, 4GB, 2x70GB SCSI/kernel2.6/amd64
pumpichank Tux's lil' helper
Joined: 28 Jul 2005 Posts: 81
Posted: Thu Jan 04, 2007 4:58 am Post subject: SOLVED mysterious connection closed problem
I solved the problem of having the connection mysteriously close without any further indication in the log files. The first problem is that you need to configure things so rssh_chroot_helper can syslog in the jail. With syslog-ng this is easy by adding another source log pointing to /chroot/jail/dev/log.
Then I got rssh_chroot_helper to log enough information to discover that I needed an /etc/passwd (and, helpfully though apparently not required, an /etc/group) in the chroot. After adding these, everything worked beautifully.
I put more detail in the wiki HOWTO article.
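The two posts above (heimatland's libnss_compat/passwd fix and pumpichank's dev/log and passwd/group fix) boil down to a short list of things the jail must contain before scp, sftp and rssh_chroot_helper can work and report errors. The check below is an added example for this thread, not code from the thread or from rssh; it assumes POSIX sh, takes the jail root as an argument (the thread uses /chroot/jail), and the sample jail it builds is constructed, with an empty file standing in for the real NSS library. The syslog-ng stanza it emits uses the standard unix-dgram() source; the destination name d_messages is an assumption and must match your own syslog-ng.conf.

```sh
#!/bin/sh
# Added example, not from the thread: check an rssh/scponly jail for the pieces
# the posts above found missing when scp said "unknown user", sftp exited with
# 255, or the connection closed silently:
#   * etc/passwd with a line for the jailed user (and etc/group),
#   * an NSS backend the jail's libc can load (libnss_compat or libnss_files),
#   * dev/log, so rssh_chroot_helper can reach syslog from inside the jail.
# Assumes POSIX sh. JAIL is the chroot root, e.g. /chroot/jail.

# true if the jail carries at least one usable NSS library (unmatched globs
# stay literal, so -f is false for them)
has_nss_lib() {
    for f in "$1"/lib/libnss_compat.so.* "$1"/lib/libnss_files.so.*; do
        [ -f "$f" ] && return 0
    done
    return 1
}

# jail_check JAIL USER -> one MISSING line per problem; exit 0 if complete
jail_check() {
    jail=$1; user=$2; missing=0
    if ! grep -q "^$user:" "$jail/etc/passwd" 2>/dev/null; then
        echo "MISSING: $jail/etc/passwd entry for $user"; missing=$((missing + 1))
    fi
    if [ ! -f "$jail/etc/group" ]; then
        echo "MISSING: $jail/etc/group"; missing=$((missing + 1))
    fi
    if ! has_nss_lib "$jail"; then
        echo "MISSING: $jail/lib/libnss_compat.so.* or libnss_files.so.*"; missing=$((missing + 1))
    fi
    if [ ! -S "$jail/dev/log" ]; then
        echo "MISSING: $jail/dev/log (syslog socket; see syslogng_source)"; missing=$((missing + 1))
    fi
    [ "$missing" -eq 0 ]
}

# jail_missing_count JAIL USER -> number of MISSING lines
jail_missing_count() {
    jail_check "$1" "$2" | wc -l | tr -d ' '
}

# syslog-ng fragment that creates dev/log inside the jail: a second unix-dgram
# source, logged to the same destination as the system log. The destination
# name d_messages is an assumption; use whatever your syslog-ng.conf defines.
syslogng_source() {
    cat <<EOF
source s_jail { unix-dgram("$1/dev/log"); };
log { source(s_jail); destination(d_messages); };
EOF
}

# Constructed sample jail for an offline run: passwd line present (same shape
# as the useradd log line earlier in the thread), NSS library stand-in present,
# etc/group and dev/log absent. Prints the jail path.
build_sample_rssh_jail() {
    jail=$(mktemp -d)/jail
    mkdir -p "$jail/etc" "$jail/lib" "$jail/dev"
    echo 'testuser:x:1001:100::/home/testuser:/usr/bin/rssh' > "$jail/etc/passwd"
    : > "$jail/lib/libnss_compat.so.2"    # stand-in, not the real library
    echo "$jail"
}

# stand-alone run: sh jailcheck.sh --demo
if [ "${1:-}" = "--demo" ]; then
    j=$(build_sample_rssh_jail)
    jail_check "$j" testuser || echo "$(jail_missing_count "$j" testuser) item(s) missing"
    syslogng_source /chroot/jail
    rm -rf "$(dirname "$j")"
fi
```

The passwd copy in the jail only needs the jailed user's own line (the Perl script earlier in the thread greps it out for that reason), so the check looks for that line rather than for the file as a whole.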
humbletech99 Veteran
Joined: 26 May 2005 Posts: 1229 Location: London
Posted: Mon Mar 26, 2007 5:59 pm
I followed the gentoo-wiki article and saw at the bottom a proposed better way without having to redo the libs and have libs in the user's home dirs.
I'm still trying to get this working. I compiled a static openssh with the chroot use flag as well; is the chroot use flag applying the patch from here http://www.minstrel.org.uk/papers/sftp/ ?
Also, does anyone know where to get more info/docs on the chroot use flag and how to make use of it? There is no point in having this patch added to portage if there is no doc on what it gives you and how to use it.
_________________
The Human Equation:
value(geeks) > value(mundanes)
UgolinoII Tux's lil' helper
Joined: 25 Apr 2004 Posts: 119
Posted: Mon Apr 23, 2007 3:12 pm
I too was following the Minstrel guide, and I had just got to creating a patch from his modified sftp-server.c file.
I copied the ebuild into the overlay directory, and was about to modify it when I came across this line:
Code:
use chroot && epatch "${FILESDIR}"/openssh-4.3_p1-chroot.patch
I checked the patches; whilst they aren't identical they look to do the same thing.
Code:
diff -y /var/portage/net-misc/openssh/files/chroot-patch.patch /usr/portage/net-misc/openssh/files/openssh-4.3_p1-chroot.patch #
15a16,22 | http://chrootssh.sourceforge.net/
> * |
> ********************************************************** | --- openssh-4.3p1/session.c
> * This version modified 08/11/06 by Minstrel <Minstrel@min | +++ openssh-4.3p1/session.c
> * to provide chroot'd SFTP (see http://www.minstrel.org.uk | @@ -59,6 +59,8 @@
> * | #include "kex.h"
> * Search for 'Minstrel' in this file to find modifications | #include "monitor_wrap.h"
> ********************************************************** |
47a55,58 | +#define CHROOT
> /* Following single line added by Minstrel */ | +
> | #if defined(KRB5) && defined(USE_AFS)
> #define CHROOT | #include <kafs.h>
> | #endif
1206a1218,1250 | @@ -1251,6 +1253,11 @@
> /* Start additions by Minstrel */ | void
> | do_setusercontext(struct passwd *pw)
> #ifdef CHROOT | {
> void | +#ifdef CHROOT
> chroot_init(void) | + char *user_dir;
> { | + char *new_root;
> char *user_dir, *new_root; | +#endif /* CHROOT */
> | +
> user_dir = getenv("HOME"); | #ifndef HAVE_CYGWIN
> if (!user_dir) | if (getuid() == 0 || geteuid() == 0)
> fatal("HOME isn't in environment"); | #endif /* HAVE_CYGWIN */
> | @@ -1308,6 +1315,27 @@
> new_root = user_dir + 1; | restore_uid();
> | }
> while ((new_root = strchr(new_root, '.')) != NULL) { | #endif
> new_root--; | +
> if (strncmp(new_root, "/./", 3) == 0) { | +#ifdef CHROOT
> *new_root = '\0'; | + user_dir = xstrdup(pw->pw_dir);
> new_root += 2; | + new_root = user_dir + 1;
> | +
> if (chroot(user_dir) != 0) | + while ((new_root = strchr(new_root, '.')) != NULL) {
> fatal("Couldn't chroot to us | + new_root--;
> | + if (strncmp(new_root, "/./", 3) == 0) {
> setenv("HOME", new_root, 1); | + *new_root = '\0';
> break; | + new_root += 2;
> } | +
> new_root += 2; | + if(chroot(user_dir) != 0)
> } | + fatal("Couldn't chroot to use
> } | + pw->pw_dir = new_root;
> #endif /* CHROOT */ | + break;
> | + }
> /* End additions by Minstrel */ | +
> | + new_root += 2;
1272a1317,1326 | + }
> /* Start additions by Minstrel */ | +#endif /* CHROOT */
> | +
> #ifdef CHROOT | # ifdef USE_PAM
> chroot_init(); | /*
> #endif | * PAM credentials may take the form of suppl
> if (setuid(getuid()) != 0) |
> fatal("Couldn't drop privileges: %s", strerro <
> <
> /* End additions by Minstrel */ <
> <
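Review bot: in the right-hand hunk at @@ -1308,6 +1315,27 @@, chroot() is only reached inside the `if (strncmp(new_root, "/./", 3) == 0)` branch; when pw->pw_dir carries no "/./" marker the while loop simply runs out and do_setusercontext() continues into the `# ifdef USE_PAM` section with the user unjailed and nothing logged. A user whose home directory was meant to be jailed but was created (or later edited) without the marker therefore silently gets an ordinary session, so the hunk should record whether the branch was taken and call fatal() or at least logit() after the loop when it was not. The same fall-through exists in the left-hand Minstrel chroot_init(), which also only chroots once the marker is found, and there the marker is read from the HOME environment variable rather than from the passwd entry.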
So one can only assume that the chroot flag is for exactly the purpose described in the Minstrel guide.
More to follow...
humbletech99 Veteran
Joined: 26 May 2005 Posts: 1229 Location: London
Posted: Mon Apr 23, 2007 4:20 pm
I have my server working and chrooted, but I didn't use the chroot flag in openssh; instead I'm using scponly, as this will not give a shell.
_________________
The Human Equation:
value(geeks) > value(mundanes)
mycroes Tux's lil' helper
Joined: 26 May 2003 Posts: 110 Location: Netherlands
Posted: Mon May 21, 2007 1:21 pm Post subject: static binaries and paths
I think all of this can be done a lot easier (but correct me if I'm wrong)... If you enable USE=static for openssh and rssh you shouldn't need any libraries at all in the chroot. I think the path for scp and sftp-server can be set in sshd_config, see the example:
Code:
# override default of no subsystems
Subsystem sftp /usr/lib/misc/sftp-server
This is in sshd_config by default. So combining these thoughts I think you can make a dir bin in a user's home directory, put all the binaries you need in bin, chroot them in the home directory and you're done... If you're doing this it is also possible to have a /home/chrootbin to which the bin dirs are hardlinked, so you only need to update /home/chrootbin every time you update any of the binaries that you copied to the chroot...
Seems a lot easier to me, but perhaps I'm overlooking something.
Regards,
Michael
_________________
In a world without walls or fences we don't need windows or gates
mycroes Tux's lil' helper
Joined: 26 May 2003 Posts: 110 Location: Netherlands
Posted: Mon May 21, 2007 1:25 pm
humbletech99 wrote:
I have my server working and chrooted, but didn't use the chroot flag in openssh, instead I'm using scponly as this will not give a shell.
rssh will not give a shell either, but could you explain how you chrooted your scponly? I'm still doubting which way to go, rssh or scponly...
Regards,
Michael
_________________
In a world without walls or fences we don't need windows or gates
humbletech99 Veteran
Joined: 26 May 2005 Posts: 1229 Location: London
Posted: Mon May 21, 2007 1:26 pm
Thanks for the suggestions; using the static use flag was exactly what I did.
Although I'm not sure about the symlinking thing, this may allow chroot breaking.... IIRC you should not have any links leading outside of your chroot.
I have instead got a basic skel which I can copy over and will simply bashify updates on this.
EDIT: I tried rssh first, but scponly seems the better option. Someone told me rssh was lame so I checked out scponly and it seems to work well and is easier. It uses a // in the home dir path to separate the jail and the home dir inside the jail.
_________________
The Human Equation:
value(geeks) > value(mundanes)
mycroes Tux's lil' helper
Joined: 26 May 2003 Posts: 110 Location: Netherlands
Posted: Mon May 21, 2007 2:12 pm
humbletech99 wrote:
thanks for the suggestions, using the static use flag was exactly what I did.
What did you do with it? scponly doesn't have a static use flag; could you explain the contents and configuration of your chroot a bit more? It doesn't have to be a step-by-step howto, but an outline will be appreciated...
humbletech99 wrote:
although I'm not sure about the symlinking thing, this may allow chroot breaking.... iirc you should not have any links leading outside of your chroot.
I only partially agree. I wasn't talking about symlinking to the system binaries, but to a copied version in /home. I can't even symlink to system binaries, because they're on a different volume. I'm running a hardened server, I don't think they'll be able to break a lot, and I'm willing to take the risk.
Also, I currently have noexec on /home, my clients are only members of a separate group and I set umask to 077, so they shouldn't be able to create anything that someone else except root can read, so I doubt if I'm gonna chroot at all... Of course there's write access in /tmp, but /tmp is noexec too. If I were to chroot then I'd also have to add php and apache to the chroot, or else it would be quite useless (php and apache get forked to the user whose content is to be displayed)...
Anyway, I'm still interested in the ways a chroot can be set up; maybe in the future I will have a use for it...
Regards,
Michael
_________________
In a world without walls or fences we don't need windows or gates
humbletech99 Veteran
Joined: 26 May 2005 Posts: 1229 Location: London
Posted: Mon May 21, 2007 2:30 pm
Where are your jails located?
If symlinking jailed bins/libs to /home then noexec may stop the whole thing from working.
Where did apache and php come from? You are trying to use sftp to manage a web server?
I created a jail the standard way by recreating a minimal dir structure, and then scp makes the chroot call and locks into the jail. This is done by scponly just by setting it to be your shell and then making the home directory of the user /path/to/jail//home/username.
Then you just have to test it to death to make the libs work (statically compiling where you can helps).
_________________
The Human Equation:
value(geeks) > value(mundanes)