DArtagnan l33t
Joined: 30 Apr 2002 Posts: 942 Location: Israel, Jerusalem
Posted: Tue Nov 11, 2003 9:05 am Post subject: Re: Creating a chrooted sftp server without giving shell
OmniVector wrote:
I found little documentation on this subject, and I'm sure it would be of interest to many people trying to create a secure ftp solution, and this is what I came up with.
Firstly you'll need to emerge the restricted rssh shell.
To configure it, you'll need to add /usr/bin/rssh to the list of accepted shells:
Code:
echo /usr/bin/rssh >> /etc/shells
and you'll want to modify the rssh config and make some minor changes to enable chrooting, scp, and sftp.
/etc/rssh.conf:
Code:
logfacility = LOG_USER
allowscp
allowsftp
umask = 022
chrootpath="/home"
If you wish to disable scp, or sftp independently, just remove the line or comment it out with a #.
Next, we need to build a chroot environment for rssh to work.
This involves copying a few files to our chrooted folder (/home).
Code:
cd /home
mkdir -p usr/bin
cp /usr/bin/scp usr/bin
cp /usr/bin/rssh usr/bin
mkdir -p usr/libexec
cp /usr/libexec/rssh_chroot_helper usr/libexec
mkdir -p usr/lib/misc
cp /usr/lib/misc/sftp-server usr/lib/misc
Though we're not quite done copying files yet: now we need to copy the dependencies of those files. ldd will tell us what files are needed:
Code:
ldd /usr/bin/scp
libutil.so.1 => /lib/libutil.so.1 (0x4001c000)
libz.so.1 => /usr/lib/libz.so.1 (0x4001f000)
libnsl.so.1 => /lib/libnsl.so.1 (0x4002d000)
libcrypto.so.0.9.6 => /usr/lib/libcrypto.so.0.9.6 (0x40042000)
libc.so.6 => /lib/libc.so.6 (0x40106000)
libdl.so.2 => /lib/libdl.so.2 (0x40235000)
/lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)
So now we need to make the necessary folders and copy the libs needed for scp:
Code:
cd /home
mkdir lib
cp /lib/libutil.so.1 lib
cp /lib/libnsl.so.1 lib
cp /lib/libc.so.6 lib
cp /lib/libdl.so.2 lib
cp /lib/ld-linux.so.2 lib
mkdir -p usr/lib
cp /usr/lib/libz.so.1 usr/lib
cp /usr/lib/libcrypto.so.0.9.6 usr/lib
Now run ldd on the other files we copied into our chroot environment:
Code:
ldd /usr/bin/rssh
ldd /usr/libexec/rssh_chroot_helper
ldd /usr/lib/misc/sftp-server
Copy the libraries associated with those files if there are any we didn't already get from scp. Note: for me, there were no other dependencies; copying all the dependencies for scp was enough. This should be the case for you as well unless your configuration is very different.
The only thing left to do now is create a user and change their shell to /usr/bin/rssh. There are a couple of ways to do this. You could run superadduser:
Code:
emerge superadduser
superadduser
Login name for new user []: testuser
User ID ('UID') [ defaults to next available ]:
Initial group [ users ]:
Additional groups (comma separated) []:
Home directory [ /home/testuser ]
- Warning: '/home/testuser' already exists !
Do you wish to change the home directory path? (Y/n) n
Shell [ /bin/bash ] /usr/bin/rssh
Expiry date (YYYY-MM-DD) []:
Or simply modify an existing user account:
Code:
usermod -s /usr/bin/rssh testuser
Finally, make sure sshd is running:
Code:
/etc/init.d/sshd status
* status: started
If not, run /etc/init.d/sshd start, and try connecting:
Code:
sftp testuser@yourip.com
Connecting to yourip.com...
testuser@yourip.com's password:
sftp> ls
.
..
.bash_profile
.bashrc
.qmail
sftp> pwd
Remote working directory: /testuser
sftp> exit
ssh testuser@yourip.com
testuser@yourip.com's password:
This account is restricted to scp or sftp.
If you believe this is in error, please contact your system administrator.
Connection to yourip.com closed.
Voila! sftp with chrooting, and no shell allowed!

Also please add this line to your howto in order to make it perfect:
Code:
# cp /lib/libcrypt.so.1 /home/lib/
I could not get the chroot working without this line!
_________________
All for one and one for All
--
MACPRO machine...
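The quoted howto copies each binary into the chroot and then copies, one by one, every library that ldd lists for it. Below is that procedure as a script that does it for any list of programs (an added example, not code from the post or from rssh). It assumes the `name => /path (0xaddr)` ldd output format shown in the thread; the `linux-gate.so.1` line that later ldd versions print without a path is the kernel-provided vDSO, which has no file on disk and is skipped. The function names and the sample ldd output are this example's own.

```shell
#!/bin/sh
# Added example (not from the forum post or from rssh): the howto's
# "copy the binary, then ldd it and copy every library" steps as functions.
# Assumes ldd prints "name => /path (0xaddr)" lines as shown in the thread.

# Constructed ldd output, modelled on the listings in the thread. The
# linux-gate.so.1 line has no path: it is the kernel-provided vDSO, not a file.
SAMPLE_LDD='    linux-gate.so.1 =>  (0xffffe000)
    libutil.so.1 => /lib/libutil.so.1 (0xb7ed0000)
    libz.so.1 => /usr/lib/libz.so.1 (0x4001f000)
    libcrypt.so.1 => /lib/libcrypt.so.1 (0xb7e7d000)
    /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0xb7fea000)'

# Read ldd output on stdin and print one absolute library path per line.
# Lines whose target is not a path (the vDSO, "statically linked") are dropped.
ldd_paths() {
    awk '/=>/ { if ($3 ~ /^\//) print $3; next }
         $1 ~ /^\// { print $1 }'
}

# Read library paths on stdin and copy each one under the chroot root $1,
# recreating its directory (so /usr/lib/libz.so.1 lands in $1/usr/lib/).
copy_libs() {
    root=$1
    while IFS= read -r lib; do
        mkdir -p "$root$(dirname "$lib")"
        cp "$lib" "$root$lib"
    done
}

# Copy each program named after the chroot root into the chroot, together
# with every library ldd reports for it, e.g.:
#   populate_chroot /home /usr/bin/scp /usr/bin/rssh \
#       /usr/libexec/rssh_chroot_helper /usr/lib/misc/sftp-server
populate_chroot() {
    root=$1; shift
    for bin in "$@"; do
        mkdir -p "$root$(dirname "$bin")"
        cp "$bin" "$root$bin"
        ldd "$bin" | ldd_paths | copy_libs "$root"
    done
}
```

Run `ldd` again on anything copied this way whose libraries came from a different build than the system's, since the list is only as good as the binary actually placed in the jail.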
Cicero Apprentice
Joined: 21 Jul 2003 Posts: 220
Posted: Tue Nov 11, 2003 4:35 pm Post subject:
For those too lazy to click on the link without knowing what it is, I made a patch for rssh that added cvs support.
Cicero Apprentice
Joined: 21 Jul 2003 Posts: 220
Posted: Mon Nov 17, 2003 4:25 am Post subject:
Eh, forget it. It's been brutally rejected.
DArtagnan l33t
Joined: 30 Apr 2002 Posts: 942 Location: Israel, Jerusalem
Posted: Thu Nov 20, 2003 9:38 am Post subject: HELP!!!
Can anyone understand why I get this error: "user livius attempted to execute forbidden commands"???
Thanks
My /etc/passwd:
Code:
livius:x:1003:501:Voicu Liviu,507,5881253,6310714,067424004:/liviu:/usr/local/bin/rssh
My rssh.conf:
Code:
[root@ayelet liviu]# cat /usr/local/etc/rssh.conf
# This is the default rssh config file
# set the log facility. "LOG_USER" and "user" are equivalent.
logfacility = LOG_USER # you can use comments at end of line
# Leave these both uncommented to make the default action for rssh to lock
# users out completely...
allowscp
allowsftp
# set the default umask
umask = 022
# If you want to chroot users, use this to set the directory
# if you DO NOT want to chroot users, LEAVE THIS COMMENTED OUT.
# Quotes not required unless path contains a space...
#chrootpath="/usr/local/chroot dir"
##########################################
# EXAMPLES of configuring per-user options
user=livius:077:11:/liviu
From logfile:
Code:
Nov 20 11:35:34 ayelet rssh[23060]: allowing sftp to all users
Nov 20 11:35:34 ayelet rssh[23060]: setting umask to 022
Nov 20 11:35:34 ayelet rssh[23060]: line 21: configuring user livius
Nov 20 11:35:34 ayelet rssh[23060]: setting livius's umask to 077
Nov 20 11:35:34 ayelet rssh[23060]: allowing scp to user livius
Nov 20 11:35:34 ayelet rssh[23060]: allowing sftp to user livius
Nov 20 11:35:34 ayelet rssh[23060]: chrooting livius to /liviu
Nov 20 11:35:34 ayelet rssh[23060]: user livius attempted to execute forbidden commands
Nov 20 11:35:34 ayelet rssh[23060]: command: /usr/libexec/openssh/sftp-server
Nov 20 11:35:34 ayelet sshd(pam_unix)[23059]: session closed for user livius
Zidge Tux's lil' helper
Joined: 20 Aug 2003 Posts: 86
Posted: Tue Jan 06, 2004 3:48 pm Post subject:
I have the exact same problem.
Did anyone find the solution?
nulltype n00b
Joined: 13 Aug 2003 Posts: 36
Posted: Sat May 22, 2004 7:21 am Post subject:
rssh 2.2 has been released, adding cvs, rdist and rsync support; not sure when it will be added to portage though.
nulltype n00b
Joined: 13 Aug 2003 Posts: 36
Posted: Sun May 23, 2004 6:04 am Post subject:
It appears to have a minor bug; I have submitted a patch to the author. If anyone uses it, just don't use user= lines in your rssh.conf.
cbock Tux's lil' helper
Joined: 16 Apr 2004 Posts: 149 Location: san diego
Posted: Thu Jun 17, 2004 6:18 pm Post subject:
Followed the directions in the OP and it's working nicely.
Thanks.
BoBoeBoe n00b
Joined: 17 Feb 2004 Posts: 69
Posted: Sat Jul 17, 2004 9:26 pm Post subject: Cannot follow symlinks
I've set up rssh as explained above and this works fine with a regular directory structure. However, I have a directory structure like
/data/symlink1
/data/symlink2
.......
Now I want my rssh-user to be able to access all symlinked subdirectories under /data; however, the rssh-user cannot access the symlinked subdirectories.
danpixley n00b
Joined: 14 Jun 2004 Posts: 66
Posted: Wed Jul 21, 2004 2:15 am Post subject: You can edit the chrooted passwd file
Steffen wrote:
Edit: I forgot to say that I had to copy my /etc/passwd file into the chroot, too. I don't know, but this makes SCP a bit less attractive for me than SFTP...

You only need an entry in passwd for the user. Everything else from your original passwd file can be removed.
Dan
_________________
Unanswered Post Initiative:
https://forums.gentoo.org/viewtopic.php?t=119906
My site:
http://danpixley.wordpress.com
Alapan n00b
Joined: 21 Jul 2004 Posts: 43
Posted: Sun Aug 22, 2004 12:22 pm Post subject:
Has anyone tried using this method for an AMD64 system? The rssh package is not available for amd64 and I am wondering what the possible problems are.
Alapan n00b
Joined: 21 Jul 2004 Posts: 43
Posted: Sun Aug 22, 2004 1:47 pm Post subject:
Ok, I tried to see if I could make it work on my system anyway...
I could compile and install fine; no problems there. For my test user, the rssh shell does provide me with restricted shell usage. However, sftp does not seem to work at all; it is almost as if rssh is refusing sftp itself. Sftp itself works for unrestricted users.
From another Linux machine, the command
Code:
sftp testuser@mymachine
asks for my password and then gives me a "connection closed" message. If I try using WinSCP, for example, I get the following message.
Code:
Connection has been unexpectedly closed. Server sent command exit status 0.
Any ideas on how I could make this work?
Gavinv n00b
Joined: 05 Aug 2004 Posts: 10
Posted: Wed Aug 25, 2004 12:28 am Post subject: vulnerable?
For all who have implemented the chroot, beware of a user hard linking a setuid program into the chroot.
The user can then create their own fake supporting files (e.g. /etc/passwd), and the setuid program would use these files thinking they are the real ones. Then, if the user can use this setuid system program to gain root privileges, they can create a new setuid root program that does not require a chroot jail to gain root privileges.
There are other pitfalls to using chroot.
grsecurity.org provides more information.
milkypostman n00b
Joined: 10 Oct 2002 Posts: 45
Posted: Tue Oct 05, 2004 7:21 am Post subject:
When I set up my chroot jail I made all the files root.root owned, meaning they have no way of overwriting their /etc/passwd file. I think that fixes the problem above. Just make sure that every file except for what you want them to be able to manage has your information.
If that were the case anyway, then why couldn't I go to any computer, set a chroot, then develop a setuid program that'd be faked out? I don't know a lot about chroot, but after you chroot aren't you kinda stuck anyway?
_________________
cupid packs the pistol
colonel_dolphin n00b
Joined: 12 Jan 2004 Posts: 39
Posted: Tue Oct 12, 2004 7:35 pm Post subject:
"On many systems, only the super-user can do this." (for good reasons!)
Try logging in as an ordinary user and hard linking a setuid program somewhere under your control. If you own the parent directory containing the files owned by root, then you can replace those files with your own. If you can also create a fake /etc/passwd in the chroot directory...
grsecurity addresses some vulnerabilities associated with using chroot.
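The three conditions discussed in the posts above (set-uid programs inside the jail, files hard-linked into it from outside, and files the user owns and can therefore replace) can be checked for mechanically. The script below is an added example, not code from the thread, from rssh or from grsecurity: `audit_chroot` lists findings and `chroot_is_clean` reports whether there are any; both names and the optional owner argument (defaulting to root) are this example's own.

```shell
#!/bin/sh
# Added example, not from any post in this thread: audit a chroot directory
# for the conditions the posts above warn about. Uses only POSIX find primaries.
#   audit_chroot ROOT [OWNER]    prints one "kind: path" line per finding
#   chroot_is_clean ROOT [OWNER] exits 0 only when there are no findings
# OWNER defaults to root; everything in the jail except the user's upload
# directory is expected to be owned by it (the fix milkypostman describes).

audit_chroot() {
    root=$1
    owner=${2:-root}
    # Set-uid / set-gid programs: inside the jail they would trust the jail's
    # /etc/passwd and libraries, which the user may be able to influence.
    find "$root" -type f \( -perm -4000 -o -perm -2000 \) |
        sed 's/^/setuid-or-setgid: /'
    # A hard link shares its inode with the original, so a file linked into
    # the jail from outside has a link count above 1. Keeping the jail on its
    # own filesystem (mounted nosuid) rules such links out, because hard links
    # cannot cross filesystems.
    find "$root" -type f -links +1 |
        sed 's/^/hard-linked: /'
    # Anything not owned by the expected owner can be replaced by its owner.
    find "$root" ! -user "$owner" |
        sed 's/^/not-owned-by-'"$owner"': /'
}

chroot_is_clean() {
    [ -z "$(audit_chroot "$1" "$2")" ]
}
```

Expect the user's own upload directory (and what they put in it) to show up under `not-owned-by-root`; everything else listed deserves a look.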
GurliGebis Retired Dev
Joined: 08 Aug 2002 Posts: 509
Posted: Sat Oct 30, 2004 2:29 pm Post subject:
I cannot get this working.
I have users like thing-001, thing-002 etc.
I want to chroot users into /var/www/thing-00X so they can upload their webpage via SCP/SFTP; how should I do that?
By the way, the helper binary is placed in another location in new versions of rssh.
_________________
Queen Rocks.
colonel_dolphin n00b
Joined: 12 Jan 2004 Posts: 39
Posted: Sat Oct 30, 2004 4:48 pm Post subject:
Try emerging this one...
GurliGebis Retired Dev
Joined: 08 Aug 2002 Posts: 509
Posted: Sun Oct 31, 2004 1:51 pm Post subject:
Emerged scponly, but how do I configure it?
j-m Retired Dev
Joined: 31 Oct 2004 Posts: 975
Posted: Sun Oct 31, 2004 4:02 pm Post subject:
GurliGebis wrote:
Emerged scponly, but how do I configure it?

First of all, you need scponly-3.11-r2 (unstable but should be stable in one day or so). Previous versions do NOT support chrooted SFTP.
Basically everything is configured. There is a directory /home/scponly which includes all files needed for successful chrooted SFTP. If you want your users to only be able to SFTP via SSH and you don't want to allow them to work interactively in a shell, then add them with /sbin/scponlyc as their shell, copy all subdirectories (except incoming) from /home/scponly to their home directory and create a writeable subdirectory for them in their home.
That's it.
GurliGebis Retired Dev
Joined: 08 Aug 2002 Posts: 509
Posted: Sun Oct 31, 2004 4:45 pm Post subject:
Okay, that works. Is there a way to place the folders somewhere so the user only sees the folder I create for him to upload in?
j-m Retired Dev
Joined: 31 Oct 2004 Posts: 975
Posted: Sun Oct 31, 2004 4:49 pm Post subject:
GurliGebis wrote:
Okay, that works. Is there a way to place the folders somewhere so the user only sees the folder I create for him to upload in?

No, this is not possible. The dirs make up the filesystem hierarchy needed for chroot to work and MUST be placed in the chrooted home directory. I don't see the point why you need this anyway. They are NOT user writeable anyway.
GurliGebis Retired Dev
Joined: 08 Aug 2002 Posts: 509
Posted: Sun Oct 31, 2004 5:59 pm Post subject:
To avoid confusing the users that do not know about Unix.
j-m Retired Dev
Joined: 31 Oct 2004 Posts: 975
Posted: Sun Oct 31, 2004 6:30 pm Post subject:
GurliGebis wrote:
To avoid confusing the users that do not know about Unix.

Ok, you can't do that. Period.
johanseg n00b
Joined: 27 Nov 2003 Posts: 18 Location: Sweden
Posted: Mon Nov 15, 2004 4:41 pm Post subject: linux-gate.so.1
When I run ldd /usr/bin/scp it shows a dependency for linux-gate.so.1, but it doesn't state where it is.
Code:
# ldd /usr/bin/scp
linux-gate.so.1 => (0xffffe000)
libresolv.so.2 => /lib/libresolv.so.2 (0xb7fcf000)
libcrypto.so.0.9.7 => /usr/lib/libcrypto.so.0.9.7 (0xb7ed3000)
libutil.so.1 => /lib/libutil.so.1 (0xb7ed0000)
libz.so.1 => /lib/libz.so.1 (0xb7ebf000)
libnsl.so.1 => /lib/libnsl.so.1 (0xb7eaa000)
libcrypt.so.1 => /lib/libcrypt.so.1 (0xb7e7d000)
libc.so.6 => /lib/libc.so.6 (0xb7d6b000)
libdl.so.2 => /lib/libdl.so.2 (0xb7d68000)
/lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0xb7fea000)
What is linux-gate.so.1 and where is it?
_________________
/Johan
Quis custodiet ipsos custodes?