Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in

  FAQ | Search | Memberlist | Usergroups | Statistics | Profile | Log in to check your private messages | Log in | Register

Creating a chrooted sftp server without giving shell
 View unanswered posts
View posts from last 24 hours

Goto page Previous  1, 2, 3, 4  
Reply to topic    Gentoo Forums Forum Index Documentation, Tips & Tricks
View previous topic :: View next topic  
Author Message
mycroes
Tux's lil' helper
Tux's lil' helper


Joined: 26 May 2003
Posts: 110
Location: Netherlands
PostPosted: Mon May 21, 2007 2:46 pm    Post subject: Reply with quote
My jails would've been located in /home/username. I know that noexec would break them, so if I'm going without jails is perhaps more secure because I don't have to worry about any users being able to write anywhere with execute privileges. I use sftp to have clients upload their website...
Regards,

Michael
_________________
In a world without walls or fences we don't need windows or gates
Back to top
View user's profile Send private message
humbletech99
Veteran
Veteran


Joined: 26 May 2005
Posts: 1229
Location: London
PostPosted: Mon May 21, 2007 5:05 pm    Post subject: Reply with quote
err, there is a very good reason to chroot sftp, otherwise they can enumerate all users, look around in your system, steal files etc.

You'd have to do a lot of work to stop them and not all of this is stoppable without breaking your server, hence the chroot requirement.
_________________
The Human Equation:

value(geeks) > value(mundanes)
Back to top
View user's profile Send private message
mycroes
Tux's lil' helper
Tux's lil' helper


Joined: 26 May 2003
Posts: 110
Location: Netherlands
PostPosted: Mon May 21, 2007 5:52 pm    Post subject: What if... Reply with quote
I don't mind them enumerating users, users will need a private key to log in anyway, so no matter how much users they enumerate, it doesn't make a difference... As for 'stealing files', I don't mind if they steal libraries and binaries, they're compiled form gpl source (at least most of them) so I wouldn't call that stealing... And they're clients. As soon as I notice anything fishy is going on they can say godbye to their account... And last but not least, chrooting sftp won't prevent them from using php to snoop around in the system...
Regards,

Michael
_________________
In a world without walls or fences we don't need windows or gates
Back to top
View user's profile Send private message
humbletech99
Veteran
Veteran


Joined: 26 May 2005
Posts: 1229
Location: London
PostPosted: Mon May 21, 2007 7:02 pm    Post subject: Reply with quote
you underestimate the potential.

but I guess it might end up being too much work for you especially if you have to apache and php as well.

anyway, do what you want, that's fine.
_________________
The Human Equation:

value(geeks) > value(mundanes)
Back to top
View user's profile Send private message
chrisk2305
Tux's lil' helper
Tux's lil' helper


Joined: 05 Sep 2007
Posts: 110
PostPosted: Wed Sep 05, 2007 11:22 am    Post subject: Reply with quote
Hi Guys!

I'm kinda new to (gentoo)linux and i'm running into problems with the tutorial. Im running Gentoo AMD64.

I also got the connection closed error when i tried to log in from the shell (or winscp)

Then i started logging and here's the error:

Code:
Sep  5 12:49:29 fileserver sshd(pam_unix)[9352]: session opened for user oneuser by (uid=0)
Sep  5 12:49:29 fileserver sshd[9352]: subsystem request for sftp
Sep  5 12:49:29 fileserver rssh[9353]: setting log facility to LOG_USER
Sep  5 12:49:29 fileserver rssh[9353]: allowing scp to all users
Sep  5 12:49:29 fileserver rssh[9353]: allowing sftp to all users
Sep  5 12:49:29 fileserver rssh[9353]: setting umask to 022
Sep  5 12:49:29 fileserver rssh[9353]: chrooting all users to /home
Sep  5 12:49:29 fileserver rssh[9353]: chroot cmd line: /usr/lib64/misc/rssh_chroot_helper 2 "/usr/lib64/misc/sftp-server"
Sep  5 10:49:29 fileserver rssh_chroot_helper[9353]: new session for oneuser, UID=1002
Sep  5 10:49:29 fileserver rssh_chroot_helper[9353]: user's home dir is /home/oneuser
Sep  5 10:49:29 fileserver rssh_chroot_helper[9353]: chrooted to /home
Sep  5 10:49:29 fileserver rssh_chroot_helper[9353]: changing working directory to /oneuser (inside jail)
Sep  5 10:49:29 fileserver rssh_chroot_helper[9353]: execv() failed, /usr/lib64/misc/sftp-server: No such file or directory
Sep  5 12:49:29 fileserver sshd(pam_unix)[9352]: session closed for user oneuser


Don't quite get, because the /usr/lib64/misc/sftp-server file/folder exists?!

Plz help me, thx!
Back to top
View user's profile Send private message
humbletech99
Veteran
Veteran


Joined: 26 May 2005
Posts: 1229
Location: London
PostPosted: Wed Sep 05, 2007 3:58 pm    Post subject: Reply with quote
am I right in reading you have chrooted to just /home?

noob, get a clue, go read some docs on how chroots work. You should not be chrooting to /home.

Hint: Does /home/usr/lib64/misc/sftp-server exist?

:roll:
_________________
The Human Equation:

value(geeks) > value(mundanes)
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Documentation, Tips & Tricks All times are GMT
Goto page Previous  1, 2, 3, 4
Page 4 of 4

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum



 Links: forums.gentoo.org | www.gentoo.org | bugs.gentoo.org | wiki.gentoo.org | forum-mods@gentoo.org

Copyright 2001-2024 Gentoo Foundation, Inc. Designed by Kyle Manna © 2003; Style derived from original subSilver theme. | Hosting by Gossamer Threads Inc. © | Powered by phpBB 2.0.23-gentoo-p11 © 2001, 2002 phpBB Group
Privacy Policy