Creating a chrooted sftp server without giving shell

Unofficial documentation for various parts of Gentoo Linux. Note: This is not a support forum.

81 posts
Cicero (Apprentice, Posts: 220, Joined: Mon Jul 21, 2003 3:52 pm)

Post by Cicero » Mon Nov 10, 2003 6:48 am

After much research and hard work on this:

http://bugs.gentoo.org/show_bug.cgi?id=33118

Please try it out!

DArtagnan (l33t, Posts: 942, Joined: Tue Apr 30, 2002 11:23 am, Location: Israel, Jerusalem)

Re: Creating a chrooted sftp server without giving shell

Post by DArtagnan » Tue Nov 11, 2003 9:05 am

OmniVector wrote: I found little documentation on this subject, and I'm sure it would be of interest to many people trying to create a secure ftp solution, and this is what I came up with.

Firstly you'll need to emerge the restricted rssh shell:

Code:
emerge rssh

To configure it, you'll need to add /usr/bin/rssh to the list of accepted shells:

Code:
echo /usr/bin/rssh >> /etc/shells

and you'll want to modify the rssh config and make some minor changes to enable chrooting, scp, and sftp.

/etc/rssh.conf:

Code:
logfacility = LOG_USER
allowscp
allowsftp
umask = 022
chrootpath="/home"

If you wish to disable scp or sftp independently, just remove the line or comment it out with a #.

Next, we need to build a chroot environment for rssh to work.
This involves copying a few files to our chrooted folder (/home).

Code:
cd /home

mkdir -p usr/bin
cp /usr/bin/scp usr/bin
cp /usr/bin/rssh usr/bin

mkdir -p usr/libexec
cp /usr/libexec/rssh_chroot_helper usr/libexec

mkdir -p usr/lib/misc
cp /usr/lib/misc/sftp-server usr/lib/misc

Though we're not quite done copying files yet: now we need to copy the dependencies of those files. ldd will tell us what files are needed.

Code:
ldd /usr/bin/scp
        libutil.so.1 => /lib/libutil.so.1 (0x4001c000)
        libz.so.1 => /usr/lib/libz.so.1 (0x4001f000)
        libnsl.so.1 => /lib/libnsl.so.1 (0x4002d000)
        libcrypto.so.0.9.6 => /usr/lib/libcrypto.so.0.9.6 (0x40042000)
        libc.so.6 => /lib/libc.so.6 (0x40106000)
        libdl.so.2 => /lib/libdl.so.2 (0x40235000)
        /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)

So now we need to make the necessary folders, and copy the libs needed for scp.

Code:
cd /home

mkdir lib
cp /lib/libutil.so.1 lib
cp /lib/libnsl.so.1 lib
cp /lib/libc.so.6 lib
cp /lib/libdl.so.2 lib
cp /lib/ld-linux.so.2 lib

mkdir -p usr/lib
cp /usr/lib/libz.so.1 usr/lib
cp /usr/lib/libcrypto.so.0.9.6 usr/lib

Now run ldd on the other files we copied into our chroot environment.

Code:
ldd /usr/bin/rssh
ldd /usr/libexec/rssh_chroot_helper
ldd /usr/lib/misc/sftp-server

Copy the libraries associated with those files if there are any we didn't already get from scp. Note: for me, there were no other dependencies; copying all the dependencies for scp was enough. This should be the case for you as well unless your configuration is very different.

The only thing left to do now is create a user and change their shell to /usr/bin/rssh. There are a couple of ways to do this. You could run superadduser:

Code:
emerge superadduser
superadduser

Login name for new user []: testuser

User ID ('UID') [ defaults to next available ]:

Initial group [ users ]:

Additional groups (comma separated) []:

Home directory [ /home/testuser ]
- Warning: '/home/testuser' already exists !
  Do you wish to change the home directory path? (Y/n)  n

Shell [ /bin/bash ] /usr/bin/rssh

Expiry date (YYYY-MM-DD) []:

or simply modify an existing user account:

Code:
usermod -s /usr/bin/rssh testuser


Finally, make sure sshd is running:

Code:
/etc/init.d/sshd status
 * status:  started

If not, run /etc/init.d/sshd start
and try connecting:

Code:
sftp testuser@yourip.com
Connecting to yourip.com...
testuser@yourip.com's password:
sftp> ls
.
..
.bash_profile
.bashrc
.qmail
sftp> pwd
Remote working directory: /testuser
sftp> exit
ssh testuser@yourip.com
testuser@yourip.com's password:

This account is restricted to scp or sftp.

If you believe this is in error, please contact your system administrator.

Connection to yourip.com closed.

Voilà! sftp with chrooting, and no shell allowed!

Also please add this line to your howto in order to make it perfect :-))

Code:
# cp /lib/libcrypt.so.1 /home/lib/

I could not get the chroot working without this line!
All for one and one for All
--

MACPRO machine...

Cicero (Apprentice, Posts: 220, Joined: Mon Jul 21, 2003 3:52 pm)

Post by Cicero » Tue Nov 11, 2003 4:35 pm

Cicero wrote:After much research and hard work on this:

http://bugs.gentoo.org/show_bug.cgi?id=33118

Please try it out!
For those too lazy to click on the link without knowing what it is, I made a patch for rssh that added cvs support.

Cicero (Apprentice, Posts: 220, Joined: Mon Jul 21, 2003 3:52 pm)

Post by Cicero » Mon Nov 17, 2003 4:25 am

Eh, forget it. It's been brutally rejected.

DArtagnan (l33t, Posts: 942, Joined: Tue Apr 30, 2002 11:23 am, Location: Israel, Jerusalem)

HELP!!!

Post by DArtagnan » Thu Nov 20, 2003 9:38 am

Can anyone understand why I get this error: "user livius attempted to execute forbidden commands"???
Thanks

My /etc/passwd:

Code:
livius:x:1003:501:Voicu Liviu,507,5881253,6310714,067424004:/liviu:/usr/local/bin/rssh
My rssh.conf:

Code:
[root@ayelet liviu]# cat /usr/local/etc/rssh.conf
# This is the default rssh config file

# set the log facility.  "LOG_USER" and "user" are equivalent.
logfacility = LOG_USER # you can use comments at end of line

# Leave these both uncommented to make the default action for rssh to lock
# users out completely...
allowscp
allowsftp

# set the default umask
umask = 022

# If you want to chroot users, use this to set the directory
# if you DO NOT want to chroot users, LEAVE THIS COMMENTED OUT.
# Quotes not required unless path contains a space...
#chrootpath="/usr/local/chroot dir"

##########################################
# EXAMPLES of configuring per-user options
user=livius:077:11:/liviu
From the log file:

Code:
Nov 20 11:35:34 ayelet rssh[23060]: allowing sftp to all users
Nov 20 11:35:34 ayelet rssh[23060]: setting umask to 022
Nov 20 11:35:34 ayelet rssh[23060]: line 21: configuring user livius
Nov 20 11:35:34 ayelet rssh[23060]: setting livius's umask to 077
Nov 20 11:35:34 ayelet rssh[23060]: allowing scp to user livius
Nov 20 11:35:34 ayelet rssh[23060]: allowing sftp to user livius
Nov 20 11:35:34 ayelet rssh[23060]: chrooting livius to /liviu
Nov 20 11:35:34 ayelet rssh[23060]: user livius attempted to execute forbidden commands
Nov 20 11:35:34 ayelet rssh[23060]: command: /usr/libexec/openssh/sftp-server
Nov 20 11:35:34 ayelet sshd(pam_unix)[23059]: session closed for user livius
All for one and one for All
--

MACPRO machine...
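A worked diagnostic for the error in the post above, added by the editor and not taken from any post in the thread. The log shows sshd asking rssh to run /usr/libexec/openssh/sftp-server, while the tutorial earlier on this page copies sftp-server into the jail at /usr/lib/misc/sftp-server (the Gentoo location). On my reading of rssh this matters because rssh only accepts the sftp-server path it was configured with when it was built and rejects anything else as a forbidden command; treat that as the editor's assumption, not something the thread establishes. The script reads the Subsystem sftp line from sshd_config, looks for sftp-server paths embedded in the rssh binary, compares the two, and then checks that the same path exists under the chroot directory (for the per-user line user=livius:077:11:/liviu that directory is /liviu). File locations are arguments; the inputs used in the self-test are constructed.

```shell
#!/bin/sh
# Editor's added diagnostic (not code from the thread).
# Usage: check_sftp_paths SSHD_CONFIG RSSH_BINARY CHROOT_DIR
# Assumption (mine): rssh accepts only the sftp-server path fixed when rssh
# was built, and that path string is visible inside the rssh binary.
set -eu

# Print the program named on the "Subsystem sftp <path>" line of an sshd_config
# read from stdin; commented lines and any trailing options are ignored.
sshd_sftp_path() {
    awk '$1 !~ /^#/ && tolower($1) == "subsystem" && tolower($2) == "sftp" { print $3; exit }'
}

# Print every absolute path ending in "sftp-server" embedded in the file on
# stdin (grep -a treats the binary as text, -o prints only the matches).
embedded_sftp_paths() {
    grep -a -o '/[^[:space:][:cntrl:]]*sftp-server' | sort -u
}

# Compare sshd's path with what rssh accepts, then look inside the jail.
# Prints one line per check; returns 0 only when both checks pass.
check_sftp_paths() {
    sshd_cfg=$1; rssh_bin=$2; jail=${3%/}
    want=$(sshd_sftp_path < "$sshd_cfg")
    rc=0
    case $want in
        /*) ;;
        *)  echo "sshd: Subsystem sftp is '$want', not a program path rssh can run"
            return 1 ;;
    esac
    if embedded_sftp_paths < "$rssh_bin" | grep -qxF -- "$want"; then
        echo "ok: rssh accepts $want"
    else
        echo "MISMATCH: sshd runs $want; paths known to rssh: $(embedded_sftp_paths < "$rssh_bin" | tr '\n' ' ')"
        rc=1
    fi
    # After the chroot helper has chrooted, the same path must exist under the jail.
    if [ -x "$jail$want" ]; then
        echo "ok: $jail$want is present in the jail"
    else
        echo "MISSING: $jail$want (copy it, and its ldd dependencies, into the jail)"
        rc=1
    fi
    return $rc
}

if [ "$#" -eq 3 ]; then check_sftp_paths "$@"; fi
```

Run it as root against the live files, for example `sh check.sh /etc/ssh/sshd_config /usr/local/bin/rssh /liviu`; a MISMATCH line means sshd and rssh disagree about where sftp-server lives, a MISSING line means the jail has no copy of it at that path.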

Zidge (Tux's lil' helper, Posts: 86, Joined: Wed Aug 20, 2003 10:52 pm)

Post by Zidge » Tue Jan 06, 2004 3:48 pm

I have the exact same problem.
Did anyone find the solution?

nulltype (n00b, Posts: 36, Joined: Wed Aug 13, 2003 7:31 am)

Post by nulltype » Sat May 22, 2004 7:21 am

rssh 2.2 has been released, adding cvs, rdist and rsync support, not sure when it will be added to portage though.

nulltype (n00b, Posts: 36, Joined: Wed Aug 13, 2003 7:31 am)

Post by nulltype » Sun May 23, 2004 6:04 am

It appears to have a minor bug, I have submitted a patch to the author. If anyone uses it, just don't use user= lines in your rssh.conf

cbock (Tux's lil' helper, Posts: 149, Joined: Fri Apr 16, 2004 5:22 pm, Location: san diego)

Post by cbock » Thu Jun 17, 2004 6:18 pm

Followed the directions in the OP and it's working nicely.

thanks.

BoBoeBoe (n00b, Posts: 69, Joined: Tue Feb 17, 2004 10:58 pm)

Cannot follow symlinks

Post by BoBoeBoe » Sat Jul 17, 2004 9:26 pm

I've set up rssh as explained above and this works fine with a regular directory structure. However, I have a directory structure like
  • /data/symlink1
  • /data/symlink2
  • .......

Now I want my rssh user to be able to access all symlinked subdirectories under /data; however, the rssh user cannot access the symlinked subdirectories.

danpixley (n00b, Posts: 66, Joined: Mon Jun 14, 2004 2:50 am)

You can edit the chrooted passwd file

Post by danpixley » Wed Jul 21, 2004 2:15 am

Steffen wrote: Edit: I forgot to say that I had to copy my /etc/passwd file into the chroot, too. I don't know, but this makes SCP a bit less attractive for me than SFTP...
You only need an entry in passwd for the user. Everything else from your original passwd file can be removed.

Dan
Unanswered Post Initiative:
http://forums.gentoo.org/viewtopic.php?t=119906

My site:
http://danpixley.wordpress.com

Alapan (n00b, Posts: 43, Joined: Wed Jul 21, 2004 10:16 pm)

Post by Alapan » Sun Aug 22, 2004 12:22 pm

Has anyone tried using this method for an AMD64 system? The rssh package is not available for amd64 and I am wondering what the possible problems are.

Alapan (n00b, Posts: 43, Joined: Wed Jul 21, 2004 10:16 pm)

Post by Alapan » Sun Aug 22, 2004 1:47 pm

OK, I tried to see if I could make it work on my system anyway ...

I could compile and install fine; no problems there. For my test user, the rssh shell does provide me with restricted shell usage. However sftp does not seem to work at all; it is almost as if rssh is refusing sftp itself. Sftp itself works for unrestricted users.

From another Linux machine, the command

Code:
sftp testuser@mymachine

asks for my password and then gives me a "connection closed" message. If I try using WinSCP, for example, I get the following message.

Code:
Connection has been unexpectedly closed. Server sent command exit status 0.

Any ideas on how I could make this work?

Gavinv (n00b, Posts: 10, Joined: Thu Aug 05, 2004 6:56 am)

vulnerable?

Post by Gavinv » Wed Aug 25, 2004 12:28 am

For all who have implemented the chroot, beware of a user hard linking a setuid program into the chroot.

The user can then create their own fake supporting files (e.g. /etc/passwd), and the setuid program would use these files thinking they are the real ones. Then, if the user can use this setuid system program to gain root privileges, they can create a new setuid root program that does not require a chroot jail to gain root privileges ..

There are other pitfalls to using chroot.
grsecurity.org provides more information.
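A worked check for two hazards raised on this page, added by the editor and not taken from any post: Gavinv's scenario just above, where a user hard-links a setuid binary into the jail and feeds it a fake /etc/passwd, and BoBoeBoe's symlinks further up, which stop working once the user is chrooted. Two facts the script relies on: a hard link can only be made within one filesystem, and after chroot(2) an absolute symlink target is looked up under the jail root, so a link to /data/real is resolved as /home/data/real for a user jailed in /home. Linux kernels since 3.6 can also refuse hard links to files the caller does not own (sysctl fs.protected_hardlinks=1), which blocks the link trick at the source; the audit below is the complementary check on the tree itself. It walks a jail and reports setuid/setgid files, files with more than one hard link, anything outside the user's upload directory that is not owned by the expected owner or is group/world writable (milkypostman's root.root point in the next post), and symlinks whose target does not exist inside the jail. Directory and owner names are arguments; the self-test builds a throwaway tree.

```shell
#!/bin/sh
# Editor's added audit (not code from any post in the thread).
# Usage: audit_chroot JAIL [OWNER] [UPLOAD_SUBDIR]
# Assumptions (mine): everything in JAIL except UPLOAD_SUBDIR should be owned
# by OWNER (default root) and writable only by OWNER; find, awk and readlink
# behave as on GNU/Linux or busybox.
set -eu

# Prefix every line on stdin with a finding kind and a tab.
tag() { awk -v k="$1" '{ print k "\t" $0 }'; }

# Print one "kind<TAB>path" line per finding; return 0 only when nothing was found.
audit_chroot() {
    jail=${1%/}; owner=${2:-root}; upload=${3:-}
    findings=$(
        # 1. setuid/setgid programs inside the jail. A hard link to one, made in
        #    the user's writable directory, trusts whatever fake /etc/passwd or
        #    other support files the user placed beside it once run chrooted.
        find "$jail" -type f \( -perm -4000 -o -perm -2000 \) | tag setuid/setgid

        # 2. Files with more than one name on disk: a jail file linked from
        #    outside, or a host binary linked in. Hard links never cross
        #    filesystems, so a jail on its own partition cannot link host binaries.
        find "$jail" -type f -links +1 | tag hardlink

        # 3. Ownership and write bits outside the upload directory. If the user can
        #    replace a library or sftp-server under the jail, the chroot protects
        #    nothing. (-print is needed so the pruned directory is not listed.)
        find "$jail" -path "$jail/$upload" -prune -o ! -user "$owner" -print | tag owner
        find "$jail" -path "$jail/$upload" -prune -o ! -type l \
            \( -perm -020 -o -perm -002 \) -print | tag writable

        # 4. Symlinks. After chroot(2) an absolute target is looked up under the
        #    jail root: /data/real becomes $jail/data/real. A link that resolves on
        #    the host but not there is dead for the sftp user. (Relative links that
        #    climb above the jail with .. are not detected by this simple check.)
        find "$jail" -type l | while read -r link; do
            target=$(readlink "$link")
            case $target in
                /*) resolved="$jail$target" ;;
                *)  resolved="$(dirname "$link")/$target" ;;
            esac
            [ -e "$resolved" ] || printf 'dangling-in-jail\t%s -> %s\n' "$link" "$target"
        done
    )
    [ -n "$findings" ] && printf '%s\n' "$findings"
    [ -z "$findings" ]
}

if [ "$#" -gt 0 ]; then audit_chroot "$@"; fi
```

For the tutorial's layout that is `sh audit.sh /home root testuser`; an empty result and exit status 0 means none of the four hazards is present. The symlink report is the answer to the "cannot follow symlinks" post: the fix is a copy, a bind mount, or a link whose target exists under the jail, not a link to a host path.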

milkypostman (n00b, Posts: 45, Joined: Thu Oct 10, 2002 9:57 am)

Post by milkypostman » Tue Oct 05, 2004 7:21 am

When I set up my chroot jail I made all the files root.root owned, meaning... they have no way of overwriting their /etc/passwd file. I think that fixes the problem above. Just make sure that every file except for what you want them to be able to manage has your information.

If that were the case anyway, then why couldn't I go to any computer, set a chroot, then develop a setuid program that'd be faked out? I don't know a lot about chroot, but after you chroot aren't you kinda stuck anyway?
cupid packs the pistol

colonel_dolphin (n00b, Posts: 39, Joined: Mon Jan 12, 2004 6:20 pm)

Post by colonel_dolphin » Tue Oct 12, 2004 7:35 pm

Code:
info chroot

"On many systems, only the super-user can do this." (for good reasons!)

Try logging in as an ordinary user and hard linking a setuid program somewhere under your control. If you own the parent directory containing the files owned by root, then you can replace those files with your own. If you can also create a fake /etc/passwd in the chroot directory ..

grsecurity addresses some vulnerabilities associated with using chroot.

GurliGebis (Retired Dev, Posts: 509, Joined: Thu Aug 08, 2002 7:40 am)

Post by GurliGebis » Sat Oct 30, 2004 2:29 pm

I cannot get this working.
I have users like thing-001, thing-002 etc.

I want to chroot users into /var/www/thing-00X so they can upload their webpage via SCP/SFTP; how should I do that?

By the way, the helper binary is placed somewhere else in new versions of rssh.
Queen Rocks.

colonel_dolphin (n00b, Posts: 39, Joined: Mon Jan 12, 2004 6:20 pm)

Post by colonel_dolphin » Sat Oct 30, 2004 4:48 pm

Try emerging this one ..
rojaro wrote:.. scponly ..

GurliGebis (Retired Dev, Posts: 509, Joined: Thu Aug 08, 2002 7:40 am)

Post by GurliGebis » Sun Oct 31, 2004 1:51 pm

emerged scponly, but how do I configure it? 8O
Queen Rocks.

j-m (Retired Dev, Posts: 975, Joined: Sun Oct 31, 2004 3:54 pm)

Post by j-m » Sun Oct 31, 2004 4:02 pm

GurliGebis wrote:emerged scponly, but how do I configure it? 8O
First of all, you need scponly-3.11-r2 (unstable but should be stable in one day or so). Previous versions do NOT support chrooted SFTP.

Basically everything is configured. There is a directory /home/scponly which includes all files needed for successful chrooted SFTP. If you want your users to only be able to SFTP via SSH and you don't want to allow them to work interactively in a shell, then add them with /sbin/scponlyc as their shell, copy all subdirectories (except incoming) from /home/scponly to their home directory and create a writeable subdirectory for them in their home.

That's it. :D

GurliGebis (Retired Dev, Posts: 509, Joined: Thu Aug 08, 2002 7:40 am)

Post by GurliGebis » Sun Oct 31, 2004 4:45 pm

Okay, that works, is there a way to place the folders somewhere so the user only sees the folder I create for him to upload in?
Queen Rocks.

j-m (Retired Dev, Posts: 975, Joined: Sun Oct 31, 2004 3:54 pm)

Post by j-m » Sun Oct 31, 2004 4:49 pm

GurliGebis wrote:Okay, that works, is there a way to place the folders somewhere so the user only sees the folder I create for him to upload in?
No, this is not possible. The dirs make up the filesystem hierarchy needed for chroot to work and MUST be placed in the chrooted home directory. I don't see why you need this anyway. They are NOT user writeable anyway.

GurliGebis (Retired Dev, Posts: 509, Joined: Thu Aug 08, 2002 7:40 am)

Post by GurliGebis » Sun Oct 31, 2004 5:59 pm

To avoid confusing users who do not know about Unix.
Queen Rocks.

j-m (Retired Dev, Posts: 975, Joined: Sun Oct 31, 2004 3:54 pm)

Post by j-m » Sun Oct 31, 2004 6:30 pm

GurliGebis wrote:to avoid confusing the users that does not know about unix
OK, you can't do that. Period. :wink:

johanseg (n00b, Posts: 18, Joined: Thu Nov 27, 2003 1:12 pm, Location: Sweden)

linux-gate.so.1

Post by johanseg » Mon Nov 15, 2004 4:41 pm

When I run ldd /usr/bin/scp it shows a dependency for linux-gate.so.1 but it doesn't state where it is.

Code:
# ldd /usr/bin/scp
        linux-gate.so.1 =>  (0xffffe000)
        libresolv.so.2 => /lib/libresolv.so.2 (0xb7fcf000)
        libcrypto.so.0.9.7 => /usr/lib/libcrypto.so.0.9.7 (0xb7ed3000)
        libutil.so.1 => /lib/libutil.so.1 (0xb7ed0000)
        libz.so.1 => /lib/libz.so.1 (0xb7ebf000)
        libnsl.so.1 => /lib/libnsl.so.1 (0xb7eaa000)
        libcrypt.so.1 => /lib/libcrypt.so.1 (0xb7e7d000)
        libc.so.6 => /lib/libc.so.6 (0xb7d6b000)
        libdl.so.2 => /lib/libdl.so.2 (0xb7d68000)
        /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0xb7fea000)
What is linux-gate.so.1 and where is it?
/Johan

Quis custodiet ipsos custodes?
Blog | screenshots
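An added example from the editor, not code from any post, serving two passages on this page: the tutorial's "copy the binaries, run ldd, copy what it lists" procedure in the first reply, and the linux-gate.so.1 question just above. linux-gate.so.1 is the vDSO, a page the kernel maps into every process; it has no file on disk, which is why ldd prints no path for it, and it must not (and cannot) be copied. The script below turns ldd output into a list of real files, skipping entries with no path, and copies each binary plus its libraries into the jail at the same path, root-owned and without setuid. Running ldd on every binary, not just scp, is what catches libraries such as the libcrypt.so.1 that DArtagnan had to add by hand (it shows up in the listing above for a newer scp). Directory and binary names are arguments; the ldd listing embedded for the self-test is a constructed copy of the one posted above.

```shell
#!/bin/sh
# Editor's added example (not code from the thread): copy binaries and the
# shared objects ldd reports for them into a chroot at the same paths.
# Assumptions: GNU/Linux with glibc's ldd; run as root for a real jail (the
# chown is skipped otherwise). Usage: build_jail CHROOT_DIR BINARY...
set -eu

# Turn ldd output (stdin) into one absolute path per line. ldd prints lines of
# these shapes; only the first two name a file on disk:
#   libz.so.1 => /usr/lib/libz.so.1 (0x4001f000)   -> /usr/lib/libz.so.1
#   /lib/ld-linux.so.2 (0x40000000)                -> /lib/ld-linux.so.2
#   linux-gate.so.1 =>  (0xffffe000)               -> kernel vDSO, no file: skip
#   libfoo.so.1 => not found                        -> nothing to copy: skip
ldd_parse() {
    awk '
        /=>/        { if ($3 ~ /^\//) print $3; next }
        $1 ~ /^\//  { print $1 }
    '
}

# Copy one file to CHROOT_DIR/<same path>, mode 0755, root-owned, no setuid.
# (If a binary genuinely needs setuid inside the jail, set it deliberately.)
copy_into_chroot() {
    cj=${1%/}; csrc=$2
    cdst="$cj$csrc"
    mkdir -p "$(dirname "$cdst")"
    cp "$csrc" "$cdst"
    chmod 0755 "$cdst"
    if [ "$(id -u)" -eq 0 ]; then chown root:root "$cdst"; fi
}

# Copy a binary plus everything ldd resolves for it.
install_with_deps() {
    ij=$1; ibin=$2
    copy_into_chroot "$ij" "$ibin"
    ldd "$ibin" | ldd_parse | while read -r lib; do
        copy_into_chroot "$ij" "$lib"
    done
}

# Populate the jail, then list what arrived.
build_jail() {
    bj=$1; shift
    for b in "$@"; do install_with_deps "$bj" "$b"; done
    find "$bj" -type f | sort
}

# Constructed copy of the listing posted above, used by the self-test: only the
# "=> /path" lines and the bare loader line must survive parsing.
sample_ldd_output() {
    printf '\t%s\n' \
        'linux-gate.so.1 =>  (0xffffe000)' \
        'libcrypt.so.1 => /lib/libcrypt.so.1 (0xb7e7d000)' \
        'libc.so.6 => /lib/libc.so.6 (0xb7d6b000)' \
        '/lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0xb7fea000)'
}

if [ "$#" -ge 2 ]; then build_jail "$@"; fi
```

For the tutorial's layout: `sh build_jail.sh /home /usr/bin/scp /usr/bin/rssh /usr/libexec/rssh_chroot_helper /usr/lib/misc/sftp-server`. To confirm the result from inside the jail, ask the copied dynamic loader to resolve a binary there: `chroot /home /lib/ld-linux.so.2 --list /usr/bin/scp` should show every library resolved and none "not found".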

© 2001–2026 Gentoo Foundation, Inc.