Creating a chrooted sftp server without giving shell

[mycroes]

My jails would've been located in /home/username. I know that noexec would break them, so if I'm going without jails is perhaps more secure because I don't have to worry about any users being able to write anywhere with execute privileges. I use sftp to have clients upload their website...
Regards,

Michael

[humbletech99]

err, there is a very good reason to chroot sftp, otherwise they can enumerate all users, look around in your system, steal files etc.

You'd have to do a lot of work to stop them and not all of this is stoppable without breaking your server, hence the chroot requirement.

[mycroes]

I don't mind them enumerating users, users will need a private key to log in anyway, so no matter how much users they enumerate, it doesn't make a difference... As for 'stealing files', I don't mind if they steal libraries and binaries, they're compiled form gpl source (at least most of them) so I wouldn't call that stealing... And they're clients. As soon as I notice anything fishy is going on they can say godbye to their account... And last but not least, chrooting sftp won't prevent them from using php to snoop around in the system...
Regards,

Michael

[humbletech99]

you underestimate the potential.

but I guess it might end up being too much work for you especially if you have to apache and php as well.

anyway, do what you want, that's fine.

[chrisk2305]

Hi Guys!

I'm kinda new to (gentoo)linux and i'm running into problems with the tutorial. Im running Gentoo AMD64.

I also got the connection closed error when i tried to log in from the shell (or winscp)

Then i started logging and here's the error:

Code: Select all

Sep  5 12:49:29 fileserver sshd(pam_unix)[9352]: session opened for user oneuser by (uid=0)
Sep  5 12:49:29 fileserver sshd[9352]: subsystem request for sftp
Sep  5 12:49:29 fileserver rssh[9353]: setting log facility to LOG_USER
Sep  5 12:49:29 fileserver rssh[9353]: allowing scp to all users
Sep  5 12:49:29 fileserver rssh[9353]: allowing sftp to all users
Sep  5 12:49:29 fileserver rssh[9353]: setting umask to 022
Sep  5 12:49:29 fileserver rssh[9353]: chrooting all users to /home
Sep  5 12:49:29 fileserver rssh[9353]: chroot cmd line: /usr/lib64/misc/rssh_chroot_helper 2 "/usr/lib64/misc/sftp-server"
Sep  5 10:49:29 fileserver rssh_chroot_helper[9353]: new session for oneuser, UID=1002
Sep  5 10:49:29 fileserver rssh_chroot_helper[9353]: user's home dir is /home/oneuser
Sep  5 10:49:29 fileserver rssh_chroot_helper[9353]: chrooted to /home
Sep  5 10:49:29 fileserver rssh_chroot_helper[9353]: changing working directory to /oneuser (inside jail)
Sep  5 10:49:29 fileserver rssh_chroot_helper[9353]: execv() failed, /usr/lib64/misc/sftp-server: No such file or directory
Sep  5 12:49:29 fileserver sshd(pam_unix)[9352]: session closed for user oneuser

Don't quite get, because the /usr/lib64/misc/sftp-server file/folder exists?!

Plz help me, thx!

[humbletech99]

am I right in reading you have chrooted to just /home?

noob, get a clue, go read some docs on how chroots work. You should not be chrooting to /home.

Hint: Does /home/usr/lib64/misc/sftp-server exist?