DaemonForums  

#1  hamba, 15th May 2008
scponly not working with chroot

Hi

I'm having trouble setting up scponly. I can get it working when the shell is set to /usr/local/bin/scponly but not to /usr/local/sbin/scponlyc

I followed all the steps
Code:
cd /usr/local/share/examples/scponly/ && /bin/sh setup_chroot.sh
and followed the instructions.

But when it comes time to test the account I'm getting this message from WinSCP:
Code:
Cannot initialize SFTP protocol. Is the host running a SFTP server?
and from a shell account
Code:
me@host1> sftp user@host2
Connecting to host2...
Password:
Connection closed
Here is what I see in my logs:
Code:
May 15 14:54:00 host2 sshd[75239]: Accepted keyboard-interactive/pam for user from 192.168.xx.xxx port 55072 ssh2
May 15 14:54:00 host2 sshd[75242]: subsystem request for sftp
May 15 13:54:00 host2 scponly[75243]: running: /usr/libexec/sftp-server (username: user(1003), IP/port: 192.168.xx.xxx 55072 22)
Does anyone have an idea why this is happening and how I can fix this?
Or is there another, even better way of allowing users to only use sftp that is chrooted?

Thanks
hamba

#2  richardpl, 15th May 2008

Explain your setup in more detail, otherwise my possible response will not be useful at all.

#3  hamba, 15th May 2008

Got it working but it's not perfect.

I had to mount devfs to /home/user/dev
Code:
mount -t devfs dev /home/user/dev
There is a small rc script but it's not creating the devfs properly.
Here are the steps that should work but don't:
Code:
make_devfs() {
    # $1 is the user name whose home directory needs a minimal
    # devfs created. If ~/dev exists, it will be deleted.

    eval DEV="~$1/dev"
    while /sbin/umount "${DEV}" 2>/dev/null; do :; done
    /bin/rm -rf "${DEV}"
    /bin/mkdir -p "${DEV}"
    if /sbin/mount -t devfs dev "${DEV}"; then
        /sbin/devfs -m "${DEV}" rule -s 1 applyset && \
        /sbin/devfs -m "${DEV}" rule -s 2 applyset || \
        /sbin/umount "${DEV}" 2>/dev/null
    fi
}
I'm getting these errors
Code:
devfs -m dev rule -s 1 applyset
devfs rule: ioctl DEVFSIO_SAPPLY: No such process
I'll contact the port maintainer and see if he can help
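
A fail-closed variant of the make_devfs step in the post above, as an added example (not the scponly port's script and not the poster's code): it checks that rulesets 1 and 2 exist before mounting, and unmounts again if they cannot be applied, so the chroot is never left with an unfiltered devfs. It assumes the "No such process" error means the ruleset is not loaded in the kernel; `ruleset_loaded`, `secure_devfs` and the `DEVFS`/`MOUNT`/`UMOUNT` override variables are hypothetical names.

```sh
#!/bin/sh
# Added example: fail-closed devfs setup for a chroot's dev directory.
# The three tool paths can be overridden, so the logic can be exercised
# on a machine without devfs (hypothetical variable names).
: "${DEVFS:=/sbin/devfs}" "${MOUNT:=/sbin/mount}" "${UMOUNT:=/sbin/umount}"

# ruleset_loaded N: succeed only if ruleset number N exists in the kernel.
# "devfs rule showsets" prints the numbers of existing rulesets, one per line.
ruleset_loaded() {
    $DEVFS rule showsets 2>/dev/null | grep -qx "$1"
}

# secure_devfs DIR: mount devfs on DIR, then apply ruleset 1 and ruleset 2
# (devfsrules_hide_all and devfsrules_unhide_basic in
# /etc/defaults/devfs.rules).
# Returns 0 on success, 2 if a ruleset is missing (nothing is mounted),
# 1 if mounting or applying failed (DIR is unmounted again).
secure_devfs() {
    dev=$1
    for rs in 1 2; do
        if ! ruleset_loaded "$rs"; then
            echo "devfs ruleset $rs not loaded; not mounting $dev" >&2
            return 2
        fi
    done
    $MOUNT -t devfs dev "$dev" || return 1
    if $DEVFS -m "$dev" rule -s 1 applyset &&
       $DEVFS -m "$dev" rule -s 2 applyset; then
        return 0
    fi
    # The rules did not apply: a devfs mount without them shows every
    # device node of the host inside the chroot, so take it down again.
    $UMOUNT "$dev" 2>/dev/null
    return 1
}

# Usage (as root, on the FreeBSD host): secure_devfs /home/user/dev
```

A plain `mount -t devfs dev /home/user/dev` with no ruleset applied is the case this guards against: it works, but the chrooted account then sees the full set of device nodes.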

#4  anomie, 15th May 2008

Quote:
Originally Posted by hamba
I'll contact the port maintainer and see if he can help
IMO, that's not something you should be bothering the port maintainer with. Please google for that error message; there are many hits.

Just a comment from me, FWIW: using the scponly chroot capabilities introduces something of a security risk, in that you're requiring it to run with the suid bit set. To me it would be much safer to build a FBSD jail and keep your users contained within. Or, just use the regular scponly shell if you can live with the idea that they'll have access to files on the system that their permissions allow.
__________________
Kill your t.v.
Content copyright © 2007-2010, the authors