http://bugzilla.opensuse.org/show_bug.cgi?id=965192

            Bug ID: 965192
           Summary: openssh: chroot jail for restricted access with SFTP clients fails
    Classification: openSUSE
           Product: openSUSE Distribution
           Version: 13.2
          Hardware: Other
                OS: Other
            Status: NEW
          Severity: Normal
          Priority: P5 - None
         Component: Other
          Assignee: bnc-team-screening@forge.provo.novell.com
          Reporter: bjoernv@arcor.de
        QA Contact: qa-bugs@suse.de
          Found By: ---
           Blocker: ---

I tried to create a restricted user "steve". Steve should only have access to his home folder /home/steve. I followed these guides:

Restrict SFTP users to home folder
https://bensmann.no/restrict-sftp-users-to-home-folder/

Trying to use jail users to home directories
http://www.linuxquestions.org/questions/linux-security-4/trying-to-use-jail-...

With some openSUSE specifics this was:

1) Modification of /etc/ssh/sshd_config:

LogLevel DEBUG3
[...]
Match Group sftponly
    ChrootDirectory %h
    ForceCommand /usr/lib/ssh/sftp-server
    AllowTcpForwarding no

2) User setup for "steve":

$ useradd -m steve
$ passwd steve
$ groupadd sftponly
$ usermod steve -g sftponly
$ usermod steve -s /bin/false
$ usermod steve -d /mnt/steve

3) Bind mount for /home/steve:

$ mount --rbind /home/steve /mnt/steve
$ mount -o remount,nodev,nosuid /mnt/steve/

Steve cannot access SFTP anyway (error "Write failed: Broken pipe"). The systemd journal shows:

Feb 04 17:46:03 cecilia sshd[14357]: debug1: SELinux support disabled
Feb 04 17:46:03 cecilia sshd[14357]: debug1: PAM: establishing credentials
Feb 04 17:46:03 cecilia sshd[14357]: debug3: safely_chroot: checking '/'
Feb 04 17:46:03 cecilia sshd[14357]: debug3: safely_chroot: checking '/mnt/'
Feb 04 17:46:03 cecilia sshd[14357]: debug3: safely_chroot: checking '/mnt/steve'
Feb 04 17:46:03 cecilia sshd[14357]: fatal: chroot into directory without nodev and either noexec or nosuid

But "nodev" and "nosuid" are set for the mount /mnt/steve:

$ mount
[...]
/dev/sda3 on / type ext4 (rw,relatime,errors=remount-ro,data=ordered)
[...]
/dev/sda3 on /mnt/steve type ext4 (rw,nosuid,nodev,relatime,errors=remount-ro,data=ordered)
[...]

Debugging shows that the function "test_nosuid" will probably only check the "/" mount (without nosuid, nodev), but not "/mnt/steve". Unfortunately there is no debuginfo package for openssh-6.6p1-5.3.1.x86_64, so debugging is not comfortable.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
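As an added example, not part of the bug report and not code from OpenSSH or the openSUSE package, the shell functions below reproduce the mount-option check that the "fatal: chroot into directory without nodev and either noexec or nosuid" line describes: given `mount` output, they pick the most specific mount point that contains a path (longest-prefix match, so /mnt/steve wins over / for anything under /mnt/steve) and test whether its options carry nodev plus nosuid or noexec. The mount table is constructed from the two lines quoted in the report; the function names and the SAMPLE_MOUNTS variable are my own, and the example checks only the mount that finally contains the path, not every path component the way the logged safely_chroot walk does.

```sh
#!/bin/sh
# Added example: check whether the mount containing a directory has the
# options sshd's chroot sanity check asks for (nodev and nosuid-or-noexec).
# Not taken from OpenSSH; function names are illustrative.

# Constructed sample: the two `mount` lines quoted in the bug report.
SAMPLE_MOUNTS='/dev/sda3 on / type ext4 (rw,relatime,errors=remount-ro,data=ordered)
/dev/sda3 on /mnt/steve type ext4 (rw,nosuid,nodev,relatime,errors=remount-ro,data=ordered)'

# mount_options_for PATH [MOUNT_OUTPUT]
# Prints the option string of the most specific mount point that contains PATH.
# MOUNT_OUTPUT defaults to the live `mount` output; pass a table to test offline.
mount_options_for() {
    local path mounts
    path=$1
    mounts=${2:-$(mount)}
    # Fields of a `mount` line: DEVICE on MOUNTPOINT type FSTYPE (OPTIONS)
    printf '%s\n' "$mounts" | awk -v p="$path" '
        {
            mp = $3
            opts = substr($NF, 2, length($NF) - 2)   # strip the parentheses
            # "/" contains every path; otherwise mp must equal p or be a
            # directory prefix of it ("/mnt/steve/" for "/mnt/steve/upload").
            if (mp == "/" || p == mp || index(p, mp "/") == 1) {
                if (length(mp) > length(best_mp)) { best_mp = mp; best_opts = opts }
            }
        }
        END { print best_opts }'
}

# chroot_mount_ok PATH [MOUNT_OUTPUT]
# Returns 0 when the containing mount has nodev and (nosuid or noexec),
# the combination the sshd log in the report demands; prints a verdict.
chroot_mount_ok() {
    local opts
    opts=",$(mount_options_for "$1" "$2"),"
    case $opts in
        *,nodev,*) ;;
        *) echo "$1: missing nodev (options: $opts)"; return 1 ;;
    esac
    case $opts in
        *,nosuid,*|*,noexec,*) echo "$1: ok (options: $opts)"; return 0 ;;
        *) echo "$1: missing nosuid/noexec (options: $opts)"; return 1 ;;
    esac
}

# Demo on the constructed table: /mnt/steve passes, /home/steve (on /) fails.
for p in /mnt/steve /mnt/steve/upload /home/steve; do
    chroot_mount_ok "$p" "$SAMPLE_MOUNTS" || true
done
```

On a live system, `chroot_mount_ok /mnt/steve` with no second argument reads the real `mount` output; `findmnt -T /mnt/steve -o TARGET,OPTIONS` shows the same containing mount and its options directly. Note that the path sshd checks is the resolved ChrootDirectory, which for `ChrootDirectory %h` is the user's home directory as set in the passwd entry (here /mnt/steve, as the journal lines show).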