Bug ID | 965192 |
---|---|
Summary | openssh: chroot jail for restricted access with SFTP clients fails |
Classification | openSUSE |
Product | openSUSE Distribution |
Version | 13.2 |
Hardware | Other |
OS | Other |
Status | NEW |
Severity | Normal |
Priority | P5 - None |
Component | Other |
Assignee | bnc-team-screening@forge.provo.novell.com |
Reporter | bjoernv@arcor.de |
QA Contact | qa-bugs@suse.de |
Found By | --- |
Blocker | --- |
I tried to create a restricted user "steve". Steve should only have access to his home folder /home/steve. I followed these guides:

Restrict SFTP users to home folder
https://bensmann.no/restrict-sftp-users-to-home-folder/

Trying to use jail users to home directories
http://www.linuxquestions.org/questions/linux-security-4/trying-to-use-jail-users-to-home-directories-913610/

With some openSUSE specifics this was:

1) Modification of /etc/ssh/sshd_config:

```
LogLevel DEBUG3
[...]
# Applies to every user whose group is sftponly
Match Group sftponly
    ChrootDirectory %h
    ForceCommand /usr/lib/ssh/sftp-server
    AllowTcpForwarding no
```

2) User setup for "steve":

```
$ useradd -m steve
$ passwd steve
$ groupadd sftponly
$ usermod steve -g sftponly
$ usermod steve -s /bin/false
$ usermod steve -d /mnt/steve
```

3) Bind mount for /home/steve:

```
$ mount --rbind /home/steve /mnt/steve
$ mount -o remount,nodev,nosuid /mnt/steve/
```

Steve cannot access SFTP anyway (error "Write failed: Broken pipe"). The systemd journal shows:

```
Feb 04 17:46:03 cecilia sshd[14357]: debug1: SELinux support disabled
Feb 04 17:46:03 cecilia sshd[14357]: debug1: PAM: establishing credentials
Feb 04 17:46:03 cecilia sshd[14357]: debug3: safely_chroot: checking '/'
Feb 04 17:46:03 cecilia sshd[14357]: debug3: safely_chroot: checking '/mnt/'
Feb 04 17:46:03 cecilia sshd[14357]: debug3: safely_chroot: checking '/mnt/steve'
Feb 04 17:46:03 cecilia sshd[14357]: fatal: chroot into directory without nodev and either noexec or nosuid
```

But "nodev" and "nosuid" are set for the mount /mnt/steve:

```
$ mount
[...]
/dev/sda3 on / type ext4 (rw,relatime,errors=remount-ro,data=ordered)
[...]
/dev/sda3 on /mnt/steve type ext4 (rw,nosuid,nodev,relatime,errors=remount-ro,data=ordered)
[...]
```

Debugging shows that the function "test_nosuid" probably only checks the "/" mount (without nosuid, nodev), but not "/mnt/steve". Unfortunately there is no debuginfo package for openssh-6.6p1-5.3.1.x86_64, so debugging is not convenient.
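The following script is an added example for reproducing the check behind the reported error message outside sshd; it is not code from the bug report, from openSUSE or from openssh, and its function names are the example's own. It takes a mount table in the /proc/self/mounts format, finds the mount that actually covers a given directory, and applies the rule the error message states: the mount must carry "nodev" and at least one of "nosuid" or "noexec". The mount table below is constructed from the `mount` output in the report (plus two unrelated entries) so the script runs offline.

```shell
#!/bin/sh
# Added example, not code from the bug report or from openssh. It applies the
# rule in sshd's message ("chroot into directory without nodev and either
# noexec or nosuid") to a path by looking up the mount that path lives on.
# Input is text in the /proc/self/mounts format:
#   device mountpoint fstype options dump pass
# Function and variable names are the example's own.

# Constructed sample table, modelled on the `mount` output in the report;
# entries are in kernel mount order, as /proc/self/mounts lists them.
SAMPLE_MOUNTS='/dev/sda3 / ext4 rw,relatime,errors=remount-ro,data=ordered 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda3 /mnt/steve ext4 rw,nosuid,nodev,relatime,errors=remount-ro,data=ordered 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,relatime 0 0'

# mount_options_for PATH MOUNTS_TEXT
# Prints the option list of the deepest mount point covering PATH, i.e. the
# mount whose options apply to that directory. A later entry with the same
# mount point shadows an earlier one, as it does in the kernel.
mount_options_for() {
    printf '%s\n' "$2" | awk -v path="$1" '
        {
            mp = $2
            covers = (mp == "/" || path == mp || index(path, mp "/") == 1)
            if (covers && length(mp) >= length(best)) { best = mp; opts = $4 }
        }
        END { print opts }'
}

# has_opt OPTIONS NAME: true if NAME is a whole entry of the comma-separated
# OPTIONS string (so "nodev" does not match "nodevfoo").
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# chroot_mount_ok PATH MOUNTS_TEXT: succeeds only if the mount covering PATH
# has nodev and at least one of nosuid/noexec.
chroot_mount_ok() {
    opts=$(mount_options_for "$1" "$2")
    has_opt "$opts" nodev || return 1
    has_opt "$opts" nosuid && return 0
    has_opt "$opts" noexec && return 0
    return 1
}

# chroot_mount_report PATH MOUNTS_TEXT: one-line verdict; always returns 0.
chroot_mount_report() {
    opts=$(mount_options_for "$1" "$2")
    if chroot_mount_ok "$1" "$2"; then
        printf 'OK    %-12s %s\n' "$1" "$opts"
    else
        printf 'FATAL %-12s %s (needs nodev and nosuid or noexec)\n' "$1" "$opts"
    fi
}

# Walk the components sshd logged ("/", "/mnt", "/mnt/steve") plus the
# original, unmounted home directory so the verdicts can be compared.
for p in / /mnt /mnt/steve /home/steve; do
    chroot_mount_report "$p" "$SAMPLE_MOUNTS"
done
```

With the sample table only /mnt/steve passes; "/" and "/mnt" sit on the root mount, which has neither option, and /home/steve is the same root mount seen through its original path. On a live system the equivalent lookup is `findmnt -T /mnt/steve -o TARGET,OPTIONS` or a grep of /proc/self/mounts. Two further requirements of ChrootDirectory are worth checking in the same session: sshd_config(5) requires the chroot directory and every component above it to be root-owned and not group- or world-writable, and a ForceCommand that points at the external sftp-server binary needs that binary (and its libraries) inside the chroot, which "ForceCommand internal-sftp" avoids.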