[Bug 518238] New: openSSH chroot security settings faulty
http://bugzilla.novell.com/show_bug.cgi?id=518238

Summary: openSSH chroot security settings faulty
Classification: openSUSE
Product: openSUSE 11.1
Version: Final
Platform: x86
OS/Version: openSUSE 11.1
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Network
AssignedTo: bnc-team-screening@forge.provo.novell.com
ReportedBy: marcus@swedcore.net
QAContact: qa@suse.de
Found By: ---

User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.11) Gecko/2009060200 SUSE/3.0.11-0.1.1 Firefox/3.0.11

Whenever I tried to set up a chroot environment with OpenSSH, the security settings for the user folder must be root or OpenSSH doesn't work. The only solution for now is either to create subfolders in the user's chroot folder where the user can have write permissions, or to land them one step up in the hierarchy, thus making them see the other chroot folders, which is not good.

I followed this Wiki page to the letter: http://en.opensuse.org/Openssh#SFTP_chroot_with_ChrootDirectory

I have Swedish community users trying to set this up too, with the same result as me.

This thread takes up the same issue: http://marc.info/?l=openssh-unix-dev&m=122640731518850&w=2

But the solution mentioned there is not acceptable, because, as it states on the Wiki, you make one folder the chroot folder and then map the user's home folder relative to the chroot folder; in this scenario the user should get write permissions to his own folder, but that is not possible, thus breaking the intended functionality.

So the question is: is this a bug, or is it designed to act like this?

Reproducible: Always

Steps to Reproduce:
Done according to this wiki entry: http://en.opensuse.org/OpenSSH

Actual Results:
Gets a read-only home folder root

Expected Results:
Getting a writable home folder, where they can create folders and upload files directly to the root of their home folder.
--
Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
http://bugzilla.novell.com/show_bug.cgi?id=518238

Marcus Uddenhed <marcus@swedcore.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
              Alias|                            |soulskater
http://bugzilla.novell.com/show_bug.cgi?id=518238

Dirk Mueller <dmueller@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |security-team@suse.de
         AssignedTo|bnc-team-screening@forge.provo.novell.com|anicka@novell.com
http://bugzilla.novell.com/show_bug.cgi?id=518238

Anna Bernathova <anicka@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Priority|P5 - None                   |P3 - Medium
             Status|NEW                         |ASSIGNED
http://bugzilla.novell.com/show_bug.cgi?id=518238

User anicka@novell.com added comment
http://bugzilla.novell.com/show_bug.cgi?id=518238#c1

Anna Bernathova <anicka@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |CLOSED
         Resolution|                            |INVALID

--- Comment #1 from Anna Bernathova <anicka@novell.com> 2009-08-17 11:10:48 MDT ---

I believe that our wiki is wrong: the chroot directory IMHO does not have to be owned by root. Just skip the "chown root.root /home/$USERNAME;" and all goes fine. (You should also use, e.g., ChrootDirectory /home/%u instead of %h, because the string substituted for %h is obtained from getpwnam(), and this function gets it from /etc/passwd, so you will end up in "/" instead of home.)

I cannot find any security reason for making root the owner of the chroot directory; while "/" is written in passwd and so you have no way to force system daemons to run your binaries, all should be OK.

I will consult other people to make sure I am not wrong, and if not, I will fix the wiki entry. But I think you can safely follow my advice.

As this is a matter of permission settings, not an openssh bug, I am closing this as invalid.
http://bugzilla.novell.com/show_bug.cgi?id=518238
http://bugzilla.novell.com/show_bug.cgi?id=518238#c3

--- Comment #3 from Bernhard Wiedemann <bwiedemann@suse.com> ---

This is an autogenerated message for OBS integration:
This bug (518238) was mentioned in
https://build.opensuse.org/request/show/17814 Factory / pciutils
http://bugzilla.novell.com/show_bug.cgi?id=518238

SMASH SMASH <smash_bz@suse.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Whiteboard|maint:planned:update        |