http://bugzilla.novell.com/show_bug.cgi?id=518238
Summary: openSSH chroot security settings faulty
Classification: openSUSE
Product: openSUSE 11.1
Version: Final
Platform: x86
OS/Version: openSUSE 11.1
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Network
AssignedTo: bnc-team-screening@forge.provo.novell.com
ReportedBy: marcus@swedcore.net
QAContact: qa@suse.de
Found By: ---
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.11) Gecko/2009060200 SUSE/3.0.11-0.1.1 Firefox/3.0.11
Whenever I try to set up a chroot environment with OpenSSH, the user folder must be owned by root or OpenSSH doesn't work. The only solution for now is either to create subfolders in the user's chroot folder where the user can have write permissions, or to land them one step up in the hierarchy, thus making them see the other chroot folders, which is not good.
I followed this Wiki page to the letter: http://en.opensuse.org/Openssh#SFTP_chroot_with_ChrootDirectory
I have Swedish community users trying to set this up too, with the same result as me.
This thread takes up the same issue: http://marc.info/?l=openssh-unix-dev&m=122640731518850&w=2
But the solution mentioned there is not acceptable, because, as it states on the Wiki, you make one folder the chroot folder and then map the user's home folder relative to the chroot folder. In this scenario the user should get write permission to his own folder, but that is not possible, thus breaking the intended functionality.
So the question is, is this a bug or is it designed to act like this?
Reproducible: Always

Steps to Reproduce: Done according to this wiki entry: http://en.opensuse.org/OpenSSH

Actual Results: Gets a read-only home folder root.

Expected Results: Getting a writable home folder, where they can create a folder and upload files directly to the root of their home folder.
Marcus Uddenhed marcus@swedcore.net changed:

What       | Removed | Added
-----------|---------|-----------
Alias      |         | soulskater
Dirk Mueller dmueller@novell.com changed:

What       | Removed                                   | Added
-----------|-------------------------------------------|----------------------
CC         |                                           | security-team@suse.de
AssignedTo | bnc-team-screening@forge.provo.novell.com | anicka@novell.com
Anna Bernathova anicka@novell.com changed:

What       | Removed   | Added
-----------|-----------|------------
Priority   | P5 - None | P3 - Medium
Status     | NEW       | ASSIGNED
User anicka@novell.com added comment http://bugzilla.novell.com/show_bug.cgi?id=518238#c1
Anna Bernathova anicka@novell.com changed:

What       | Removed  | Added
-----------|----------|--------
Status     | ASSIGNED | CLOSED
Resolution |          | INVALID
--- Comment #1 from Anna Bernathova anicka@novell.com 2009-08-17 11:10:48 MDT --- I believe that our wiki is wrong: the chroot directory IMHO does not have to be owned by root. Just skip the "chown root.root /home/$USERNAME;" and all goes fine. (You should also use, e.g., ChrootDirectory /home/%u instead of %h, because the string substituted for %h is obtained from getpwnam(), and this function gets it from /etc/passwd, so you will end up in "/" instead of home.)
I cannot find any security reason for making root the owner of the chroot directory - while "/" is written in passwd, and so you have no way to force system daemons to run your binaries, all should be OK.
I will consult with other people to make sure I am not wrong, and if I am not, I will fix the wiki entry. But I think you can safely follow my advice.
As this is a matter of permission settings, not an openssh bug, I am closing this as invalid.
http://bugzilla.novell.com/show_bug.cgi?id=518238#c3
--- Comment #3 from Bernhard Wiedemann bwiedemann@suse.com --- This is an autogenerated message for OBS integration: This bug (518238) was mentioned in https://build.opensuse.org/request/show/17814 Factory / pciutils
SMASH SMASH smash_bz@suse.de changed:

What       | Removed              | Added
-----------|----------------------|------
Whiteboard | maint:planned:update |