[Bug 965192] New: openssh: chroot jail for restricted access with SFTP clients fails
http://bugzilla.opensuse.org/show_bug.cgi?id=965192

Bug ID: 965192
Summary: openssh: chroot jail for restricted access with SFTP clients fails
Classification: openSUSE
Product: openSUSE Distribution
Version: 13.2
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Other
Assignee: bnc-team-screening@forge.provo.novell.com
Reporter: bjoernv@arcor.de
QA Contact: qa-bugs@suse.de
Found By: ---
Blocker: ---

I tried to create a restricted user "steve". Steve should only have access to his home folder /home/steve. I followed the following guides:

Restrict SFTP users to home folder
https://bensmann.no/restrict-sftp-users-to-home-folder/

Trying to use jail users to home directories
http://www.linuxquestions.org/questions/linux-security-4/trying-to-use-jail-...

With some openSUSE specifics this was:

1) Modification of /etc/ssh/sshd_config:

LogLevel DEBUG3
[...]
Match Group sftponly
    ChrootDirectory %h
    ForceCommand /usr/lib/ssh/sftp-server
    AllowTcpForwarding no

2) User setup for "steve"

$ useradd -m steve
$ passwd steve
$ groupadd sftponly
$ usermod steve -g sftponly
$ usermod steve -s /bin/false
$ usermod steve -d /mnt/steve

3) Bind mount for /home/steve

$ mount --rbind /home/steve /mnt/steve
$ mount -o remount,nodev,nosuid /mnt/steve/

Steve cannot access SFTP anyway (error "Write failed: Broken pipe"). The systemd journal shows:

Feb 04 17:46:03 cecilia sshd[14357]: debug1: SELinux support disabled
Feb 04 17:46:03 cecilia sshd[14357]: debug1: PAM: establishing credentials
Feb 04 17:46:03 cecilia sshd[14357]: debug3: safely_chroot: checking '/'
Feb 04 17:46:03 cecilia sshd[14357]: debug3: safely_chroot: checking '/mnt/'
Feb 04 17:46:03 cecilia sshd[14357]: debug3: safely_chroot: checking '/mnt/steve'
Feb 04 17:46:03 cecilia sshd[14357]: fatal: chroot into directory without nodev and either noexec or nosuid

But "nodev" and "nosuid" are set for the mount /mnt/steve:

$ mount
[...]
/dev/sda3 on / type ext4 (rw,relatime,errors=remount-ro,data=ordered)
[...]
/dev/sda3 on /mnt/steve type ext4 (rw,nosuid,nodev,relatime,errors=remount-ro,data=ordered)
[...]

Debugging shows that the function "test_nosuid" will probably only check the "/" mount (without nosuid, nodev), but not "/mnt/steve". Unfortunately there is no debuginfo package for openssh-6.6p1-5.3.1.x86_64, so that debugging is not comfortable.

--
You are receiving this mail because:
You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=965192
http://bugzilla.opensuse.org/show_bug.cgi?id=965192#c1

--- Comment #1 from Björn Voigt <bjoernv@arcor.de> ---

The problem is caused by the function test_nosuid(char * path, dev_t fs). The function is part of the patch "openssh-6.6p1-sftp_homechroot.patch".

The function is unable to find the bind mount entries in the output of /bin/mount, because only the "/" mount is processed. Finding bind mounts is not so easy, because "stat" returns the same filesystem number (st.st_dev) for the bind mount compared with the bind mount origin (see the source code of the patch).

Mount options like nodev, noexec and nosuid are evaluated in bind mounts. From this perspective OpenSSH should not block access to directories configured like in this bug description.
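The comment above explains why a check keyed on st_dev (or on the first matching line of `mount` output) cannot tell a bind mount from its origin: both report the same device number. The following is an added example, not code from OpenSSH or from the openSUSE sftp_homechroot patch. It shows how the "nodev and either noexec or nosuid" rule from the fatal message can be evaluated per mount point instead: read /proc/self/mountinfo, pick the entry whose mount point is the longest prefix of the (resolved) chroot path, and test that entry's options. The mountinfo text used for testing is constructed here to mirror the two mounts in the report (same device 8:3, bind mount rooted at /home/steve); the mountinfo field layout follows proc(5).

```python
"""Per-mount-point check of the chroot directory's mount options.

Added example, not OpenSSH or openSUSE patch code. Instead of comparing
st_dev (identical for a bind mount and its origin) or scanning `mount`
output, it resolves the mount that actually covers the chroot path from
/proc/self/mountinfo and applies the rule sshd's fatal message states:
nodev must be set, plus nosuid or noexec.
"""
import os
import sys

# Constructed sample mirroring the report: / without nodev/nosuid, and a
# bind mount of /home/steve at /mnt/steve on the same device (8:3) that
# does carry nosuid,nodev.  Assumed data, not taken from a real host.
SAMPLE_MOUNTINFO = """\
21 0 8:3 / / rw,relatime shared:1 - ext4 /dev/sda3 rw,errors=remount-ro,data=ordered
45 21 8:3 /home/steve /mnt/steve rw,nosuid,nodev,relatime shared:1 - ext4 /dev/sda3 rw,errors=remount-ro,data=ordered
"""


def _unescape(field):
    """Undo mountinfo's \\ooo octal escapes (space, tab, newline, backslash)."""
    out, i = [], 0
    while i < len(field):
        esc = field[i + 1:i + 4]
        if field[i] == "\\" and len(esc) == 3 and all(c in "01234567" for c in esc):
            out.append(chr(int(esc, 8)))
            i += 4
        else:
            out.append(field[i])
            i += 1
    return "".join(out)


def parse_mountinfo(text):
    """Return a list of (mount_point, options) from mountinfo text.

    Per-mount flags (field 6) are where nodev/nosuid/noexec live for a
    bind mount; superblock options after the '-' separator are merged
    in so flags such as ro are visible too.
    """
    mounts = []
    for line in text.splitlines():
        parts = line.split(" ")
        if len(parts) < 7:
            continue
        mount_point = _unescape(parts[4])
        opts = set(parts[5].split(","))
        if "-" in parts:
            sep = parts.index("-")
            if len(parts) > sep + 3:
                opts.update(parts[sep + 3].split(","))
        mounts.append((mount_point, opts))
    return mounts


def covering_mount(path, mounts):
    """Pick the entry whose mount point is the longest prefix of path,
    i.e. the mount the kernel consults for that path."""
    path = os.path.normpath(path)
    best = None
    for mp, opts in mounts:
        mp_n = os.path.normpath(mp)
        if path == mp_n or path.startswith(mp_n.rstrip("/") + "/"):
            if best is None or len(mp_n) > len(best[0]):
                best = (mp_n, opts)
    return best


def chroot_mount_ok(path, mountinfo_text=None):
    """Return (ok, mount_point, options) for the mount covering path.

    With mountinfo_text=None the live /proc/self/mountinfo is read and
    the path is resolved first, so a symlinked ChrootDirectory is
    checked where it really lives.
    """
    if mountinfo_text is None:
        with open("/proc/self/mountinfo") as fh:
            mountinfo_text = fh.read()
        path = os.path.realpath(path)
    found = covering_mount(path, parse_mountinfo(mountinfo_text))
    if found is None:
        return False, None, set()
    mp, opts = found
    ok = "nodev" in opts and ("nosuid" in opts or "noexec" in opts)
    return ok, mp, opts


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "/mnt/steve"
    ok, mp, opts = chroot_mount_ok(target)
    print("%s -> mount %s options %s: %s" % (target, mp, ",".join(sorted(opts)),
                                             "ok" if ok else "REJECT"))
```

Run with the path from a ChrootDirectory line (for example `python3 check.py /mnt/steve`) on the host in question to see which mount entry is actually being matched; against the constructed sample, /mnt/steve is accepted while /home/steve falls back to the root mount and is rejected, which is the distinction the reporter expected sshd to make.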