Mailinglist Archive: opensuse-bugs (4504 mails)

[Bug 965192] New: openssh: chroot jail for restricted access with SFTP clients fails
  • From: bugzilla_noreply@xxxxxxxxxx
  • Date: Thu, 04 Feb 2016 16:58:55 +0000
  • Message-id: <bug-965192-21960@http.bugzilla.opensuse.org/>
http://bugzilla.opensuse.org/show_bug.cgi?id=965192


Bug ID: 965192
Summary: openssh: chroot jail for restricted access with SFTP clients fails
Classification: openSUSE
Product: openSUSE Distribution
Version: 13.2
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Other
Assignee: bnc-team-screening@xxxxxxxxxxxxxxxxxxxxxx
Reporter: bjoernv@xxxxxxxx
QA Contact: qa-bugs@xxxxxxx
Found By: ---
Blocker: ---

I tried to create a restricted user "steve". Steve should only have access to
his home folder /home/steve. I followed the following guides:

Restrict SFTP users to home folder
https://bensmann.no/restrict-sftp-users-to-home-folder/

Trying to use jail users to home directories
http://www.linuxquestions.org/questions/linux-security-4/trying-to-use-jail-users-to-home-directories-913610/

With some openSUSE specifics this was:

1) Modification of /etc/ssh/sshd_config:
LogLevel DEBUG3

[...]
Match Group sftponly
ChrootDirectory %h
ForceCommand /usr/lib/ssh/sftp-server
AllowTcpForwarding no

2) User setup for "steve"
$ useradd -m steve
$ passwd steve
$ groupadd sftponly
$ usermod steve -g sftponly
$ usermod steve -s /bin/false
$ usermod steve -d /mnt/steve

3) Bind mount for /home/steve

$ mount --rbind /home/steve /mnt/steve
$ mount -o remount,nodev,nosuid /mnt/steve/

Nevertheless, Steve cannot access SFTP (error "Write failed: Broken pipe").

The systemd journal shows:
Feb 04 17:46:03 cecilia sshd[14357]: debug1: SELinux support disabled
Feb 04 17:46:03 cecilia sshd[14357]: debug1: PAM: establishing credentials
Feb 04 17:46:03 cecilia sshd[14357]: debug3: safely_chroot: checking '/'
Feb 04 17:46:03 cecilia sshd[14357]: debug3: safely_chroot: checking '/mnt/'
Feb 04 17:46:03 cecilia sshd[14357]: debug3: safely_chroot: checking '/mnt/steve'
Feb 04 17:46:03 cecilia sshd[14357]: fatal: chroot into directory without nodev and either noexec or nosuid

But "nodev" and "nosuid" are set for the mount /mnt/steve:
$ mount
[...]
/dev/sda3 on / type ext4 (rw,relatime,errors=remount-ro,data=ordered)
[...]
/dev/sda3 on /mnt/steve type ext4 (rw,nosuid,nodev,relatime,errors=remount-ro,data=ordered)
[...]

Debugging shows that the function "test_nosuid" probably only checks the "/" mount
(without nosuid, nodev), but not "/mnt/steve". Unfortunately there is no
debuginfo package for openssh-6.6p1-5.3.1.x86_64, so debugging is not
comfortable.

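As an added check (example code written for this page, not part of the bug report or of openssh), the script below resolves which mount each component of a ChrootDirectory path lies on from /proc/mounts-style lines and tests the combination the fatal message asks for: nodev together with nosuid or noexec. The mount table is a constructed sample copying the two mounts shown above; on a live system feed it the contents of /proc/self/mounts instead.

```shell
#!/bin/sh
# Added example (not from the bug report or openssh): locate the mount a path
# resides on and check it for nodev plus nosuid or noexec.

# Constructed sample mirroring the two mounts listed in the report.
SAMPLE_MOUNTS='/dev/sda3 / ext4 rw,relatime,errors=remount-ro,data=ordered 0 0
/dev/sda3 /mnt/steve ext4 rw,nosuid,nodev,relatime,errors=remount-ro,data=ordered 0 0'

# mount_options MOUNTS PATH: print the option string of the longest mountpoint
# that is a prefix of PATH, i.e. the mount PATH actually lives on.
mount_options() {
    printf '%s\n' "$1" | awk -v p="$2" '
        {
            mp = $2
            # "/" matches everything; other mountpoints must match whole components
            if (mp == "/" || p == mp || index(p, mp "/") == 1) {
                if (length(mp) > length(best)) { best = mp; opts = $4 }
            }
        }
        END { print opts }'
}

# has_opt OPTS NAME: succeed if NAME is one of the comma-separated options.
has_opt() {
    case ",$1," in *",$2,"*) return 0 ;; esac
    return 1
}

# chroot_opts_ok OPTS: the condition from the sshd error, nodev and (noexec or nosuid).
chroot_opts_ok() {
    has_opt "$1" nodev && { has_opt "$1" nosuid || has_opt "$1" noexec; }
}

# check_chroot MOUNTS PATH: print "ok" or "FAIL" plus the options found for PATH.
check_chroot() {
    opts=$(mount_options "$1" "$2")
    if chroot_opts_ok "$opts"; then echo "ok $2 ($opts)"; else echo "FAIL $2 ($opts)"; fi
}

# Walk the components of the chroot path, as the debug3 lines in the report do,
# so it is visible which mount each component lands on.
walk_chroot() {
    check_chroot "$1" /
    path=
    for comp in $(printf '%s\n' "$2" | tr '/' ' '); do
        path="$path/$comp"
        check_chroot "$1" "$path"
    done
}

walk_chroot "$SAMPLE_MOUNTS" /mnt/steve
```

With the sample table, "/" and "/mnt" report FAIL because they resolve to the root filesystem, while "/mnt/steve" resolves to the bind mount and reports ok.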