OpenSSH ChrootDirectory oddities

2008-09-30 Thread Marian Hettwer 
Hi All,

first of all, thanks for the Feature to chroot sftp users. I've been
waiting for that one pretty long :)
Today I came back to that feature since I probably need it at work and
it'll be one more opportunity to not use a Linux system (Debian etch's
openssh is too old).

Anyway, back to the topic.

What I wanted to achieve is pretty much the following: Have some users, all
in the same group named sftp and if the log in via sftp they get chroot'ed
to their home directory.
However, I wind up after a login in /home not /home/$username

Now regarding my sshd_config:
Match Group sftp
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp
ChrootDirectory /home

and somewhere above:
Subsystem   sftpinternal-sftp

The user is named sftp1, is in group sftp, has home dir set to /home/sftp1
and has nologin as shell.
When I login via sftp, I wind up being in /home not /home/sftp1:

[EMAIL PROTECTED] ~]# sftp [EMAIL PROTECTED]
Connecting to localhost...
Password:
sftp ls -l
drwxr-x---4 1002 1001  512 Sep 12 15:46 jobauer
drwxr-x---  101 1001 1001 6656 Sep 30 16:05 mhettwer
drwxr-x---2 1003 1001  512 Sep 15 19:57 mt
drwx--3 1005 1003  512 Sep 30 16:06 sftp1
drwxr-xr-x2 1006 1003  512 Sep 30 16:42 sftp2
sftp 

which really is:
[EMAIL PROTECTED] ~]# ls -l /home/
total 16
drwxrwxr-x2 root  operator   512 Sep 12 11:39 .snap
drwxr-x---4 jobauer   shellme512 Sep 12 15:46 jobauer
drwxr-x---  101 mhettwer  shellme   6656 Sep 30 16:05 mhettwer
drwxr-x---2 mtshellme512 Sep 15 19:57 mt
drwx--3 sftp1 sftp   512 Sep 30 16:06 sftp1
drwx--2 sftp2 sftp   512 Sep 30 16:42 sftp2
[EMAIL PROTECTED] ~]# 

Of course I changed permission so that the only option is a cd sftp1 for
the user sftp1. But I really don't want sftp1 to see all home dirs.

I did try using /chroot as it was shown in examples on undeadly.org
However, thats the same situation. (sshd_config changed to /chroot instead
of /home)

[EMAIL PROTECTED] ~]# ls -l /chroot/
total 4
drwxr-xr-x  2 sftp1  sftp  512 Sep 30 11:30 sftp1
drwxr-xr-x  2 sftp2  sftp  512 Sep 30 16:09 sftp2

[EMAIL PROTECTED] ~]# sftp [EMAIL PROTECTED]
Connecting to localhost...
tPassword:
Password:
sftp ls -la
Couldn't get handle: Permission denied
sftp 

Woopsie. Thats probably due to:
[EMAIL PROTECTED] ~]# ls -ld /chroot/
drwx--  4 root  wheel  512 Sep 30 16:09 /chroot/

Permissions more open results in:
[EMAIL PROTECTED] ~]# ls -ld /chroot/
drwxr-xr-x  4 root  wheel  512 Sep 30 16:09 /chroot/

and via sftp:
[EMAIL PROTECTED] ~]# sftp [EMAIL PROTECTED]
Connecting to localhost...
Password:
sftp ls -la
drwxr-xr-x4 00 512 Sep 30 16:09 .
drwxr-xr-x4 00 512 Sep 30 16:09 ..
drwxr-xr-x2 1005 1003  512 Sep 30 11:30 sftp1
drwxr-xr-x2 1006 1003  512 Sep 30 16:09 sftp2


Again, I'm in /chroot not /chroot/sftp1 where I think I should be, right?

Okay... let's try /chroot/%u then in sshd_config...
No, I can't login, 'cause sshd is complaining about the permissions of
/chroot/sftp1:
Sep 30 16:47:12 motor sshd[23190]: fatal: bad ownership or modes for chroot
directory /chroot/sftp1

Fair enough... the manpage states, that it should belong root. Okay then:
[EMAIL PROTECTED] ~]# ls -l /chroot/
total 4
drwxr-xr-x  2 root  wheel  512 Sep 30 11:30 sftp1
drwxr-xr-x  2 root  wheel  512 Sep 30 16:09 sftp2

[EMAIL PROTECTED] ~]# sftp [EMAIL PROTECTED]
Connecting to localhost...
Password:
sftp ls -la
drwxr-xr-x2 00 512 Sep 30 11:30 .
drwxr-xr-x2 00 512 Sep 30 11:30 ..

where am I now?
Am I in /chroot/sftp1 ?
Could be, but due to these permissions, I'm not able to do anything:
sftp mkdir foo
Couldn't create directory: Permission denied

Okay, now it gets ugly. Maybe I can create a directoy named incoming in
/chroot/sftp1. Would look like that:
[EMAIL PROTECTED] ~]# ls -l /chroot/sftp1/
total 2
drwxr-xr-x  2 sftp1  sftp  512 Sep 30 16:49 incoming

And then via sftp...
[EMAIL PROTECTED] ~]# !sftp
sftp [EMAIL PROTECTED]
Connecting to localhost...
Password:
sftp ls -l
drwxr-xr-x2 1005 1003  512 Sep 30 16:49 incoming
sftp cd incoming
sftp ls -l
sftp mkdir foo
lsftp ls -l
drwxr-xr-x2 1005 1003  512 Sep 30 16:50 foo
sftp 


Okay, this works.
So back to my question... Is that really the way it's supposed to be?
No write access for the user when being chrooted in a directory, but
instead I have to create another sub directory where he has write
permissions?
Am I missing something obvious here or is this works as designed?

Last information bits: Yes, thats a FreeBSD box, but that shouldn't make
much of a difference for my testing purpose. The production box will be an
OpenBSD one :)

[EMAIL PROTECTED] ~]# ssh -V
OpenSSH_5.1p1 FreeBSD-20080901, OpenSSL 0.9.8e 23 Feb 2007
[EMAIL

Re: OpenSSH ChrootDirectory oddities

2008-09-30 Thread Cezary Morga 
Dnia wtorek, 30 wrzeEnia 2008, Marian Hettwer napisaE:
 What I wanted to achieve is pretty much the following: Have some
 users, all in the same group named sftp and if the log in via sftp
 they get chroot'ed to their home directory.
 However, I wind up after a login in /home not /home/$username

From the manpage:
 Specifies a path to chroot(2) to after authentication.  This
 path, and all its components, must be root-owned directories that
 are not writable by any other user or group.

So if you wan't to chroot user sftp1 in /home/sftp1 use:
 ChrootDirectory /home/%u

Still, /home/sftp1 MUST be root owned, thus user sftp1 won't be allowed
to write there anything.  You can create a directory under /home/sftp1
(like upload) owned by sftp1, where the chrooted user will be able to
write, delete and do whatever else he wishes.
--
Cezary Morga
A fellow who is always declaring he's no fool usually has his
suspicions. (Wilson Mizner)