Perhaps I did it wrong, but when I set up lshell, I was still able to path outside of my home directory. While I couldn't VIEW the files in other directories I was still able to path the directory structure...

That's why I didn't like it and haven't implemented it yet, but I'll have to as I want to use sftp. I'll redo it again I guess and see what happens.

On Fri, Mar 5, 2010 at 7:20 PM, Michael Mansour <[email protected]> wrote:
> Hi Victor,
>
> > Well, could you (or someone else) point me in the direction of a
> > clear and well defined guide for centos 5.4 and setting up jailing
> > of chroot users that won't allow them to path outside of their
> > jailed directories at all?
>
> I know how to do it but it's been some years since I had to. In the past
> I've done it on RHEL4 and HP-UX 10/11.
>
> From memory (and someone can correct me if I'm wrong here), the general
> process is:
>
> 1. decide on scp or sftp
>
> 2. depending on 1, use "ldd" to find the shared libraries required for the
> binary. Newer openssh versions don't need this step for chroot sftp, only
> for chroot scp.
>
> 3. enable the "chrootdirectory" option in sshd_config and set your
> directory to chroot
>
> 4. assign a subdirectory of that directory as the users home directory
> (forgot whether that's something like /chroot/./home/ or similar)
>
> > I know of rssh part of things to restrict commands etc. But I need
> > the chroot side of things too. So far in those that DO have chroot
> > running, they've had to build later versions of openssh and I'd
> > rather have a packaged install from rpm/epel or centos.
>
> I actually don't like the way the developers do the chroot, since they
> required that you have a new home directory structure.
>
> When I need this, I personally chroot people using this tool:
>
> # rpm -qi lshell
> Name        : lshell                          Relocations: /usr
> Version     : 0.9.8                                Vendor: Ignace Mouzannar (ghantoos) <[email protected]>
> Release     : 1                                Build Date: Tue 01 Dec 2009 09:50:54 AM EST
> Install Date: Mon 14 Dec 2009 12:16:55 PM EST    Build Host: g-centos5
> Group       : System Environment/Shells        Source RPM: lshell-0.9.8-1.src.rpm
> Size        : 127720                              License: GPL
> Signature   : (none)
> URL         : http://lshell.ghantoos.org
> Summary     : Limited Shell
> Description :
> lshell is a shell coded in Python that lets you restrict a user's environment
> to limited sets of commands, choose to enable/disable any command over SSH
> (e.g. SCP, SFTP, rsync, etc.), log user's commands, implement timing
> restrictions, and more.
>
> It allows me to set the commands, their home_path (which is the chroot),
> whether they can use scp, sftp, etc.
>
> I've used it for years and it works fine and doesn't require any special
> chroot directory trees or libraries like openssh does.
>
> Regards,
>
> Michael.
>
> > On Fri, Mar 5, 2010 at 4:32 PM, Michael Mansour <[email protected]> wrote:
> > > Hi,
> > >
> > > > I'd like to see rpmforge look to update OpenSSH to 4.8p1 or later.
> > > > Reason is this version (from what I can determine) has the built-in
> > > > ability to Jail users to their home directory if you enabled SSH (IE: SFTP).
> > > >
> > > > But in the versions available in centos / rpm / epel they are all at
> > > > 4.3 something.
> > >
> > > The last openssh version I have:
> > >
> > > openssh-4.3p2-36.el5_4.2.i386
> > >
> > > Supports it (from the man page):
> > >
> > > ChrootDirectory
> > >     Specifies a path to chroot(2) to after authentication. This
> > >     path, and all its components, must be root-owned directories that
> > >     are not writable by any other user or group.
> > >
> > >     The path may contain the following tokens that are expanded at
> > >     runtime once the connecting user has been authenticated: %% is
> > >     replaced by a literal '%', %h is replaced by the home directory
> > >     of the user being authenticated, and %u is replaced by the
> > >     username of that user.
> > >
> > >     The ChrootDirectory must contain the necessary files and
> > >     directories to support the users' session. For an interactive
> > >     session this requires at least a shell, typically sh(1), and basic
> > >     /dev nodes such as null(4), zero(4), stdin(4), stdout(4), stderr(4),
> > >     arandom(4) and tty(4) devices. For file transfer sessions using
> > >     "sftp", no additional configuration of the environment is necessary
> > >     if the in-process sftp server is used (see Subsystem for details).
> > >     "internal-sftp" will force the use of an in-process sftp server that
> > >     requires no support files when used with ChrootDirectory.
> > >
> > >     The default is not to chroot(2).
> > >
> > > Regards,
> > >
> > > Michael.
> > >
> > > > Thanks in advance!
> > > >
> > > > --
> > > > Victor ('Daworm')
> > > > * Melbourne Wireless Node: KDJ & KDT
> > > > * Natural Selection 2 Wiki Sysop (http://www.unknownworlds.com/ns2/wiki/)
> > > > * AoCWiki Sysop (http://aoc.wikia.com/)
> > > > * Twitter: @dawormie
> > > ------- End of Original Message -------
> ------- End of Original Message -------
suggest mailing list
[email protected]
http://lists.rpmforge.net/mailman/listinfo/suggest
