Full Discussion: openssh and chroot.
Operating Systems Solaris openssh and chroot. Post 302367828 by vettec3 on Tuesday 3rd of November 2009 02:54:21 PM

Hi all. I have installed openssh 5.3 and set up jailed root.

It works almost as I want it to. I can't cd to any directory above my chroot.

my config :
entry in passwd:
Code:
test2:x:103:113::/users2/test2:/bin/false

sshd_conf:
Code:
Match User test2
ChrootDirectory /users2/%u
#       X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp

directories:
/users2 owner root:root 755
/users2/test2 owner root:root 755
/users/test2/ftpfiles owner test2:mygroup 755

When I do sftp test2@testhost I enter in /users2/test2, but there I can't write, so I have to cd into ftpfiles.
Is this the expected behavior? I expected to enter directly into a directory where I could write, preferably /users2/test2.

Should I use other options to ChrootDirectory?

Thanks in advance.

/Jan

Last edited by pludi; 11-03-2009 at 05:22 PM.. Reason: code tags, please...
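
The behaviour described in the post follows from the rule sshd_config(5) states for ChrootDirectory: every component of the pathname must be a root-owned directory that is not writable by any other user or group. The check below is an added example, not part of the original post; the function names check_entry and check_chroot are hypothetical, and the ls -ldn lines are constructed to mirror the layout the post describes.

```shell
#!/bin/sh
# Added example: audit a ChrootDirectory path against sshd's rule that every
# path component is a root-owned directory not writable by group or others.

# check_entry LINE: judge one line of `ls -ldn` output (numeric uid in field 3).
# Prints "ok" or the reason for failure; returns 0 only for "ok".
check_entry() {
    set -f; set -- $1; set +f      # split the line into fields without globbing
    mode=$1 uid=$3
    case $mode in
        d*) ;;
        *)  echo "not a directory"; return 1 ;;
    esac
    [ "$uid" = 0 ] || { echo "owner uid $uid is not root"; return 1; }
    # In "drwxrwxrwx", character 6 is group-write and character 9 is other-write.
    [ "$(printf '%s' "$mode" | cut -c6)" != w ] || { echo "group-writable"; return 1; }
    [ "$(printf '%s' "$mode" | cut -c9)" != w ] || { echo "world-writable"; return 1; }
    echo ok
}

# check_chroot PATH: run check_entry on PATH and every parent up to /.
# Returns non-zero if any component would make sshd reject the chroot.
check_chroot() {
    p=$1 rc=0
    while :; do
        verdict=$(check_entry "$(ls -ldn "$p")") || rc=1
        printf '%-28s %s\n' "$p" "$verdict"
        case $p in /|.) break ;; esac   # stop at the root (or a relative path)
        p=$(dirname "$p")
    done
    return $rc
}

# Constructed sample lines mirroring the layout in the post (uid 103 = test2).
SAMPLE='drwxr-xr-x 3 0 0 512 Nov 3 2009 /users2
drwxr-xr-x 3 0 0 512 Nov 3 2009 /users2/test2
drwxr-xr-x 2 103 113 512 Nov 3 2009 /users2/test2/ftpfiles
drwxrwxr-x 3 0 0 512 Nov 3 2009 /users2/groupwritable'

printf '%s\n' "$SAMPLE" | while IFS= read -r line; do
    printf '%-28s %s\n' "${line##* }" "$(check_entry "$line" || true)"
done
```

On a live host, check_chroot /users2/test2 applies the same test to the real directories; the user-owned ftpfiles line fails the check, which is why a directory the user can write to cannot itself be the chroot.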
 

Safe::Hole(3pm)          User Contributed Perl Documentation          Safe::Hole(3pm)

NAME
    Safe::Hole - make a hole to the original main compartment in the Safe compartment

SYNOPSIS
    use Safe;
    use Safe::Hole;
    $cpt = new Safe;
    $hole = new Safe::Hole {};
    sub test { Test->test; }
    $Testobj = new Test;
    # $cpt->share('&test');  # alternate as next line
    $hole->wrap(\&test, $cpt, '&test');
    # ${$cpt->varglob('Testobj')} = $Testobj;  # alternate as next line
    $hole->wrap($Testobj, $cpt, '$Testobj');
    $cpt->reval('test; $Testobj->test;');
    print $@ if $@;
    package Test;
    sub new { bless {},shift(); }
    sub test { my $self = shift; $self->test2; }
    sub test2 { print "Test->test2 called\n"; }

DESCRIPTION
    We can call outside defined subroutines from the Safe compartment using share(), or can call methods through the object that is copied into the Safe compartment using varglob(). But those subroutines or methods are executed in the Safe compartment too, so they cannot call other subroutines that are dynamically qualified with the package name, such as class methods, nor can they compile code that uses opcodes that are forbidden within the compartment.

    Through Safe::Hole, we can execute outside defined subroutines in the original main compartment from the Safe compartment.

    Note that if a subroutine called through Safe::Hole::call does a Carp::croak() it will report the error as having occurred within Safe::Hole. This can be avoided by including Safe::Hole::User in the @ISA for the package containing the subroutine.

  Methods
    new [NAMESPACE]
        Class method. Backward compatible constructor. NAMESPACE is the alternate root namespace that makes the compartment in which the call() method executes the subroutine. Default of NAMESPACE means the current 'main'. This emulates the behaviour of Safe-Hole-0.08 and earlier.

    new \%arguments
        Class method. Constructor. The constructor is called with a hash reference providing the constructor arguments. The argument ROOT specifies the alternate root namespace for the object. If the ROOT argument is not specified then the Safe::Hole object will attempt to restore as much as it can of the environment in which it was constructed. This includes the opcode mask, %INC and @INC. If a root namespace is specified then it would not make sense to restore the %INC and @INC from main:: so this is not done. Also, if a root namespace is given, the opcode mask is not restored either.

    call $coderef [,@args]
        Object method. Call the subroutine referred to by $coderef in the compartment that is specified with the constructor new. @args are passed as the arguments to the called $coderef. Note that the arguments are not currently passed by reference, although this may change in a future version.

    wrap $ref [,$cpt ,$name]
        Object method. If $ref is a code reference, this method returns the anonymous subroutine reference that calls $ref using the call() method of Safe::Hole (see above). If $ref is a class object, this method makes a wrapper class of that object and returns a new object of the wrapper class. Through the wrapper class, all original class methods are called using the call() method of Safe::Hole. If $cpt as a Safe object and $name as a subroutine or scalar name are specified, this method works like the share() method of Safe. When $ref is a code reference, $name must be like '&subroutine'. When $ref is an object, $name must be like '$var'. The name $name may not be the same as the referent of $ref. For example:

            $hole->wrap(\&foo, $cpt, '&bar');
            $hole->wrap(sub{...}, $cpt, '&foo');
            $hole->wrap($objfoo, $cpt, '$objbar');

    root
        Object method. Return the namespace that is specified with the constructor new(). If no namespace was specified then root() returns 'main'.

  Warning
    You MUST NOT share the Safe::Hole object with the Safe compartment. If you do, the Safe compartment is NOT safe.

    This module provides a means to go from a state where an opcode is denied back to a state where it is not. Reasonable care has been taken to ensure that programs cannot simply manipulate the internals of the Safe::Hole object to reduce the opmask in effect. However, there may still be a way that the authors have not considered. In particular, it relies on the fact that a Perl program cannot change stuff inside the magic on a Perl variable. If you install a module that allows a Perl program to fiddle inside the magic then this assumption breaks down. One would hope that any system that was running un-trusted code would not have such a module installed.

AUTHORS
    Sey Nakajima <nakajima@netstock.co.jp> (Initial version)
    Brian McCauley <nobull@cpan.org> (Maintenance)
    Todd Rinaldo <toddr@cpan.org> (Maintenance)

SEE ALSO
    Safe(3).

perl v5.14.2                        2011-11-15                        Safe::Hole(3pm)