-----Original Message-----
From: CentOS [mailto:centos-bounces at centos.org] On Behalf Of Rainer Duffner
Sent: Saturday, 21 October 2017 00:41
To: CentOS mailing list
Subject: Re: [CentOS] scp setup jailed chroot on Centos7

> On 20.10.2017 at 15:58, Adrian Jenzer <a.jenzer at herzogdemeuron.com> wrote:
>
> > Dear all
> >
> > I'm looking for instructions on how to set up a jailed chroot directory for a user who needs to upload via scp to the server.
> > Especially I miss clear instructions about what needs to be available in the jailed directory, like binaries, libraries, etc...
> > Without a jail I get it to work, but I want to prevent the user from downloading, for example, the /etc folder from the server.
> >
> > Does anybody have a link or list valid for CentOS 7?
>
> Can't you use SFTP?
> AFAIK, sftp automatically chroots a user with no valid shell (provided the home directory is owned by root and not writeable by the user and you use Subsystem internal-sftp).

Hi Rainer

I would if I could but external offers only FTP and SCP...

Regards
Adrian

_______________________________________________
CentOS mailing list
CentOS at centos.org
https://lists.centos.org/mailman/listinfo/centos
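The internal-sftp chroot that Rainer suggests has two halves: a Match block in sshd_config, and a chroot path that sshd will accept (every component owned by root and not group- or world-writable; otherwise the login fails with "bad ownership or modes for chroot directory"). The script below is an added example, not from the thread or from any project mentioned in it; the group name sftponly, the chroot location /home/%u and the user name upload are assumptions.

```shell
#!/bin/sh
# Added example: sshd_config fragment for chroot-only SFTP users plus a check
# of the ownership/permission rules sshd applies to ChrootDirectory.
# Assumed names: group "sftponly", chroot /home/<user>, demo user "upload".

# Print the sshd_config fragment for a chroot-only SFTP group ($1).
sftp_chroot_config() {
    cat <<EOF
Subsystem sftp internal-sftp

Match Group $1
    ChrootDirectory /home/%u
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
EOF
}

# Decide whether one path component is acceptable as part of ChrootDirectory.
# $1: numeric owner uid, $2: symbolic mode as printed by "stat -c %A"
# (e.g. drwxr-xr-x). Returns 0 if acceptable, 1 otherwise.
chroot_component_ok() {
    uid="$1"; mode="$2"
    [ "$uid" = "0" ] || return 1          # must be owned by root
    case "$mode" in
        ?????w*) return 1 ;;              # group-writable (6th character)
    esac
    case "$mode" in
        ????????w*) return 1 ;;           # world-writable (9th character)
    esac
    return 0
}

# Walk from the chroot directory up to / and report every component that
# violates the rules. Returns 0 if the whole path is acceptable, 1 otherwise,
# 2 if a component cannot be inspected.
check_chroot_path() {
    dir="$1"; rc=0
    while :; do
        uid=$(stat -c '%u' "$dir") || return 2
        mode=$(stat -c '%A' "$dir") || return 2
        if ! chroot_component_ok "$uid" "$mode"; then
            echo "NOT OK: $dir (uid=$uid mode=$mode)"
            rc=1
        fi
        [ "$dir" = "/" ] && break
        dir=$(dirname "$dir")
    done
    return $rc
}

# Stand-alone use: print the config and check the chroot of the demo user.
if [ "${1:-}" = "--demo" ]; then
    sftp_chroot_config sftponly
    check_chroot_path /home/upload && echo "chroot path /home/upload is acceptable"
fi
```

Run it with `--demo` on the server after creating the user; a chroot placed under a world-writable directory such as /tmp is reported as NOT OK at that component, which is exactly the case sshd refuses.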
rainer at ultra-secure.de
2017-Oct-24 13:24 UTC
[CentOS] scp setup jailed chroot on Centos7
On 2017-10-24 12:19, Adrian Jenzer wrote:
> Hi Rainer
> I would if I could but external offers only FTP and SCP...
>
> Regards Adrian

AFAIK, for scp you need a proper shell.

I've done that exactly once (chrooted ssh) and it was such a pain that I vowed to never do it again.

The problem is that inside the chroot, you need:

- name resolution
- a minimal passwd/shadow/group file (or ldap)
- maybe for scp, you can get away with a rather minimal device tree - but for actual SSH access, I needed a fairly complete device tree inside the chroot (ttys ...).
- that was with FreeBSD 10, I never tried it with anything else (due to its history with jails, creating functional, limited chroot environments is somewhat in its genes, so to speak)

Somebody sent me the link to these scripts:

https://github.com/codelibre-net/schroot

Maybe you can use those scripts - I've never tried them.

Also, there's scp-only:
https://github.com/scponly/scponly/wiki

Haven't used that in years, either.
Concern over that one seemed to be that it's "another" shell and nobody had apparently done a thorough audit of it.
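The tedious part of the chroot Rainer describes (binaries with every shared library they link against, plus the files name resolution needs and a passwd/group for the user) can be scripted on Linux. The script below is an added example, not from the thread and not one of the linked projects; the chroot root /srv/chroot/upload and the user name upload are assumptions. Device nodes (/dev/null, ttys) still have to be created with mknod as root and are left to the caller.

```shell
#!/bin/sh
# Added example: populate a Linux chroot with a binary, its shared libraries
# and the files name resolution needs. Assumed: chroot /srv/chroot/upload,
# user "upload". Device nodes are not handled here.

# Print the absolute paths of the shared objects a dynamic binary needs,
# as reported by ldd (a static binary yields nothing).
list_libs() {
    ldd "$1" 2>/dev/null |
        awk '$2 == "=>" && $3 ~ /^\// { print $3 } $1 ~ /^\// { print $1 }'
}

# Copy one file into the chroot, preserving its directory layout.
# $1: chroot root, $2: absolute path of the file on the host.
copy_into_chroot() {
    mkdir -p "$1$(dirname "$2")"
    cp -pL "$2" "$1$2"        # -L: copy the symlink target, not the link
}

# Copy a binary and everything it links against into the chroot.
install_binary() {
    root="$1"; bin="$2"
    [ -x "$bin" ] || return 1
    copy_into_chroot "$root" "$bin"
    for lib in $(list_libs "$bin"); do
        copy_into_chroot "$root" "$lib"
    done
}

# Check that a binary and all of its libraries are present in the chroot.
verify_chroot_binary() {
    root="$1"; bin="$2"
    [ -x "$root$bin" ] || return 1
    for lib in $(list_libs "$bin"); do
        [ -f "$root$lib" ] || return 1
    done
    return 0
}

# Name resolution inside the chroot needs the NSS and resolver configuration;
# the user must also exist in the chroot's own passwd and group files.
install_nss_files() {
    root="$1"; user="$2"
    for f in /etc/nsswitch.conf /etc/resolv.conf /etc/hosts; do
        if [ -f "$f" ]; then
            copy_into_chroot "$root" "$f"
        fi
    done
    mkdir -p "$root/etc"
    getent passwd "$user" > "$root/etc/passwd" || return 1
    getent group "$(id -gn "$user")" > "$root/etc/group" || return 1
}

# Stand-alone use (as root): scp needs a shell on the server side, so both
# the shell and scp go into the chroot.
if [ "${1:-}" = "--demo" ]; then
    root=/srv/chroot/upload
    install_binary "$root" /bin/sh
    install_binary "$root" /usr/bin/scp
    install_nss_files "$root" upload
    verify_chroot_binary "$root" /usr/bin/scp && echo "scp installed in $root"
fi
```

After running it with `--demo`, the same sshd_config Match block used for SFTP chroots (ChrootDirectory pointing at the chroot root) applies; libraries pulled in lazily by dlopen, such as the libnss_* modules, do not show up in ldd output and have to be copied by hand.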
That's correct, forgot to mention it.
We ended up using SFTP (or at least offering it to external).

-----Original Message-----
From: CentOS [mailto:centos-bounces at centos.org] On Behalf Of rainer at ultra-secure.de
Sent: Tuesday, 24 October 2017 15:24
To: CentOS mailing list
Subject: Re: [CentOS] scp setup jailed chroot on Centos7

On 2017-10-24 12:19, Adrian Jenzer wrote:
> Hi Rainer
> I would if I could but external offers only FTP and SCP...
>
> Regards Adrian

AFAIK, for scp you need a proper shell.

I've done that exactly once (chrooted ssh) and it was such a pain that I vowed to never do it again.

The problem is that inside the chroot, you need:

- name resolution
- a minimal passwd/shadow/group file (or ldap)
- maybe for scp, you can get away with a rather minimal device tree - but for actual SSH access, I needed a fairly complete device tree inside the chroot (ttys ...).
- that was with FreeBSD 10, I never tried it with anything else (due to its history with jails, creating functional, limited chroot environments is somewhat in its genes, so to speak)

Somebody sent me the link to these scripts:

https://github.com/codelibre-net/schroot

Maybe you can use those scripts - I've never tried them.

Also, there's scp-only:
https://github.com/scponly/scponly/wiki

Haven't used that in years, either.
Concern over that one seemed to be that it's "another" shell and nobody had apparently done a thorough audit of it.
[Sorry about "top posting": my OT question arises from the subject..]

Could someone elaborate on the "jail" under CentOS. I'm used to FreeBSD jails, and as I have run CentOS and some other Linuxes for quite some time I was under the impression that there is no such thing as a jail under Linux [at least those flavors I run]. Under Linux I did use in a variety of places a chrooted environment, but that only separates stuff on the filesystem level (and other things such as devices and others accessed via the filesystem). There is no other resource separation (which I'm used to having control over in the case of a FreeBSD jail). Am I wrong, and what am I wrong about?

Valeri

On Tue, October 24, 2017 8:24 am, rainer at ultra-secure.de wrote:
> On 2017-10-24 12:19, Adrian Jenzer wrote:
>
>> Hi Rainer
>> I would if I could but external offers only FTP and SCP...
>>
>> Regards Adrian
>
>
> AFAIK, for scp you need a proper shell.
>
> I've done that exactly once (chrooted ssh) and it was such a pain that I
> vowed to never do it again.
>
> The problem is that inside the chroot, you need:
>
> - name resolution
> - a minimal passwd/shadow/group file (or ldap)
> - maybe for scp, you can get away with a rather minimal device tree -
> but for actual SSH access, I needed a fairly complete device tree inside
> the chroot (ttys ...).
> - that was with FreeBSD 10, I never tried it with anything else (due to
> its history with jails, creating functional, limited chroot environments
> is somewhat in its genes, so to speak)
>
> Somebody sent me the link to these scripts:
>
> https://github.com/codelibre-net/schroot
>
> Maybe you can use those scripts - I've never tried them.
>
>
> Also, there's scp-only:
> https://github.com/scponly/scponly/wiki
>
> Haven't used that in years, either.
> Concern over that one seemed to be that it's "another" shell and nobody
> had apparently done a thorough audit of it.
++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++