bugzilla-daemon at bugzilla.mindrot.org
2011-Nov-18 17:40 UTC
[Bug 1951] New: Add home directory facility for chrooted environments
https://bugzilla.mindrot.org/show_bug.cgi?id=1951
Bug #: 1951
Summary: Add home directory facility for chrooted environments
Classification: Unclassified
Product: Portable OpenSSH
Version: -current
Platform: All
OS/Version: All
Status: NEW
Severity: enhancement
Priority: P2
Component: sshd
AssignedTo: unassigned-bugs at mindrot.org
ReportedBy: darcy at druid.net
Created attachment 2107
--> https://bugzilla.mindrot.org/attachment.cgi?id=2107
Diffs agains NetBSD 5.1
I find that the internal-sftp mostly does what I want except that it
leaves the user in the root of the chroot area. I can't make the
user's directory the chroot since that is not owned by root. So I
added code to allow me to specify the home directory. So, for example,
I have the following Match stanza in sshd_config:
Match Group sftponly
ChrootDirectory /u/
AllowTCPForwarding no
X11Forwarding no
ForceCommand internal-sftp
HomeDirectory /%u/
Now the user is dropped into his own home directory under the chroot
area.
I'm not sure if the name is correct - we don't have to actually specify
his home directory - but I have tested this on NetBSD 5.1 and it works.
--
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2011-Dec-01 23:56 UTC
[Bug 1951] Add home directory facility for chrooted environments
https://bugzilla.mindrot.org/show_bug.cgi?id=1951
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |djm at mindrot.org
--- Comment #1 from Damien Miller <djm at mindrot.org> 2011-12-02 10:56:13
EST ---
Actually, when ChrootDirectory is in use sshd will try to change to the
user's home directory as obtained from the password database.
--
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2011-Dec-02 12:00 UTC
[Bug 1951] Add home directory facility for chrooted environments
https://bugzilla.mindrot.org/show_bug.cgi?id=1951 --- Comment #2 from D'Arcy Cain <darcy at druid.net> 2011-12-02 23:00:39 EST --- That's not what I saw in my case. If you mean the system passwd file then that does not help. That might be a different structure than the chrooted area. I tried creating a passwd file in the chroot are but that didn't work. Maybe it is internal-sftp that is different. Try it yourself. Create a test user and group and add a Match stanza similar to the one in my report except for the HomeDirectory. See if you can make a passwd file that will drop that user into their home directory. I tried all sorts of things and none of them worked. -- Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are watching the assignee of the bug. You are watching someone on the CC list of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2011-Dec-02 20:57 UTC
[Bug 1951] Add home directory facility for chrooted environments
https://bugzilla.mindrot.org/show_bug.cgi?id=1951 --- Comment #3 from Damien Miller <djm at mindrot.org> 2011-12-03 07:57:54 EST --- No, it uses the system password file and not one inside the chroot. You can recreate the home directory structure from the password file inside the chroot and it will work. E.g. create /u/home/sftponly (if that's what the password home directory is) -- Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are watching the assignee of the bug. You are watching someone on the CC list of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2011-Dec-02 22:27 UTC
[Bug 1951] Add home directory facility for chrooted environments
https://bugzilla.mindrot.org/show_bug.cgi?id=1951 --- Comment #4 from D'Arcy Cain <darcy at druid.net> 2011-12-03 09:27:52 EST --- Again, not that useful. Here is the issue. My user is "joe" so his home directory, where his public_html lives, is /u/joe. In the chroot directory he is /joe. I want him to wind up in /joe. After chroot /u/joe doesn't even exist. But I need it to exist in the top level in order to display his web site so I can't modify /etc/passwd. Yes, I could probably do all sorts of funky links/null mounts but a simple sshd_config directive would be so much simpler and cleaner. I do create a passwd and group file under /u so that directory listings show ownership. -- Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are watching the assignee of the bug. You are watching someone on the CC list of the bug.