bugzilla-daemon at mindrot.org
2012-Nov-12 18:09 UTC
[Bug 2048] New: Make chrooted sftp more user friendly using bind mount (solution suggested)
https://bugzilla.mindrot.org/show_bug.cgi?id=2048

            Bug ID: 2048
           Summary: Make chrooted sftp more user friendly using bind mount (solution suggested)
           Product: Portable OpenSSH
           Version: 6.1p1
          Hardware: All
                OS: Linux
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: sftp-server
          Assignee: unassigned-bugs at mindrot.org
          Reporter: harviecz at gmail.com
    Classification: Unclassified

I'll be a bit verbose, sorry.

There are lots of people running their own shared hosting machines and they need to supply some kind of remote access to their clients. Most of them are using FTP/FTPS, but I think that SFTP/SCP is much better, more secure and less problematic.

We all know that we can't let a normal Windows BFU see all system files and make him search for his own home directory in the directory structure, because this will often leave him confused and he'll often call the helpdesk and complain about it. That's one of the reasons why we have chroot support in OpenSSH. The other reason is obvious: better security.

So this is the typical configuration:

    Subsystem sftp internal-sftp
    Match Group sftpusers
        ChrootDirectory %h
        ForceCommand internal-sftp
        AllowTcpForwarding no

It has one big problem. For security reasons we cannot chroot into a directory that is not owned by root (or is writable by the user). There's probably nothing we can do about this right now, but let's take a deeper look and see if there are some workarounds which will prevent us from modifying the directory structure, chowning all homes to root (such a home is no longer "sweet home"), etc...

And guess what. I've come up with a solution that enables OpenSSH to securely isolate a user without disabling writing to the home directory! I've implemented it as a PoC PAM module (not very secure at this moment), but I hope it can make its way directly into OpenSSH. I'll tell you more, but here is the source if you wish anyway:

https://github.com/Harvie/pam-ftpfuck/blob/master/src/mypam.c

So how does it work?

It bind-mounts the user's home directory into a subdirectory of a root-owned directory created especially for this user... so we're no longer chrooting into /home/user/ (which can now be owned by root); we'll rather chroot into /var/ssh-chroot/user/ (which is created on demand and owned by root), and it contains the user-owned directory /var/ssh-chroot/user/user/, which is a bind mount pointing to /home/user/. So after logging into the SFTP server our client will only see a root containing the single directory /user, which seems to me quite user friendly :-)

Of course we can create these bind mounts by some cron script, but it's not nearly as elegant as when done directly on demand by OpenSSH.

Other thoughts?

- Read-only bind mounts! (don't forget to check if the RO option was successfully applied)
- I am not sure if bind mounts are available on BSDs (I've never been using BSD); maybe mount_null or some kind of symlinks can be used???

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
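The layout described in the report (a root-owned /var/ssh-chroot/<user> as the ChrootDirectory, with the real home bind-mounted at /var/ssh-chroot/<user>/<user>) only works if sshd accepts the chroot path, and the report's own reminder about read-only bind mounts only helps if the "ro" really took effect. The script below is an added example written for this page; it is not code from the bug report, from the pam-ftpfuck module or from OpenSSH. It pre-flights both points: it applies the same root-owned / not group-or-world-writable rule sshd uses on every component of the chroot path, and it parses a mount table in /proc/self/mounts format to confirm a bind mount is actually read-only. The base path /var/ssh-chroot, the helper names, the reliance on GNU stat, and the sample mount table are assumptions made for the illustration; setup_chroot needs root and is only run when a user name is passed on the command line.

```shell
#!/bin/sh
# Added example, not code from the bug report, the pam-ftpfuck module or
# OpenSSH. Pre-flight checks for the per-user layout proposed above:
#   /var/ssh-chroot/<user>          root-owned, mode 755 (the ChrootDirectory)
#   /var/ssh-chroot/<user>/<user>   bind mount of the real home directory
# The base path, helper names and the sample mount table in the usage
# below are assumptions made for this illustration.

# sshd accepts a ChrootDirectory only if every component of the path is
# owned by root and writable by neither group nor others. This checks one
# component from its numeric owner uid and octal mode, as printed by
# GNU `stat -c '%u %a'`. Returns 0 if sshd would accept it.
component_ok() {
    uid=$1 mode=$2
    [ "$uid" -eq 0 ] || return 1
    # 022 = group-write | other-write; the leading 0 makes $mode octal
    [ $(( 0$mode & 022 )) -eq 0 ]
}

# Walk from the chroot up to / and apply component_ok to each directory,
# mirroring the check sshd performs before chroot(2). Needs GNU stat.
chroot_path_ok() {
    p=$1
    while :; do
        st=$(stat -c '%u %a' "$p") || return 1
        set -- $st
        component_ok "$1" "$2" || {
            echo "sshd would reject ChrootDirectory: $p is uid $1 mode $2" >&2
            return 1
        }
        [ "$p" = / ] && return 0
        p=$(dirname "$p")
    done
}

# Verify that a bind mount really is read-only, which is the check the
# report asks for: on older util-linux/kernels `mount --bind -o ro`
# silently ignored ro and a second `mount -o remount,ro,bind` was needed.
# Reads a table in /proc/self/mounts format from stdin (fields: source,
# target, fstype, options, dump, pass; spaces in paths encoded as \040).
# Returns 0 if ro, 1 if mounted rw, 2 if the target is not mounted.
mount_is_ro() {
    target=$1
    while read -r src tgt fstype opts dump pass; do
        tgt=$(printf '%s' "$tgt" | sed 's/\\040/ /g')   # decode spaces
        [ "$tgt" = "$target" ] || continue
        case ",$opts," in
            *,ro,*) return 0 ;;
            *)      return 1 ;;
        esac
    done
    return 2
}

# Build the layout for one user, then verify it. Needs root.
# Usage: setup_chroot <user> [ro]
setup_chroot() {
    user=$1 ro=${2:-rw}
    home=$(getent passwd "$user" | cut -d: -f6)
    [ -d "$home" ] || return 1
    base=/var/ssh-chroot/$user
    mkdir -p "$base/$user"
    chown root:root "$base" && chmod 755 "$base" || return 1
    mount --bind "$home" "$base/$user" || return 1
    if [ "$ro" = ro ]; then
        mount -o remount,ro,bind "$base/$user" || return 1
        mount_is_ro "$base/$user" </proc/self/mounts || {
            echo "$base/$user is not read-only; refusing to expose it" >&2
            umount "$base/$user"
            return 1
        }
    fi
    chroot_path_ok "$base"   # fail loudly if sshd would refuse the chroot
}

# Only act when run with a user name; sourcing the file just defines helpers.
if [ $# -ge 1 ]; then
    setup_chroot "$@"
fi
```

Running `sh thisfile alice ro` as root builds /var/ssh-chroot/alice/alice as a read-only view of alice's home and exits non-zero if either check fails; the same ownership rule is what produces sshd's "bad ownership or modes for chroot directory" refusal in the auth log when the layout is wrong. The mount-table parser is deliberately separate from the mount commands so it can be run against a saved copy of /proc/self/mounts (for example from a cron job that re-checks existing mounts) without root.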
bugzilla-daemon at mindrot.org
2013-Feb-08 00:01 UTC
[Bug 2048] Make chrooted sftp more user friendly using bind mount (solution suggested)
https://bugzilla.mindrot.org/show_bug.cgi?id=2048

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |djm at mindrot.org
             Status|NEW                         |RESOLVED
         Resolution|---                         |MOVED

--- Comment #1 from Damien Miller <djm at mindrot.org> ---
There is now an option to specify the starting directory in sftp-server that might help you. E.g.

    Match group sftpusers
        ChrootDirectory /chroot/%u
        ForceCommand internal-sftp -d /%h

We have no desire to build bind-mounting into OpenSSH itself though.

Otherwise, discussion of your module is better suited to our openssh-unix-dev at mindrot.org mailing list rather than our bug tracker. I'll close this bug and people more knowledgeable about PAM might be able to assist you there.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.
bugzilla-daemon at mindrot.org
2013-Aug-21 15:36 UTC
[Bug 2048] Make chrooted sftp more user friendly using bind mount (solution suggested)
https://bugzilla.mindrot.org/show_bug.cgi?id=2048

bugmenot at mailinator.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |bugmenot at mailinator.com
             Status|RESOLVED                    |REOPENED
         Resolution|MOVED                       |---

--- Comment #2 from bugmenot at mailinator.com ---
Hi Damien, thanks for the answer... It seems reasonable, but I'd like to see at least some more generic way to get the job done. E.g. a way to specify some pre-login command:

    Match group sftpusers
        PreLoginCommand sh -c 'mkdir /chroot/%u; mount -t bind %h /chroot/%u'
        ChrootDirectory /chroot/%u
        ForceCommand internal-sftp -d /%h

Well, I can do this using my PAM module, however it's a bit annoying to build it, install and configure it manually on multiple servers, when it can be done simply by altering the OpenSSH configuration (if OpenSSH gets patched a little). And I can imagine that there's much more use for such a feature... (like mounting the home directory for LDAP users, etc...). I personally like OpenSSH because it is very versatile and I think this would make it even more versatile.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.
bugzilla-daemon at mindrot.org
2013-Aug-21 15:37 UTC
[Bug 2048] PreLoginCommand: Make chrooted sftp more user friendly using bind mount (solution suggested)
https://bugzilla.mindrot.org/show_bug.cgi?id=2048

bugmenot at mailinator.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
              Alias|                            |PreLoginCommand
            Summary|Make chrooted sftp more user|PreLoginCommand: Make chrooted
                   |friendly using bind mount   |sftp more user friendly using
                   |(solution suggested)        |bind mount (solution suggested)

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.
bugzilla-daemon at mindrot.org
2013-Aug-21 15:38 UTC
[Bug 2048] Make chrooted sftp more user friendly using bind mount (solution suggested)
https://bugzilla.mindrot.org/show_bug.cgi?id=2048

bugmenot at mailinator.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|PreLoginCommand: Make chrooted|Make chrooted sftp more user
                   |sftp more user friendly using |friendly using bind mount
                   |bind mount (solution suggested)|(solution suggested)

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.
bugzilla-daemon at mindrot.org
2024-Apr-27 14:46 UTC
[Bug 2048] Make chrooted sftp more user friendly using bind mount (solution suggested)
https://bugzilla.mindrot.org/show_bug.cgi?id=2048

jason.nader at protonmail.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |jason.nader at protonmail.com

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.