Hi,

On CentOS 7 I'm trying to set up a chrooted SFTP server on which specific users can only read and write on a specific folder. And I'd like to disable some commands, so the users can only do "cd", "ls", "get" and "put" (and disable "chgrp", "chmod", "chown", "df" etc.). Is there a way to achieve it, natively or by using third-party software?

Alexandre MALDEME
On Fri, Feb 10, 2017 at 3:20 AM, Alexandre MALDEME <A.MALDEME at olky.eu> wrote:
> Hi,
>
> On CentOS 7 I'm trying to set up a chrooted SFTP server on which specific users can only read and write on a specific folder. And I'd like to disable some commands, so the users can only do "cd", "ls", "get" and "put" (and disable "chgrp", "chmod", "chown", "df" etc.). Is there a way to achieve it, natively or by using third-party software?

There were some published OpenSSH chroot patches years ago, but they've been repeatedly rejected for various security reasons. The underlying reasoning seems to be that a chroot cage is not a completely reliable security measure, since enough of the operating system is necessarily exposed inside the chroot cage to create a risk of possible exploitation and access to the hosting system. I've personally disagreed with this approach for a long time, because the lack of such tools leaves many casual administrators simply exposing their systems with full shell access and much less limited tools.

There is an old add-on tool called "rssh" that pretty effectively limits access to rsync, sftp, or scp on a selectable and configurable basis for specific users. It does badly need an update to its chroot cage building tool, which I've submitted as a patch, and the maintainer of rssh has elected not to manage or maintain that tool. Rssh is available at http://www.pizzashack.org/rssh/. My chroot cage building tools to go with it are at https://github.com/nkadel/rssh-chroot-tools.

Another fast and dirty tool is to use the "validate-rsync.sh" tool locked to SSH key "command" settings, to fairly effectively allow only rsync access.

Another approach is to give up on sftp, which does have some longstanding limitations, and use more cage-manageable tools like WebDAV over HTTPS, which is more easily published as a pure user-space service without any other chroot cage components in it and is Apache supported, or even plain old FTPS, which also works well and is built into vsftpd.
Alexandre MALDEME wrote:
> On CentOS 7 I'm trying to set up a chrooted SFTP server on which
> specific users can only read and write on a specific folder.

I don't know if your CentOS 7 constraint is helpful for you, but sshd has a ChrootDirectory configuration option, and if you use internal-sftp for the sftp subsystem you do not need any special files in the chroot.

> And I'd like to disable some commands, so the users can only do
> "cd", "ls", "get" and "put" (and disable "chgrp", "chmod",
> "chown", "df" etc.).

As for arbitrarily disabling commands, that may well need patching, because the OpenSSH sftp server does not really have any (policy) configuration. I for one like that.

//Peter
I think for this I might try running sftp in a container instead of chroot. I might then add some feature flags around the commands I don't like and compile a custom version of it. Of course, auditors hate me, but so it goes.

> On Feb 11, 2017, at 10:12 AM, Nico Kadel-Garcia <nkadel at gmail.com> wrote:
>
> There were some published OpenSSH chroot patches years ago, but
> they've been repeatedly rejected for various security reasons. The
> underlying reasoning seems to be that a chroot cage is not a
> completely reliable security measure, since enough of the operating
> system is necessarily exposed inside the chroot cage to create a risk
> of possible exploitation and access to the hosting system. I've
> personally disagreed with this approach for a long time, because the
> lack of such tools leaves many casual administrators simply exposing
> their systems with full shell access and much less limited tools.
On Sun, Feb 12, 2017 at 5:12 AM, Nico Kadel-Garcia <nkadel at gmail.com> wrote:
> There were some published OpenSSH chroot patches years ago, but
> they've been repeatedly rejected for various security reasons.

Err, sshd has ChrootDirectory, which was added in version 4.8 (released in 2008): https://www.openssh.com/releasenotes.html#4.8

sftp-server has flags -P and -p, which blacklist and whitelist requests respectively; those were added in 6.5: https://www.openssh.com/releasenotes.html#6.5

ChrootDirectory can be used inside a Match User block, but right now Subsystem can't. If Alexandre can get away with setting -P or -p globally for sftp-internal for all users then it should be possible, and Subsystem could be made to work inside a Match block with a bit of work.

-- 
Darren Tucker (dtucker at zip.com.au)
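As an added illustration of the ChrootDirectory/internal-sftp setup Peter describes and the -P request blacklist Darren points to (example code, not from the thread or from OpenSSH), the script below maps the sftp client commands Alexandre wants blocked onto the SFTP protocol request names that sftp-server actually filters, and emits the matching sshd_config fragment. It assumes a group named sftponly, a /srv/sftp/%u chroot layout, and that ForceCommand accepts internal-sftp options inside a Match block, which is how the per-group options avoid the Subsystem-in-Match limitation.

```shell
# Added example (not from the thread or OpenSSH): turn the *client* commands
# Alexandre wants blocked into the SFTP protocol request names that
# sftp-server's -P option filters, then emit a chrooted sshd_config Match
# block. The group name "sftponly" and /srv/sftp/%u layout are assumptions.

# The sftp client's chmod/chown/chgrp are all SSH_FXP_SETSTAT/FSETSTAT on the
# wire, and df is the statvfs@openssh.com extension; -P must see those names.
requests_for_command() {
    case "$1" in
        chmod|chown|chgrp) echo "setstat,fsetstat" ;;
        df)                echo "statvfs@openssh.com,fstatvfs@openssh.com" ;;
        rm)                echo "remove" ;;
        rename)            echo "rename,posix-rename@openssh.com" ;;
        ln)                echo "symlink,hardlink@openssh.com" ;;
        *)                 return 1 ;;   # refuse to guess unknown commands
    esac
}

# Build a de-duplicated, comma-separated -P list from client command names.
banned_requests() {
    list=""
    for cmd in "$@"; do
        reqs=$(requests_for_command "$cmd") || { echo "unknown sftp command: $cmd" >&2; return 1; }
        for r in $(echo "$reqs" | tr ',' ' '); do
            case ",$list," in *",$r,"*) ;; *) list="${list:+$list,}$r" ;; esac
        done
    done
    echo "$list"
}

# ChrootDirectory must be root-owned and not group/world-writable, so each
# user gets a writable subdirectory inside it. ForceCommand carries the
# per-group options inside Match, where Subsystem itself is not permitted.
sshd_config_fragment() {
    banned=$(banned_requests "$@") || return 1
    cat <<EOF
Subsystem sftp internal-sftp
Match Group sftponly
    ChrootDirectory /srv/sftp/%u
    ForceCommand internal-sftp -P $banned
    AllowTcpForwarding no
    X11Forwarding no
    PermitTTY no
EOF
}

sshd_config_fragment chmod chown chgrp df
```

Run the installed sftp-server binary with `-Q requests` to list the request names that particular build recognises before relying on a -P list, and check the result with `sshd -t`.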