search for: safely_chroot

Displaying 11 results from an estimated 11 matches for "safely_chroot".

2008 Mar 21
1
ChrootDirectory fails if compiled with SELinux support (whether or not using SELinux)
...d with SELinux support, OpenSSH 4.8 current cvs fails for accounts where the new ChrootDirectory option is active : debug1: PAM: establishing credentials debug3: PAM: opening session debug2: User child is on pid 1695 debug3: mm_request_receive entering debug1: PAM: establishing credentials debug3: safely_chroot: checking '/' debug3: safely_chroot: checking '/home/' debug3: safely_chroot: checking '/home/user' Changed root directory to "/home/user" debug1: permanently_set_uid: 1002/1005 debug1: SELinux support enabled debug3: ssh_selinux_setup_exec_context: setting executi...
2012 Feb 21
2
chroot directory ownership
Currently, sshd requires the chroot directory to be owned by root. This makes it impossible to chroot users into their own home directory, which would be convenient for sftp-only users. Is there a particular reason why, in safely_chroot() in session.c, if (st.st_uid != 0 || (st.st_mode & 022) != 0) fatal("bad ownership or modes for chroot " "directory %s\"%s\"", cp == NULL ? "" : "compo...
2009 Mar 02
0
About setpcred() and chroot()
...n, chroot() is called after the setpcred() (only AIX is concerned by the setpcred() call), so privileges are already dropped when chroot() is called. When not calling setpcred(), the chroot() does not fail and the privileges are dropped anyway within the permanently_set_uid() call, just after the safely_chroot() call. Is the setpcred() really useful? If so, is it called at the right time? Best Regards. -- Xavier
2013 Mar 13
2
Time zone for chrooted internal-sftp?
Hi, A question regarding chroot, internal-sftp, and time zones: Is it possible to get the time stamps presented by the chrooted internal-sftp to always be aligned with the system global time zone setting? What is the reason this not done by default, that is couldn't the chrooted internal-sftp inherit the time zone information from the SSH daemon? /John -- John Olsson Ericsson AB
2009 Mar 28
3
ChrootDirectory security
Hello, I've tried many places, finally ending up here to ask my question: why is it so vital that the directory used with the ChrootDirectory directive is root-owned? Like many people I'm trying to use this in a webhosting environment where several users get sftp-only access to some directory, usually something like /home/user/web/part-of-website. I can be sure that there are no setuid
2009 Nov 18
1
SFTP Chroot
...de for OpenSSH 5.3p1 , I found this snippet of code, starting at line 1399 of session.c and ending at line 1452: /* > * Chroot into a directory after checking it for safety: all path > components > * must be root-owned directories with strict permissions. > */ > static void > safely_chroot(const char *path, uid_t uid) > { > const char *cp; > char component[MAXPATHLEN]; > struct stat st; > > if (*path != '/') > fatal("chroot path does not begin at root"); > if (strlen(path) >= sizeof(component)) > fata...
2009 Mar 06
20
[Bug 1567] New: Insufficient privileges to chroot() on AIX
...n, chroot() is called after the setpcred() (only AIX is concerned by the setpcred() call), so privileges are already dropped when chroot() is called. When not calling setpcred(), the chroot() does not fail and the privileges are dropped anyway within the permanently_set_uid() call, just after the safely_chroot() call. Is the setpcred() really useful? -- Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are watching the assignee of the bug.
2009 Dec 01
4
[Bug 1678] New: Insufficient privileges to chroot() on AIX
...ech.ro Created an attachment (id=1735) --> (https://bugzilla.mindrot.org/attachment.cgi?id=1735) truss log on AIX 6.1 I tested openssh-5.3p1 on 3 machines: AIX ... 1 5 004036AA4C00 AIX ... 3 5 0040D7CB4C00 AIX ... 1 6 0003EADAD300 on each of them I got the same result: ... debug3: safely_chroot: checking '/home/test' Changed root directory to "/home/test" Failed to set process credentials .. then it quits. I attached the truss log from AIX 6.1 (truss_log.txt) I also attached the fix that worked for me (this code was posted already in https://bugzilla.mindrot.org/atta...
2008 Apr 28
7
[Bug 1461] New: session.c: don't chdir() after chroot() if chroot_path==pw->pw_dir
...presented with error "Could not chdir to home directory /home/vhosts/user: No such file or directory" which doesn't make sense with this setup and leaks information about paths above chroot. I expect that user should be left in chroot's root (from chdir() and chroot() sequence in safely_chroot()) or chdir to $HOME setup by pam_env.
2012 May 17
2
New Subsystem criteria for Match option block in OpenSSH server
...rver "chroots" into the directory specified by the ChrootDirectory directive above, you must also disable the privilege separation using the config directive UsePrivilegeSeparation no into the sshd_config file. At least I think so; I checked that the sshd server will skip calling the safely_chroot function if I keep the privilege separation enabled and login using a no-root user. I worked on the portable branch of OpenSSH because this feature must be installed on a SLES (SuSE linux Enterprise Server) distribution. For the code changes I started from the openssh-6.0p1 released on April 22,...
2014 Mar 27
1
AIX SFTP with chroot: connection closed without error message
...quest_send entering: type 26 [preauth] debug3: mm_send_keystate: Finished sending state [preauth] debug1: monitor_read_log: child log fd closed debug3: mm_share_sync: Share sync debug3: mm_share_sync: Share sync end debug3: ssh_sandbox_parent_finish: finished debug3: AIX/UsrInfo: set len 23 debug3: safely_chroot: checking '/' debug3: safely_chroot: checking '/cpdp' Changed root directory to "/cpdp" debug1: permanently_set_uid: 212/1 debug2: set_newkeys: mode 0 debug2: set_newkeys: mode 1 debug1: Entering interactive session for SSH2. debug2: fd 5 setting O_NONBLOCK debug2: fd 6 se...