Displaying 20 results from an estimated 10000 matches similar to: "ChrootDirectory %h"
2009 Mar 28
3
ChrootDirectory security
Hello,
I've tried many places, finally ending up here to ask my question: why
is it so vital that the directory used with the ChrootDirectory
directive is root-owned?
Like many people I'm trying to use this in a webhosting environment
where several users get sftp-only access to some directory, usually
something like /home/user/web/part-of-website.
I can be sure that there are no setuid
2023 Nov 12
2
restrict file transfer in rsync, scp, sftp?
On Sat, 11 Nov 2023, Bob Proulx wrote:
> I am supporting a site that allows members to upload release files. I
> have inherited this site which was previously existing. The goal is
> to allow members to file transfer to and from their project area for
> release distribution but not to allow general shell access and not to
> allow access to other parts of the system.
>
>
2013 Feb 02
2
Relaxing strict chroot checks on recent Linux kernels?
At the risk of beating a dead horse, I'd like to see the chroot
security checks relaxed a bit. On newer Linux kernels, there's a
prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) that prevents privilege
elevation (via setuid binaries, etc) for the caller and all of its
descendants. That means that chroot(untrusted directory),
prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0), setreuid(uid, uid), execve(a
2023 Nov 12
1
restrict file transfer in rsync, scp, sftp?
On 12.11.23 03:52, Damien Miller wrote:
> On Sat, 11 Nov 2023, Bob Proulx wrote:
>
>> I am supporting a site that allows members to upload release files. I
>> have inherited this site which was previously existing. The goal is
>> to allow members to file transfer to and from their project area for
>> release distribution but not to allow general shell access and not
2008 May 25
1
OpenSSH + chroot + SELinux = broke
Hello,
First, a big thank you to the OpenSSH devs.
_ /Problem Summary:/
_ Chroot and SELinux don't get along. This affects both the new
(official) ChrootDirectory feature, as well as the older (3rd party)
patch at http://chrootssh.sourceforge.net/.
_ /History and repro:/
_ On March 21, 2008, Alexandre Rossi posted to this list with the
subject: "*ChrootDirectory
2014 Mar 17
1
internal-sftp stuck on 'ls' with chrootdirectory
Hi all,
I am using Match directive and internal-sftp to chroot sftp users into their
directory. Connection and login works. I can change directories and put/get
files. Also logging of the internal sftp-process works (created a /dev/log
socket inside the chroot). As soon as I use the 'ls' command, nothing
happens and the the process gets stuck. Listing files does work as soon as I
remove
2008 Mar 21
1
ChrootDirectory fails if compiled with SELinux support (whether or not using SELinux)
Hi,
(please CC me as I'm not subscribed to the list)
If compiled with SELinux support, OpenSSH 4.8 current cvs fails for
accounts where the new ChrootDirectory option is active :
debug1: PAM: establishing credentials
debug3: PAM: opening session
debug2: User child is on pid 1695
debug3: mm_request_receive entering
debug1: PAM: establishing credentials
debug3: safely_chroot: checking
2023 Nov 12
3
restrict file transfer in rsync, scp, sftp?
I am supporting a site that allows members to upload release files. I
have inherited this site which was previously existing. The goal is
to allow members to file transfer to and from their project area for
release distribution but not to allow general shell access and not to
allow access to other parts of the system.
Currently rsync and old scp has been restricted using a restricted
shell
2001 May 24
1
chroot sftp-server [PATCH]
I'm working on setting up a semi-trusted sftp service, and to get it
working, I need chroot capability.
I've taken the /./ wuftpd magic token code from contrib/chroot.diff and
put it into the sftp server. The main problem is that privileges have
been dropped by the time the subsystem is exec'ed, so my patch requires
that sftp-server be setuid root. Not ideal, I know, but I drop all
2012 Jan 19
2
ChrootDirectory per SSH Subsystem?
Hi,
According to the sshd_config manual page the option ChrootDirectory can be used to force a chroot:ed environment for the SSHD server. But as I understand the manual page this is a global setting and it is not possible to specify this per SSH subsystem.
We are building a system where we need users to be able to log on from remote machines via SSH, but with the tweaks that we (for security
2008 Oct 23
6
ChrootDirectory on a per key basis
Hello,
I'm trying to set up an sftp (sshfs) service accessible to users with
a normal account on a server, but which would be restricted to a
subset of the directory hierarchy normally accessible to the users in
question, in practice a single directory. The idea would be to allow
file access to this directory with a passwordless public key, but keep
rest of the users file accessible only with
2008 Jun 09
1
Problem in RSA Key authentication
Hello Damien,
I am using OpenSSH-5.0 on my ARM board. I want to perform RSA
authentication, but server is not accepting the key generated by the
client. I have copied the authorized_keys in the "$HOME/.ssh/" folder
and provided permission (755) to that folder. Please help me how to
solve this problem.
Following is the log from the client
OpenSSH_4.3p2, OpenSSL 0.9.8b 04 May 2006
2009 Mar 18
4
[Bug 1574] New: trailing white space on Forced Command within ChrootDirectory causes failure
https://bugzilla.mindrot.org/show_bug.cgi?id=1574
Summary: trailing white space on Forced Command within
ChrootDirectory causes failure
Product: Portable OpenSSH
Version: 5.1p1
Platform: All
OS/Version: Linux
Status: NEW
Severity: normal
Priority: P2
Component: sshd
AssignedTo:
2003 Apr 13
2
chroot() as non-root user?
I suspect this has been asked before but I'll ask anyway.
Q1: Is it possible for a non-root process to perform a chroot?
My interest is this: I have a typical ISP hosting account (verio; on a
FreeBSD 4.4 server.) I'd like to install and run various CGI packages, yet
protect myself (and my email, and my .ssh keys) from bugs being exploited
in those CGI packages. Chroot at the start
2012 Aug 18
0
[Bug 2036] New: Add %g user group name parameter for ChrootDirectory
https://bugzilla.mindrot.org/show_bug.cgi?id=2036
Priority: P5
Bug ID: 2036
Assignee: unassigned-bugs at mindrot.org
Summary: Add %g user group name parameter for ChrootDirectory
Severity: enhancement
Classification: Unclassified
OS: Linux
Reporter: sue at pennine.com
Hardware: ix86
Status:
2009 Feb 26
2
[Bug 1564] New: non-accessible user's home directory not reported when ChrootDirectory=none
https://bugzilla.mindrot.org/show_bug.cgi?id=1564
Summary: non-accessible user's home directory not reported when
ChrootDirectory=none
Product: Portable OpenSSH
Version: 5.2p1
Platform: All
OS/Version: Solaris
Status: NEW
Severity: normal
Priority: P3
Component: sshd
1998 Mar 11
4
Re: Re: Towards a solution of tmp-file problems
Forwarding a message from Rogier Wolff:
>
> Nick Andrew wrote:
> > Theo De Raadt pointed out (possibly not in this thread) that basing
> > protection on euid is not workable. Although I like the concept of
> > variable expansion in pathnames, I don''t see it as a security mechanism.
>
> Why not?
Because programs that _were_ privileged but have set euid ==
2009 Nov 05
3
sshd_config ChrootDirectory ambiguity...
Under "ChrootDirectory" there is a line that says,
"This path, and all its components, must be root-owned directories
that are not writable by any other user or group."
When I first read this "all its components" seemed to mean that
all directories and files within this directory must be root owned
and root only writable. This seemed odd as I would not be able
to
2008 Dec 29
0
Proposal: Different handling of ChrootDirectory
Hey guys,
I have read all the messages regarding this issue on the mailing list
and I did notice that quite a few people are not exactly happy with the
new easiness of the chroot support introduced to openssh.
I'm one of them and I think to support my special configuration, the
implementation would need to be changed.
I'm right now setting up a small web hosting company an every
2012 Jun 07
1
While using internal sftp server, need to access files outside chroot
Hi,
I need to make a custom code change in sftp-server module to copy the received file outside the chroot-setup. I am trying to chroot repeatedly to get physical root directory and the copy received file to a directory outside chrooted directory.
The children processes are owned by the sftp-user and so, sftp child process does not have permission to escape out of chroot.
Is there a simple way