comp.security.ssh: SSH secure remote login and tunneling tools.
#1
|
I saw this problem posted on many places with no solution so far.

How can we chroot SFTP but NOT SSH sessions for the same user? I know it doesn't make sense but humor me, this is a requirement in some enterprise environments with many generic app IDs.

The session.c evaluates the type of connection in the function session_input_channel_req, which is called from serverloop.c by server_input_channel_req. However, this is all done way after chroot happens in the do_setusercontext function, so I'm trying to find a way to get the same at that level.

I just need a hint which is the first function to differentiate between sftp and ssh in the openssh code and how to use it in session.c. Any help will be much appreciated.

MJ
|
|
|
#2
|
mohamed.zubaidi@gmail.com wrote:
> How can we chroot SFTP but NOT SSH sessions for the same user?
> I know it doesn't make sense but humor me, this is a requirement in
> some enterprise environments with many generic app IDs.

More people have encountered this situation and wrote scponly (google the term). Use the scponlyc binary if you want to chroot it.
|
|
|
#3
|
Steven Mocking wrote:
> mohamed.zubaidi@gmail.com wrote:
> > How can we chroot SFTP but NOT SSH sessions for the same user?
> > I know it doesn't make sense but humor me, this is a requirement in
> > some enterprise environments with many generic app IDs.
>
> More people have encountered this situation and wrote scponly (google
> the term). Use the scponlyc binary if you want to chroot it.

To my understanding, scponly is a shell-like binary you specify in the passwd file, so users will be able to SFTP and SCP but NOT SSH to the machine, and it can chroot the sftp/scp session as well. However, I want the user to be able to log in with ssh without being chrooted, while when he uses sftp, he gets chrooted. I'm using a config file for this and it's working fine for both; now I just need to separate them. I'm looking for a way to identify the connection as an sftp session prior to the do_setusercontext function in session.c.

MJ
|
|
|
#4
|
mohamed.zubaidi@gmail.com wrote:
> However, I want the user to be able to log in with ssh without being
> chrooted, while when he uses sftp, he gets chrooted. I'm using a config
> file for this and it's working fine for both; now I just need to
> separate them. I'm looking for a way to identify the connection as an
> sftp session prior to the do_setusercontext function in session.c

Ouch, should've read your first post more literally. If I recall correctly the chroot system call can only be made as root, and the sftp-server is run as a subsystem request by a user inside the ssh session. That's why it's FTP *over* SSH. Before that, there is not really something specific which tells you if a session is sftp or shell.

Perhaps you could patch/modify the sftp-server source code to do something like

    uid_t uid = getuid();
    chroot("/path/to/chroot");
    seteuid(uid);

very early on in the code. Then make the compiled binary setuid root. Be careful though, because there is always the danger of holes with setuid root binaries, like users setting LD_LIBRARY_PATH and LD_PRELOAD.
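Added example, not code from this thread, from OpenSSH or from scponly: a hardened form of the chroot-then-drop prologue that post #4 sketches for a setuid-root sftp-server. It assumes it runs before any client data is read, while the effective uid is still 0, and that the caller supplies the jail path and the target uid/gid; the function names (confine_to_jail, drop_privileges_permanently) and the command-line driver are hypothetical.

```c
/* Added example, not OpenSSH code. Hardened "chroot, then drop to the user"
 * prologue for a setuid-root helper. Assumes euid 0 on entry and that no
 * client-controlled data has been processed yet. */
#define _DEFAULT_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Give up root for good. setgid()/setuid() called with euid 0 change the
 * real, effective and saved ids together, so unlike seteuid() the process
 * cannot switch back to uid 0 later. Returns 0 on success, -1 with errno set. */
int drop_privileges_permanently(uid_t uid, gid_t gid)
{
    if (uid == 0 || gid == 0) {        /* "dropping" to root is not a drop */
        errno = EINVAL;
        return -1;
    }
    if (setgroups(0, NULL) == -1)      /* clear supplementary groups first */
        return -1;
    if (setgid(gid) == -1)             /* gid before uid: changing it needs root */
        return -1;
    if (setuid(uid) == -1)
        return -1;
    /* Verify the drop took effect and is irreversible. */
    if (getuid() != uid || geteuid() != uid || setuid(0) == 0) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

/* Confine the process to `jail` and continue as uid/gid. Order matters:
 * chdir() into the jail before chroot(), then chdir("/") inside it, so the
 * working directory can never be left outside the new root; chroot() needs
 * root, which is why the privilege drop comes last. Returns 0 or -1/errno. */
int confine_to_jail(const char *jail, uid_t uid, gid_t gid)
{
    if (jail == NULL || uid == 0 || gid == 0) {
        errno = EINVAL;
        return -1;
    }
    if (chdir(jail) == -1)             /* fails with ENOENT if the jail is missing */
        return -1;
    if (chroot(".") == -1)             /* root-only; EPERM when not root */
        return -1;
    if (chdir("/") == -1)
        return -1;
    return drop_privileges_permanently(uid, gid);
}

/* Demo driver (hypothetical): confine_to_jail JAIL UID GID, report outcome. */
int main(int argc, char **argv)
{
    if (argc != 4) {
        fprintf(stderr, "usage: %s JAIL UID GID\n", argv[0]);
        return 2;
    }
    uid_t uid = (uid_t)strtoul(argv[2], NULL, 10);
    gid_t gid = (gid_t)strtoul(argv[3], NULL, 10);
    if (confine_to_jail(argv[1], uid, gid) == -1) {
        fprintf(stderr, "confine_to_jail: %s\n", strerror(errno));
        return 1;
    }
    printf("confined to %s as uid %lu gid %lu; setuid(0) now fails\n",
           argv[1], (unsigned long)uid, (unsigned long)gid);
    return 0;
}
```

The two changes against the three-line sketch are the permanent drop (setgid/setuid rather than seteuid, which leaves the saved uid at 0) and the chdir before and after chroot. The LD_PRELOAD/LD_LIBRARY_PATH exposure the post mentions is not addressed by this prologue; it is a property of how the binary is linked and loaded, and a reason to keep any such helper as small as possible.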
|
|
|
#5
|
Steven Mocking wrote:
> If I recall correctly the chroot system call can only be made as root,
> and the sftp-server is run as a subsystem request by a user inside the
> ssh session. That's why it's FTP *over* SSH. Before that, there is not
> really something specific which tells you if a session is sftp or shell.
>
> Perhaps you could patch/modify the sftp-server source code to do
> something like
>
>     uid_t uid = getuid();
>     chroot("/path/to/chroot");
>     seteuid(uid);
>
> very early on in the code. Then make the compiled binary setuid root. Be
> careful though, because there is always the danger of holes with setuid
> root binaries, like users setting LD_LIBRARY_PATH and LD_PRELOAD.

I wanted to patch session.c only, to make it easier to port (on hundreds of hybrid UNIX systems), but after reading most of the SSH code with no clues, I guess you're right: the only way to go would be to patch sftp-server.c as well. The best way to go is to separate sftp users from login ones and chroot normally (both) as required. But it's worth investigating.

Thanks anyway Steve,
MJ
|
|
|
#6
|
I got this working. My findings are at:
http://www.securitybulletins.com/med...ot_environment

Doug

On 7 Nov 2006 11:39:49 -0800 mohamed.zubaidi@gmail.com wrote:
> I saw this problem posted on many places with no solution so far.
>
> How can we chroot SFTP but NOT SSH sessions for the same user?
> I know it doesn't make sense but humor me, this is a requirement in
> some enterprise environments with many generic app IDs.

--
For UNIX, Linux and security articles visit http://SecurityBulletins.com/