Operating System - HP-UX

how to prevent chroot sftp user from seeing out their one homedir

SOLVED
Steve Post
Trusted Contributor

how to prevent chroot sftp user from seeing out their one homedir

I set up sftp user u001 chrooted to: /ftphome/u001/./home/u001
/ftphome/u001 is the newroot
/home/u001 is the user u001 home directory.
This is fine.

But user u001 can see /ftphome/u001/usr, /ftphome/u001/var, /ftphome/u001/bin
and anything else that gets dropped into the newroot /ftphome/u001.

I realize everything u001 can see is in a chrooted environment. I would rather have it where user u001 can see its own home and nothing else.

Is this possible?
7 REPLIES
Ivan Krastev
Honored Contributor

Re: how to prevent chroot sftp user from seeing out their one homedir

I don't think that will be possible. These are the lib, bin, etc. directories required by ssh (sftp) to operate in a chroot environment.

regards,
ivan
Court Campbell
Honored Contributor

Re: how to prevent chroot sftp user from seeing out their one homedir

I don't think so. You can't chroot a chroot.
"The difference between me and you? I will read the man page." and "Respect the hat." and "You could just do a search on ITRC, you don't need to start a thread on a topic that's been answered 100 times already." Oh, and "What. no points???"
Steve Post
Trusted Contributor

Re: how to prevent chroot sftp user from seeing out their one homedir

But if this is the case, what prevents the guy from immediately doing this:
cd ../../etc
get passwd

or this:
cd ../../
rm -r *

or this:
cd ../../bin
mv sh sh.normal
put sh_my_evil_thing sh?
Court Campbell
Honored Contributor
Solution

Re: how to prevent chroot sftp user from seeing out their one homedir

>get passwd

If you are using shadow passwords or trusted systems, or SMSE, then they just have a file with usernames, etc.

>cd ../../
>rm -r *

The permissions on the directory won't let the user do that.

>cd ../../bin
>mv sh sh.normal

there is no mv command in sftp

>put sh_my_evil_thing sh?

user wouldn't have permission to write to the bin directory.

You know you could have just sftp'ed as the user to the box and tested this.
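The reply above rests on three properties of the jail: nothing outside the user's home is writable, nothing in the jail's etc/passwd gives away more than usernames, and there is no replaceable binary the user could swap. The audit below is an added example and is not from the thread, from HP-UX, or from HP's ssh_chroot_setup.sh script; the jail path /ftphome/u001 and the usernames root and u001 are assumptions taken from the original post, and the set-uid check is added on top of what the reply mentions because a set-id program inside a jail is the usual way out of one. It is POSIX sh (HP-UX /usr/bin/sh or Linux sh) and only uses find, sed and the shell builtins.

```shell
#!/bin/sh
# Added example, not from the thread: audit an sftp chroot jail for the
# weaknesses discussed above. Assumed usage (paths from the original post):
#   audit_jail /ftphome/u001 root u001

# 1. World-writable entries in the jail let the jailed user plant or replace
#    files (the "put sh_my_evil_thing sh" case). Symlinks are skipped because
#    their mode bits are meaningless. -perm -002 is the portable spelling.
jail_world_writable() {
    find "$1" ! -type l -perm -002 -print 2>/dev/null | sort
}

# 2. Set-uid / set-gid files inside a jail are a classic chroot escape aid
#    (assumed check, not something the thread raises).
jail_setid_files() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# 3. Accounts in the jail's etc/passwd beyond the allowed list tell the user
#    who can log in; a real hash in the second field is worse. Prints one
#    line per finding: "extra-user NAME" or "hash-exposed NAME".
jail_passwd_findings() {
    pf="$1/etc/passwd"; shift
    allowed=" $* "
    [ -f "$pf" ] || return 0
    while IFS=: read -r user pw rest; do
        case "$allowed" in
            *" $user "*) ;;
            *) printf 'extra-user %s\n' "$user" ;;
        esac
        # Placeholders used by shadow / trusted-system setups are not hashes.
        case "$pw" in
            ''|'*'|x|'!'|'!!') ;;
            *) printf 'hash-exposed %s\n' "$user" ;;
        esac
    done < "$pf"
}

# Run every check. Prints all findings and returns 1 if there were any,
# 0 if the jail is clean, so it can sit in a cron job or a post-setup hook.
audit_jail() {
    jail=$1; shift
    findings=$( {
        jail_world_writable "$jail" | sed 's/^/world-writable /'
        jail_setid_files "$jail"    | sed 's/^/setid /'
        jail_passwd_findings "$jail" "$@"
    } )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}
```

Run it as root right after ssh_chroot_setup.sh has populated the newroot and again whenever something new is copied in; a clean run confirms the answer's assumptions hold on that box, a non-zero exit shows exactly which file to fix.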
Steve Post
Trusted Contributor

Re: how to prevent chroot sftp user from seeing out their one homedir

yeah I know I could have. I was looking for a reason why I should be concerned about these fake system directories.

I don't like the idea of letting the sftp user know who might be able to get into the system. I already cleaned up my newroot/etc/passwd of any non-standard IDs (besides u001 of course).

I can get PAM libraries. This doesn't seem like a good thing to have.
cd /
cd usr/lib/security
get libpam_authz.1
But then again, I wouldn't know what good it is for Mr. Evil anyway.

Rita C Workman
Honored Contributor

Re: how to prevent chroot sftp user from seeing out their one homedir

hmmmm.... I always get sftp and ftps turned around. For ssh, have you come across this little utility called ssh_chroot_setup.sh for doing this?

I attached the file... hope it didn't get corrupted coming across to my email account.


Rgrds,
Rita
Steve Post
Trusted Contributor

Re: how to prevent chroot sftp user from seeing out their one homedir

That's what I ran. It dropped a lot of libraries in. I just don't like the idea that any sftp user can see this stuff.

After it dropped the password file in, I started to clear it out.

It also needed to drop in a /newroot/opt/ssh/etc/sftponly.sh file. This is per doc emr_na-c00926492-2 "How to configure a user for SFTP access only, in a chroot'ed environment."