06-29-2007 05:26 AM
/ftphome/u001 is the newroot
/home/u001 is the user u001 home directory.
This is fine.
But user u001 can see /ftphome/u001/usr, /ftphome/u001/var, /ftphome/u001/bin
and anything else that gets dropped into the newroot /ftphome/u001.
I realize everything u001 can see is in a chrooted environment. I would rather have it where user u001 can see its own home and nothing else.
Is this possible?
06-29-2007 05:33 AM
Re: how to prevent chroot sftp user from seeing out their one homedir
regards,
ivan
06-29-2007 05:37 AM
Re: how to prevent chroot sftp user from seeing out their one homedir
06-29-2007 05:48 AM
Re: how to prevent chroot sftp user from seeing out their one homedir
cd ../../etc
get passwd
or this:
cd ../../
rm -r *
or this:
cd ../../bin
mv sh sh.normal
put sh_my_evil_thing sh?
06-29-2007 06:29 AM
Solution
If you are using shadow passwords or trusted systems, or SMSE, then they just have a file with usernames, etc.
>cd ../../
>rm -r *
The permissions on the directory won't let the user do that.
>cd ../../bin
>mv sh sh.normal
there is no mv command in sftp
>put sh_my_evil_thing sh?
user wouldn't have permission to write to the bin directory.
You know you could have just sftp'ed as the user to the box and tested this.
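A check for the permissions point made in the answer above, as an added example that is not part of the thread: a hypothetical `audit_chroot` shell function that lists anything under the newroot, outside the user's home, that is owned by the jailed user or world-writable. It assumes a `find` that supports `-path` and the `/ftphome/u001` layout from the original question.

```shell
#!/bin/sh
# Added example (not from the thread): list paths in an sftp chroot, outside
# the user's home, that the jailed user could modify.
#
# audit_chroot NEWROOT USER HOME   (hypothetical helper name)
#   NEWROOT  chroot directory as seen from the real system, e.g. /ftphome/u001
#   USER     login name or numeric uid of the jailed account, e.g. u001
#   HOME     home directory as seen from inside the chroot, e.g. /home/u001
# Prints one finding per line. Returns 0 if clean, 1 on findings, 2 on bad args.
audit_chroot() {
    newroot=${1%/} user=$2 home=$3
    [ -d "$newroot" ] && [ -n "$user" ] && [ -n "$home" ] || return 2
    homepath="$newroot/${home#/}"

    # Skip the home subtree (the user is meant to write there), then report
    # anything owned by the user or world-writable (symlink modes are ignored).
    findings=$(find "$newroot" -path "$homepath" -prune -o \
        \( -user "$user" -o \( -perm -0002 ! -type l \) \) -print)

    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Usage with the layout from the thread (run as root on the real filesystem):
#   audit_chroot /ftphome/u001 u001 /home/u001
```

An empty result means the user cannot write to, rename or delete anything outside the home directory; group-writable paths are not checked and would need a separate pass if the account shares a group with other owners.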
06-29-2007 06:55 AM
Re: how to prevent chroot sftp user from seeing out their one homedir
I don't like the idea of letting the sftp user know who might be able to get into the system. I already cleaned up my newroot/etc/passwd of any non-standard IDs (besides u001 of course).
I can get pam libraries. This doesn't seem like a good thing to have.
cd /
cd usr/lib/security
get libpam_authz.1
But then again, I wouldn't know what good it is for Mr. Evil anyway.
06-29-2007 08:25 AM
Re: how to prevent chroot sftp user from seeing out their one homedir
I attached the file...hope it didn't corrupt coming across to my email account.
Rgrds,
Rita
06-29-2007 08:33 AM
Re: how to prevent chroot sftp user from seeing out their one homedir
After it dropped the password file in, I started to clear it out.
It also needed to drop in a /newroot/opt/ssh/etc/sftponly.sh file. This is per doc emr_na-c00926492-2 "How to configure a user for SFTP access only, in a chroot'ed environment."