Operating System - HP-UX

Re: restrict sftp user "cd" to other directories

 
Trng
Super Advisor

restrict sftp user "cd" to other directories

Hi,
I have configured a user "test" with /home/test, enabled chroot and disabled ssh login, allowing only sftp. When this user does an sftp from another machine, it is able to 'cd' to system directories and pick up sensitive passwd files etc.

How do I prevent an sftp user from doing "cd" anywhere except his home folder?

OS HPUX 11.11

rgds,trng
administrator
Steven Schweda
Honored Contributor

Re: restrict sftp user "cd" to other directories

> i hv configured a user "test" with
> /home/test and enabled chroot [...]
> able to 'cd' to system directories [...]

If the user can "cd" to places outside his
chroot directory, then my guess would be that
you have not really "enabled chroot" for this
user. Of course, with my weak psychic
powers, and your vague description of how you
"configured a user", I have no idea what you
actually did, so it's not easy for me to
guess what is actually happening.

As usual, showing actual commands with their
actual output can be more helpful than vague
descriptions or interpretations.
Trng
Super Advisor

Re: restrict sftp user "cd" to other directories

Hi Steven,

I have enabled chroot, and /etc/passwd is showing a chrooted user. My problem is that the sftp user can access /etc/passwd and a few other sensitive system files. How do I prevent a chroot user from doing cd to system filesystems?

rgds,trng
administrator
Abid Iqbal
Regular Advisor

Re: restrict sftp user "cd" to other directories

Hi,
In other words, you require a chroot ftp-only user.
So for this, create a folder "pub" in the home folder /home/test, owned by user test.
In the /etc/passwd file the home field should then look like "/home/test/./pub".
Create two folders, "usr/bin" and "etc", inside /home/test with ownership root:other.
Copy the /etc/passwd file into this etc folder and edit it so it contains only the "root" and "test" user entries; remove all other users.
Copy the /etc/group file into this etc folder and edit it so it contains only the "ftponly" and "other" groups; remove all other groups.
Copy /sbin/ls into the usr/bin folder.
The shell of this user should be /usr/bin/false, and the group should be ftponly.
Steven Schweda
Honored Contributor

Re: restrict sftp user "cd" to other directories

> i hv enabled chroot

What, exactly, does that mean? What,
exactly, did you do?

> and /etc/passwd is showing a chrooted
> user.

What, exactly, does that mean? What,
exactly, do you see?

> [...] ...how to prevent a chroot user to do
> cd to system filesystems

> If the user can "cd" to places outside his
> chroot directory, then my guess would be that
> you have not really "enabled chroot" for this
> user.

Still true.

> As usual, showing actual commands with their
> actual output can be more helpful than vague
> descriptions or interpretations.

Still true. (Was some part of that unclear?)