Mailing List Archive: OpenSSH: Dev

Directory permissions in chroot SFTP



carlopradissitto at gmail

Nov 11, 2008, 3:45 AM

Post #1 of 5 (63847 views)
Directory permissions in chroot SFTP

Hi,
I configured openssh 5.1p1 for sftp server.

Here are the specifications in the sshd_config file:

Subsystem sftp internal-sftp
Match Group sftp
ForceCommand internal-sftp
ChrootDirectory /home/%u
AllowTcpForwarding no

When a user is logged in, he can't upload his document and he receives
this message:

carlo [at] Musi:~$ sftp user [at] 213
Connecting to 213.217.147.123...
user [at] 213's password:
sftp> put prova
Uploading prova to /prova
Couldn't get handle: Permission denied
sftp>

Here are the directory permissions:

[root [at] sftp-serve ~]# ls -la /home/user/
total 24
drwxr-xr-x 6 root sftp 4096 Nov 10 18:05 .
drwxr-xr-x 54 root root 4096 Nov 10 16:48 ..

OK, my user is an sftp group member, and the sftp group doesn't have
sufficient permissions to write in the user's home directory.

I add the write permission for the sftp group:

[root [at] sftp-serve ~]# chmod 770 /home/user/
[root [at] sftp-serve ~]# ls -la /home/user/
total 24
drwxrwx--- 6 root sftp 4096 Nov 10 18:05 .
drwxr-xr-x 54 root root 4096 Nov 10 16:48 ..


But now the user can't access:

carlo [at] Musi:~$ sftp user [at] 213
Connecting to 213.217.147.123...
user [at] 213's password:
Read from remote host 213.217.145.321: Connection reset by peer
Couldn't read packet: Connection reset by peer

Here is the error message in /var/log/messages on sftp-server:

Nov 11 11:33:02 sftp-server sshd[10254]: Accepted password for user
from 213.217.145.329 port 38685 ssh2
Nov 11 11:33:02 sftp-server sshd[10256]: fatal: bad ownership or modes
for chroot directory "/home/user"

I get the same result if I change the ownership of the user directory:

[root [at] sftp-serve ~]# chown user.sftp /home/user/
[root [at] sftp-serve ~]# ls -la /home/user/
total 24
drwxrwx--- 6 user sftp 4096 Nov 10 18:05 .
drwxr-xr-x 54 root root 4096 Nov 10 16:48 ..

carlo [at] Musi:~$ sftp user [at] 213
Connecting to 213.217.147.123...
user [at] 213's password:
Read from remote host 213.217.145.321: Connection reset by peer
Couldn't read packet: Connection reset by peer

Nov 11 11:38:11 sftp-server sshd[10267]: Accepted password for user
from 213.217.145.329 port 39285 ssh2
Nov 11 11:38:11 sftp-server sshd[10269]: fatal: bad ownership or modes
for chroot directory "/home/user"

I get the same result if I change the ownership of the user directory this way:

[root [at] sftp-serve ~]# chown user.root /home/user/

What can I do in order to grant user access and allow write
permissions in his home directory?

Thanks


--
Carlo Pradissitto

Servizi e Supporto IT

I-WAY S.r.l.
Piazza Caduti di via Fani, 2
03100 Frosinone

Mobile: +393939318571

Tel/Fax: 07751880765

E-mail: c.pradissitto [at] i-way
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev [at] mindrot
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev


djm at mindrot

Nov 12, 2008, 5:17 AM

Post #2 of 5 (63573 views)
Re: Directory permissions in chroot SFTP [In reply to]

On Tue, 11 Nov 2008, Carlo Pradissitto wrote:

> Hi,
> I configured openssh 5.1p1 for sftp server.
>
> Here the specifications in sshd_config file:
>
> Subsystem sftp internal-sftp
> Match Group sftp
> ForceCommand internal-sftp
> ChrootDirectory /home/%u
> AllowTcpForwarding no
>
> When a user is logged in, he can't upload his document and he receives
> this message:
>
> carlo [at] Musi:~$ sftp user [at] 213
> Connecting to 213.217.147.123...
> user [at] 213's password:
> sftp> put prova
> Uploading prova to /prova
> Couldn't get handle: Permission denied
> sftp>

From the sshd_config manual page:

> ChrootDirectory
> Specifies a path to chroot(2) to after authentication. This path,
> and all its components, must be root-owned directories that are
> not writable by any other user or group.


> Here the directory permissions:
>
> [root [at] sftp-serve ~]# ls -la /home/user/
> total 24
> drwxr-xr-x 6 root sftp 4096 Nov 10 18:05 .
> drwxr-xr-x 54 root root 4096 Nov 10 16:48 ..
>
> OK, my user is a sftp group member, and the sftp group hasn't
> sufficient permissions to write in user's home directory.

Your permissions are correct.

> I add the write permission for the sftp group:
>
> [root [at] sftp-serve ~]# chmod 770 /home/user/
> [root [at] sftp-serve ~]# ls -la /home/user/
> total 24
> drwxrwx--- 6 root sftp 4096 Nov 10 18:05 .
> drwxr-xr-x 54 root root 4096 Nov 10 16:48 ..
>
>
> But now the user can't access:
>
> carlo [at] Musi:~$ sftp user [at] 213
> Connecting to 213.217.147.123...
> user [at] 213's password:
> Read from remote host 213.217.145.321: Connection reset by peer
> Couldn't read packet: Connection reset by peer
>
> Here the error message in /var/log/messages of sftp-server:
>
> Nov 11 11:33:02 sftp-server sshd[10254]: Accepted password for user
> from 213.217.145.329 port 38685 ssh2
> Nov 11 11:33:02 sftp-server sshd[10256]: fatal: bad ownership or modes
> for chroot directory "/home/user"

Right, this is on purpose. We ban this because allowing a user write
access to a chroot target is dangerously similar to equivalence with
allowing write access to the root of a filesystem.

If you want the default directory that users start in to be writable
then you must create their home directory under the chroot. After
sshd(8) has chrooted to the ChrootDirectory, it will chdir to the
home directory as normal. So, for a passwd line like:

djm:*:1000:1000:Damien Miller:/home/djm:/bin/ksh

Create a home directory "/chroot/djm/home/djm". Make the terminal "djm"
directory user-owned and writable (everything else must be root-owned).
Set "ChrootDirectory /chroot" in /etc/config.

A variant of this that yields less deep directory trees would be to set
the passwd file up as:

djm:*:1000:1000:Damien Miller:/upload:/bin/ksh

Create "/chroot/djm/upload", with "upload" the only user-owned and writable
component.

-d


carlopradissitto at gmail

Nov 12, 2008, 5:34 AM

Post #3 of 5 (63577 views)
Re: Directory permissions in chroot SFTP [In reply to]

Hi Damien,
Thanks a lot!

Carlo

2008/11/12 Damien Miller <djm [at] mindrot>

>
>
> On Tue, 11 Nov 2008, Carlo Pradissitto wrote:
>
> > Hi,
> > I configured openssh 5.1p1 for sftp server.
> >
> > Here the specifications in sshd_config file:
> >
> > Subsystem sftp internal-sftp
> > Match Group sftp
> > ForceCommand internal-sftp
> > ChrootDirectory /home/%u
> > AllowTcpForwarding no
> >
> > When a user is logged in, he can't upload his document and he receives
> > this message:
> >
> > carlo [at] Musi:~$ sftp user [at] 213
> > Connecting to 213.217.147.123...
> > user [at] 213's password:
> > sftp> put prova
> > Uploading prova to /prova
> > Couldn't get handle: Permission denied
> > sftp>
>
> From the sshd_config manual page:
>
> > ChrootDirectory
> > Specifies a path to chroot(2) to after authentication. This path,
> > and all its components, must be root-owned directories that are
> > not writable by any other user or group.
>
>
> > Here the directory permissions:
> >
> > [root [at] sftp-serve ~]# ls -la /home/user/
> > total 24
> > drwxr-xr-x 6 root sftp 4096 Nov 10 18:05 .
> > drwxr-xr-x 54 root root 4096 Nov 10 16:48 ..
> >
> > OK, my user is a sftp group member, and the sftp group hasn't
> > sufficient permissions to write in user's home directory.
>
> Your permissions are correct.
>
> > I add the write permission for the sftp group:
> >
> > [root [at] sftp-serve ~]# chmod 770 /home/user/
> > [root [at] sftp-serve ~]# ls -la /home/user/
> > total 24
> > drwxrwx--- 6 root sftp 4096 Nov 10 18:05 .
> > drwxr-xr-x 54 root root 4096 Nov 10 16:48 ..
> >
> >
> > But now the user can't access:
> >
> > carlo [at] Musi:~$ sftp user [at] 213
> > Connecting to 213.217.147.123...
> > user [at] 213's password:
> > Read from remote host 213.217.145.321: Connection reset by peer
> > Couldn't read packet: Connection reset by peer
> >
> > Here the error message in /var/log/messages of sftp-server:
> >
> > Nov 11 11:33:02 sftp-server sshd[10254]: Accepted password for user
> > from 213.217.145.329 port 38685 ssh2
> > Nov 11 11:33:02 sftp-server sshd[10256]: fatal: bad ownership or modes
> > for chroot directory "/home/user"
>
> Right, this is on purpose. We ban this because allowing a user write
> access to a chroot target is dangerously similar to equivalence with
> allowing write access to the root of a filesystem.
>
> If you want the default directory that users start in to be writable
> then you must create their home directory under the chroot. After
> sshd(8) has chrooted to the ChrootDirectory, it will chdir to the
> home directory as normal. So, for a passwd line like:
>
> djm:*:1000:1000:Damien Miller:/home/djm:/bin/ksh
>
> Create a home directory "/chroot/djm/home/djm". Make the terminal "djm"
> directory user-owned and writable (everything else must be root-owned).
> Set "ChrootDirectory /chroot" in /etc/config.
>
> A variant of this that yields less deep directory trees would be to set
> the passwd file up as:
>
> djm:*:1000:1000:Damien Miller:/upload:/bin/ksh
>
> Create "/chroot/djm/upload", with "upload" the only user-owned and writable
> component.
>
> -d
>



--
Carlo Pradissitto

Servizi e Supporto IT

I-WAY S.r.l.
Piazza Caduti di via Fani, 2
03100 Frosinone

Mobile: +393939318571

Tel/Fax: 07751880765

E-mail: c.pradissitto [at] i-way


cmadams at hiwaay

Jan 14, 2010, 3:48 PM

Post #4 of 5 (59207 views)
Re: Directory permissions in chroot SFTP [In reply to]

Once upon a time, Damien Miller <djm [at] mindrot> said:
> On Wed, 13 Jan 2010, Michael Masterson wrote:
> > > Right, this is on purpose. We ban this because allowing a user write
> > > access to a chroot target is dangerously similar to equivalence with
> > > allowing write access to the root of a filesystem.
> >
> > Could you tell me what the *real* dangers of allowing SFTP only users to write
> > to their directories?
>
> https://bugzilla.redhat.com/show_bug.cgi?id=522141

I guess I'm missing something - how does an SFTP-only user run
something?

Is there another way to restrict SFTP to a user's home directory?
--
Chris Adams <cmadams [at] hiwaay>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.


djm at mindrot

Jan 14, 2010, 7:50 PM

Post #5 of 5 (59176 views)
Re: Directory permissions in chroot SFTP [In reply to]

On Thu, 14 Jan 2010, Chris Adams wrote:

> Once upon a time, Damien Miller <djm [at] mindrot> said:
> > On Wed, 13 Jan 2010, Michael Masterson wrote:
> > > > Right, this is on purpose. We ban this because allowing a user write
> > > > access to a chroot target is dangerously similar to equivalence with
> > > > allowing write access to the root of a filesystem.
> > >
> > > Could you tell me what the *real* dangers of allowing SFTP only users to write
> > > to their directories?
> >
> > https://bugzilla.redhat.com/show_bug.cgi?id=522141
>
> I guess I'm missing something - how does an SFTP-only user run
> something?

Server misconfiguration, bugs in sshd's unprivileged code, bugs in
sftp-server.

> Is there another way to restrict SFTP to a user's home directory?

No, and I don't think one is necessary. If having to create a
subdirectory (which users can automatically be cd'd to on sftp login) is
so onerous then feel free to reintroduce CVE-2009-2904 by removing the
checks in session.c:safely_chroot().

-d


