Mailing List Archive: OpenSSH: Dev

Is there any method, with ChrootDirectory and internal-sftp, to automatically cd to a subdir on login?

Index | Next | Previous | View Threaded

whit at transpect

May 10, 2012, 4:10 PM

Post #1 of 9 (790 views)
Permalink

Is there any method, with ChrootDirectory and internal-sftp, to automatically cd to a subdir on login?

Hi,

This is either a query or a feature request. I have a system where sftp
users are chrooted using scponly, which while requiring much more setup than
OpenSSH's internal-sftp method, has the useful feature of allowing an
initial chroot to a subdirectory, typically the one used for file exchange.
I've searched for a way to do the same thing with OpenSSH. So far haven't
found it.

If there is a way, then I can transparently substitute it. Otherwise users
would have to do the cd themselves. That's not trivial in my case since a
number of the users run scripts which assume that they'll simply drop in
their correct directory on login.

Thanks for any advice, or consideration of this as a future feature if
there's no present method to achieve it.

Whit

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev [at] mindrot
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

peter at stuge

May 10, 2012, 4:34 PM

Post #2 of 9 (778 views)
Permalink

Re: Is there any method, with ChrootDirectory and internal-sftp, to automatically cd to a subdir on login? [In reply to]

Whit Blauvelt wrote:
> Thanks for any advice

Quoting sshd_config(8):

ChrootDirectory
Specifies the pathname of a directory to chroot(2) to after
authentication. All components of the pathname must be root-
owned directories that are not writable by any other user or
group. After the chroot, sshd(8) changes the working directory
to the user's home directory.

So set the home directory to what you want them to land in, relative
the ChrootDirectory root.

//Peter
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev [at] mindrot
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

whit at transpect

May 16, 2012, 11:25 AM

Post #3 of 9 (761 views)
Permalink

Re: Is there any method, with ChrootDirectory and internal-sftp, to automatically cd to a subdir on login? [In reply to]

Peter,

Thanks, but as I understand it that's not an applicable answer in my
circumstance. I need each user to have a unique root directory rather than
have users share one.

If the ChrootDirectory were /home and the users were /home/user1 and
/home/user2 what you suggest would work. But in my case the ChrootDirectory
is %h and the place the users need to end up is %h/files.

This is trivial to do with scponly. Just set the home directory in
/etc/passwd to be /home/user1//files so the chroot is /home/user1 and the cd
is to /home/user1/files. What I'd like is that same functionality using
OpenSSH's internal sftp server.

I need to chroot my users separately rather than to a common chroot because
the users and their files need to be totally invisible to each other, no
matter what.

Best,
Whit

On Fri, May 11, 2012 at 01:34:40AM +0200, Peter Stuge wrote:
> Whit Blauvelt wrote:
> > Thanks for any advice
>
> Quoting sshd_config(8):
>
> ChrootDirectory
> Specifies the pathname of a directory to chroot(2) to after
> authentication. All components of the pathname must be root-
> owned directories that are not writable by any other user or
> group. After the chroot, sshd(8) changes the working directory
> to the user's home directory.
>
> So set the home directory to what you want them to land in, relative
> the ChrootDirectory root.
>
>
> //Peter
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev [at] mindrot
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev [at] mindrot
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

peter at stuge

May 16, 2012, 12:43 PM

Post #4 of 9 (758 views)
Permalink

Re: Is there any method, with ChrootDirectory and internal-sftp, to automatically cd to a subdir on login? [In reply to]

Whit Blauvelt wrote:
> as I understand it that's not an applicable answer in my
> circumstance. I need each user to have a unique root directory

You can chroot into whatever directory you want, and as the man page
I quoted clearly says there will be a chdir performed after that
chroot, to the directory that has been configured as the home
directory for the user, and naturally that configuration must take
into account the chroot.

> in my case the ChrootDirectory is %h and the place the users need
> to end up is %h/files.

You can obviously not use the home directory to identify the chroot
if you want to use it for chdiring. You can probably quite easily
configure the correct path for chrooting without using the home
directory, and instead set the home directory to /files for the
relevant users to get exactly what you want.

> This is trivial to do with scponly. Just set the home directory in
> /etc/passwd to be /home/user1//files

Sorry, but that is a mindbogglingly bad idea. It is overloading a
case where there is already absolutely well-defined behavior. Of
course it may work, but it may also fail completely in the face of
less typical circumstances. It's neither smart nor elegant to try to
create some conflicting standard where there is already one.

> What I'd like is that same functionality using OpenSSH's internal
> sftp server.

It's documented how you can get the same result and I not only quoted
you the docs but even wrote a quick summary of how it would work.

Try it out! I think it will work fine.

//Peter
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev [at] mindrot
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

keisial at gmail

May 16, 2012, 2:13 PM

Post #5 of 9 (759 views)
Permalink

Re: Is there any method, with ChrootDirectory and internal-sftp, to automatically cd to a subdir on login? [In reply to]

Peter Stuge wrote:
> Whit Blauvelt wrote:
>> in my case the ChrootDirectory is %h and the place the users need
>> to end up is %h/files.
> You can obviously not use the home directory to identify the chroot
> if you want to use it for chdiring. You can probably quite easily
> configure the correct path for chrooting without using the home
> directory, and instead set the home directory to /files for the
> relevant users to get exactly what you want.
>
>
>> This is trivial to do with scponly. Just set the home directory in
>> /etc/passwd to be /home/user1//files
> Sorry, but that is a mindbogglingly bad idea. It is overloading a
> case where there is already absolutely well-defined behavior. Of
> course it may work, but it may also fail completely in the face of
> less typical circumstances. It's neither smart nor elegant to try to
> create some conflicting standard where there is already one.
If the user folder is /home/username, just change the

ChrootDirectory to /home/%u, and then make their home /home/user1/files

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev [at] mindrot
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

peter at stuge

May 16, 2012, 2:27 PM

Post #6 of 9 (755 views)
Permalink

Re: Is there any method, with ChrootDirectory and internal-sftp, to automatically cd to a subdir on login? [In reply to]

Ángel González wrote:
> Peter Stuge wrote:
> > set the home directory to /files for the relevant users
>
> If the user folder is /home/username, just change the
> ChrootDirectory to /home/%u, and then make their home
> /home/user1/files

As I wrote, the home directory should be /files in that case.

//Peter
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev [at] mindrot
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

keisial at gmail

May 16, 2012, 3:29 PM

Post #7 of 9 (760 views)
Permalink

Re: Is there any method, with ChrootDirectory and internal-sftp, to automatically cd to a subdir on login? [In reply to]

On 16/05/12 23:27, Peter Stuge wrote:
> Ángel González wrote:
>> Peter Stuge wrote:
>>> set the home directory to /files for the relevant users
>> If the user folder is /home/username, just change the
>> ChrootDirectory to /home/%u, and then make their home
>> /home/user1/files
> As I wrote, the home directory should be /files in that case.
>
>
> //Peter
Right. Sorry for the confusion. Their home directory should be /files,
which would map to /home/user1/files, but you set it to /files

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev [at] mindrot
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

whit at transpect

May 17, 2012, 10:08 AM

Post #8 of 9 (751 views)
Permalink

Re: Is there any method, with ChrootDirectory and internal-sftp, to automatically cd to a subdir on login? [In reply to]

On Thu, May 17, 2012 at 12:29:26AM +0200, �ngel Gonz�lez wrote:
> On 16/05/12 23:27, Peter Stuge wrote:
> > �ngel Gonz�lez wrote:
> >> Peter Stuge wrote:
> >>> set the home directory to /files for the relevant users
> >> If the user folder is /home/username, just change the
> >> ChrootDirectory to /home/%u, and then make their home
> >> /home/user1/files
> > As I wrote, the home directory should be /files in that case.
...
> Right. Sorry for the confusion. Their home directory should be /files,
> which would map to /home/user1/files, but you set it to /files

Thanks for the clarifying advice. I hadn't realized that the home directory
cd'd to is relative to the chroot.

I still can't see how to get this to suffice in my setup though. For one
thing it's not a single directory branch. There are users at

/path/one/userXdir and
/path/two/userYdir

Also

userXdir != userid

so /home/%u does not capture the layout. I need some way to work from the
home dir as given in /etc/passwd, so that it would chroot to that and then
cd to

/path/one/userXdir/files

The problem with the OpenSSH approach described so far is that there's no
apparent way to specify the chrootdir for systems with more complicated
layouts than can be expressed in a formula like /home/%u. Or can it?

Whatever the weakness of scponly's design, the specification of a home dir
takes the form of

/path/one/userXdir//files

resulting in a chroot to /path/one/userXdir/ and a cd to /files. So it
handles a situation where there's both a /path/one and a /path/two fine, and
where the userXdir != uid. It would still be good to find a way to get
equivalent functionality using the OpenSSH internal sftp without scponly,
but from my clearer understanding now, it looks like there's no way.

Thanks again,
Whit
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev [at] mindrot
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

peter at stuge

May 17, 2012, 10:26 AM

Post #9 of 9 (750 views)
Permalink

Re: Is there any method, with ChrootDirectory and internal-sftp, to automatically cd to a subdir on login? [In reply to]

Whit Blauvelt wrote:
> It would still be good to find a way to get equivalent
> functionality using the OpenSSH internal sftp without scponly,
> but from my clearer understanding now, it looks like there's no
> way.

Suggest something with a patch?

//Peter
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev [at] mindrot
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

Index | Next | Previous | View Threaded

Interested in having your list archived? Contact Gossamer Threads