Mailing List Archive: OpenSSH: Dev

While using internal sftp server, need to access files outside chroot

Index | Next | Previous | View Threaded

rudupa at easylink

Jun 7, 2012, 9:40 AM

Post #1 of 16 (857 views)
Permalink

While using internal sftp server, need to access files outside chroot

Hi,

I need to make a custom code change in sftp-server module to copy the received file outside the chroot-setup. I am trying to chroot repeatedly to get physical root directory and the copy received file to a directory outside chrooted directory.

The children processes are owned by the sftp-user and so, sftp child process does not have permission to escape out of chroot.

Is there a simple way where I can spawn child processes for sftp so that these processes are owned by root.

I tried to change user to root, but user root is not defined in chroot environment and so, setting setuid and becoming root to chroot is not an option.

Thanks,
Raghu
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev [at] mindrot
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

keisial at gmail

Jun 7, 2012, 9:58 AM

Post #2 of 16 (820 views)
Permalink

Re: While using internal sftp server, need to access files outside chroot [In reply to]

On 07/06/12 18:40, Raghu Udupa wrote:
> Hi,
>
> I need to make a custom code change in sftp-server module to copy the received file outside the chroot-setup. I am trying to chroot repeatedly to get physical root directory and the copy received file to a directory outside chrooted directory.
>
> The children processes are owned by the sftp-user and so, sftp child process does not have permission to escape out of chroot.
Heh, that's precisely the point of placing it in a chroot.

> Is there a simple way where I can spawn child processes for sftp so that these processes are owned by root.
>
> I tried to change user to root, but user root is not defined in chroot environment and so, setting setuid and becoming root to chroot is not an option.
>
> Thanks,
> Raghu
It doesn't matter. You can make a binary setuid from outside the chroot.
When you run it from the inside, it will become root, even if there's no
"user named root" inside. You can then use the classical technique to
exit a chroot(), and copy the file you wanted, *being very careful*, as
that script will be a weak point in your security (you don't want to
allow it to copy files anywhere, or to overwrite configuration files,
for instance).

Some reasons this might not work include that the mount doesn't allow
setuid, and that your kernel is security-enhanced to avoid chroot-escaping.

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev [at] mindrot
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

rudupa at easylink

Jun 7, 2012, 1:47 PM

Post #3 of 16 (826 views)
Permalink

RE: While using internal sftp server, need to access files outside chroot [In reply to]

Angel,

When you say "You can make a binary setuid from outside the chroot" do you mean making my custom sshd (with patches required for sftp) to have setuid flag set?

If I turn on setuid bit, sshd does not run properly.
Could you give me some more detail regarding providing access out of chroot in ssh-sftp (internal sftp) environment?

Thanks,
Raghu

-----Original Message-----
From: Ángel González [mailto:keisial [at] gmail]
Sent: Thursday, June 07, 2012 12:58 PM
To: Raghu Udupa
Cc: 'openssh-unix-dev [at] mindrot'
Subject: Re: While using internal sftp server, need to access files outside chroot

On 07/06/12 18:40, Raghu Udupa wrote:
> Hi,
>
> I need to make a custom code change in sftp-server module to copy the received file outside the chroot-setup. I am trying to chroot repeatedly to get physical root directory and the copy received file to a directory outside chrooted directory.
>
> The children processes are owned by the sftp-user and so, sftp child process does not have permission to escape out of chroot.
Heh, that's precisely the point of placing it in a chroot.

> Is there a simple way where I can spawn child processes for sftp so that these processes are owned by root.
>
> I tried to change user to root, but user root is not defined in chroot environment and so, setting setuid and becoming root to chroot is not an option.
>
> Thanks,
> Raghu
It doesn't matter. You can make a binary setuid from outside the chroot.
When you run it from the inside, it will become root, even if there's no
"user named root" inside. You can then use the classical technique to
exit a chroot(), and copy the file you wanted, *being very careful*, as
that script will be a weak point in your security (you don't want to
allow it to copy files anywhere, or to overwrite configuration files,
for instance).

Some reasons this might not work include that the mount doesn't allow
setuid, and that your kernel is security-enhanced to avoid chroot-escaping.

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev [at] mindrot
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

keisial at gmail

Jun 7, 2012, 2:02 PM

Post #4 of 16 (817 views)
Permalink

Re: While using internal sftp server, need to access files outside chroot [In reply to]

On 07/06/12 22:47, Raghu Udupa wrote:
> Angel,
>
> When you say "You can make a binary setuid from outside the chroot" do you mean making my custom sshd (with patches required for sftp) to have setuid flag set?
>
> If I turn on setuid bit, sshd does not run properly.
> Could you give me some more detail regarding providing access out of chroot in ssh-sftp (internal sftp) environment?
>
> Thanks,
> Raghu
No. I was thinking on another program which lived inside the chroot and
was called to copy files outside.

I begin to wonder why you need to do so, though. Why do you chroot to a
folder if you then need to move the files anywhere else? What's your use
case?
If it's a simple drop box, you could use a unchrooted process watching
the folder and moving out new files.

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev [at] mindrot
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

rudupa at easylink

Jun 7, 2012, 2:14 PM

Post #5 of 16 (827 views)
Permalink

RE: While using internal sftp server, need to access files outside chroot [In reply to]

Angel,

I need to provide a set of users only SFTP access. But files these users put need to be copied to a generic queue directory.

Your first solution of having a custom script to copy the file to generic queue dir would work.

Can you think of a better way to move files given my requirements?

Thanks,
Raghu

-----Original Message-----
From: Ángel González [mailto:keisial [at] gmail]
Sent: Thursday, June 07, 2012 5:03 PM
To: Raghu Udupa
Cc: 'openssh-unix-dev [at] mindrot'
Subject: Re: While using internal sftp server, need to access files outside chroot

On 07/06/12 22:47, Raghu Udupa wrote:
> Angel,
>
> When you say "You can make a binary setuid from outside the chroot" do you mean making my custom sshd (with patches required for sftp) to have setuid flag set?
>
> If I turn on setuid bit, sshd does not run properly.
> Could you give me some more detail regarding providing access out of chroot in ssh-sftp (internal sftp) environment?
>
> Thanks,
> Raghu
No. I was thinking on another program which lived inside the chroot and
was called to copy files outside.

I begin to wonder why you need to do so, though. Why do you chroot to a
folder if you then need to move the files anywhere else? What's your use
case?
If it's a simple drop box, you could use a unchrooted process watching
the folder and moving out new files.

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev [at] mindrot
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

keisial at gmail

Jun 7, 2012, 2:56 PM

Post #6 of 16 (823 views)
Permalink

Re: While using internal sftp server, need to access files outside chroot [In reply to]

On 07/06/12 23:14, Raghu Udupa wrote:
> Angel,
>
> I need to provide a set of users only SFTP access. But files these users put need to be copied to a generic queue directory.
Why? Can they be chrooted to that queue directory?

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev [at] mindrot
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

rudupa at easylink

Jun 7, 2012, 3:06 PM

Post #7 of 16 (826 views)
Permalink

RE: While using internal sftp server, need to access files outside chroot [In reply to]

Angel,

I do not think I can chroot to that dir( basically it is a queue directory that contains all incoming files from various users queued for subsequent processing). After thinking a little bit more, have a perl daemon to monitor inboxes and move it the common queue dir is the best solution(your 2nd idea). This requires minimal customization on ssh-side and is very clean....

Thanks,
Raghu

-----Original Message-----
From: Ángel González [mailto:keisial [at] gmail]
Sent: Thursday, June 07, 2012 5:57 PM
To: Raghu Udupa
Cc: 'openssh-unix-dev [at] mindrot'
Subject: Re: While using internal sftp server, need to access files outside chroot

On 07/06/12 23:14, Raghu Udupa wrote:
> Angel,
>
> I need to provide a set of users only SFTP access. But files these users put need to be copied to a generic queue directory.
Why? Can they be chrooted to that queue directory?

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev [at] mindrot
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

mouring at eviladmin

Jun 7, 2012, 3:15 PM

Post #8 of 16 (821 views)
Permalink

Re: While using internal sftp server, need to access files outside chroot [In reply to]

The major edge case you need to worry about is the perl deamon moving/copying before sftp is done. A move to the same partition isn't a problem as sftp still has the file descriptor, but a copy or a move to another partition will result in corrupted data.

The easiest solution if clients are disconnected more often than connected is to skip all active inboxes with sftp sessions associated with them.

- Ben

On Jun 7, 2012, at 5:06 PM, Raghu Udupa wrote:

> Angel,
>
> I do not think I can chroot to that dir( basically it is a queue directory that contains all incoming files from various users queued for subsequent processing). After thinking a little bit more, have a perl daemon to monitor inboxes and move it the common queue dir is the best solution(your 2nd idea). This requires minimal customization on ssh-side and is very clean....
>
> Thanks,
> Raghu
>
> -----Original Message-----
> From: Ángel González [mailto:keisial [at] gmail]
> Sent: Thursday, June 07, 2012 5:57 PM
> To: Raghu Udupa
> Cc: 'openssh-unix-dev [at] mindrot'
> Subject: Re: While using internal sftp server, need to access files outside chroot
>
> On 07/06/12 23:14, Raghu Udupa wrote:
>> Angel,
>>
>> I need to provide a set of users only SFTP access. But files these users put need to be copied to a generic queue directory.
> Why? Can they be chrooted to that queue directory?
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev [at] mindrot
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev [at] mindrot
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

carson at taltos

Jun 7, 2012, 3:56 PM

Post #9 of 16 (824 views)
Permalink

Re: While using internal sftp server, need to access files outside chroot [In reply to]

On 6/7/12 3:15 PM, Ben Lindstrom wrote:
>
> The major edge case you need to worry about is the perl deamon
> moving/copying before sftp is done. A move to the same partition
> isn't a problem as sftp still has the file descriptor, but a copy or
> a move to another partition will result in corrupted data.
>
> The easiest solution if clients are disconnected more often than
> connected is to skip all active inboxes with sftp sessions associated
> with them.

IFF you can control client behaviour, one standard work-around is to use
an atomic transaction to indicate the file is ready for processing. The
2 most common are rename and chmod. So either:

- upload file as foo.inprogress
- rename after complete to foo.alldone
- process all *.alldone files

or

- upload file as foo, umasking so it's not executable by default
- chmod u+x foo
- process all executable files
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev [at] mindrot
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

nkadel at gmail

Jun 7, 2012, 4:47 PM

Post #10 of 16 (819 views)
Permalink

Re: While using internal sftp server, need to access files outside chroot [In reply to]

On Thu, Jun 7, 2012 at 5:14 PM, Raghu Udupa <rudupa [at] easylink> wrote:

> Angel,
>
> I need to provide a set of users only SFTP access. But files these users
> put need to be copied to a generic queue directory.
>
> Your first solution of having a custom script to copy the file to generic
> queue dir would work.
>
> Can you think of a better way to move files given my requirements?
>
> Thanks,
> Raghu
>
>
If the propagation doesn't have to be instantaneous, "rsync" between the
source and target locations run from a cron job should work quite well.
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev [at] mindrot
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

rudupa at easylink

Jun 7, 2012, 7:54 PM

Post #11 of 16 (821 views)
Permalink

RE: While using internal sftp server, need to access files outside chroot [In reply to]

Thanks all.

After a complete file is received, I will be moving file from say, inbox directory to received directory. Only files in received directory are going to be picked up and after successful copy, removed.

Regards,
Raghu
________________________________
From: Nico Kadel-Garcia [nkadel [at] gmail]
Sent: Thursday, June 07, 2012 7:47 PM
To: Raghu Udupa
Cc: Ángel González; openssh-unix-dev [at] mindrot
Subject: Re: While using internal sftp server, need to access files outside chroot

On Thu, Jun 7, 2012 at 5:14 PM, Raghu Udupa <rudupa [at] easylink<mailto:rudupa [at] easylink>> wrote:
Angel,

I need to provide a set of users only SFTP access. But files these users put need to be copied to a generic queue directory.

Your first solution of having a custom script to copy the file to generic queue dir would work.

Can you think of a better way to move files given my requirements?

Thanks,
Raghu

If the propagation doesn't have to be instantaneous, "rsync" between the source and target locations run from a cron job should work quite well.
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev [at] mindrot
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

keisial at gmail

Jun 8, 2012, 7:24 AM

Post #12 of 16 (830 views)
Permalink

Re: While using internal sftp server, need to access files outside chroot [In reply to]

On 08/06/12 00:15, Ben Lindstrom wrote:
> The major edge case you need to worry about is the perl deamon moving/copying before sftp is done. A move to the same partition isn't a problem as sftp still has the file descriptor, but a copy or a move to another partition will result in corrupted data.
>
> The easiest solution if clients are disconnected more often than connected is to skip all active inboxes with sftp sessions associated with them.
>
> - Ben
It also depends on how you watch the directory. Some mechanisms, like
inotfy, allow you to perform the action when the file has been closed by
the writing process.

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev [at] mindrot
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

john.m.olsson at ericsson

Jun 18, 2012, 2:40 AM

Post #13 of 16 (777 views)
Permalink

RE: While using internal sftp server, need to access files outside chroot [In reply to]

> A move to the same partition isn't a problem as sftp still has the file
> descriptor, but a copy or a move to another partition will result in
> corrupted data.

What do you think of having the SFTP server temporarily rename the transfered file with a ".tmp" extension which is removed when transfer is completed? Then another application knows when a file has been transfered completely. Or is this an excercise best left to the client to do?

/John
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev [at] mindrot
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

peter at stuge

Jun 18, 2012, 3:19 AM

Post #14 of 16 (780 views)
Permalink

Re: While using internal sftp server, need to access files outside chroot [In reply to]

John Olsson M wrote:
> What do you think of having the SFTP server temporarily rename the
> transfered file with a ".tmp" extension which is removed when
> transfer is completed?

What happens when I upload a file called foo.tmp ?

Even using inotify to know when a file gets closed does not tell the
full story - it is still unknown if the file was closed because the
SFTP upload finished successfully, or because it was aborted by the
client, or due to network error, or some other problem. :(

A reliable solution indeed requires sftp-server to take action in
order to signal successful vs. failed upload completion. I'd like
to use POSIX Message Queues for this, but they aren't widely
supported. :( It would work a treat on Linux however!

Please just verify your input and dismiss anything corrupt. This is
fundamental for any programming. Do it and you will be happier.

//Peter
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev [at] mindrot
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

djm at mindrot

Jun 21, 2012, 9:37 PM

Post #15 of 16 (753 views)
Permalink

RE: While using internal sftp server, need to access files outside chroot [In reply to]

On Mon, 18 Jun 2012, John Olsson M wrote:

> > A move to the same partition isn't a problem as sftp still has the
> > file descriptor, but a copy or a move to another partition will
> > result in corrupted data.
>
> What do you think of having the SFTP server temporarily rename the
> transfered file with a ".tmp" extension which is removed when transfer
> is completed? Then another application knows when a file has been
> transfered completely. Or is this an excercise best left to the client
> to do?

A few people have asked to be able to upload files under a temporary
name and rename them into place once the upload successfully completes.
This can be implemented pretty easily and purely in the client.

I'm pretty backlogged at the moment, but writing this (as a "put" flag)
would be an easy afternoon project for someone interested.

-d
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev [at] mindrot
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

sfandino at yahoo

Jul 19, 2012, 3:39 AM

Post #16 of 16 (667 views)
Permalink

Re: While using internal sftp server, need to access files outside chroot [In reply to]

On 06/08/2012 12:06 AM, Raghu Udupa wrote:
> Angel,
>
> I do not think I can chroot to that dir( basically it is a queue directory that contains all incoming files from various users queued for subsequent processing). After thinking a little bit more, have a perl daemon to monitor inboxes and move it the common queue dir is the best solution(your 2nd idea). This requires minimal customization on ssh-side and is very clean....
>

If you are going to use Perl, then consider using the Net::SFTP::Server
module from CPAN. It implements an SFTP server in Perl and can be easily
extended to perform some action after every put action.

See also
https://github.com/salva/p5-Net-SFTP-Server/blob/master/examples/sftp-server-rename-after-put.pl
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev [at] mindrot
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

Index | Next | Previous | View Threaded

Interested in having your list archived? Contact Gossamer Threads