Comments on: openssh 5.1 chrootdirectory permissions issue http://www.tenshu.net/archives/2008/10/09/openssh-51-chrootdirectory-permissions-issue/ Pondering the mystery... Sat, 06 Mar 2010 14:00:58 +0000 http://wordpress.org/?v=2.9.1 hourly 1 By: roborative http://www.tenshu.net/archives/2008/10/09/openssh-51-chrootdirectory-permissions-issue/comment-page-1/#comment-667 roborative Thu, 07 Jan 2010 02:30:24 +0000 http://www.tenshu.net/?p=236#comment-667 My last message didn't turn out quite right (dang angle brackets!). Please substitute /home/username where you see /home/. My last message didn’t turn out quite right (dang angle brackets!). Please substitute /home/username where you see /home/.

]]> By: roborative http://www.tenshu.net/archives/2008/10/09/openssh-51-chrootdirectory-permissions-issue/comment-page-1/#comment-666 roborative Thu, 07 Jan 2010 02:28:36 +0000 http://www.tenshu.net/?p=236#comment-666 I found this page helpful but here are a couple of things that I came across elsewhere that might prove useful. You can set the ChrootDirectory to a static value (such as /var/chroot -- that is, no %h or %u values) and then set the user's home directory to the standard home path (ie, /home/), create a home directory under the ChrootDirectory (eg, /var/chroot/home/), chown the directory to that user (ie, it doesn't have to belong to root), and the user will be placed in that directory. Also, if you use this approach and want to support key-based auth then create a symbolic link in /home to the user's chroot directory (eg, /home/ -> /var/chroot/home/) so that the key will be found on login. I found this page helpful but here are a couple of things that I came across elsewhere that might prove useful.

You can set the ChrootDirectory to a static value (such as /var/chroot — that is, no %h or %u values) and then set the user’s home directory to the standard home path (ie, /home/), create a home directory under the ChrootDirectory (eg, /var/chroot/home/), chown the directory to that user (ie, it doesn’t have to belong to root), and the user will be placed in that directory.

Also, if you use this approach and want to support key-based auth then create a symbolic link in /home to the user’s chroot directory (eg, /home/ -> /var/chroot/home/) so that the key will be found on login.

]]> By: Bockerl http://www.tenshu.net/archives/2008/10/09/openssh-51-chrootdirectory-permissions-issue/comment-page-1/#comment-602 Bockerl Thu, 17 Dec 2009 18:27:45 +0000 http://www.tenshu.net/?p=236#comment-602 Thank you ... this has me very helped. Thank you … this has me very helped.

]]> By: Iancho http://www.tenshu.net/archives/2008/10/09/openssh-51-chrootdirectory-permissions-issue/comment-page-1/#comment-502 Iancho Thu, 05 Nov 2009 13:42:36 +0000 http://www.tenshu.net/?p=236#comment-502 Thanks for the tip. Thanks for the tip.

]]> By: ganymede http://www.tenshu.net/archives/2008/10/09/openssh-51-chrootdirectory-permissions-issue/comment-page-1/#comment-58 ganymede Tue, 02 Dec 2008 22:31:39 +0000 http://www.tenshu.net/?p=236#comment-58 Thanks, the only guide that actually explained what I needed to do to fix the problem. Thanks, the only guide that actually explained what I needed to do to fix the problem.

]]> By: T0aD http://www.tenshu.net/archives/2008/10/09/openssh-51-chrootdirectory-permissions-issue/comment-page-1/#comment-57 T0aD Tue, 25 Nov 2008 14:03:41 +0000 http://www.tenshu.net/?p=236#comment-57 You may also have searched on Google for what to do about it and come away with very little useful information. Next time try to read the manpage sshd_config(5) " ChrootDirectory Specifies a path to chroot(2) to after authentication. This path, and all its components, must be root-owned directories that are not writable by any other user or group. " You may also have searched on Google for what to do about it and come away with very little useful information.

Next time try to read the manpage sshd_config(5)

” ChrootDirectory
Specifies a path to chroot(2) to after authentication. This
path, and all its components, must be root-owned directories that
are not writable by any other user or group.

]]> By: cmsj http://www.tenshu.net/archives/2008/10/09/openssh-51-chrootdirectory-permissions-issue/comment-page-1/#comment-55 cmsj Mon, 17 Nov 2008 13:24:37 +0000 http://www.tenshu.net/?p=236#comment-55 Geophphrie: I'd use the #ifdef section to set a variable to contain the uid and then use one bit of code to check it, rather than duplicate the whole section. Also I think you should file a bug about this, assuming that upstream care about windows. Geophphrie: I’d use the #ifdef section to set a variable to contain the uid and then use one bit of code to check it, rather than duplicate the whole section.
Also I think you should file a bug about this, assuming that upstream care about windows.

]]> By: Geophphrie http://www.tenshu.net/archives/2008/10/09/openssh-51-chrootdirectory-permissions-issue/comment-page-1/#comment-54 Geophphrie Tue, 11 Nov 2008 17:39:45 +0000 http://www.tenshu.net/?p=236#comment-54 Thanks for posting this. Since you found the code section, I was able to easily identify and fix the problem using this feature under Cygwin: that the "root" (Administrators) user is uid 544, not 0. I had to compile OpenSSH, of course, but that was worthwhile given that there's really not another reasonable solution for sftp on Windows that doesn't cost $500+ (and also wouldn't integrate into the existing ssh install). Note that I also adjusted the mode check NOT to check the actual chroot dir; it still checks the dirs leading up to it and requires root ownership still. I have no idea what the security implications of this change are, but it is sufficient for my purposes. #ifdef HAVE_CYGWIN if (st.st_uid != 544 || (cp != NULL && (st.st_mode & 022) != 0)) fatal("bad ownership or modes for chroot " "directory %s\"%s\"", cp == NULL ? "" : "component ", component); #endif #ifndef HAVE_CYGWIN if (st.st_uid != 0 || (st.st_mode & 022) != 0) fatal("bad ownership or modes for chroot " "directory %s\"%s\"", cp == NULL ? "" : "component ", component); #endif Thanks for posting this. Since you found the code section, I was able to easily identify and fix the problem using this feature under Cygwin: that the “root” (Administrators) user is uid 544, not 0. I had to compile OpenSSH, of course, but that was worthwhile given that there’s really not another reasonable solution for sftp on Windows that doesn’t cost $500+ (and also wouldn’t integrate into the existing ssh install).

Note that I also adjusted the mode check NOT to check the actual chroot dir; it still checks the dirs leading up to it and requires root ownership still. I have no idea what the security implications of this change are, but it is sufficient for my purposes.

#ifdef HAVE_CYGWIN
if (st.st_uid != 544 || (cp != NULL && (st.st_mode & 022) != 0))
fatal(“bad ownership or modes for chroot ”
“directory %s\”%s\”",
cp == NULL ? “” : “component “, component);
#endif
#ifndef HAVE_CYGWIN
if (st.st_uid != 0 || (st.st_mode & 022) != 0)
fatal(“bad ownership or modes for chroot ”
“directory %s\”%s\”",
cp == NULL ? “” : “component “, component);
#endif

]]> By: Andrew http://www.tenshu.net/archives/2008/10/09/openssh-51-chrootdirectory-permissions-issue/comment-page-1/#comment-53 Andrew Mon, 10 Nov 2008 15:38:11 +0000 http://www.tenshu.net/?p=236#comment-53 Wow... thanks for the hint -- appreciate you taking the time to dig for the answer. :-) Wow… thanks for the hint — appreciate you taking the time to dig for the answer. :-)

]]> By: Webagentur http://www.tenshu.net/archives/2008/10/09/openssh-51-chrootdirectory-permissions-issue/comment-page-1/#comment-52 Webagentur Wed, 05 Nov 2008 15:30:21 +0000 http://www.tenshu.net/?p=236#comment-52 What is that for a tutorial? What is that for a tutorial?

]]> By: cmsj http://www.tenshu.net/archives/2008/10/09/openssh-51-chrootdirectory-permissions-issue/comment-page-1/#comment-51 cmsj Thu, 30 Oct 2008 20:32:49 +0000 http://www.tenshu.net/?p=236#comment-51 Marko: you can't do that with the current code. Move your 777 directory inside root:root 644 directory and chroot into that one. Marko: you can’t do that with the current code. Move your 777 directory inside root:root 644 directory and chroot into that one.

]]> By: Marko http://www.tenshu.net/archives/2008/10/09/openssh-51-chrootdirectory-permissions-issue/comment-page-1/#comment-50 Marko Wed, 22 Oct 2008 19:17:26 +0000 http://www.tenshu.net/?p=236#comment-50 Hey, but what if I want to have permissions ChrootDirectory set to e.g. 777? The manual suggests I set "StrictModes" to "no", but that didn't work - I still get the same error (bad ownership...) Thanks, Marko Hey,

but what if I want to have permissions ChrootDirectory set to e.g. 777? The manual suggests I set “StrictModes” to “no”, but that didn’t work – I still get the same error (bad ownership…)

Thanks,

Marko

]]> By: cmsj http://www.tenshu.net/archives/2008/10/09/openssh-51-chrootdirectory-permissions-issue/comment-page-1/#comment-49 cmsj Mon, 13 Oct 2008 13:10:56 +0000 http://www.tenshu.net/?p=236#comment-49 Yeah, Minstrel's information about this is very useful, I recommend reading that stuff :) Yeah, Minstrel’s information about this is very useful, I recommend reading that stuff :)

]]> By: Minstrel http://www.tenshu.net/archives/2008/10/09/openssh-51-chrootdirectory-permissions-issue/comment-page-1/#comment-48 Minstrel Fri, 10 Oct 2008 04:39:19 +0000 http://www.tenshu.net/?p=236#comment-48 Good to see solutions being published to this kind of problem - there are a few others on my Web page at: http://www.minstrel.org.uk/papers/sftp/ I hope this helps as well. -- Minstrel Good to see solutions being published to this kind of problem – there are a few others on my Web page at:

http://www.minstrel.org.uk/papers/sftp/

I hope this helps as well.


Minstrel

]]>