Comments on: openssh 5.1 chrootdirectory permissions issue http://www.tenshu.net/archives/2008/10/09/openssh-51-chrootdirectory-permissions-issue/ Pondering the mystery... Wed, 07 Jan 2009 11:22:51 +0000 http://wordpress.org/?v=2.6.2 By: ganymede http://www.tenshu.net/archives/2008/10/09/openssh-51-chrootdirectory-permissions-issue/#comment-58 ganymede Tue, 02 Dec 2008 22:31:39 +0000 http://www.tenshu.net/?p=236#comment-58 Thanks, the only guide that actually explained what I needed to do to fix the problem. Thanks, the only guide that actually explained what I needed to do to fix the problem.

]]> By: T0aD http://www.tenshu.net/archives/2008/10/09/openssh-51-chrootdirectory-permissions-issue/#comment-57 T0aD Tue, 25 Nov 2008 14:03:41 +0000 http://www.tenshu.net/?p=236#comment-57 You may also have searched on Google for what to do about it and come away with very little useful information. Next time try to read the manpage sshd_config(5) " ChrootDirectory Specifies a path to chroot(2) to after authentication. This path, and all its components, must be root-owned directories that are not writable by any other user or group. " You may also have searched on Google for what to do about it and come away with very little useful information.

Next time try to read the manpage sshd_config(5)

” ChrootDirectory
Specifies a path to chroot(2) to after authentication. This
path, and all its components, must be root-owned directories that
are not writable by any other user or group.

]]> By: cmsj http://www.tenshu.net/archives/2008/10/09/openssh-51-chrootdirectory-permissions-issue/#comment-55 cmsj Mon, 17 Nov 2008 13:24:37 +0000 http://www.tenshu.net/?p=236#comment-55 Geophphrie: I'd use the #ifdef section to set a variable to contain the uid and then use one bit of code to check it, rather than duplicate the whole section. Also I think you should file a bug about this, assuming that upstream care about windows. Geophphrie: I’d use the #ifdef section to set a variable to contain the uid and then use one bit of code to check it, rather than duplicate the whole section.
Also I think you should file a bug about this, assuming that upstream care about windows.

]]> By: Geophphrie http://www.tenshu.net/archives/2008/10/09/openssh-51-chrootdirectory-permissions-issue/#comment-54 Geophphrie Tue, 11 Nov 2008 17:39:45 +0000 http://www.tenshu.net/?p=236#comment-54 Thanks for posting this. Since you found the code section, I was able to easily identify and fix the problem using this feature under Cygwin: that the "root" (Administrators) user is uid 544, not 0. I had to compile OpenSSH, of course, but that was worthwhile given that there's really not another reasonable solution for sftp on Windows that doesn't cost $500+ (and also wouldn't integrate into the existing ssh install). Note that I also adjusted the mode check NOT to check the actual chroot dir; it still checks the dirs leading up to it and requires root ownership still. I have no idea what the security implications of this change are, but it is sufficient for my purposes. #ifdef HAVE_CYGWIN if (st.st_uid != 544 || (cp != NULL && (st.st_mode & 022) != 0)) fatal("bad ownership or modes for chroot " "directory %s\"%s\"", cp == NULL ? "" : "component ", component); #endif #ifndef HAVE_CYGWIN if (st.st_uid != 0 || (st.st_mode & 022) != 0) fatal("bad ownership or modes for chroot " "directory %s\"%s\"", cp == NULL ? "" : "component ", component); #endif Thanks for posting this. Since you found the code section, I was able to easily identify and fix the problem using this feature under Cygwin: that the “root” (Administrators) user is uid 544, not 0. I had to compile OpenSSH, of course, but that was worthwhile given that there’s really not another reasonable solution for sftp on Windows that doesn’t cost $500+ (and also wouldn’t integrate into the existing ssh install).

Note that I also adjusted the mode check NOT to check the actual chroot dir; it still checks the dirs leading up to it and requires root ownership still. I have no idea what the security implications of this change are, but it is sufficient for my purposes.

#ifdef HAVE_CYGWIN
if (st.st_uid != 544 || (cp != NULL && (st.st_mode & 022) != 0))
fatal(”bad ownership or modes for chroot ”
“directory %s\”%s\”",
cp == NULL ? “” : “component “, component);
#endif
#ifndef HAVE_CYGWIN
if (st.st_uid != 0 || (st.st_mode & 022) != 0)
fatal(”bad ownership or modes for chroot ”
“directory %s\”%s\”",
cp == NULL ? “” : “component “, component);
#endif

]]> By: Andrew http://www.tenshu.net/archives/2008/10/09/openssh-51-chrootdirectory-permissions-issue/#comment-53 Andrew Mon, 10 Nov 2008 15:38:11 +0000 http://www.tenshu.net/?p=236#comment-53 Wow... thanks for the hint -- appreciate you taking the time to dig for the answer. :-) Wow… thanks for the hint — appreciate you taking the time to dig for the answer. :-)

]]> By: Webagentur http://www.tenshu.net/archives/2008/10/09/openssh-51-chrootdirectory-permissions-issue/#comment-52 Webagentur Wed, 05 Nov 2008 15:30:21 +0000 http://www.tenshu.net/?p=236#comment-52 What is that for a tutorial? What is that for a tutorial?

]]> By: cmsj http://www.tenshu.net/archives/2008/10/09/openssh-51-chrootdirectory-permissions-issue/#comment-51 cmsj Thu, 30 Oct 2008 20:32:49 +0000 http://www.tenshu.net/?p=236#comment-51 Marko: you can't do that with the current code. Move your 777 directory inside root:root 644 directory and chroot into that one. Marko: you can’t do that with the current code. Move your 777 directory inside root:root 644 directory and chroot into that one.

]]> By: Marko http://www.tenshu.net/archives/2008/10/09/openssh-51-chrootdirectory-permissions-issue/#comment-50 Marko Wed, 22 Oct 2008 19:17:26 +0000 http://www.tenshu.net/?p=236#comment-50 Hey, but what if I want to have permissions ChrootDirectory set to e.g. 777? The manual suggests I set "StrictModes" to "no", but that didn't work - I still get the same error (bad ownership...) Thanks, Marko Hey,

but what if I want to have permissions ChrootDirectory set to e.g. 777? The manual suggests I set “StrictModes” to “no”, but that didn’t work - I still get the same error (bad ownership…)

Thanks,

Marko

]]> By: cmsj http://www.tenshu.net/archives/2008/10/09/openssh-51-chrootdirectory-permissions-issue/#comment-49 cmsj Mon, 13 Oct 2008 13:10:56 +0000 http://www.tenshu.net/?p=236#comment-49 Yeah, Minstrel's information about this is very useful, I recommend reading that stuff :) Yeah, Minstrel’s information about this is very useful, I recommend reading that stuff :)

]]> By: Minstrel http://www.tenshu.net/archives/2008/10/09/openssh-51-chrootdirectory-permissions-issue/#comment-48 Minstrel Fri, 10 Oct 2008 04:39:19 +0000 http://www.tenshu.net/?p=236#comment-48 Good to see solutions being published to this kind of problem - there are a few others on my Web page at: http://www.minstrel.org.uk/papers/sftp/ I hope this helps as well. -- Minstrel Good to see solutions being published to this kind of problem - there are a few others on my Web page at:

http://www.minstrel.org.uk/papers/sftp/

I hope this helps as well.


Minstrel

]]>