LinuxQuestions.org
Share your knowledge at the LQ Wiki.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Distributions > Fedora
User Name
Password
Fedora This forum is for the discussion of the Fedora Project.

Notices



Reply
 
Search this Thread
Old 10-22-2010, 12:07 AM   #1
djlinuxquestions
LQ Newbie
 
Registered: Oct 2010
Posts: 7

Rep: Reputation: 0
SFTP and SELinux is preventing sshd "create" access


hello,

I have been trying to set up sftp with chrooted users.

I am able to sftp to the user's chrooted home directory
I am able to list files after sftp'ing using 'ls'

But whenever I try to write to the chrooted directory I get the error:

Code:
remote open("/user1/file.txt"): Permission denied

when i look in /var/log/messages

i see the error:
Code:
SELinux is preventing sshd "create" access on file.txt
If I set SElinux to permissive I am able to write the file but the user can navigate to other home directories, etc.


my seetings and permissions:

/etc/ssh/sshd_config:
Code:
Subsystem       sftp    internal-sftp

Match group sftponly
         ChrootDirectory /home/chroot-users
         X11Forwarding no
         AllowTcpForwarding no
         ForceCommand internal-sftp
permissions:
Code:
drwxr-xr-x.  7 root root  4096 Oct 22 12:33 home
drwxr-xr-x.  4 root root  4096 Oct 22 13:48 chroot-users
drwxr-x---.  4 user1 user1 4096 Oct 22 13:37 user1

/etc/passwd:
Code:
user1:x:502:502::/user1:/bin/false
/etc/group:
Code:
sftponly:x:502:user1

any help in getting the write working would be appreciated.

cheers!
 
Old 10-22-2010, 12:24 AM   #2
prayag_pjs
Senior Member
 
Registered: Feb 2008
Location: Pune - India
Distribution: Fedora,RedHat,CentOS,Gentoo
Posts: 1,138
Blog Entries: 4

Rep: Reputation: 147Reputation: 147
Hi,

Disable selinux.

vim /etc/sysconfig/selinux

Quote:
SELINUX=disabled
 
0 members found this post helpful.
Old 10-22-2010, 01:07 AM   #3
djlinuxquestions
LQ Newbie
 
Registered: Oct 2010
Posts: 7

Original Poster
Rep: Reputation: 0
thanks for the prompt reply.

disabling selinux worked. I can only get to /home/chroot-users, and with appropriate permissions cannot enter other users' directories.

however, with the permissions I have set the user can:
1. sftp into their chrooted home directory (/home/chroot-users/user1)
2. cd .. (back to /home/chroot-users)
3. get files from /home/chroot-users
4. put files from user1's directory to /home/chroot-users

so, how can I stop points 2-4 happening (or at least 3 and 4).

the permissions are:
Code:
drwxr-xr-x.  7 root root  4096 Oct 22 12:33 home
drwxr-xr-x.  4 root root  4096 Oct 22 13:48 chroot-users
drwxr-x---.  4 user1 user1 4096 Oct 22 13:37 user1
thanks for any advice.
 
Old 10-22-2010, 01:11 AM   #4
prayag_pjs
Senior Member
 
Registered: Feb 2008
Location: Pune - India
Distribution: Fedora,RedHat,CentOS,Gentoo
Posts: 1,138
Blog Entries: 4

Rep: Reputation: 147Reputation: 147
For point 2.cd .. (back to /home/chroot-users):

Follow this link

http://www.cyberciti.biz/tips/howto-...ail-setup.html

See the end of link : To prevent user....

http://joedonner2001.wordpress.com/r...a-chroot-jail/
 
Old 10-22-2010, 01:34 AM   #5
djlinuxquestions
LQ Newbie
 
Registered: Oct 2010
Posts: 7

Original Poster
Rep: Reputation: 0
ok, will check that out.

thanks for the assistance.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Summary: SELinux is preventing vbetool (vbetool_t) "read write" to ./video.rom kuwaitikid Linux - Newbie 6 10-20-2009 11:11 PM
SELinux is preventing certwatch (certwatch_t) "write" to ./cache CZTY Linux - Software 3 09-12-2009 02:57 AM
SELinux is preventing in.tftpd (tftpd_t) "write" to my tftp server designlogicmedia Linux - Newbie 4 09-07-2009 12:30 PM
SELinux is preventing hp (hplip_t) "search" to ./dbus (system_dbusd_var_run_t). CyberJet Linux - Newbie 4 11-13-2008 01:41 PM
"selinux is preventing sshd getattr to /usr/NX/home.nx" ericcarlson Fedora 3 08-25-2008 01:04 PM


All times are GMT -5. The time now is 06:14 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration