LinuxQuestions.org
Register a domain and help support LQ
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices



Reply
 
Search this Thread
Old 01-07-2010, 09:51 AM   #1
brittonv
LQ Newbie
 
Registered: Jan 2010
Posts: 11

Rep: Reputation: 0
ChrootDirectory in sftp and "Couldn't get handle: Permission denied" errors


I have compiled and installed Openssh 5.3 on my centos 5.3 server following these instructions:
http://binblog.info/2009/02/27/packa...ssh-on-centos/

However I CAN NOT seem to get ChrootDirectory to work properly

I followed the directions I found here:
http://www.debian-administration.org/articles/590

I can connect via SFTP but once connected I can't do anything:

computer:~ user$ sftp test2@172.16.16.121
Connecting to 172.16.16.121...
test2@172.16.16.121's password:
sftp> ls
Couldn't get handle: Permission denied
sftp> cd download
Couldn't canonicalise: Permission denied
sftp> put test.txt
Uploading test.txt to /test.txt
Couldn't get handle: Permission denied

Here are my users settings:
[root@sftp ~]# more /etc/passwd |grep test2
test2:x:504:502::/:/bin/bash
[root@sftp ~]# more /etc/group |grep test2
sftponly:x:502:integra_prod,test2

Here are my settings in /etc/ssh/sshd_config:
# override default of no subsystems
#Subsystem sftp /usr/libexec/openssh/sftp-server -f LOCAL1 -l INFO
Subsystem sftp internal-sftp

Match group sftponly
ChrootDirectory /chroot/disk2/%u
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp

Here are the permissions of the folder
drwx------ 3 root root 4096 Jan 6 04:14 chroot
drwx------ 5 root root 4096 Jan 6 11:08 disk2
drwx------ 3 root root 4096 Jan 6 11:11 test2

Now I have found that people saying it is a permission issues as root has to own the folder.

So I created a folder 'download' gave test2.sftponly 770 permission to the folder,
[root@sftp]# ls -la /chroot/disk2/test2/
total 12
drwxr-x--- 3 root root 4096 Jan 6 15:44 .
drwxr-x--- 5 root root 4096 Jan 6 11:08 ..
drwxrwx--- 2 test2 sftponly 4096 Jan 6 11:49 download


Changed the user profile to used the /download directory:
test2:x:504:502::/download:/bin/bash

Restarted sshd for good measure but it still doesn't work:
sftp> ls
Couldn't get handle: Permission denied
sftp> pwd
Remote working directory: /
sftp> cd download
Couldn't canonicalise: Permission denied

It didn't go to the home directory? So I change the user home to:
[root@sftp_prod_01 test2]# more /etc/passwd|grep test2
test2:x:504:502::/chroot/disk2/test2/download:/bin/bash

Restarted sshd for good measure and it still doesn't work:
sftp> pwd
Remote working directory: /
sftp> ls
Couldn't get handle: Permission denied
sftp> cd download
Couldn't canonicalise: Permission denied

It still doesn't go to the download directory? I don't know how to proceed in troubleshooting this at this point.

Any Ideas?

Here is some additional information in case it helps.

Selinux is disabled:
[root@sftp]# ls -la /selinux/
total 16
drwxr-xr-x 2 root root 4096 Jan 5 06:34 .
drwxr-xr-x 26 root root 4096 Jan 6 10:32 ..


If it is any help here are what is says in my /var/log/secure:
Jan 7 09:40:10 sftp sshd[15807]: Server listening on :: port 22.
Jan 7 09:40:10 sftp sshd[15807]: Server listening on 0.0.0.0 port 22.
Jan 7 09:40:15 sftp sshd[15604]: pam_unix(sshd:session): session closed for user test2
Jan 7 09:40:18 sftp sshd[15824]: Accepted password for test2 from 192.168.1.212 port 60889 ssh2
Jan 7 09:40:18 sftp sshd[15824]: pam_unix(sshd:session): session opened for user test2 by (uid=0)
Jan 7 09:40:18 sftp sshd[15826]: subsystem request for sftp
Jan 7 09:41:13 sftp sshd[15824]: pam_unix(sshd:session): session closed for user test2

And just so you have all the information, if I connect as a user I don't want chroot'd and is not in the sftponly group it works fine:

brit@linuxdevel:~> sftp brit@172.16.16.121
Connecting to 172.16.16.121...
brit@172.16.16.121's password:
sftp> ls
Desktop
sftp> pwd
Remote working directory: /home/brit
sftp> put test.txt
Uploading test.txt to /home/brittonv/test.txt
test.txt
 
Old 01-08-2010, 03:23 AM   #2
Web31337
Member
 
Registered: Sep 2009
Location: Russia
Distribution: Gentoo, LFS
Posts: 399
Blog Entries: 71

Rep: Reputation: 65
what about changing mode of parent directories to 0701? [drwx-----x]
I use that practice: works pretty good to deny all users to list directories but access the known locations in them.
SSH works well when /home=0701 and /home/user=0750. and ssh won't work if /home=0700, user will not be able to change directory to /home/user(0750 as it was).
try it and post back.
 
1 members found this post helpful.
Old 01-10-2010, 07:10 AM   #3
hapylestat
LQ Newbie
 
Registered: Jan 2010
Posts: 5

Rep: Reputation: 0
hm, watch this

=========>
drwx------ 3 root root 4096 Jan 6 04:14 chroot
drwx------ 5 root root 4096 Jan 6 11:08 disk2
drwx------ 3 root root 4096 Jan 6 11:11 test2
<========

all folders belongs to root user, and u login with test2 permissions.

make something like this: chown -R test2:test2 test2 (chown -R user:group folder)

Last edited by hapylestat; 01-10-2010 at 07:11 AM.
 
0 members found this post helpful.
Old 01-11-2010, 11:40 AM   #4
Web31337
Member
 
Registered: Sep 2009
Location: Russia
Distribution: Gentoo, LFS
Posts: 399
Blog Entries: 71

Rep: Reputation: 65
Post

hapylestat: i guess it won't work as you want it to: read my post first and try it with usual SSH login yourself. i mean it will work itself, but what will you do with other users, needing an access here? that's completely wrong solution. and the solution "chmod 0777", which i bet you will apply as soon as this fails, doesn't even needs comment.
test2 is the only directory needs to be chowned to test2 user.
also, "u" is a letter, "you" is a word, so if you meant "you" here(i may be wrong if you meant "user" but it doesn't look like):
Quote:
Originally Posted by hapylestat
and u login with
, i suggest you read this before your next reply.

Last edited by Web31337; 01-11-2010 at 11:42 AM.
 
Old 01-12-2010, 09:50 AM   #5
brittonv
LQ Newbie
 
Registered: Jan 2010
Posts: 11

Original Poster
Rep: Reputation: 0
Wow, why is this not documented anywhere!

I am SOOOO much closer thank you!

So here is what I did.

I chmod the parent and home directories to 701 owned by root.

so /chroot/disk2/test2 is all owned by root, each having the permission of 701.

I then created a folder called 'download' in the test2 folder and changed the owner to be test2 with 700 permissions.

When I connect as 'test2' to to the sftp server and try to ls, I still get the "Couldn't get Handle: Permission denied" HOWEVER I can now 'cd download' and get full RW access to that folder. I had tried this before and it didn't work until I changed the permissions to the parent folders to be 701.

Now my question is this by design or do I still have a problem?

Should I be able to get a list of folder and files in my home folder?

From a permissions stand point I can't figure out how I could. The home folder has to be owned by root, so a normal user wouldn't be able to see the contents right?

Am I right or do I still have work to do?

Thank you soooooooo much for your help on this!!!!
 
Old 01-13-2010, 07:11 AM   #6
Web31337
Member
 
Registered: Sep 2009
Location: Russia
Distribution: Gentoo, LFS
Posts: 399
Blog Entries: 71

Rep: Reputation: 65
usually i set 0701 on /, /etc, /sbin, /usr/local and other folders should not be listed by anyone but root. it's a good practice for hosting boxes.
if you still get permission denined when logged in, what is in your /etc/passwd for that user?
Code:
test2:x:504:502::/download:/bin/bash
? or what?
 
Old 04-04-2010, 08:14 AM   #7
MheAd
Member
 
Registered: Jun 2007
Distribution: Ubuntu 14.04
Posts: 186

Rep: Reputation: 36
I'm resurrecting this thread only to ask people (or brittonv, the original poster) whether you actually find the way to browse normally through the jailed home-dir of the sftp-user or is the hack above (the last post of brittonv) the only solution?
 
Old 04-20-2010, 01:35 PM   #8
brittonv
LQ Newbie
 
Registered: Jan 2010
Posts: 11

Original Poster
Rep: Reputation: 0
Yes I did find a way, I appologize for not posting it earlier:

It is possible with hard links:

To have an exact duplicate of the /var/ftp/incoming directory available in /home/bob/incoming and /home/dave/incoming, use one of these commands:

Linux (as of the 2.4.0 kernel):
mount --bind /var/ftp/incoming /home/bob/incoming
mount --bind /var/ftp/incoming /home/dave/incoming

I found this information here:
http://www.castaglia.org/proftpd/doc...TO-Chroot.html
 
Old 04-21-2010, 04:14 AM   #9
MheAd
Member
 
Registered: Jun 2007
Distribution: Ubuntu 14.04
Posts: 186

Rep: Reputation: 36
Hi,

The link you posted is dead.
Also, according to the name of the link, it seems to be a guide to chrooting proftp, not homedirs for sftp?
 
Old 04-22-2010, 09:52 AM   #10
brittonv
LQ Newbie
 
Registered: Jan 2010
Posts: 11

Original Poster
Rep: Reputation: 0
:-( That link is dead now. Good thing I copied the entire text. I will post it below.

Yes this solution was for proftp. However this worked for me too with SFTP.

In conclusion, I performed the steps here and it worked in my SFTP setup!

Here are some notes I made regarding this:
Mount directory in 2 places:
mount -o bind /source/destination/path /new/target/path

Mount directory in second place with Read Only Permissions:
mount -o ro --bind /source/destination/path /new/target/path


Here is the full text from the orginal page, please post back if this works for you too:

DefaultRoot, Symlinks and chroot()

Restricting Users' Directories
One of the most common questions for new users of ProFTPD is "How do I restrict my users to only certain directories?" or, phrased another way, "How can I put my users in a chroot jail?" As a common question, it definitely has a place in the FAQ. Many users, I fear, do not read the FAQ carefully, and so miss that section. The answer is ProFTPD's DefaultRoot configuration directive, which accomplishes this functionality by using the chroot(2) function.
This configuration directive may appear in the <VirtualHost>, <Global>, and the "server config" (meaning not in any <VirtualHost> or <Global> sections) configuration contexts. The most common configuration requested is to restrict users to their home directories, which can be done simply by adding the following line to your proftpd.conf:
DefaultRoot ~
The ~ (tilde) is a Unix-ism that is expanded to the logging-in user's home directory. For slightly more complex setups, administrators may want to restrict only a subset of their users into home directories (or some other directory), but leave some privileged users unrestricted. For example, say you have your privileged users all as members of a group called ftp-special. The DefaultRoot's optional second parameter, a group-expression, can then be used, like so:
DefaultRoot ~ !ftp-special
This says to chroot() every user who is not a member of group ftp-special to their respective home directory, and:
DefaultRoot /path/to/dir group1,group2
will chroot() users who are members of both group1 and group2 into /path/to/dir. More complex group-expressions can be used as needed.
Note that the execute bit (--x) must be on in order to chroot() a user into that directory. This bit is also needed for a user to be able to chdir into that directory.
Symlinks
There have been many questions on the ProFTPD user mailing list about why symlinked directories are not visible to chrooted users (this includes <Anonymous> users as well as users restricted using DefaultRoot. This document is intended to clarify the issues and discuss some ways of achieving what is commonly desired.
These issues are not specific to ProFTPD, but rather to the workings of a Unix system. First, a brief review of how links work, and why chroot(2) poses such a problem. Then a look at ways around the issue.
How Links Work
There are two types of links in Unix: hard and symbolic.
A hard link is a file that is, for all intents and purposes, the file to which it is linked. The difference between a hardlink and the linked file is one of placement in the filesystem. Editing the hardlink edits the linked file. One limitation of hard links is that linked files cannot reside on different filesystems. This means that if /var and /home are two different mount points in /etc/fstab (or /etc/vfstab), then a file in /var/tmp cannot be hardlinked with a file in /home:
> pwd
/var/tmp
> ln /home/tj/tmp/tmpfile tmplink
ln: cannot create hard link `tmplink' to `/home/tj/tmp/tmpfile': Invalid cross-device link
A symbolic link (also referred to as a "symlink") is a file whose contents contain the name of the file to which the symbolic link points. For example:
lrwxrwxrwx 1 root root 11 Mar 2 2000 rmt -> /sbin/rmt
The file rmt contains the nine characters /sbin/rmt. The reason symbolic links fail when chroot(2) is used to change the position of the root (/)of the filesystem is that, once / is moved, the pointed-to file path changes. If, for example, if chroot(2) is used to change the filesystem root to /ftp, then the symlink above would be actually be pointing to /ftp/sbin/rmt. Chances that that link, if chroot(2) is used, now points to a path that does not exist. Symbolic links that point to nonexistent files are known as dangling symbolic links. Note that symbolic links to files underneath the new root, such as symlinks to a file in the same directory:
> pwd
/var/ftp
> ls -l
-rw-r--r-- 1 root root 0 Jan 16 11:50 tmpfile
lrwxrwxrwx 1 root root 7 Jan 16 11:50 tmplink -> tmpfile
will be unaffected; only paths that point outside/above the new root will be affected.
Filesystem Tricks
A typical scenario is one where "DefaultRoot ~" is used to restrict users to their home directories, and where the administrator would like to have a shared upload directory, say /var/ftp/incoming, in each user's home directory. Symbolic links would normally be used to provide an arrangement like this. As mentioned above, though, when chroot(2) is used (which is what the DefaultRoot directive does), symlinks that point outside the new root (the user's home directory in this case) will not work. To get around this apparent limitation, it is possible on modern operating systems to mount directories at several locations in the filesystem.
To have an exact duplicate of the /var/ftp/incoming directory available in /home/bob/incoming and /home/dave/incoming, use one of these commands:
• Linux (as of the 2.4.0 kernel):
mount --bind /var/ftp/incoming /home/bob/incoming
mount --bind /var/ftp/incoming /home/dave/incoming

or, alternatively:
mount -o bind /var/ftp/incoming /home/bob/incoming
mount -o bind /var/ftp/incoming /home/dave/incoming
• BSD (as of 4.4BSD):
mount_null /var/ftp/incoming /home/bob/incoming
mount_null /var/ftp/incoming /home/dave/incoming
• Solaris:
mount -F lofs /var/ftp/incoming /home/bob/incoming
mount -F lofs /var/ftp/incoming /home/dave/incoming
The same technique can be used for <Anonymous> directories, which also operate in a chroot()ed environment. Also, it should be possible to mount specific files this way, in addition to directories, should you need to (a directory is just another file in Unix).
As usual, more information can be found by consulting the man pages for the appropriate command for your platform. The commands for other flavors of Unix will be added as needed.
In order to have these tricks persist, to survive a system reboot, the /etc/fstab (or /etc/vfstab) file may need to have these mounts added. Consult your local fstab(5) (or vfstab(4) for Solaris) man pages for more information.

Contributor: Rod Whitworth <rodw at witworx dot com>
Date: $Date: 2003/04/25 18:34:31 $
 
Old 04-23-2010, 03:47 AM   #11
MheAd
Member
 
Registered: Jun 2007
Distribution: Ubuntu 14.04
Posts: 186

Rep: Reputation: 36
Hi again,
I still don't understand how this can be implemented to the sshd.
Could you kindly post exactly what you did?

Basically, a dir like
/home/mhead

How should it be chrooted for SFTP?
Also, the other settings for the actual sshd - they should be the standard sftp-settings?
 
Old 04-26-2010, 12:08 PM   #12
brittonv
LQ Newbie
 
Registered: Jan 2010
Posts: 11

Original Poster
Rep: Reputation: 0
File folder you want to mount in a new directory:
/user/user1

Folder you want that new folder in:
/chroot/user1

Create a folder in the location you want to mount it, in this case /chroot/user1

mkdir /chroot/user1

mount that folder to original folder
mount -o /user/user1 /chroot/user1

That in combination with the information found here:
http://www.debian-administration.org/articles/590

You should be able to sort it out.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Failed to execute child process "ooffice" (Permission denied) Mol_Bolom Linux - Software 2 03-11-2009 05:23 PM
can't execute c++ binaries, "permission denied"... even though permission is 777 SerfurJ Programming 14 02-20-2009 05:50 AM
"Permission denied" and "recursive directory loop" when searching for string in files mack1e Linux - Newbie 5 06-12-2008 08:38 AM
"Permission Denied" errors during start-up (SuSE 9.0) Meowatilla Linux - Software 3 04-14-2004 11:40 AM
Samba is behaving poorly and causing "unable to handle kernel paging request" errors system Linux - Networking 6 01-26-2002 09:42 PM


All times are GMT -5. The time now is 03:41 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration