LinuxQuestions.org
Register a domain and help support LQ
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices



Reply
 
Search this Thread
Old 10-05-2011, 05:27 PM   #1
ddenton
Member
 
Registered: May 2007
Posts: 114

Rep: Reputation: 15
Jailkit - SFTP users can see other user's home dirs


Hello all...

I have successfully set up Jailkit, both with FTP and SFTP users. The FTP users are fully contained in their home directories and can't see anything above them, but when I connect with WinSCP as an SFTP user, I can ascend to the "home" directory above the user's home dir and see the names of all other user's home dirs.

While I'm not able to descend into other user's home directories, I'm all but certain that customers won't appreciate their anonymity being compromised by others seeing that they're a customer of ours.

Each user's home directory has 700 perms and the jailed home directory above it has 755. I've tried reducing this to 750 but then SFTP logins fail.

Does anyone have a workaround to this issue besides setting up dedicated jails for each login?

Thanks,

Dan
 
Old 10-06-2011, 02:17 AM   #2
A.Thyssen
Member
 
Registered: May 2006
Location: Brisbane, Australia
Posts: 119

Rep: Reputation: 32
FTP is a dedicated server application. Obviously JailKit modifies its behaviour appropriately.

ASIDE: FTP should no longer be used for authenticated access. Anonymous access is fine, but if used for user access then passwords could be sent across the network in the clear to any snoopers between the user and he machine.

SFTP is completely different, it connects using SSH, and runs a psuedo FTP file transfer session over that encrypted link. Much like SCP can also do file transfers. As such what modifies FTP will generally not modify SFTP behaviour.

It will not 'jailed', unless you can find a more restricted SFTP subsystem program. The subsystem program is declared in /etc/ssh/sshd_config,
and on my system is /usr/libexec/openssh/sftp-server
 
Old 10-06-2011, 10:53 AM   #3
ddenton
Member
 
Registered: May 2007
Posts: 114

Original Poster
Rep: Reputation: 15
Thanks for the reply. I am aware of the differences between FTP and SFTP and what the shortcomings in the FTP protocol are. Jailkit doesn't modify the behavior of the FTP server; it provides a different shell to the user once the user is authenticated.

My problem is with the way Jailkit allows user who have been given access to the sftp-subsystem to see the contents of their home directory's parent folder. FTP users in the same jail can't leave their home directory, so I'm trying to understand why SFTP users can. If you or anyone else have any more ideas as to what I can do to limit this behavior, I'd appreciate hearing them.
 
Old 10-07-2011, 08:26 AM   #4
rodrifra
Member
 
Registered: Mar 2007
Location: Spain
Distribution: Ubuntu
Posts: 199

Rep: Reputation: 36
If you allow sftp access to the system the you should limit access from ssh itself.

Adding the next lines to your /etc/ssh/ssdh_config will limit access

Subsystem sftp internal-sftp #/usr/lib/openssh/sftp-server
Match group yourgrouphere
ChrootDirectory /home/%u
ForceCommand internal-sftp
AllowTcpForwarding no
 
Old 10-09-2011, 07:48 PM   #5
A.Thyssen
Member
 
Registered: May 2006
Location: Brisbane, Australia
Posts: 119

Rep: Reputation: 32
Is there some other alternatives (variation) to the internal-sftp
or other types of ssh subsystems that has been developed.

SSH has been around for a long time and I'm certain someone much have done some projects in this area.
 
  


Reply

Tags
jailkit, sftp


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
SFTP and Jailkit Darkstar274 Linux - Server 4 05-12-2010 03:42 AM
proftpd allow user to access different home dirs skylimit123 Linux - Software 1 11-26-2008 04:59 AM
how to get apache to look in users' home dirs? realthor Linux - Software 5 03-15-2006 11:08 AM
give users access to home dirs jonas73 Linux - Newbie 2 03-16-2004 02:42 AM
vsftpd: restricting users to home dirs groovin Linux - Security 6 11-25-2002 05:20 PM


All times are GMT -5. The time now is 10:29 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration