Contributed by merdely on from the lock-em-up dept.
You may have seen the recent commit message from djm@ about the new feature in OpenSSH: ChrootDirectory
Damien Miller (djm@), who worked on this new feature with Markus Friedl (markus@), offers more details about ChrootDirectory:
This commit adds a chroot(2) facility to sshd, controlled by a new sshd_config(5) option "ChrootDirectory". This can be used to "jail" users into a limited view of the filesystem, such as their home directory, rather than letting them see the full filesystem.
More from Damien follows.
Unfortunately, setting up a chroot(2) environment is complicated, fragile and annoying to maintain. The most frequent reason our users have given when asking for chroot support in sshd is so they can set up file servers that limit semi-trusted users to be able to access certain files only. Because of this, we have made this particular case very easy to configure.
In a previous commit, markus@ implemented an "in-process" sftp server in sshd, basically linking sftp-server(8) into sshd(8). When the in-process sftp server is used, sshd does not need any special chroot configuration (no /dev nodes, no libraries, no statically-linked sftp-server) so the chroot setup and maintenance burden is eliminated. The chroot support does work for login and command-execution sessions too, but administrators will need to configure the chroot environment manually.
To set up a restricted sftp server one should use the "ForceCommand" and "ChrootDirectory" directives in sshd_config. Presumably most people will not want to restrict every user, so they should also use the "Match" directive to select a user or group to apply the restrictions to. For example:
Match user djm ForceCommand internal-sftp ChrootDirectory /chrootThis will cause the user 'djm' to be chrooted to the "/chroot" directory at login, and the use of the in-process sftp server will be forced for all connections. I.e. the user will not be able to login interactively, or run arbitrary commands - the login will only be useful for sftp transfers. Note that the user's home directory may exist under the "/chroot" directory above (e.g. "/chroot/home/djm") and sshd will try to chdir to it before starting to serve files, but it doesn't matter if it does not exist.
Setting up a safe chroot jail is somewhat tricky, and it is quite easy to make to compromise one's security. To reduce this risk, sshd ensures the ChrootDirectory and each of its components is root-owned and not writable by other users, but it is still possible for administrators to break their own setups by doing dumb things (e.g. leaving /dev nodes for the physical drives in a chroot, executing scripts inside the chroot from cron(8) or elsewhere, etc.).
A limitation of the chroot support is that the in-process sftp server does not support scp(1) transfers. scp is a really busted protocol and it would be a fair bit more work to build it in in the way we have built in sftp. It is still possible to support chrooted scp, but administrators will need to populate the chroot environment manually. Please use sftp instead.
To make the internal-sftp chroot work for me, I made the following changes to /etc/ssh/sshd_config:
#Subsystem sftp /usr/libexec/sftp-server Subsystem sftp internal-sftp
The full commit message:
CVSROOT: /cvs Module name: src Changes by: djm@ 2008/02/08 16:24:08 Modified files: usr.bin/ssh : sshd_config.5 sshd_config sftp.h sftp-server.c sftp-server-main.c session.c servconf.h servconf.c Log message: add sshd_config ChrootDirectory option to chroot(2) users to a directory and tweak internal sftp server to work with it (no special files in chroot required). ok markus@
Thanks to Damien Miller for taking the time to explain the ChrootDirectory feature.
(Comments are closed)
By Didier (194.154.200.108) didier.wiroth@mcesr.etat.lu on http://www.wiroth.net
1) for the excellent feature
2) for the excellent report on this page
3) for the good sample!!!
and THANKS AGAIN!!!
By Anonymous Coward (24.37.242.64) on
Comments
By Anonymous Coward (129.9.163.234) on
It is safe, considering that this was committed, and 4.3 has not yet been tagged.
Comments
By Anonymous Coward (129.174.113.70) on
>
> It is safe, considering that this was committed, and 4.3 has not yet been tagged.
>
But man, it wasn't far off.
By TomazZ (193.95.206.48) tzveglic@email.si on
Try to install new version of OpenSSH.
Just installed OpenSSH by this notes on 4.2:
http://www.openssh.org/openbsd.html
Chroot works just as I expected!
Thanks for that feature!
Regards,
TomazZ
By Anonymous Coward (81.83.46.237) on
GREAT feature
By Paul R. (72.227.179.28) on
By Paul Irofti (86.106.14.45) bulibuta@gmail.com on
the announcement just a few minutes after the code entered the tree. I
remember I just pool()-ed my cvs mirror to get in sync and fetch this
beauty!
Thank you *very* much!!!
By Anonymous Coward (64.129.81.169) on
but SCARRY, so many commands like ping could break out of other ssh jail setups....
So many web servers need to support scp/sftp that jury rigged ssh jails are widespread,
But if it is in the base, it stands a better chance of being better scrutinized... thank you.
By Anonymous Coward (24.222.223.104) on
Comments
By Anonymous Coward (24.222.223.104) on
I guess I should have read the rest of the post =) Good job fellas!!
Comments
By sthen (85.158.45.32) on
>
> I guess I should have read the rest of the post =) Good job fellas!!
So who will open the first scp://anonymous@ package mirror? (-:
Comments
By Anonymous Coward (84.42.224.231) on
> >
> > I guess I should have read the rest of the post =) Good job fellas!!
>
> So who will open the first scp://anonymous@ package mirror? (-:
scp does not work :))))
By Anonymous Coward (12.158.188.186) on
sftp auto completion would be another nail
Comments
By CODOR (CODOR) on
lftp (which, not surprisingly, is in ports) already does this. (Plus it speaks FTP so you can speak to silly people who still use that protocol...)
Comments
By Anonymous Coward (66.167.100.98) on
>
> lftp (which, not surprisingly, is in ports) already does this. (Plus it speaks FTP so you can speak to silly people who still use that protocol...)
yafc also does this. And of course there's also sshfs, which lets you use your shell's tab-completion!
By Anonymous Coward (128.171.90.200) on
>
> lftp (which, not surprisingly, is in ports) already does this. (Plus it speaks FTP so you can speak to silly people who still use that protocol...)
How does it do that ?
Does it login to the system when you hit tab and find appropriate options ?
By Alan Watson (132.248.81.29) alan@alan-watson-.org on http://www.alan-watson.org
Comments
By sthen (85.158.45.32) on
Depends how you set pf.conf.
By Mike Erdely (merdely) on http://erdelynet.com/
> internal sftp server still forward ports?
Yes. By default. Unless you set up something like this:
By Pete (12.147.96.10) on
Comments
By Anonymous Coward (84.197.62.5) on
Comments
By Pete (12.147.96.10) on
By Mike (203.99.66.6) on
sshd ensures the ChrootDirectory and each of its components is root-owned and not writable by other users
Does that mean that the whole chroot jail is actually read-only for the user? Or what does each of its components mean?
Comments
By Damien Miller (djm) on http://www.mindrot.org/~djm/
> root-owned and not writable by other users
>
> Does that mean that the whole chroot jail is actually read-only for
> the user? Or what does each of its components mean?
Yes, the jail directory must be read-only for the user. Typically the jail directory isn't the home directory though, so you might configure "ChrootDirectory=/chroot" and create "/chroot/home/djm" within in.
Comments
By Markus (83.227.160.33) on
> > root-owned and not writable by other users
> >
> > Does that mean that the whole chroot jail is actually read-only for
> > the user? Or what does each of its components mean?
>
> Yes, the jail directory must be read-only for the user. Typically the jail directory isn't the home directory though, so you might configure "ChrootDirectory=/chroot" and create "/chroot/home/djm" within in.
>
This defeats about half the purpose with this great feature... Consider the following, common setup:
users are placed in /home (or perhaps another filesystem; /web etc.)
the rationale for each user is the default, readable by others, in order to allow an httpd running as nobody/nobody to fetch content of the users' directory, and the content per itself is per default "RWXR-XR-X".
Now.. what is the point of not being able to use this setup to supply SFTP-only access to users to administrate their web content? Shouldn't there be a setting to override the "chroot dir must be read-only-by-the-user"? It seems quite useless without, since it only results in a read-only repository for unique users, hidden from everyone, including an eventual httpd.
I admit that I am not sure what the security implications might be to chroot to a directory owned and writable by a mortal user.... are there any that would make this an issue?
I'd like to see a way to finally allow users SFTP-only access to their normal home-dirs from where normal web content is served. Apparently this is not it.
Comments
By yann (64.208.49.28) on
> > > root-owned and not writable by other users
> > >
> This defeats about half the purpose with this great feature...
Maybe using --bind mount option may solve your problem (this option have always be of great use for real chrooted env: to be able to make some data subtrees accessible to sftp chrooted users).
You have your chroot dir with required owner (root)+rights:
/chroot
Inside this one, create /chroot/home
on the other side, consider:
/home/...
And, as root:
mount --bind /home /chroot/home
should do the job. Add it in your fstab to be reset persistant...
By Markus (83.227.160.33) on
to elaborate, the problem here with a shared webserver setup is that either you create a messy, nested dir-structure (/home/user1/user1 etc.) in order to keep users entirely isolated from eachother (as you may want to), or, you just keep a normal dir-tree and ChrootDirectory to /home and users will be locked out from the main system, but able to snoop around in eachothers' content since it has to be readable by others.
sigh... add a flag to circumvent this and point out all the risks with it?
By Anonymous Coward (12.158.188.186) on
>
> Does that mean that the whole chroot jail is actually read-only for the user? Or what does each of its components mean?
For example you have ChrootDirectory set to "/mnt/blah/chroot"
in this case it would have 3 component dirs: /mnt, /mnt/blah, and /mnt/blah/chroot, all of which must be root-owned and not writable by any other users.
By Anonymous Coward (80.172.22.46) on
users with internal-sftp on the same server?
Comments
By Damien Miller (djm) on http://www.mindrot.org/~djm/
> /usr/libexec/sftp-server and other chrooted
> users with internal-sftp on the same server?
Yes, use Match+ForceCommand+ChrootDirectory to contain the untrusted users but include a normal Subsystem line for the regular users.
By Lennie (84.246.2.129) on
But this looks like it's not that simple.
That's too bad.
I would have loved to have been able to do:
Match user user1
Match user user2
ChrootDirectory ~
AllowUsers adminuser1 adminuser2 user1 user2
It's to bad, this won't kill FTP, I'm afraid. It would have been better to have something really simple.
Maybe a chroot-dir and a hardlink per user would be kinda manageable ?
ssh killed telnet, sftp could have killed ftp.
Comments
By sthen (85.158.45.32) on
>
> But this looks like it's not that simple.
Read the manual page for sshd_config. It's linked from the article. Specifically look at the bit about ChrootDirectory.
Comments
By Mike Erdely (merdely) on http://erdelynet.com/
>> used for shared webservers...
>>
>> But this looks like it's not that simple.
>
> Read the manual page for sshd_config. It's linked from the article.
> Specifically look at the bit about ChrootDirectory.
djm@ even explained it earlier in the comments for this article.
By Anonymous Coward (212.123.14.6) on
>
> But this looks like it's not that simple.
>
> That's too bad.
>
> I would have loved to have been able to do:
>
> Match user user1
> Match user user2
> ChrootDirectory ~
>
> AllowUsers adminuser1 adminuser2 user1 user2
>
> It's to bad, this won't kill FTP, I'm afraid. It would have been better to have something really simple.
>
> Maybe a chroot-dir and a hardlink per user would be kinda manageable ?
>
> ssh killed telnet, sftp could have killed ftp.
Just use "Match group" instead and add all restricted users to that group.
By jirib (89.176.154.98) on
>
> But this looks like it's not that simple.
>
> That's too bad.
>
> I would have loved to have been able to do:
>
> Match user user1
> Match user user2
> ChrootDirectory ~
>
> AllowUsers adminuser1 adminuser2 user1 user2
>
> It's to bad, this won't kill FTP, I'm afraid. It would have been better to have something really simple.
>
> Maybe a chroot-dir and a hardlink per user would be kinda manageable ?
>
> ssh killed telnet, sftp could have killed ftp.
>
>
I tried it right now and i would suggest following:
Change homedir in /etc/passwd for users to /user1, /user2 etc...
Match Group sftpusers
ChrootDirectory /chroot/%u
ForceCommand internal-sftp
and make following dir structure:
/chroot/user1/user1
|-user2/user2
so they don't see theirs home dirs :)
j.
Comments
By Anonymous Coward (207.111.160.28) on
>
> Change homedir in /etc/passwd for users to /user1, /user2 etc...
>
> Match Group sftpusers
> ChrootDirectory /chroot/%u
> ForceCommand internal-sftp
>
> and make following dir structure:
>
> /chroot/user1/user1
> |-user2/user2
>
> so they don't see theirs home dirs :)
>
> j.
>
This was very helpful, but I do not understand the last point. Why do you not want them to see their home dirs? Exactly what are you accomplishing by this additional level of directory?
Thanks!
BTW, I am a new AC here - I'm not related to the previous AC posters. :-)
Comments
By jirib (89.176.154.98) on
>
'see their home dirs' means if you have more users they don't see home dir of other users :) like it works in chrooted ftp, you just see your 'home'.
j.
By Kamil Wencel (88.217.235.114) on http://www.reaktorblog.de
In case anyone is still looking for the homedir feature, have a look at
http://www.minstrel.org.uk/papers/sftp/builtin/
Modify /usr/local/etc/sshd_config to include the following lines (your environment may vary):
# Use the following line to *replace* any existing 'Subsystem' line
Subsystem sftp internal-sftp
# These lines must appear at the *end* of sshd_config
Match Group sftponly
ChrootDirectory %h
ForceCommand internal-sftp
AllowTcpForwarding no
This means that all users you add to the 'sftponly' group will be chroot'd to their home directory, and will only be able to run the internal SFTP process.
By Rico Secada (ricosecada) coolzone@it.dk on
By Anonymous Coward (128.171.90.200) on
By Anonymous Coward (83.199.74.32) on
is it possible to build a jail with a bash session ?!
By TA (86.185.71.201) on
By morophla (184.162.174.15) on
Comments
By SirQuack (83.163.216.89) openbsd@roelof.io on
You'd give every user their own directory to work in. This is commonly done using a central chroot dir with a user-specific dir.
I use this for my clients:
ChrootDirectory /var/www/users/%u