[ale] Need wacky chroot setup help

Lightner, Jeff JLightner at dsservices.com
Fri Aug 21 11:56:57 EDT 2015


The logins to the chroot can’t follow symlinks that point outside of the chroot.  However, the application on the server CAN follow symlinks into the real path of the chroot’ed directories.   We use this for common accounts where we can’t tell who is logging in to drop files in the chroot.   Those users logging in never see anything but the chroot but our application’s common directory contains symlinks back to those real paths.

It confuses developers because if you make the chroot real path something like /secure/sftp/billybob and then put a home under that, the directory you need a symlink to might be /secure/sftp/billybob/home/billybob, but user billybob sees that only as /home/billybob when they log in.

Loop mounts would probably work just as well but we’ve been doing the symlink thing for a long time and you see it as a link when traversing the common directory.


From: ale-bounces at ale.org [mailto:ale-bounces at ale.org] On Behalf Of Brian Mathis
Sent: Friday, August 21, 2015 10:49 AM
To: Atlanta Linux Enthusiasts
Subject: Re: [ale] Need wacky chroot setup help

Create directories owned by root for chrooted users in something like: /srv/sftp/$USER
Set up ssh to chroot those users into that directory
Create a directory /srv/sftp/$USER/jobout
Use a bind mount (mount -o bind) to mount /home/t1000/dept-fun-times to /srv/sftp/$USER/jobout for each user

This is the only way I know of since the chroot can't follow symlinks.

❧ Brian Mathis
@orev


On Fri, Aug 21, 2015 at 9:17 AM, James Sumners <james.sumners at gmail.com> wrote:
I have some craptastic software that allows users to submit background jobs that are executed by a common system account. Let's call that account 't1000'. This system supports a configuration where the end user's submitted job can be written to a directory in their home directory, provided t1000's group is able to write to it. Otherwise, job output files get dumped in t1000's home directory. Further, I have departments with users that need to share a common job output directory.

So let's pretend I have users "foobar" and "barbaz" that need to submit jobs to a common output directory. Let's further assume I have the following file system layout:

- /home/t1000/
- /home/t1000/dept-fun-times/
- /home/foobar/
- /home/foobar/jobout/ => /home/t1000/dept-fun-times/
- /home/barbaz/
- /home/barbaz/jobout/ => /home/t1000/dept-fun-times/

Each of the users t1000, foobar, and barbaz is a member of a group "vomit". Each "jobout" directory and the "dept-fun-times" directory have mode `0770`. Thus when either foobar or barbaz submits a job, that job's output will end up in `/home/t1000/dept-fun-times/`. Any other user that submits a job will result in the job output going to `/home/t1000/`.

All files in `/home/t1000/` and `/home/t1000/dept-fun-times/` are mode `0660`.

Now for the fun part:

I need foobar and barbaz to be able to ssh/sftp to the system and be "chrooted" to `/home/t1000/dept-fun-times/` such that they cannot change from that directory nor open any files outside of that directory.

SSHD requires the destination chroot to (rightly) be a proper jail. As does the rssh shell (when chrooting). Bash's restricted mode is also not a solution.

Do you guys have any ideas how I can accomplish this goal?

--
James Sumners
http://james.sumners.info/ (technical profile)
http://jrfom.com/ (personal site)
http://haplo.bandcamp.com/ (band page)
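
Added example, not part of the thread or written by any of its participants: a pre-flight check for the rule in sshd_config(5) that every component of a ChrootDirectory path must be a root-owned directory not writable by group or others, which is why /home/t1000/dept-fun-times cannot be the jail itself while the /srv/sftp/$USER layout with a bind mount can. The function name, uid 1001 standing in for t1000, and the mode of /home/t1000 are assumptions; LAYOUT is constructed sample data.

```python
import os
import stat
from collections import namedtuple

# Stand-in for os.stat_result so the check can run on constructed data.
FakeStat = namedtuple("FakeStat", "st_uid st_mode")

def chroot_violations(path, stat_fn=os.stat):
    """Return the reasons `path` breaks the ChrootDirectory ownership rule.

    Walks from / down to `path`; each component must be a directory,
    owned by uid 0, and not writable by group or others.
    """
    problems = []
    current = os.sep
    for part in [""] + [p for p in path.split(os.sep) if p]:
        current = os.path.join(current, part)
        st = stat_fn(current)
        if not stat.S_ISDIR(st.st_mode):
            problems.append(f"{current}: not a directory")
        if st.st_uid != 0:
            problems.append(f"{current}: owned by uid {st.st_uid}, not root")
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            mode = stat.S_IMODE(st.st_mode)
            problems.append(f"{current}: group/other writable ({mode:04o})")
    return problems

D = stat.S_IFDIR
# Constructed sample: path -> (uid, mode). uid 1001 stands in for t1000.
LAYOUT = {
    "/": FakeStat(0, D | 0o755),
    "/home": FakeStat(0, D | 0o755),
    "/home/t1000": FakeStat(1001, D | 0o750),                 # assumed mode
    "/home/t1000/dept-fun-times": FakeStat(1001, D | 0o770),  # mode from the thread
    "/srv": FakeStat(0, D | 0o755),
    "/srv/sftp": FakeStat(0, D | 0o755),
    "/srv/sftp/foobar": FakeStat(0, D | 0o755),               # root-owned jail
    "/srv/sftp/foobar/jobout": FakeStat(1001, D | 0o770),     # bind-mount target
}

if __name__ == "__main__":
    for candidate in ("/home/t1000/dept-fun-times", "/srv/sftp/foobar"):
        found = chroot_violations(candidate, LAYOUT.__getitem__)
        print(candidate, "->", found or "acceptable as ChrootDirectory")
```

The writable jobout directory sits below the jail root, so it is not part of the checked path; call chroot_violations(path) with no second argument to check a live filesystem.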
