rssh-discuss Mailing List for rssh (Page 30)
Brought to you by: xystrus
Archive by month (number of messages; blank = none):

Year | Jan | Feb | Mar | Apr | May | Jun | Jul | Aug | Sep | Oct | Nov | Dec
---|---|---|---|---|---|---|---|---|---|---|---|---
2003 | | | | | 4 | 1 | 15 | 33 | 5 | 15 | 8 | 4
2004 | 5 | | 5 | 4 | 4 | 15 | 9 | 11 | 5 | 2 | | 6
2005 | 8 | 6 | 43 | 2 | 5 | 6 | 12 | 22 | 5 | 7 | 15 | 5
2006 | 60 | 7 | 12 | 7 | 5 | 14 | 19 | 21 | 16 | 2 | 15 | 3
2007 | | | | 24 | | 26 | 12 | 1 | 7 | 2 | | 1
2008 | 4 | 6 | 4 | 4 | 5 | 4 | 4 | | | | |
2009 | | 27 | 20 | 8 | 1 | 1 | | 3 | 2 | 1 | |
2010 | 3 | 1 | 3 | | | 4 | 7 | 6 | 7 | 1 | |
2011 | | 5 | 5 | 16 | | 6 | 20 | 10 | 4 | | | 7
2012 | 5 | | 9 | | 6 | 3 | 1 | | | 1 | 5 | 6
2013 | | | 5 | | | | 2 | 2 | 3 | 1 | 1 |
2014 | 5 | | | 1 | | | | 7 | | | |
2015 | | | | 4 | | | | | | 2 | 7 |
2016 | | | 4 | | | | | | | 11 | |
2018 | | | | | | | | | | | | 2
2019 | 8 | 17 | | | | | | | | | 3 |
2020 | | | | | | | | | | | 1 |
2021 | 4 | | | | | | | | | | |
2022 | | | | | | | | | | 1 | |
From: <el...@on...> - 2004-08-10 15:38:27

Hi!

I compiled rssh 2.2.1 for my Debian Sarge system with kernel 2.6.7. But I can't make it work. I have openssh compiled from source too. I've enabled only one, per-user basis setting for rssh:

user=temp:022:00010:"/var/www"

I want the temp user to be allowed only to see the www directory but nothing else, and to access only by SFTP. In the passwd I use this:

temp:x:1002:1002:,,,:/var/www:/usr/local/bin/rssh

The user successfully authenticated:

Aug 6 14:45:28 kistestver sshd[20832]: Server listening on 0.0.0.0 port 2222.
Aug 6 14:45:45 kistestver sshd[31688]: Accepted keyboard-interactive/pam for temp from 212.97.16.7 port 2667 ssh2
Aug 6 14:45:45 kistestver sshd[31688]: subsystem request for sftp
Aug 6 14:45:45 kistestver sshd[18846]: (pam_unix) session opened for user temp by (uid=0)

I've already set UsePrivilegeSeparation to NO in sshd config (so sshd runs with root privileges). I've tried to use rssh with suid bit set and NOT suid, but all the same. The user.log says:

Aug 6 14:47:04 kistestver rssh[24731]: allowing sftp to all users
Aug 6 14:47:04 kistestver rssh[24731]: setting umask to 022
Aug 6 14:47:04 kistestver rssh[24731]: user temp attempted to execute forbidden commands
Aug 6 14:47:04 kistestver rssh[24731]: command: /usr/libexec/sftp-server

For sure, /usr/libexec/sftp-server is in its place, and accessible for execution and read by world.

I compile openssh this way:

./configure --with-ssl-dir=/usr --with-rand-helper --sysconfdir=/etc/ssh --with-tcp-wrappers --with-md5-passwords --mandir=/usr/share/man --with-pam

I compile rssh this way:

./configure --prefix=/usr/local --with-sftp-server=/usr/libexec/sftp-server --sysconfdir=/etc

Also, I've tried to execute rssh as user temp in a shell. It authenticated me successfully, and detected that sftp was not being used:

This account is restricted by rssh.
Allowed commands: sftp
If you believe this is in error, please contact your system administrator.

In addition my sftp-server surely works, because when I use another user account, not protected by rssh but having a simple bash shell, I could successfully use SFTP. I've also tried with and without chrooting. The message is the same (forbidden command). I've also tried static linking to be sure it is not a library-access problem, but static linking gave the same results.

From this point, I don't know where to go. Please help!!!

Thank you in advance.
From: Derek M. <co...@pi...> - 2004-08-10 15:33:26

On Tue, Aug 10, 2004 at 12:57:13PM +0200, jg...@ar... wrote:
> Hello,
>
> First of all, I want to say that rssh is a great tool which closes a
> gap OpenSSH has left open.

Thanks! That's why I wrote it...

> I have been using rssh 2.1.1 successfully to implement an
> sftp-server in a chroot jail on an IBM pSeries Server using AIX 5.2
> ML3 and gcc version 3.3.2. When trying the new rssh 2.2.1 on the
> same platform, everything works fine, apart from chroot.

You can continue to use 2.1.1 if it works for you. The security issue which prompted the release of 2.2.1 isn't really serious... If it turns out to be an issue for you, you can solve it by careful management of filesystem permissions on your system.

> 2.1.1 gives no output
> 2.2.1 exits with "rssh_chroot_helper: error expanding arguments"

[SNIP]

> Perhaps this gives a hint, what might be the cause. I see from the
> rssh-discuss list, that other users have similar experiences.

If you read the list archives, then you know that this problem is largely out of my hands. The trouble is that wordexp() on your system is implemented in a way which is not readily compatible with chroot jails. Likely, there is some file missing from your chroot jail which your system's implementation of wordexp() uses. It might be /bin/sh, /usr/bin/sh, /dev/zero, /dev/null, or something entirely different. You'll need to contact IBM's support and ask them about their implementation of wordexp(). If you find out something useful, please report back...

--
Derek D. Martin
http://www.pizzashack.org/
GPG Key ID: 0x81CFE75D
From: <jg...@ar...> - 2004-08-10 10:57:23

Hello,

First of all, I want to say that rssh is a great tool which closes a gap OpenSSH has left open.

I have been using rssh 2.1.1 successfully to implement an sftp-server in a chroot jail on an IBM pSeries Server using AIX 5.2 ML3 and gcc version 3.3.2. When trying the new rssh 2.2.1 on the same platform, everything works fine, apart from chroot. As soon as I add chroot functionality to the config, the sftp client ends with a "Connection closed" message.

When manually running the command:

/usr/local/libexec/rssh_chroot_helper "/home/sftpuser/chroot" 2 "/" /usr/sbin/sftp-server

2.1.1 gives no output
2.2.1 exits with "rssh_chroot_helper: error expanding arguments"

Perhaps this gives a hint what might be the cause. I see from the rssh-discuss list that other users have similar experiences.

Thanks for any suggestions.

Joachim Gann
From: Derek M. <co...@pi...> - 2004-07-28 17:40:12

On Tue, Jul 27, 2004 at 02:05:24PM +1000, James McGrath wrote:
> Do I need to copy some libraries into the users directory? Am i missing
> any important steps?

With the latest release of rssh, there is also a shell script which attempts to do everything that you need to do to get this working. I somehow neglected to make sure it got packaged in the RPM though, so if you want to use the script, you'll have to download the source code. Or, if you check back to the site later, I should have uploaded new RPM packages with the scripts included. If you don't see the new packages after a few days, please remind me. I'm currently on vacation and expect to be all tied up until after the weekend. ;-)

--
Derek D. Martin
http://www.pizzashack.org/
GPG Key ID: 0x81CFE75D
From: Derek M. <co...@pi...> - 2004-07-28 01:59:00

On Tue, Jul 27, 2004 at 02:05:24PM +1000, James McGrath wrote:
> Hi,
> I am new to RSSH, and am having troubles setting up a chroot jail
> for a single user "foo".

Hello! I hope you find rssh useful. :)

[SNIP]

> I am then challenged, enter my password and get the following message:
>
> "Connection Closed"
>
> Do I need to copy some libraries into the users directory? Am i missing
> any important steps?

Yes, and yes. Setting up a chroot jail is complicated. Look in /usr/share/doc/rssh-* and carefully read all the documentation listed there.

Good luck!

--
Derek D. Martin
http://www.pizzashack.org/
GPG Key ID: 0x81CFE75D
From: James M. <j.m...@un...> - 2004-07-27 04:05:42

Hi,

I am new to RSSH, and am having troubles setting up a chroot jail for a single user "foo". I am running Fedora RC2 and installed the following rpm without incident: rssh-2.2.1-1.i386.rpm

I have configured the following files:

/etc/passwd:
foo:x:502:503::/home/foo:/usr/bin/rssh

/etc/rssh.conf:
logfacility = LOG_USER
user = foo:011:00011:"/home/foo" # sftp and scp with chroot

The /home/foo directory does exist with umask of 700 and owned by "foo".

If I try to ssh from a remote machine (or "su - foo" on the localhost) I get the following message after entering the password:

This account is restricted by rssh.
Allowed commands: scp sftp
If you believe this is in error, please contact your system administrator.

Which seems promising, as rssh seems to be working. But when I issue the following command:

sftp fooman@machinename

I am then challenged, enter my password and get the following message:

"Connection Closed"

Do I need to copy some libraries into the user's directory? Am I missing any important steps?

Any help would be appreciated.

Cheers,
James.
From: Derek M. <co...@pi...> - 2004-07-22 18:32:52

On Thu, Jul 22, 2004 at 12:12:37PM -0400, Jonathan Delgado wrote:
> Hi, I am having a problem with chrooting 2.2.1 under FreeBSD 5.2.1
> that seems similar to that in the ongoing thread about chroot under
> Solaris 9
> (http://sourceforge.net/mailarchive/forum.php?thread_id=4992072&forum_id=33294).

This is unfortunate, but there's not really too much I can do about it. The problem is that these OEs implement wordexp() in a way which is not immediately compatible with chroot jails, and (at least in the case of Solaris) don't document what needs to be done to make it work. Most probably, it's as simple as making sure that some file or other exists within the chroot. But I have no guesses as to what that file (or files) might be...

My suggestion would be to contact the developers of FreeBSD's C libraries, and find out how they implemented wordexp(). I've basically finished rssh, and I don't really intend to support it beyond reporting the solution to this issue. One thing I could do, for example, is re-implement a chroot-capable wordexp(). But I'm simply not going to do that... When the reasons it doesn't work now are discovered, I'll post the solution. Beyond that, I don't have a lot to offer...

--
Derek D. Martin
http://www.pizzashack.org/
GPG Key ID: 0x81CFE75D
From: Jonathan D. <de...@te...> - 2004-07-22 16:12:43

Hi, I am having a problem with chrooting 2.2.1 under FreeBSD 5.2.1 that seems similar to that in the ongoing thread about chroot under Solaris 9 (http://sourceforge.net/mailarchive/forum.php?thread_id=4992072&forum_id=33294). I have had 2.1.1 running successfully with chroot (rssh built from the FreeBSD ports collection), and then made the move to 2.2.1 (built from source). I have updated my rssh.conf and regular non-chroot usage is fine, but when I try to connect to a chroot the connection gets dropped. An error message is logged:

Jul 22 15:03:30 myhost rssh_chroot_helper[89019]: error expanding arguments for user (null)

For kicks I applied the patch provided in the Solaris 9 thread. The error now logged is:

Jul 22 15:22:32 myhost rssh_chroot_helper[90788]: wordexp() bad syntax

Any thoughts on this?

-Jonathan
From: Marty S. <ma...@ca...> - 2004-07-19 22:29:58

Thanks for the reply Derek. I've contacted Sun and told them what you said, and they are going to get back to me, hopefully with some progress from their end... I'll post whatever I find out.

Thanks again-
Marty

On Mon, 19 Jul 2004, Derek Martin wrote:

> On Tue, Jul 06, 2004 at 01:44:02PM -0400, Marty Saletta wrote:
> >
> > Hi Derek-
> >
> > Okay, I just built and tried rssh with the patch
> > and, along with the usual, my logs show the following new message:
>
> Sorry to take so long getting back to you. I've been very busy with
> certain anti-coding activities lately... ;-)
>
> > Jul 6 13:40:17 xxxxxx rssh_chroot_helper[7857]: [ID 381274 user.error]
> > retc = 127 (this shouldn't happen)
>
> Indeed, it shouldn't. According to Solaris 9's wordexp.h file,
> wordexp() should never return 127. Until you get a reply from the
> boys at Sun, I'm afraid there's nothing I can do to fix this. Sorry
> guys... Get on Sun's case to find out what the problem is, and I'll
> get it fixed up (or, more likely, post a FAQ about how to fix the
> chroot jail for Solaris 9) as soon as I get a definitive solution.
>
> --
> Derek D. Martin
> http://www.pizzashack.org/
> GPG Key ID: 0x81CFE75D
From: Derek M. <co...@pi...> - 2004-07-19 13:30:25

On Tue, Jul 06, 2004 at 01:44:02PM -0400, Marty Saletta wrote:
>
> Hi Derek-
>
> Okay, I just built and tried rssh with the patch
> and, along with the usual, my logs show the following new message:

Sorry to take so long getting back to you. I've been very busy with certain anti-coding activities lately... ;-)

> Jul 6 13:40:17 xxxxxx rssh_chroot_helper[7857]: [ID 381274 user.error]
> retc = 127 (this shouldn't happen)

Indeed, it shouldn't. According to Solaris 9's wordexp.h file, wordexp() should never return 127. Until you get a reply from the boys at Sun, I'm afraid there's nothing I can do to fix this. Sorry guys... Get on Sun's case to find out what the problem is, and I'll get it fixed up (or, more likely, post a FAQ about how to fix the chroot jail for Solaris 9) as soon as I get a definitive solution.

--
Derek D. Martin
http://www.pizzashack.org/
GPG Key ID: 0x81CFE75D
From: Marty S. <ma...@ca...> - 2004-07-06 17:44:06

Hi Derek-

Okay, I just built and tried rssh with the patch and, along with the usual, my logs show the following new message:

Jul 6 13:40:17 xxxxxx rssh_chroot_helper[7857]: [ID 381274 user.error] retc = 127 (this shouldn't happen)

Thanks!
Marty

On Sat, 3 Jul 2004, Derek Martin wrote:

> On Wed, Jun 30, 2004 at 09:17:31AM -0400, Marty Saletta wrote:
> > I've got a call into Sun concerning this function, and
> > what exactly it needs to run in a chrooted environment.
> > When I get a reply back, I'll be sure to post the info to
> > this list.
>
> Ok, I wrote up a quick patch to help solidify what the problem is. It
> just checks for the case where wordexp() sets errno (it only does this
> on Solaris, AFAIK) and reports the error. It also explicitly checks
> all the other cases of WRDE_* macros. The patch is attached. Apply
> it with this command:
>
> patch -p0 < patch.argvec
>
> Then let me know what turns up in the logs...
>
> --
> Derek D. Martin
> http://www.pizzashack.org/
> GPG Key ID: 0x81CFE75D
From: Derek M. <co...@pi...> - 2004-07-03 05:06:27

On Wed, Jun 30, 2004 at 09:17:31AM -0400, Marty Saletta wrote:
> I've got a call into Sun concerning this function, and
> what exactly it needs to run in a chrooted environment.
> When I get a reply back, I'll be sure to post the info to
> this list.

Ok, I wrote up a quick patch to help solidify what the problem is. It just checks for the case where wordexp() sets errno (it only does this on Solaris, AFAIK) and reports the error. It also explicitly checks all the other cases of WRDE_* macros. The patch is attached. Apply it with this command:

patch -p0 < patch.argvec

Then let me know what turns up in the logs...

--
Derek D. Martin
http://www.pizzashack.org/
GPG Key ID: 0x81CFE75D
From: Marty S. <ma...@ca...> - 2004-06-30 13:17:35

I've got a call into Sun concerning this function, and what exactly it needs to run in a chrooted environment. When I get a reply back, I'll be sure to post the info to this list.

Thanks!
Marty

On Wed, 30 Jun 2004, Derek Martin wrote:

> On Mon, Jun 28, 2004 at 04:44:28PM -0400, Marty Saletta wrote:
> > Hi Derek-
> >
> > Thanks for the reply. I tried the suggestions below- no luck.
> > Actually, I already had /dev/zero and /dev/null in place
> > in the chrooted environment to support syslog reporting, so I
> > tried copying sh to both /usr/bin and /bin of the chroot jail,
> > neither of which worked.
>
> The key is in how wordexp() is implemented on Solaris, and I haven't
> been able to find anything useful out about it. I don't have time
> right now, but I'll hack up a quick patch to help identify the
> problem, and post it later (maybe tomorrow). Then you can run rssh
> again, and possibly see what's going on.
>
> You will probably have to find the file wordexp.h on your system, and
> see what the error is that it is returning. I don't have access to a
> Solaris box, so I can't do it... Hopefully the file is commented
> well, and it will give us some clue as to what the problem is.
>
> --
> Derek D. Martin
> http://www.pizzashack.org/
> GPG Key ID: 0x81CFE75D
From: Derek M. <co...@pi...> - 2004-06-30 03:53:07

On Mon, Jun 28, 2004 at 04:44:28PM -0400, Marty Saletta wrote:
> Hi Derek-
>
> Thanks for the reply. I tried the suggestions below- no luck.
> Actually, I already had /dev/zero and /dev/null in place
> in the chrooted environment to support syslog reporting, so I
> tried copying sh to both /usr/bin and /bin of the chroot jail,
> neither of which worked.

The key is in how wordexp() is implemented on Solaris, and I haven't been able to find anything useful out about it. I don't have time right now, but I'll hack up a quick patch to help identify the problem, and post it later (maybe tomorrow). Then you can run rssh again, and possibly see what's going on.

You will probably have to find the file wordexp.h on your system, and see what the error is that it is returning. I don't have access to a Solaris box, so I can't do it... Hopefully the file is commented well, and it will give us some clue as to what the problem is.

--
Derek D. Martin
http://www.pizzashack.org/
GPG Key ID: 0x81CFE75D
From: Marty S. <ma...@ca...> - 2004-06-28 20:44:33

Hi Derek-

Thanks for the reply. I tried the suggestions below- no luck. Actually, I already had /dev/zero and /dev/null in place in the chrooted environment to support syslog reporting, so I tried copying sh to both /usr/bin and /bin of the chroot jail, neither of which worked.

I'm going to continue to poke around with this, since wordexp does seem like the culprit. When I find the solution (got to stay positive, eh?) I'll post it here, unless someone beats me to it of course.

Thanks!
Marty

On Sun, 27 Jun 2004, Derek Martin wrote:

> On Sun, Jun 27, 2004 at 01:51:52PM +0900, Derek Martin wrote:
> > > error expanding arguments for user marty
> >
> > It seems that the call to wordexp() is failing on your system. I have
> > no idea why that could be. I can't debug it, because I don't have
> > access to a solaris 9 system.
>
> Actually after reviewing the man page for wordexp() and giving it some
> thought, I do have a guess, but it's only a guess.
>
> My guess is that the Solaris 9 implementation of wordexp() tries to
> open a file which does not exist inside the chroot jail. I think
> there are three main suspects for which one it is:
>
> (/usr)/bin/sh
> /dev/zero
> /dev/null
>
> I think they are in decreasing order of likelihood. Please try them
> one at a time, and see if that solves the problem, and report back.
>
> --
> Derek D. Martin
> http://www.pizzashack.org/
> GPG Key ID: 0x81CFE75D
From: <tdi...@fu...> - 2004-06-28 14:11:02

From what I can tell, I'm in the same position as Marty. I've added the files that you've specified, though still no luck. As a heads up, I'm using Solaris 9 and rssh-2.2.1. Any further thoughts or assistance would be most appreciated.

Thanks,
Troy

> From: Derek Martin <co...@pi...>
> Date: 2004/06/27 Sun AM 01:17:25 EDT
> To: rss...@li...
> CC: Marty Saletta <ma...@ca...>
> Subject: Re: 2.2.1 and chrooted Solaris 9 not working
From: Derek M. <co...@pi...> - 2004-06-27 05:23:33

On Thu, Jun 24, 2004 at 11:46:32AM +0200, Yves Martin wrote:
> I have a really strange issue. A project used to have its cvs
> repository on an old Mandrake 8.0 - with a "CVS 1.11"

[SNIP]

> used to) - but I found another bug with the old binary:
> . it tries to chdir to the $HOME directory (from the variable)
>
> . whereas the woody cvs uses the /etc/passwd (I have compared with
> strace in a chroot command)

Since rssh changes the $HOME variable, and you have control over what /etc/passwd looks like inside the chroot jail, either way you can control where the binary is looking. So I don't understand what the issue is here...

> Is it a good idea that rssh should change all environment variables
> defined to reflect the chroot?

That's an interesting point, but I'm not sure it's necessary within the scope of what rssh is designed to do. If I understand you (and I may not), then I also don't see how it will help your problem.

--
Derek D. Martin
http://www.pizzashack.org/
GPG Key ID: 0x81CFE75D
From: Derek M. <co...@pi...> - 2004-06-27 05:17:42

On Sun, Jun 27, 2004 at 01:51:52PM +0900, Derek Martin wrote:
> > error expanding arguments for user marty
>
> It seems that the call to wordexp() is failing on your system. I have
> no idea why that could be. I can't debug it, because I don't have
> access to a solaris 9 system.

Actually after reviewing the man page for wordexp() and giving it some thought, I do have a guess, but it's only a guess.

My guess is that the Solaris 9 implementation of wordexp() tries to open a file which does not exist inside the chroot jail. I think there are three main suspects for which one it is:

(/usr)/bin/sh
/dev/zero
/dev/null

I think they are in decreasing order of likelihood. Please try them one at a time, and see if that solves the problem, and report back.

--
Derek D. Martin
http://www.pizzashack.org/
GPG Key ID: 0x81CFE75D
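The helper's failure in this thread comes from wordexp(3), and the patch posted later in the thread reports which WRDE_* code it returned. The following is an added example, not rssh code and not that patch: a wrapper around wordexp() that names each failure code and passes WRDE_NOCMD so that a user-controlled argument such as $(id) is refused instead of being run by a setuid helper. The command line is the one rssh_chroot_helper logged above; the rejected inputs and the function names are constructed for the example. Built statically and run from inside a candidate jail (chroot into it as root, then run the binary), it tells you in one step whether that platform's wordexp() works there; a return outside the WRDE_* set, like the 127 in the Solaris logs, is exactly the "this shouldn't happen" case the patch flags.

```c
/* Added example, not rssh code: wrap wordexp(3) the way a chroot helper
 * should, and name its failure codes. The command line below is the one
 * rssh_chroot_helper logged in this thread; everything else is constructed. */
#include <stdio.h>
#include <string.h>
#include <wordexp.h>

/* Symbolic name for a wordexp() return value. Anything outside the WRDE_*
 * set (for instance the 127 seen in the Solaris logs) is reported as
 * unrecognized rather than being mistaken for one of the documented errors. */
const char *wordexp_code_name(int rc)
{
    switch (rc) {
    case 0:            return "OK";
    case WRDE_BADCHAR: return "WRDE_BADCHAR";   /* unquoted | & ; < > ( ) { } */
    case WRDE_BADVAL:  return "WRDE_BADVAL";    /* undefined variable with WRDE_UNDEF */
    case WRDE_CMDSUB:  return "WRDE_CMDSUB";    /* command substitution refused */
    case WRDE_NOSPACE: return "WRDE_NOSPACE";   /* out of memory */
    case WRDE_SYNTAX:  return "WRDE_SYNTAX";    /* unbalanced quote or parenthesis */
    default:           return "unrecognized";
    }
}

/* Expand a command line into words. Command substitution ($(...) and
 * backticks) is refused via WRDE_NOCMD: a setuid helper must never let a
 * user-controlled argument run a program. Returns 0 and fills *we (caller
 * frees with wordfree()), or a WRDE_* code with *we left empty. */
int expand_cmdline(const char *cmdline, wordexp_t *we)
{
    int rc;
    memset(we, 0, sizeof *we);
    rc = wordexp(cmdline, we, WRDE_NOCMD);
    if (rc == WRDE_NOSPACE)        /* the one failure that may leave an allocation */
        wordfree(we);
    if (rc != 0)
        memset(we, 0, sizeof *we);
    return rc;
}

/* Return code only, for deciding whether a line is acceptable at all. */
int expansion_code(const char *cmdline)
{
    wordexp_t we;
    int rc = expand_cmdline(cmdline, &we);
    if (rc == 0) wordfree(&we);
    return rc;
}

/* Number of words after expansion, or -1 on any error. */
int expansion_word_count(const char *cmdline)
{
    wordexp_t we;
    if (expand_cmdline(cmdline, &we) != 0) return -1;
    int n = (int)we.we_wordc;
    wordfree(&we);
    return n;
}

/* 1 if word i of the expansion equals `expect`, else 0. */
int expansion_word_is(const char *cmdline, size_t i, const char *expect)
{
    wordexp_t we;
    if (expand_cmdline(cmdline, &we) != 0) return 0;
    int match = i < we.we_wordc && strcmp(we.we_wordv[i], expect) == 0;
    wordfree(&we);
    return match;
}

int main(void)
{
    /* The helper's command line from the log in this thread. */
    const char *line = "\"/CHROOT\" 2 \"/u1/marty\" /usr/local/libexec/sftp-server";
    /* Constructed hostile inputs a helper must refuse. */
    const char *bad[] = { "/CHROOT $(id)", "/CHROOT `id`", "/CHROOT | sh", "\"/CHROOT" };
    wordexp_t we;
    int rc = expand_cmdline(line, &we);
    printf("%s -> %s\n", line, wordexp_code_name(rc));
    for (size_t i = 0; rc == 0 && i < we.we_wordc; i++)
        printf("  argv[%zu] = %s\n", i, we.we_wordv[i]);
    if (rc == 0) wordfree(&we);
    for (size_t i = 0; i < sizeof bad / sizeof bad[0]; i++)
        printf("%s -> %s\n", bad[i], wordexp_code_name(expansion_code(bad[i])));
    return 0;
}
```

Which files the jail needs depends on the libc, not on rssh: glibc's wordexp() only spawns /bin/sh for command substitution, which WRDE_NOCMD forbids, so on glibc no shell is required for this call; FreeBSD's libc hands the whole expansion to /bin/sh, so there the shell and everything it loads must be inside the jail. Those two statements come from the libc sources, not from this thread, and say nothing about Solaris or AIX.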
From: Derek M. <co...@pi...> - 2004-06-27 04:52:23

On Wed, Jun 23, 2004 at 05:07:49PM -0400, Marty Saletta wrote:
> ...
> Jun 23 16:41:57 HOST rssh[1956]: [ID 853327 user.info] chroot cmd
> line: /usr/local/libexec/rssh_chroot_helper "/CHROOT" 2 "/u1/marty"
> /usr/local/libexec/sftp-server
> Jun 23 16:41:57 HOST rssh_chroot_helper[1956]: [ID 630356 user.info]
> new session for marty, UID=[not provided]
> Jun 23 16:41:57 HOST rssh_chroot_helper[1956]: [ID 919885
> user.error]
> error expanding arguments for user marty

It seems that the call to wordexp() is failing on your system. I have no idea why that could be. I can't debug it, because I don't have access to a solaris 9 system. So far, you're the only person to have reported this problem, so I am inclined to think it is specific to your environment... But I really can't know.

Did you convert your rssh.conf file to the new format? That's the only other thing I can think of which might cause a problem... But I can't see how it would result in this kind of problem.

FWIW, if your site is not a high-security site, and your data is not so sensitive that merely seeing what files exist on the server in world-readable directories is a problem, then you could just use 2.1.1 instead. The security issue really is pretty trivial for most sites.

--
Derek D. Martin
http://www.pizzashack.org/
GPG Key ID: 0x81CFE75D
From: Yves M. <yve...@el...> - 2004-06-24 09:47:09

Hello,

I have a really strange issue. A project used to have its cvs repository on an old Mandrake 8.0 - with a "CVS 1.11". When a module is checked out (with a reduced set of directories), that binary declared partially checked-out directories as linked to CVSROOT/EmptyDir - so an update -d on that directory does not get all existing directories from the repository. With the woody cvs 1.11.1p1, the same checked-out directory is linked to a real position on the repository - and of course the update -d command behaves differently. How strange it is to discover such an issue!

So I just copied the old cvs binary in the RSSH chroot environment to try to get back that strange behavior (the project developers are used to) - but I found another bug with the old binary:

. it tries to chdir to the $HOME directory (from the variable)
. whereas the woody cvs uses the /etc/passwd (I have compared with strace in a chroot command)

[ Argh! The more I analyse CVS, the more I find it ugly ]

So here is my question: Is it a good idea that rssh should change all environment variables defined to reflect the chroot? If HOME is set to /chroot/home/user by SSH, RSSH just changes it into /home/user. Of course, it may be useful for any other variables containing file paths.

What do you think about that idea?

Best regards,
--
Yves Martin
From: Marty S. <ma...@ca...> - 2004-06-23 21:07:53

Based on the latest minor security issue with 2.1.1, I've tried to upgrade to 2.2.1, and I've been having some trouble. It goes like this:

I'm using Solaris 9, OpenSSH 3.8.1p1, and trying to move to 2.2.1 of rssh from 2.1.1 in a chrooted environment. I am allowing both scp and sftp via the rssh_config file. I downloaded and built 2.2.1 with the defaults, moved the new rssh programs into both /usr/local and /[chrooted]/usr/local, and now chroot doesn't work. After entering the correct password, the user sees "Connection closed." The following error gets reported in /var/adm/messages:

...
Jun 23 16:41:57 HOST rssh[1956]: [ID 853327 user.info] chroot cmd line: /usr/local/libexec/rssh_chroot_helper "/CHROOT" 2 "/u1/marty" /usr/local/libexec/sftp-server
Jun 23 16:41:57 HOST rssh_chroot_helper[1956]: [ID 630356 user.info] new session for marty, UID=[not provided]
Jun 23 16:41:57 HOST rssh_chroot_helper[1956]: [ID 919885 user.error] error expanding arguments for user marty

If I comment out the chrootpath line in rssh.conf, everything works, but of course I'm not chrooted anymore. At least it proves that the 2.2.1 binaries might be built okay. There were no errors reported during the make.

I've done an ldd on the new rssh and rssh_chroot_helper, and it looks like I've got everything needed from /usr/lib in the chrooted environment. To be sure, I copied the entire contents of /usr/lib to the chrooted environment and it still failed. I also examined the new script to make a Linux chroot area, and made sure everything is there, at least as close as I can get for Solaris.

If I replace the executables with the 2.1.1 versions, everything works again, including the chroot, so it looks like something really changed for 2.2.1. I'm going to continue to try more things, but I was wondering if anyone has seen this before and may have found a fix, even with prior versions of rssh. I guess I must still be missing something in the chrooted area for 2.2.1 that 2.1.1 didn't need?

Thanks!
Marty
From: Derek M. <co...@pi...> - 2004-06-19 07:43:24

William F. McCaw identified a minor security flaw in rssh when used with chroot jails. There is a bug in rssh 2.0 - 2.1.x which allows a user to gather information outside of a chrooted jail unintentionally. The latest release of rssh fixes this problem, and also improves support for some non-openssh sftp clients. Additionally, it extends rssh by allowing cvs, rsync, and rdist.

The cause of the problem identified by Mr. McCaw is that rssh expanded command-line arguments prior to entering the chroot jail. This bug DOES NOT allow a user to access any of the files outside the jail, but can allow them to discover what files are in a directory which is outside the jail, if their credentials on the server would normally allow them read/execute access in the specified directory.

For example (from William's bug report), if a user has an account on a server machine which restricts them into a jail using rssh, the user can use the following command to access the server and see what files exist in the /etc directory:

scp target:/etc/* .

The results of this command will look something like this:

scp: /etc/DIR_COLORS: No such file or directory
scp: /etc/HOSTNAME: No such file or directory
scp: /etc/X11: No such file or directory
scp: /etc/adjtime: No such file or directory
[ ... ]
ld.so.cache 100% 675 0.0KB/s 00:00
ld.so.conf 100% 0 0.0KB/s 00:00
[ ... ]
passwd 100% 51 0.0KB/s 00:00
[ ... ]
scp: /etc/termcap-Linux: No such file or directory
scp: /etc/updatedb.conf: No such file or directory
scp: /etc/warnquota.conf-sample: No such file or directory
scp: /etc/xml: No such file or directory

The files which succeed in copying exist inside the chroot jail, and thus should be harmless. All of the files which produce an error message exist in the system's /etc directory, but do not exist inside the chroot jail. The user is placed in the jail before access to any of these files is attempted, so again, it is not possible to access them. For many sites, this is not a serious issue.

However if it is important at your site that users not be able to know about any files which exist outside the chroot jail, then you should upgrade as soon as possible. The 2.2.0 release of rssh fixed the problem in question, but was mistakenly released missing some code for parsing per-user options. The 2.2.1 release corrects that problem, and should be the final release of rssh. No further development is planned.

You can get the latest release of rssh here:

http://www.pizzashack.org/rssh/

--
Derek D. Martin
http://www.pizzashack.org/
GPG Key ID: 0x81CFE75D
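The ordering bug described in the advisory above, as an added example that is not part of the advisory or of rssh: a small C program builds a throwaway "host" tree with a "jail" directory underneath it and runs a user's wildcard both ways. Expanding against the host and only then confining each open (the pre-2.2 order) produces one error line per host-only file, which is the /etc listing in the advisory; expanding after confinement (the 2.2 order) never names anything the jail does not hold. It uses glob(3) against the scratch tree instead of chroot(2), so it runs unprivileged. Every file and directory name in it is constructed for the example.

```c
/* Added example, not rssh code: reproduce the pre-2.2 ordering bug in a
 * scratch tree, without chroot(2) or root. "host" stands for the real
 * filesystem root and "host/jail" for the chroot directory. All file and
 * directory names below are constructed for the example. */
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <glob.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define NAMES_MAX 16
struct names { int n; char list[NAMES_MAX][64]; };

/* Results of the last run_demo(), kept global so they are easy to inspect. */
struct names g_served_vuln, g_leaked, g_served_fixed;

static void add_name(struct names *ns, const char *path)
{
    const char *base = strrchr(path, '/');
    base = base ? base + 1 : path;
    if (ns->n < NAMES_MAX)
        snprintf(ns->list[ns->n++], sizeof ns->list[0], "%s", base);
}

int has_name(const struct names *ns, const char *name)
{
    for (int i = 0; i < ns->n; i++)
        if (strcmp(ns->list[i], name) == 0) return 1;
    return 0;
}

static int touch(const char *root, const char *rel)
{
    char p[512];
    snprintf(p, sizeof p, "%s%s", root, rel);
    int fd = open(p, O_WRONLY | O_CREAT, 0644);
    if (fd < 0) return -1;
    return close(fd);
}

/* Pre-2.2 order: expand the user's wildcard against the real root, then
 * try each result through the jail. Every host-only file becomes a
 * "No such file or directory" line that names it. */
int expand_then_confine(const char *host, const char *pattern,
                        struct names *served, struct names *leaked)
{
    char buf[512];
    glob_t g;
    served->n = leaked->n = 0;
    snprintf(buf, sizeof buf, "%s%s", host, pattern);
    if (glob(buf, 0, NULL, &g) != 0) return -1;
    for (size_t i = 0; i < g.gl_pathc; i++) {
        const char *rel = g.gl_pathv[i] + strlen(host);   /* e.g. "/etc/shadow" */
        snprintf(buf, sizeof buf, "%s/jail%s", host, rel);
        if (access(buf, R_OK) == 0) add_name(served, rel);
        else add_name(leaked, rel);   /* the name leaks, the contents do not */
    }
    globfree(&g);
    return 0;
}

/* 2.2 order: expand only inside the jail, so nothing outside it is ever named. */
int confine_then_expand(const char *host, const char *pattern, struct names *served)
{
    char buf[512];
    glob_t g;
    served->n = 0;
    snprintf(buf, sizeof buf, "%s/jail%s", host, pattern);
    if (glob(buf, 0, NULL, &g) != 0) return -1;
    for (size_t i = 0; i < g.gl_pathc; i++) add_name(served, g.gl_pathv[i]);
    globfree(&g);
    return 0;
}

/* Build host/etc with four files and host/jail/etc with two of them, run
 * both orders on "/etc/*", then remove the tree. Returns 0 on success. */
int run_demo(void)
{
    static const char *host_files[] = { "/etc/passwd", "/etc/shadow", "/etc/hostname", "/etc/ld.so.conf" };
    static const char *jail_files[] = { "/jail/etc/passwd", "/jail/etc/ld.so.conf" };
    static const char *dirs[] = { "/etc", "/jail", "/jail/etc" };
    char host[] = "/tmp/rssh-leak-XXXXXX", p[512];
    int rc = -1;
    if (mkdtemp(host) == NULL) return -1;
    for (size_t i = 0; i < 3; i++) { snprintf(p, sizeof p, "%s%s", host, dirs[i]); if (mkdir(p, 0755)) goto out; }
    for (size_t i = 0; i < 4; i++) if (touch(host, host_files[i])) goto out;
    for (size_t i = 0; i < 2; i++) if (touch(host, jail_files[i])) goto out;
    if (expand_then_confine(host, "/etc/*", &g_served_vuln, &g_leaked)) goto out;
    if (confine_then_expand(host, "/etc/*", &g_served_fixed)) goto out;
    rc = 0;
out:
    for (size_t i = 0; i < 4; i++) { snprintf(p, sizeof p, "%s%s", host, host_files[i]); unlink(p); }
    for (size_t i = 0; i < 2; i++) { snprintf(p, sizeof p, "%s%s", host, jail_files[i]); unlink(p); }
    for (size_t i = 3; i-- > 0; ) { snprintf(p, sizeof p, "%s%s", host, dirs[i]); rmdir(p); }
    rmdir(host);
    return rc;
}

int main(void)
{
    if (run_demo() != 0) { perror("run_demo"); return 1; }
    printf("expand-then-confine (rssh 2.0-2.1.x): served %d, leaked %d names\n", g_served_vuln.n, g_leaked.n);
    for (int i = 0; i < g_leaked.n; i++) printf("  scp: /etc/%s: No such file or directory\n", g_leaked.list[i]);
    printf("confine-then-expand (rssh 2.2): served %d, leaked 0\n", g_served_fixed.n);
    return 0;
}
```

The names escape through error messages, not through reads, which is why the advisory can say the contents stay protected and why the fix is about where expansion happens rather than about permissions. The same check applies to any wrapper that performs wordexp() or glob() on user input before it drops into a jail: the expansion must happen after the boundary, not before it.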
From: Yves M. <yve...@el...> - 2004-06-11 13:51:27

Hello,

I would like to point out that the HOME directory in the chroot/etc/passwd must be correct (relative to the chroot) to make cvs work correctly (the file CHROOT should mention it).

cvs commit -m "Test" CVSROOT/modules
Password:
Checking in CVSROOT/modules;
/cvsroot/CVSROOT/modules,v <-- modules
new revision: 1.2; previous revision: 1.1
done
cvs [server aborted]: can't chdir(/home/cvs_testp/home/utest1-testp): No such file or directory

The user's real home is /home/cvs_testp/home/utest1-testp. After changing the /home/cvs_testp/etc/passwd with a relative home /home/utest1-testp, everything is OK.

Moreover, you can play with user names logged in CVS with passwd (author in RCS files). In my case, the real user is utest1-testp but the name in the CVS log is 'utest1'.

In the real /etc/passwd:
utest1-testp:x:1021:102:Test:/home/cvs_testp/home/utest1-testp:/usr/local/bin/rssh

In the chroot /home/cvs_testp/etc/passwd:
utest1:x:1021:102:Test:/home/utest1-testp:/bin/false

I would like to sum up what I have done with rssh:

- A chroot per 'project'; each project has a chroot /home/cvs_project. Each project has its own cvsroot: /home/cvs_project/cvsroot
- The user name contains the user name and project name (with a dash) to enable a user to access 2 different cvsroots.
- A group per project is created too; each project user is in that group, and /home/cvs_project/cvsroot is group writable.
- The user password is available for 2 weeks, time for the user to install their public key with scp and their password.
- Then the certificate is OK for cvs client/server authentication.
- Security points: only scp and cvs are enabled, each cvs project is chrooted, rssh.conf contains one entry per user to chroot into the right /home/cvs_project directory.

Great! My job is done.

Have a nice week-end
--
Yves Martin
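The passwd rewrite described above, as an added example that is not rssh code (the function names are this example's own): given the real /etc/passwd line, the jail root and an optional replacement login name, it emits the jail's entry with the home directory made relative to the jail and the shell set to /bin/false, and it refuses a home that is not a path component below the jail, which is the misconfiguration behind the "can't chdir" error in the message. The entry and jail path are the ones quoted above.

```c
/* Added example, not rssh code: derive a jail's passwd(5) entry from the
 * real one. The home field is made relative to the jail root, the shell
 * becomes /bin/false (nothing in the jail should get a shell), and the
 * login name may be swapped so CVS logs a shorter author. The sample
 * entry and jail path are the ones from the message; the function names
 * are this example's own. */
#include <stdio.h>
#include <string.h>

/* Rewrite `real_line` for a jail rooted at `jail`. `jail_name` may be NULL
 * to keep the real login name. Returns 0 on success; -1 if the line does
 * not have exactly the seven passwd fields, or if the real home directory
 * is not inside the jail. */
int jail_passwd_line(const char *real_line, const char *jail,
                     const char *jail_name, char *out, size_t outlen)
{
    char f[7][256];
    int nf = 0;
    const char *p = real_line, *q;

    do {                                               /* split on ':' */
        q = strchr(p, ':');
        size_t len = q ? (size_t)(q - p) : strlen(p);
        if (nf == 7 || len >= sizeof f[0]) return -1;  /* too many or oversized fields */
        memcpy(f[nf], p, len);
        f[nf][len] = '\0';
        nf++;
        if (q) p = q + 1;
    } while (q != NULL);
    if (nf != 7) return -1;

    size_t jl = strlen(jail);
    while (jl > 1 && jail[jl - 1] == '/') jl--;         /* tolerate a trailing '/' */
    const char *home = f[5];
    /* The home must be a path *component* below the jail: "/home/cvs" is a
     * string prefix of "/home/cvs_testp/home/u" but not its jail. */
    if (strncmp(home, jail, jl) != 0 || home[jl] != '/') return -1;

    int n = snprintf(out, outlen, "%s:%s:%s:%s:%s:%s:/bin/false",
                     jail_name ? jail_name : f[0], f[1], f[2], f[3], f[4], home + jl);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Convenience wrapper writing into a static buffer; returns the buffer,
 * or NULL when jail_passwd_line() refuses the input. */
const char *jail_passwd_entry(const char *real_line, const char *jail, const char *jail_name)
{
    static char buf[512];
    return jail_passwd_line(real_line, jail, jail_name, buf, sizeof buf) == 0 ? buf : NULL;
}

int main(void)
{
    const char *real = "utest1-testp:x:1021:102:Test:/home/cvs_testp/home/utest1-testp:/usr/local/bin/rssh";
    const char *e = jail_passwd_entry(real, "/home/cvs_testp", "utest1");
    printf("%s\n", e ? e : "refused: home directory is not inside the jail");
    return e ? 0 : 1;
}
```

Note that the jail must also contain whatever reads this file: on glibc that is libnss_files, which ldd does not list because it is loaded at run time, a point another message in this thread makes about the CHROOT file and mkchroot.sh.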
From: Derek M. <co...@pi...> - 2004-06-05 04:01:32

Hi again Landon,

On Wed, May 26, 2004 at 05:54:06AM +0900, Derek Martin wrote:
> On Mon, May 24, 2004 at 11:45:14PM -0700, rss...@as... wrote:
> > The source, by default in v2.2.0, installs the rssh_chroot_helper
> > in /usr/local/libexec/rssh_chroot_helper. However the pathname.h
> > file that is built by configure has PATH_CHROOT_HELPER hard coded
> > to /usr/local/bin/rssh_chroot_helper.
>
> Look again; it only does that if it isn't already defined. If you run
> configure appropriately, it will be defined...

I did it this way so that there would be a failsafe default if the user somehow managed to compile without running configure.

> > It would be nice if pathname.h honored the --prefix config
> > convention.
>
> It does. But --prefix doesn't set the location of libexec files...
> I suggest you read the output of configure --help. Hint: you're
> looking for --exec-prefix. :)

Actually revisiting this issue, I don't find that you need --exec-prefix at all... I tested it by running "configure --prefix=/blah", without giving --exec-prefix, and as one would expect, in the makefile the compile is run with -DPATH_CHROOT_HELPER=\"/blah/libexec/rssh_chroot_helper\" -- so I'm not sure why you mentioned this. Are you seeing different behavior?

> On Mon, May 24, 2004 at 11:56:12PM -0700, rss...@as... wrote:
> > Consider the following line in /etc/rssh.conf:
> >
> > user = test:002:11111:

Did the patch I posted fix your problem with this?

--
Derek D. Martin
http://www.pizzashack.org/
GPG Key ID: 0x81CFE75D
From: Yves M. <yve...@el...> - 2004-06-04 06:57:12

Derek Martin <co...@pi...> writes:

> I'll release 2.2.1 this weekend, I guess.

Let us know. What kind of bug? Is it critical?

> If I understand you correctly, the problem was you didn't copy
> libnss_files.* to your jail. You're right that ldd won't show this
> library. However the CHROOT file specifically mentions this issue...
> mkchroot.sh also warns about it.

Shame on me. But it does not matter, I have learned something new on my own.

> It would, if you did it correctly. You need to use the equal sign:
> --with-scp=/bin/scp

Argh! I'm addicted to the Perl Getopt::Long package...

Thanks again
--
Yves Martin