Thread: set up problem on FreeBSD-10.3
From: Adam J. <ha...@ri...> - 2016-10-05 02:58:51
My step-by-step process is posted here - https://forums.freebsd.org/threads/57935/

Basically, I do this:

sudo pkg install rssh
sudo pw groupadd -n rsshuser
sudo chown root:rsshuser /usr/local/bin/rssh
sudo chown root:rsshuser /usr/local/libexec/rssh_chroot_helper
sudo chmod 4550 /usr/local/libexec/rssh_chroot_helper
sudo pw useradd -n banks -d /usr/local/chroot/banks -g rsshuser \
    -s /usr/local/bin/rssh
sudo mkdir -p /usr/local/chroot/banks
sudo chown banks:rsshuser /usr/local/chroot/banks
sudo passwd banks
sudo vi /usr/local/etc/rssh.conf

logfacility=LOG_USER
umask=022
chrootpath=/usr/local/chroot
user=banks:022:10011:/usr/local/chroot/banks

But when I test it with:

scp blah ba...@mi...:/
Password for ba...@mi...:
rssh_chroot_helper: wordexp() bad syntax
lost connection

The same thing also happens for:

scp blah ba...@is...:/banks/
scp blah ba...@is...:~
scp blah ba...@is...:/usr/local/chroot/banks/

Curiously, with this modification to /usr/local/etc/rssh.conf

logfacility=LOG_USER
umask=022
chrootpath=/usr/local/chroot
user=banks:022:10011:
#user=banks:022:10011:/usr/local/chroot/banks

Then,

scp blah ba...@is...:/banks/
Password for ba...@mi...:
scp: /banks/: Permission denied

scp blah ba...@is...:/usr/local/chroot/banks/
Password for ba...@mi...:
blah                                          100%   17     0.0KB/s   00:00

That copied the file but the chroot facility isn't working. If Filezilla is used to sftp into ba...@mi..., the entire file system can be viewed.

Any ideas?
From: Adam J. <ha...@ri...> - 2016-10-05 03:17:50
On 10/04/2016 11:09 PM, Russ Allbery wrote:
> I'll bet that /bin/sh in your chroot is not the same as /bin/sh outside
> your chroot, it's not recognizing this shell built-in, and libc is
> incorrectly interpreting this as a syntax error.

This is an interesting statement. There isn't anything inside the chrootpath directory. That is,

pwd
/usr/local/chroot

ls
banks/

Should there be a '/usr/local/chroot/bin/sh'? If so, what else needs to be in the chrootpath?
From: Russ A. <ea...@ey...> - 2016-10-05 03:27:48
Adam Jensen <ha...@ri...> writes:

> But when I test it with:

> scp blah ba...@mi...:/
> Password for ba...@mi...:
> rssh_chroot_helper: wordexp() bad syntax
> lost connection

This error message means that:

    wordexp(str, &result, WRDE_NOCMD|WRDE_DOOFFS)

is returning WRDE_SYNTAX on your system. According to wordexp(3), this means:

    WRDE_SYNTAX
        Shell syntax error, such as unbalanced parentheses or unmatched
        quotes.

wordexp here is being used to parse the command that ssh is sending under the hood when you scp. Apparently there's something about that FreeBSD wordexp doesn't like, or somehow the command line is being parsed incorrectly.

My bet on why this is succeeding outside the chroot and not succeeding inside the chroot is this tantalizing statement in the FreeBSD wordexp(3) man page:

    The wordexp() function is implemented as a wrapper around the
    undocumented wordexp shell built-in command.

I'll bet that /bin/sh in your chroot is not the same as /bin/sh outside your chroot, it's not recognizing this shell built-in, and libc is incorrectly interpreting this as a syntax error.

-- 
Russ Allbery (ea...@ey...)             <http://www.eyrie.org/~eagle/>
From: Russ A. <ea...@ey...> - 2016-10-05 03:30:58
Adam Jensen <ha...@ri...> writes:
> On 10/04/2016 11:09 PM, Russ Allbery wrote:

>> I'll bet that /bin/sh in your chroot is not the same as /bin/sh outside
>> your chroot, it's not recognizing this shell built-in, and libc is
>> incorrectly interpreting this as a syntax error.

> This is an interesting statement. There isn't anything inside the
> chrootpath directory. That is,

> pwd
> /usr/local/chroot

> ls
> banks/

> Should there be a '/usr/local/chroot/bin/sh'? If so, what else needs to
> be in the chrootpath?

Yeah, sadly you need a bunch of stuff in the chroot because you have to execute the server end of scp or whatever in the chroot. So it needs all of its libraries and so forth.

The mkchroot.sh script in the distribution does an okay job for Linux systems but is probably missing a ton of stuff for FreeBSD. There's a bunch more details in the CHROOT file.

BTW, the wordexp thing is also discussed there:

    IMPORTANT NOTE ABOUT wordexp() IMPLEMENTATIONS:

    rssh requires a working implementation of the wordexp() library
    function, specified by POSIX.2 (or whatever they're calling it these
    days). A number of vendors ship a version of wordexp() that execvp()'s
    the system shell in order to expand the arguments. This means that if
    you are using such a platform, you'll need to copy their system shell
    into the chroot jail, along with all the other necessary files. The
    symptoms of this problem are:

      1. When a user logs in, they immediately get "Connection closed."
      2. In the system logs, rssh reports "error expanding arguments for
         user ..."

    For Solaris 9, the required shell is /bin/ksh. For AIX 5.2, you need
    /usr/bin/ksh93. FreeBSD also has this problem, but I don't know what
    the default system shell is on FreeBSD. Other platforms will probably
    also experience this problem. If you need help determining which
    shell to include, try running rssh with strace or truss, whichever
    your system has. See the relevant manpages for details.

Also, I feel obligated to warn that rssh may be inherently insecure on FreeBSD given this statement in the wordexp(3) manual page:

    Do not pass untrusted user data to wordexp(), regardless of whether
    the WRDE_NOCMD flag is set. The wordexp() function attempts to detect
    input that would cause commands to be executed before passing it to
    the shell but it does not use the same parser so it may be fooled.

This is exactly what rssh does and has to do, so if there are indeed such flaws, they would allow an authenticated attacker to bypass all of the command restrictions (although, at least in theory, not the chroot).

-- 
Russ Allbery (ea...@ey...)             <http://www.eyrie.org/~eagle/>
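The two explanations above (the WRDE_SYNTAX diagnosis, and the warning about feeding an authenticated user's command line to wordexp()) are easier to reason about with the call in front of you. The following is an added example written for this thread, not code from rssh, the FreeBSD libc, or any of the posters. It expands constructed scp-style command lines with the same WRDE_NOCMD|WRDE_DOOFFS flags Russ quotes and reports which wordexp(3) return code each one produces; the function names (parse_cmdline, count_words, parse_error, allowed_command), the sample strings and the two-entry allow-list are all assumptions made here. On glibc the expansion happens in-process; on FreeBSD the same call is routed through the wordexp built-in of /bin/sh, which is why, run inside an empty chroot, even the well-formed first sample would come back as WRDE_SYNTAX exactly as rssh_chroot_helper does in this thread.

```c
/* Added example, not rssh's own code: how a wordexp(3)-based command
 * filter sees the command line that scp sends, and what it gets back for
 * the cases discussed in this thread. All command strings are constructed
 * here for illustration; the allow-list below is an assumption. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <wordexp.h>

/* Expand a command line with the flags quoted in the thread
 * (WRDE_NOCMD|WRDE_DOOFFS). Returns 0 on success with *we filled in
 * (caller must wordfree() it), otherwise the wordexp(3) error code. */
int parse_cmdline(const char *cmdline, wordexp_t *we)
{
    memset(we, 0, sizeof *we);
    we->we_offs = 0;   /* WRDE_DOOFFS reads we_offs; no leading NULL slots wanted here */
    return wordexp(cmdline, we, WRDE_NOCMD | WRDE_DOOFFS);
}

/* Number of words the command line expands to, or -1 if it is rejected. */
int count_words(const char *cmdline)
{
    wordexp_t we;
    int n;
    if (parse_cmdline(cmdline, &we) != 0)
        return -1;
    n = (int)we.we_wordc;
    wordfree(&we);
    return n;
}

/* The raw wordexp(3) return code for a command line (0 if it parses). */
int parse_error(const char *cmdline)
{
    wordexp_t we;
    int rc = parse_cmdline(cmdline, &we);
    if (rc == 0)
        wordfree(&we);
    return rc;
}

/* A minimal allow-list check on the expanded argv[0] (assumed names, not
 * rssh's list). Only the basename is compared, so "/usr/bin/scp" and
 * "scp" both pass; anything that fails to expand is rejected outright. */
int allowed_command(const char *cmdline)
{
    static const char *allowed[] = { "scp", "sftp-server" };
    wordexp_t we;
    const char *base;
    size_t i;
    int ok = 0;

    if (parse_cmdline(cmdline, &we) != 0)
        return 0;
    if (we.we_wordc > 0) {
        base = strrchr(we.we_wordv[0], '/');
        base = base ? base + 1 : we.we_wordv[0];
        for (i = 0; i < sizeof allowed / sizeof allowed[0]; i++)
            if (strcmp(base, allowed[i]) == 0)
                ok = 1;
    }
    wordfree(&we);
    return ok;
}

static const char *errname(int rc)
{
    switch (rc) {
    case 0:            return "ok";
    case WRDE_BADCHAR: return "WRDE_BADCHAR";
    case WRDE_BADVAL:  return "WRDE_BADVAL";
    case WRDE_CMDSUB:  return "WRDE_CMDSUB";
    case WRDE_NOSPACE: return "WRDE_NOSPACE";
    case WRDE_SYNTAX:  return "WRDE_SYNTAX";
    default:           return "unknown";
    }
}

int main(void)
{
    /* Constructed samples: the first is the form scp sends for the upload
     * in the thread; the rest are what a filter must reject or keep whole. */
    const char *samples[] = {
        "scp -t /banks/",
        "scp -t \"/banks/my file\"",
        "scp -t /banks/$(id)",
        "scp -t /banks/; id",
        "scp -t '/banks/",
        "sh -c id",
    };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int rc = parse_error(samples[i]);
        printf("%-26s -> %-12s words=%2d allowed=%d\n", samples[i],
               errname(rc), count_words(samples[i]), allowed_command(samples[i]));
    }
    return 0;
}
```

The point of the last two columns is the one Russ makes: WRDE_NOCMD only covers the substitutions the library's own parser recognises, so a filter must still validate the expanded argv (here, argv[0] against an allow-list) rather than trust that expansion succeeded; and an unmatched quote is reported as WRDE_SYNTAX, the same code rssh_chroot_helper prints as "bad syntax".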
From: Adam J. <ha...@ri...> - 2016-10-05 03:50:48
On 10/04/2016 11:30 PM, Russ Allbery wrote:
> Yeah, sadly you need a bunch of stuff in the chroot because you have to
> execute the server end of scp or whatever in the chroot. So it needs all
> of its libraries and so forth.
>
> The mkchroot.sh script in the distribution does an okay job for Linux
> systems but is probably missing a ton of stuff for FreeBSD. There's a
> bunch more details in the CHROOT file.
>
[snip]
> Also, I feel obligated to warn that rssh may be inherently insecure on
> FreeBSD given this statement in the wordexp(3) manual page:
>
[snip]
> This is exactly what rssh does and has to do, so if there are indeed such
> flaws, they would allow an authenticated attacker to bypass all of the
> command restrictions (although, at least in theory, not the chroot).
>

That is immensely helpful. I naively installed rssh from the FreeBSD package system assuming, well... I'm looking through the rssh source directory now; I'm not sure how I will proceed.

Thanks for the help. The response was awesome! (I'm thoroughly impressed).
From: Derek M. <co...@pi...> - 2016-10-05 04:53:54
On Tue, Oct 04, 2016 at 11:50:39PM -0400, Adam Jensen wrote:
> On 10/04/2016 11:30 PM, Russ Allbery wrote:
> > The mkchroot.sh script in the distribution does an okay job for Linux
> > systems but is probably missing a ton of stuff for FreeBSD. There's a
> > bunch more details in the CHROOT file.
[...]
> Thanks for help. The response was awesome! (I'm thoroughly impressed).

Me too... I don't even remember writing most of that. =8^)

-- 
Derek D. Martin
http://www.pizzashack.org/
GPG Key ID: 0x81CFE75D
From: Nico Kadel-G. <nk...@gm...> - 2016-10-05 13:01:11
On Tue, Oct 4, 2016 at 11:30 PM, Russ Allbery <ea...@ey...> wrote:
> Adam Jensen <ha...@ri...> writes:
>> On 10/04/2016 11:09 PM, Russ Allbery wrote:
>
>>> I'll bet that /bin/sh in your chroot is not the same as /bin/sh outside
>>> your chroot, it's not recognizing this shell built-in, and libc is
>>> incorrectly interpreting this as a syntax error.
>
>> This is an interesting statement. There isn't anything inside the
>> chrootpath directory. That is,
>
>> pwd
>> /usr/local/chroot
>
>> ls
>> banks/
>
>> Should there be a '/usr/local/chroot/bin/sh'? If so, what else needs to
>> be in the chrootpath?
>
> Yeah, sadly you need a bunch of stuff in the chroot because you have to
> execute the server end of scp or whatever in the chroot. So it needs all
> of its libraries and so forth.
>
> The mkchroot.sh script in the distribution does an okay job for Linux
> systems but is probably missing a ton of stuff for FreeBSD. There's a
> bunch more details in the CHROOT file.

It's pretty seriously out of date. I've published a much more recent one, at https://github.com/nkadel/rssh-chroot-tools

I've offered it before.
From: Derek M. <co...@pi...> - 2016-10-08 22:52:41
On Wed, Oct 05, 2016 at 09:00:59AM -0400, Nico Kadel-Garcia wrote:
> > The mkchroot.sh script in the distribution does an okay job for Linux
> > systems but is probably missing a ton of stuff for FreeBSD. There's a
> > bunch more details in the CHROOT file.
>
> It's pretty seriously out of date. I've published a much more recent
> one, at https://github.com/nkadel/rssh-chroot-tools I've offered it
> before.

The thing is, the script was never really meant to solve the problem... I only created it because I needed to set up chroot jails in order to test chroot. I provided it since I'd already done the work, and saw no reason not to; but I only ever meant it to serve as a guide, to illustrate the kinds of things you need to do. It is therefore not maintained, and was never meant to be.

-- 
Derek D. Martin
http://www.pizzashack.org/
GPG Key ID: 0x81CFE75D
From: Nico Kadel-G. <nk...@gm...> - 2016-10-08 23:15:18
On Sat, Oct 8, 2016 at 6:52 PM, Derek Martin <co...@pi...> wrote:
> On Wed, Oct 05, 2016 at 09:00:59AM -0400, Nico Kadel-Garcia wrote:
>> > The mkchroot.sh script in the distribution does an okay job for Linux
>> > systems but is probably missing a ton of stuff for FreeBSD. There's a
>> > bunch more details in the CHROOT file.
>>
>> It's pretty seriously out of date. I've published a much more recent
>> one, at https://github.com/nkadel/rssh-chroot-tools I've offered it
>> before.
>
> The thing is, the script was never really meant to solve the
> problem... I only created it because I needed to set up chroot jails
> in order to test chroot. I provided it since I'd already done the
> work, and saw no reason not to; but I only ever meant it to serve as
> a guide, to illustrate the kinds of things you need to do. It is
> therefore not maintained, and was never meant to be.

If it's going to be unmaintained and left that way, then please disable it and consider dropping in a reference to my tool, especially rather than leaving an executable in place that fails without an error message. It's confusing to anyone who sees your old source code.

Nico Kadel-Garcia

> --
> Derek D. Martin
> http://www.pizzashack.org/
> GPG Key ID: 0x81CFE75D
From: Derek M. <co...@pi...> - 2016-10-10 17:57:14
On Sat, Oct 08, 2016 at 07:15:09PM -0400, Nico Kadel-Garcia wrote:
> If it's going to be unmaintained and left that way, then please
> disable it and consider dropping in a reference to my tool, especially
> rather than leaving an executable in place that fails without error
> message. It's confusing to anyone who sees your old source code.

We've already discussed this at length Nico, I'm not going to repeat myself. If you need a reminder the discussion is in the list archives.

-- 
Derek D. Martin
http://www.pizzashack.org/
GPG Key ID: 0x81CFE75D
From: Nico Kadel-G. <nk...@gm...> - 2016-10-11 01:25:56
On Mon, Oct 10, 2016 at 1:56 PM, Derek Martin <co...@pi...> wrote:
> On Sat, Oct 08, 2016 at 07:15:09PM -0400, Nico Kadel-Garcia wrote:
>> If it's going to be unmaintained and left that way, then please
>> disable it and consider dropping in a reference to my tool, especially
>> rather than leaving an executable in place that fails without error
>> message. It's confusing to anyone who sees your old source code.
>
> We've already discussed this at length Nico, I'm not going to repeat
> myself. If you need a reminder the discussion is in the list
> archives.

It's been a while, and I'm asking again with different details. I'm specifically asking you, now, to delete or *disable* the old tool as out of date and unmaintained, not to accept my offered patches.