Re: chroot and OpenSSH

To: debian-isp@lists.debian.org
Subject: Re: chroot and OpenSSH
From: Eirik Dentz <eirikdentz@brainlink.com>
Date: Fri, 03 Aug 2001 13:53:03 -0400
Message-id: <[🔎] 3B6AE4FF.18C34F3F@brainlink.com>
Reply-to: eirikdentz@brainlink.com
References: <[🔎] 3B6AADE6.B49E9B24@brainlink.com> <[🔎] 20010803152447.F1519@challah.msrl.com> <[🔎] 3B6AD95D.D050D035@brainlink.com> <[🔎] 20010803171845.B5884@challah.msrl.com>

> > > > Then I tried the following which probably indicates my ignorance of the
> > > > Linux/SSH/login process, I tried changing  the user's shell: "/bin/bash"
> > > > to a shell script with: usermod -s /bin/usr_login.sh which contained one line:
> > > >
> > > > chroot /path/to/userhomedir /bin/bash
> > > >
> > > > This fails, and I'm pretty sure that I know why, but I wanted to seek
> > > > advice and guidance from those of you who might have experience with
> > > > this before proceeding.
> > >
> > > Did you add '/bin/usr_login.sh' to /etc/shells?
> >
> > Oops hadn't noticed /etc/shells. I added usr_login.sh to it and I'm
> > still getting the same error message as before:
> >
> > chroot: cannot change root directory to /home/userdir: Operation not permitted
> 
> I'm not sure what they should be, but this looks like a permissions
> problem.  Try adding global execute permissions to '/home/userdir'.
> This might or might not be a security hole.  I don't see anything
> obvious.

I think Frank and Alans' responses (pasted below) are correct (I had a
feeling this was the problem).
 
<snip>
Only root can do a chroot. So best thing to do would be to dig into
the code and add a chroot() call just before the setuid ...
</snip>

<snip>
chroot has to be run as root (ie. before a process drops privileges).  You
can't run it as a user.
</snip>

So the the shell actually runs as a process owned by the user... Of
course, what a dummy I am!  So I need the SSHD process to do the chroot
prior to authentication (and starting of the shell...) Hmm any idea if
that is possible, without getting into OpenSSH's source code?  I'm
starting to think it might just be easier to switch to SSH2... 

> You do understand that by chroot-ing a user, you need to put
> all the commands and libraries into the chroot-ed directory.  (At least
> the commands that user will use).

Yes, this is in fact exactly what i want.

> > In addition these are the corresponding lines from my /var/log/messages:
> >
> > Aug  3 12:16:22 server1 sshd[1770]: Accepted password for user1 from
> > xxx.xxx.xxx.xxx port 49155 ssh2
> > Aug  3 12:16:22 server1 PAM_pwdb[1770]: (sshd) session opened for user
> > user1 by (uid=0)
> > Aug  3 12:16:22 server1 sshd[1770]: fatal: session_input_channel_req:
> > channel 0: no session
> > Aug  3 12:16:22 server1 PAM_pwdb[1770]: (sshd) session closed for user user11

Reply to:

Follow-Ups:
- Re: chroot and OpenSSH
  - From: Eirik Dentz <eirikdentz@brainlink.com>

References:
- chroot and OpenSSH
  - From: Eirik Dentz <eirikdentz@brainlink.com>
- Re: chroot and OpenSSH
  - From: Aaron Ghent <dementia@tembel.org>
- Re: chroot and OpenSSH
  - From: Eirik Dentz <eirikdentz@brainlink.com>
- Re: chroot and OpenSSH
  - From: Aaron Ghent <dementia@tembel.org>

Prev by Date: Re: chroot and OpenSSH
Next by Date: Re: chroot and OpenSSH
Previous by thread: Re: chroot and OpenSSH
Next by thread: Re: chroot and OpenSSH
Index(es):
- Date
- Thread