
Re: Qemu 9pfs sftp chrootdirectory option issue



On 10/28/2020 6:51 PM, Markus Schönhaber wrote:
28.10.20, 18:30 +0100 john doe:

On 10/21/2020 11:02 PM, Markus Schönhaber wrote:
21.10.20, 19:11 +0200, john doe:

On 10/20/2020 7:59 PM, Markus Schönhaber wrote:

How about moving the 9pshare to a root-owned directory and pointing the
ChrootDirectory there, for example:
share -> /all/owned/by/root/9pshare
ChrootDirectory -> /all/owned/by/root


Thank you for this.

I can only do that if 'passthrough' is used, as I don't really understand
the implications of running qemu as root, I was hoping to find a way
with 'mapped'.
'mapped' requires that the directory on the host is set to the group and
user used by qemu, 'libvirt-qemu' in this case.

I don't see the problem with chown'ing the 9pshare directory to the qemu
user in my example above.


Okay, following your instructions I can now connect using sftp but I can
not access the content of the share:

No, you seemingly didn't follow what I said.


On the host, the directory to be exported is set to
libvirt-qemu:libvirt-qemu.

In the guest, if I set the mount point to libvirt-qemu:libvirt-qemu, I
get the following error:

"fatal: bad ownership or modes for chroot directory "/srv/sftp/9p""


the above error is triggered by the chrootdirectory directive which
requires 'root:root 0700' as ownership and mode.

From (1):

"ChrootDirectory
Specifies a path to chroot(2) to after authentication. This path, and
all its components, must be root-owned directories that are not writable
by any other user or group. After the chroot, sshd(8)"

$ ls -dl /srv/sftp/9p
drwx------ 8 root root ... /srv/sftp/9p

Isn't "9p" supposed to be the share directory? If it is, why is it owned
by root and has these restrictive permissions?


Because of the chrootdirectory directive (see above).

Assuming
ChrootDirectory -> /srv/sftp -> make this root:root, drwxr-xr-x
share -> /srv/sftp/9p -> make this libvirt-qemu:libvirt-qemu, drwxr-xr-x


If I do that, I can't even connect to the sftp server:

$ sftp sftp9p
packet_write_wait: Connection to ::1 port 22: Broken pipe
Connection closed

$ sftp sftp9p
Connected to sftp9p.
sftp> ls
remote readdir("/"): Permission denied

Of course. Guessing from what you wrote above, only root can even list
the directory's contents (or change into it, in the first place).


No argument there.


I appreciate your help/feedback.


1)  https://linux.die.net/man/5/sshd_config

--
John Doe

