SFTP only access in chrooted jail?

Hi
I'm trying to make it so a user only has sftp access in a chrooted jail.
I've tried following a couple of walkthroughs with no success:
http://www.macresearch.org/restricted-sftp-mac-os-x-leopard
http://www.debian-administration.org/articles/590
This is 10.6.2 Server.
I created my user and ran the following steps as root.
chmod g-w /
chmod g-w /Volumes/HD
chown root /Volumes/HD
mkdir /Volumes/HD/user_dir
chown user /Volumes/HD/user_dir
chmod 700 /Volumes/HD/user_dir
I've added this to my sshd_config file:
# override default of no subsystems
#Subsystem sftp /usr/libexec/sftp-server
Subsystem sftp internal-sftp
Match User user
X11Forwarding no
AllowTcpForwarding no
ChrootDirectory /Volumes/HD
ForceCommand internal-sftp
Here is what I get when I try to ssh or sftp:
sftp user@localhost
Connecting to localhost...
Password:
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive).
Connection closed
Any help is greatly appreciated.
Thanks.

Hmmm, strange. I think I figured it out.
Finally went with:
Subsystem sftp internal-sftp
Match User user
X11Forwarding no
AllowTcpForwarding no
ChrootDirectory /chroot
ForceCommand internal-sftp
Create a new dir /chroot and another dir inside it.
The chroot must be owned by root, and group or other cannot have write access to any of it.
The dir I created inside the chroot is chmod 700 and owned by my user.
It looks like, because ChrootDirectory must be owned by root and unwritable by others, you can't point your user directly at their locked-down dir. They must sftp into the chroot, then cd to their folder.
Not sure how to get around this.

Similar Messages

  • How to restrict "sftp only" user into your home dir and subdir

    Hi OTN forums members
    Question: I want to restrict an sftp-only user to browse ONLY in their home directory and its subdirectories. I don't want the sftp user to access any other directory.
    Details: I want to use the "ssh bundle package" on s10 (only the package in the SUNWCXall installation cluster). I don't want to use an "external package" such as ProFTP, Chroot, the sunfreeware OpenSSH package, etc. Is it possible?
    Technical details of my (test) system: the hostname and username are fantasy names, not real ;-)
    root@sunlab1:/[1]$ cat /etc/release
                           Solaris 10 5/09 s10s_u7wos_08 SPARC
               Copyright 2009 Sun Microsystems, Inc.  All Rights Reserved.
                            Use is subject to license terms.
                                 Assembled 30 March 2009
    root@sunlab1:/[2]$ uname -a
    SunOS sunlab1 5.10 Generic_142909-17 sun4u sparc SUNW,Sun-Blade-100
    root@sunlab1:/[3]$ grep explorer /etc/group
    explorer::111:
    root@sunlab1:/[4]$ grep explorer /etc/passwd
    explorer:x:111:111:Sun Explorer Data Collector sftp only user:/export/home/explorer:/usr/lib/ssh/sftp-server
    root@sunlab1:/[5]$ zfs list
    NAME                       USED  AVAIL  REFER  MOUNTPOINT
    rpool                     27.3G  9.33G    96K  /rpool
    rpool/ROOT                11.6G  9.33G    18K  legacy
    rpool/ROOT/s10s_u7wos_08  11.6G  9.33G  11.6G  /
    rpool/cfengine            73.7M   950M  73.7M  /var/cfengine
    rpool/dump                1.00G  9.33G  1.00G  -
    rpool/export              5.01G  9.33G  11.8M  /export
    rpool/export/home         1.40G  3.60G  1.40G  /export/home
    rpool/mp3                 2.65G  2.35G  2.65G  /mp3
    rpool/patches              206M  2.80G   206M  /var/patches
    rpool/swap                 768M  9.58G   514M  -
    root@sunlab1:/[6]$
    root@sunlab1:/[7]$ cd /export/home
    root@sunlab1:/export/home[9]$ ls -la
    total 47
    drwxr-xr-x   5 root     root           9 Oct  7 09:51 .
    drwxr-xr-x   4 root     sys            6 Jun  7 09:44 ..
    drwxr-x---  11 explorer explorer      11 Oct  7 11:30 explorer
    root@sunlab1:/[8]$ sftp explorer@sunlab1
    Connecting to sunlab1...
    Password:
    sftp> dir
    [...more output...]
    sftp> pwd
    Remote working directory: /export/home/explorer
    sftp> cd /var/adm
    sftp> dir
    [...more output...]
    sftp> get messages
    Fetching /var/adm/messages to messages
    sftp> pwd
    Remote working directory: /var/adm
    sftp> bye
    root@sunlab1:/[9]$
    root@sunlab1:/[10]$ pkginfo -l SUNWsshr
       PKGINST:  SUNWsshr
          NAME:  SSH Client and utilities, (Root)
      CATEGORY:  system
          ARCH:  sparc
       VERSION:  11.10.0,REV=2005.01.21.15.53
       BASEDIR:  /
        VENDOR:  Sun Microsystems, Inc.
          DESC:  Secure Shell protocol Client and associated Utilities
    [...snip...]
    root@sunlab1:/[11]$ pca -l installed --pattern=[Ss]sh
    [...snip...]
    Using /var/patches/pca/patchdiag.xref from Oct/14/10
    Host: sunlab1 (SunOS 5.10/Generic_142909-17/sparc/sun4u)
    List: installed (3/584)
    Patch  IR   CR RSB Age Synopsis
    141742 04 = 04 -S- 427 Obsoleted by: 141444-09 SunOS 5.10: sshd patch
    143140 04 = 04 RS- 119 Obsoleted by: 143559-03 SunOS 5.10: ssh patch
    143559 03 = 03 RS-  38 SunOS 5.10: ssh scp patch
    root@sunlab1:/[12]$ pca -l 141444 143559
    Using /var/patches/pca/patchdiag.xref from Oct/14/10
    Host: sunlab1 (SunOS 5.10/Generic_142909-17/sparc/sun4u)
    List: 141444 143559 (2/405)
    Patch  IR   CR RSB Age Synopsis
    141444 09 = 09 RS- 367 SunOS 5.10: kernel patch
    143559 03 = 03 RS-  38 SunOS 5.10: ssh scp patch
    root@sunlab1:/[13]$
    Legend:
    PCA = Patch Check Advanced (http://www.par.univie.ac.at/solaris/pca/); PCA is a free, fast third-party tool to analyze, download and install patches for Solaris.
    IR = Installed Rev. CR = Current Rev. (published in patchdiag.xref from Oct/14/10)
    RSB = [R]ecommended, [S]ecurity, [B]ad patches
    Reading "man sshd_config" and "man sftp-server" and Google searching did not help. Nothing from MOS Community search.
    Any idea?
    Best Regards
    Michele V.
    P.S.: Excuse me for my bad English.

    Hi OTN forums members,
         I found the solution. Thanks to Andrea Manganaro (aka Amanga) for the help.
    1) Download and install OpenSSH for Solaris 10/SPARC and all dependencies (please read the note at http://www.sunfreeware.com/openssh.html):
         - openssh-5.6p1-sol10-sparc-local.gz (ftp://ftp.sunfreeware.com/pub/freeware/sparc/10/openssh-5.6p1-sol10-sparc-local.gz)
         - openssl-1.0.0a-sol10-sparc-local.gz (ftp://ftp.sunfreeware.com/pub/freeware/sparc/10/openssl-1.0.0a-sol10-sparc-local.gz)
         - zlib-1.2.5-sol10-sparc-local.gz (ftp://ftp.sunfreeware.com/pub/freeware/sparc/10/zlib-1.2.5-sol10-sparc-local.gz)
         - libgcc-3.4.6-sol10-sparc-local.gz (ftp://ftp.sunfreeware.com/pub/freeware/sparc/10/libgcc-3.4.6-sol10-sparc-local.gz)
    2) Configure the /usr/local/etc/sshd_config file with the ChrootDirectory directive. For me:
    # override default of no subsystems
    #Subsystem      sftp    /usr/local/libexec/sftp-server
    Subsystem       sftp    internal-sftp
    [...]
    # Example of overriding settings on a per-user basis
    Match Group sftponly
            ChrootDirectory %h
            ForceCommand internal-sftp
            AllowTcpForwarding no
    3) Create a group and user for the sftp-only account. For me:
    root@taurus # groupadd sftponly
    root@taurus # grep sftponly /etc/group
    sftponly::202:
    root@taurus # useradd -g sftponly -c "Sftp only user" -d /export/home/explorer -s /bin/false -m explorer
    explorer:x:1002:202:Sftp only user:/export/home/explorer:/bin/false
    root@taurus # passwd explorer
    New Password:
    Re-enter new Password:
    passwd: password successfully changed for explorer
    4) Change the home directory permissions and create a read/write directory (uploads) for the sftp-only user account.
    root@taurus # cd /export/home
    root@taurus # ls -la
    total 14
    drwxr-xr-x   4 root     root           4 Oct 29 15:28 .
    drwxr-xr-x   3 root     sys            3 Jan 22  2009 ..
    drwxr-xr-x   3 explorer sftponly       3 Oct 29 15:41 explorer
    root@taurus # chown root:sftponly explorer; chmod 750 explorer
    root@taurus # ls -la
    total 14
    drwxr-xr-x   4 root     root           4 Oct 29 15:28 .
    drwxr-xr-x   3 root     sys            3 Jan 22  2009 ..
    drwxr-x---   3 root     sftponly       3 Oct 29 15:41 explorer
    This will make a read-only, chrooted directory, perfect for people to come in and get stuff but never write.
    For example, you could make a directory explorer/uploads that people are allowed to write in. Then you can moderate what gets copied into the read-only /explorer area. Remember that if a user can write in a directory then they can also delete anything in that directory.
    root@taurus # cd explorer
    root@taurus # mkdir uploads && chown -R explorer:sftponly uploads && chmod 0755 uploads
    root@taurus # ls -al
    total 9
    drwxr-x---   3 root     sftponly       3 Oct 29 15:41 .
    drwxr-xr-x   4 root     root           4 Oct 29 15:28 ..
    drwxr-xr-x   2 explorer sftponly       2 Oct 29 15:56 uploads
    5) Disable the SunSSH "service" and enable the OpenSSH "service" (with SMF). See http://www.sunfreeware.com/sshsol10.html for running OpenSSH via SMF on Solaris 10 systems.
    root@taurus # svcadm disable ssh
    root@taurus # svcadm enable ossh
    root@taurus # svcs -a | grep ssh
    disabled       12:37:51 svc:/network/ssh:default
    online         15:29:41 svc:/network/ossh:default
    6) Test your job :-)
    Helpful links:
    ==============
    http://www.sunfreeware.com
    http://www.openssh.org
    http://calomel.org/sftp_chroot.html
    HTH
    Michele Vecchiato
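
An added example, not code from either thread: a POSIX sh checker for the rule that both the Mac reply above (chroot owned by root, no group/other write) and Michele's Solaris layout (a root:sftponly 750 home used as ChrootDirectory %h, with a user-owned uploads subdirectory) depend on, since sshd rejects a ChrootDirectory whose path has any component that is not root-owned or that is group/world writable. It assumes `ls -ld` prints the usual permission and owner columns and that the jail path contains no spaces.

```shell
#!/bin/sh
# Added example (not from the thread). sshd refuses a ChrootDirectory unless every
# path component, from / down to the jail itself, is owned by root and is not
# writable by group or other. This walks a candidate jail path and reports every
# component that breaks the rule. Assumes `ls -ld` prints the usual
# "perms links owner group ..." columns and that the path contains no spaces.

# component_ok PERMS OWNER
# Returns 0 when a directory's permission string (as printed by ls -ld, e.g.
# drwxr-xr-x) and owner satisfy sshd's rule, 1 otherwise.
component_ok() {
    perms=$1
    owner=$2
    [ "$owner" = "root" ] || return 1
    # character 6 is the group write bit, character 9 the other write bit
    gw=$(printf '%s' "$perms" | cut -c6)
    ow=$(printf '%s' "$perms" | cut -c9)
    [ "$gw" != "w" ] && [ "$ow" != "w" ]
}

# check_one DIR: print a verdict for a single directory; return 0 if it passes.
check_one() {
    path=$1
    # word-split the ls output: $1 = perms, $3 = owner
    set -- $(ls -ld "$path")
    if component_ok "$1" "$3"; then
        echo "ok   $path  ($1 $3)"
    else
        echo "BAD  $path  ($1 $3): must be root-owned and not group/other writable"
        return 1
    fi
}

# check_chroot_path DIR: check every component of DIR; return 0 only if all pass.
check_chroot_path() {
    jail=$1
    rc=0
    cur=/
    check_one "$cur" || rc=1
    # split the path on / and descend one component at a time
    old_ifs=$IFS
    IFS=/
    set -- $jail
    IFS=$old_ifs
    for part in "$@"; do
        [ -n "$part" ] || continue
        cur="${cur%/}/$part"
        [ -d "$cur" ] || { echo "MISSING $cur"; rc=1; continue; }
        check_one "$cur" || rc=1
    done
    return $rc
}

# Run directly as: sh check_chroot.sh /chroot   (or /Volumes/HD, or a user's %h home)
if [ $# -gt 0 ]; then
    check_chroot_path "$1"
fi
```

Only the jail path itself is checked; a user-writable subdirectory inside the jail, such as explorer/uploads above, is outside the rule and is not inspected.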

  • About chroot jails and ACL

    I want to run rtorrent in a chroot jail. Correct me if I'm wrong, but jailing rtorrent would consume much more RAM because rtorrent will not use the libraries it needs that may already be in memory.
    So I wonder, why don't people just create a new user, install ACL, block everything for that user except read access to /lib and some config files, and execute permission for only the needed binaries? It would be easy to do since, as I understand it, if you block all /bin permissions for the restricted user, all future files there will inherit those permissions. The only problem I see is that if you update, you will have to set some permissions again, easily fixed with a script. ACL seems much easier to set up than chroot jails!
    When you run rtorrent under that restricted user, even if rtorrent is exploited, the attacker will not be able to do much, as ACL will not let him execute anything but basic commands.
    So, why is it that people seem to prefer chroot jails? Does installing ACL have some kind of performance penalty?

    _Mike_ wrote: Does installing ACL have some kind of performance penalty?
    Do you mean Mandatory Access Control? Filesystem ACL is already installed on every Linux system.
    When you run rtorrent under that restricted user, even if rtorrent is exploited, the attacker will not be able to do much, as ACL will not let him execute anything but basic commands.
    Chroot jails were not created to be used as a security tool and are very easy to break out of. Filesystem ACL is very limited in scope and also provides little security.
    You might want to look into using Mandatory Access Control (MAC) which is available with TOMOYO Linux, AppArmor, SELinux or SMACK. SELinux is the most powerful, but will take a long time to master. TOMOYO Linux is easier to use and the relevant packages are already in [community]. See the wiki page for more information.
    All MAC implementations have a small degree of performance penalty. SELinux probably has the greatest penalty, but overall you probably won't notice anything with any of the implementations.
    Last edited by jnguyen (2011-04-13 06:48:36)

  • Chroot-jail password problem

    I've got a running chroot-jail to allow semi-trusted users ssh access to my webhosting server. The problem is that they can't change their passwords because `passwd` can't access files outside the chroot-jail (as it's supposed to be). I've read about someone solving this using nsswitch.conf and some sort of setup to make it possible for the users to change their passwords.
    The question is basically, how do I get around this problem, making it possible for the logged in users to change their own password?

    Oh, what a tangled web we weave. I read up on keychain and I don't understand what I'm reading. Right now I cannot download my email on my computer; I can access it through the cloud. I'm sure it will be the same for the other iCloud features. When I go to preferences and select iCloud, whenever I try to sign in I get a dialog box that says "A keychain cannot be found to store 1076701306." It doesn't matter whether I reset it or cancel it out, iCloud preferences remain grayed out.
    In Keychain Access, on the left side under Keychains, it reads local items, System, and System Roots.
    When I select local items nothing shows up on the right under the Name column, even when All Items is selected down below. And nothing shows up on the right when under Categories I select the other options (passwords, etc.). On the other hand, when I select System or System Roots under Keychains, I do get items showing up on the right side under Name, under All Items, Passwords, etc. Where do I start?

  • HT4314 I have 2 game center accounts with 1 apple id but it will only access one account. It says the other id is used but I can't change. Help.

    I have a game center account that has 2 accounts in the same apple id. The problem is I can only access one account. When I try to type in for the second account it says already taken. How do I change to the 2nd account with the same apple id? Please help.

    that's the issue, you bought the OS online so Donald is right, it is being mailed to you. post the URL where you bought it.
    the 'app store' is an application running on OSX itself where you can DL software.
    so, you have to wait for mountain lion to arrive.
    if you want to get a clean OS on your machine now, do this
    reboot holding down command/option/R (hoping your machine supports this)
    open disk utility, erase your HD so you have a single mac journaled partition
    choose install OSX on this HD
    let it run. from what you said, you will be back on lion.

  • Can only access emails through OWA after migration from exchange 2007 to 2013

    Can only access emails through OWA after migration from Exchange 2007 to 2013; in other words, unable to access mail through Outlook or from other applications/services.
    Need RCA... please help.

    Hi,
    From your description, you can send and receive messages only when you use OWA after migration from Exchange 2007 to Exchange 2013. If I have misunderstood your concern, please let me know.
    In your case, I recommend you create a new test mailbox in your Exchange 2013 and check if you can send and receive messages on Outlook. If yes, it is recommended to create a new profile to solve this issue.
    Hope this can be helpful to you.
    Best regards,
    Amy Wang
    TechNet Community Support

  • I have two apple accounts, but can only access one. I did all the steps to recover the older account's password but nothing worked. I need to access the older account to update apps. Also would there be a way to just combine both accounts?

    I have two apple accounts, but can only access one. I did all the steps to recover the older account's password but nothing worked. I need to access the older account to update apps. Also would there be a way to just combine both accounts?

    Were you able to reset the account's password ? If not then how did you try to get it reset e.g. http://iforgot.apple.com (which would have sent it to the rescue email address if you have one on that account) ? You can also try contacting iTunes Support in your country to get it reset : http://support.apple.com/kb/HT5699
    And no, accounts can't be merged nor content transferred between accounts.

  • On imac 10.6.8 using current version of Aperture.  How can I access the Aperture Library  on my external hard drive that I use with time machine for backup?  I can only access the application but not the library..

    On imac 10.6.8 using current version of Aperture.  How can I access the Aperture Library  on my external hard drive that I use with time machine for backup?  I can only access the application but not the library..

    Go into Time Machine (the program, not the bundle on the external disk) and using Time Machine's browser go to the folder where the library lives. You could look in the library bundle in Time Machine but that won't really tell you much.
    If you want to make sure it truly has backed up your library you will need to restore it and open the restored library with Aperture.
    If all this still has you confused you need to read up on Time Machine in order to get a feel for how it works, for what it is doing and for how to restore files from it.

  • I can access my time capsule from my mac mini at work but my macbook can only access it from my home network. how do i fix this?

    I have a Mac Mini and a MacBook, both were configured at home to access the time capsule. I have since moved the mini to work to use there and it has no issues looking up files on the time capsule which remains at home. The macbook however can only access the time capsule from within the home network. I can't seem to find what I may have done differently. Can anybody help?
    Not sure if you're allowed to post two questions, but it may be related. I find that accessing the files on the time capsule from the mac mini or the macbook is very slow. Accessing the same files from an older HP laptop is as fast as accessing its own hard drive. How can I speed up the accessing of these files from my apple products? One would think they would work fast and the 'windows' computers would take minutes to map the drive each time...
    Thanks for any help.

    I have since moved the mini to work to use there and it has no issues looking up files on the time capsule which remains at home.
    This cannot happen by magic though.. you must have configured the mini to access the TC remotely.. which method are you using, BTMM and iCloud??
    The macbook however can only access the time capsule from within the home network. I can't seem to find what I may have done differently. Can anybody help?
    How is the Macbook configured to access the TC remotely?? If you are trying to use BTMM and iCloud, then it might be a case that with the mini running the connection cannot be done by more than one computer at a time.. this is generally the case although I do not know if that is specifically true of BTMM method. Try turning off the mini and leave it off.. (off not standby)... then reboot the TC when you are at home.. and then try and connect the laptop to the TC the next morning from work. See if it is then able to capture the connection.. if so start up the mini and I suspect it now will not be able to connect.. that will prove that the TC cannot cope with two remote connections.
    There also could be another factor in here. If you are accessing the laptop via the same router as the mini is on.. then actually you cannot have two users mount the same files on a TC.. from the same IP address.. as far as the TC is concerned both devices have identical IP, that is the public IP of the work location router.
    If you happen to not be using BTMM then the situation is even easier.. you cannot make two different devices connect to the same network resource using the same port. That is the failing of the NAT system.. one device uses the port then it cannot be used by a second device. You will need to do some fancy footwork and use a different port.
    Anyhow tell us exactly how you are doing remote access.. otherwise I am just guessing.
    Not sure if you're allowed to post two questions, but it may be related. I find that accessing the files on the time capsule from the mac mini or the macbook is very slow.
    Are you talking about files you are hosting on the TC?? Not Time Machine backups??
    Can you tell me exactly how you are accessing the TC.. please do a test..
    Copy a file to the TC and from the TC using the Laptop.. Use a single very large file, eg 1GB movie file.
    Give me a read and write speed.. you can use activity monitor to give me an approx. average speed as well as peak.
    Do the same test from the same computer with wireless turned off running ethernet.
    Then do the tests from the mini.. same ones.. copy large file to and from the TC by ethernet and by wireless.. when using ethernet make sure wireless is off.
    I strongly recommend you set IPv6 to link local only for your wireless and ethernet setup in the Mac.
    Now do the test from the HP laptop and give me the results from that.
    Is the issue wireless only.. ??
    Then you might need to spend a bit of time fixing the wireless in the Macs.. you can run wireless diagnostics in Mavericks.
    About Wireless Diagnostics

  • I have 2 game centers on 1 Apple ID and it will only access 1 of them. May someone tell me how to access the other one?

    I have 2 game centers on 1 Apple ID and it will only access 1 of them may someone tell me how to access the other one

    You don't have to use the same ID for iCloud as you do for purchasing.  You can just set up iCloud using your other ID. 
    If you already have another account, you have to go to Settings>iCloud, tap Delete Account, choose Keep on My iDevice when prompted, set up your new account with the other ID, turn on your iCloud data syncing and when prompted, choose Merge to upload your data to the new account.

  • I saved photos from my Macbook Pro onto my Iphone (using itunes, 4 years ago). My macbook is now dead and I need to get the photos I saved off of my iphone 3GS transferred to a pc.  Any help...  From my PC I can only access "internal storage"

    I saved photos from my Macbook Pro onto my Iphone (using itunes, 4 years ago). My macbook is now dead and I need to get the photos I saved off of my iphone 3GS transferred to a pc.  Any help...  From my PC I can only access "internal storage"

    The iPhone is not a storage/backup device. The picture sync is one way: computer to iPhone. The photos are also reduced in size when synced to the iPhone, so they are not of the original quality.
    It has always been very basic to always maintain a backup of your computer.
    Have you failed to do this?
    If so, not good at all, you can e-mail the pics to yourself - keep in mind they will never be of the original quality

  • Read Only Access to Storage Container

    Is it possible to give Read Only access to a particular storage container without adding someone to Subscription and providing them the access key without anonymous request without going through SAS route

    By default, a container and any blobs within it may be accessed only by the owner of the storage account. If you want to give anonymous users read permissions to a container and its blobs, you can set the container permissions to allow public access. Anonymous users can read blobs within a publicly accessible container without authenticating the request.
    This link gives full details
    https://msdn.microsoft.com/en-us/library/azure/dd179354.aspx
    Frank

  • Read Only access to UCCX server

      Hi,
    I would like to know if it was possible to create an account for Read Only access for server in UCCX 8.02.
    Saima

    Saima,
    Unfortunately no, it is not; you have either Admin access or Supervisor access. Admin access has full access, and Supervisor access allows configuration of the RM subsystem, either for their own team or for all teams.
    HTH,
    Chris

  • Read-Only Access to Specific SAP tables

    Is it possible to grant a user read-only access to a specific table or tables?
    For example, say I wanted to give someone SE16N capability for just EKKO/EKPO/EKBE and NO OTHER tables.  Is this possible?  How?
    Thanks.

    Hi,
    as it was mentioned the transaction SE16N checks for authorization object S_TABU_DIS. The problem in your case is that the tables EKKO, EKPO and EKBE are already assigned to the authorization group MA - MM Appl. table. But there are many more tables assigned to this group. Changing assignment of standard tables is not a good idea.
    Cheers

  • Read Only access to tablespace

    Hi,
    Oracle 10.2.0.4
    How can I grant read only access to a tablespace for a user.
    Thanks

    It is not usual... a tablespace is a box where one or more users store their data... are you sure you mean tablespace and not user?
    Grant SELECT on the objects of this tablespace (list them from DBA_TABLES or ALL_TABLES)...
    SELECT 'GRANT SELECT ON ' || OWNER || '.' || TABLE_NAME || ' TO <USERNAME>;'
      FROM DBA_TABLES
     WHERE TABLESPACE_NAME = '<TABLESPACE>';
