Chrooting SFTP

Version 4.8 of OpenSSH has built-in chrooting cpabilities.

There is two ways to implement SSH/SFTP chrooting for version before 4.8:

• via a patch for OpenSSH (that implies patching the sources and compiling them, finding make files for the distro and other tedious work)
• or via PAM, the modular access control system every linux distro

Required directories in jail:

• /users/dev - Device file
• /users/etc - Configuration file such as passwd
• /users/lib - Shared libs
• /users/usr - rssh and other binaries
• /users/bin - Copy default shell such as /bin/csh or /bin/bash

NEWS CONTENTS

• 20111006 : Directory permissions in chroot SFTP ( OpenSSH Dev )
• 20111006 : Chrooting SFTP - a knol by Dirk H. Schulz ( www.brandonhutchinson.com )

Old News ;-)

[Oct 06, 2011] Directory permissions in chroot SFTP

We ban this because allowing a user write access to a chroot target is dangerously similar to equivalence with allowing write access to the root of a filesystem. If you want the default directory that users start in to be writable then you must create their home directory under the chroot. After sshd(8) has chrooted to the ChrootDirectory, it will chdir to the home directory as normal.

OpenSSH Dev

Re: Directory permissions in chroot SFTP Remove Highlighting [In reply to]

On Tue, 11 Nov 2008, Carlo Pradissitto wrote:

> Hi,
> I configured openssh 5.1p1 for sftp server.
>
> Here the specifications in sshd_config file:
>
> Subsystem sftp internal-sftp
> Match Group sftp
> ForceCommand internal-sftp
> ChrootDirectory /home/%u
> AllowTcpForwarding no
>
> When a user is logged in, he can't upload his document and he receives
> this message:
>
> carlo [at] Musi:~$ sftp user [at] 213
> Connecting to 213.217.147.123...
> user [at] 213's password:
> sftp> put prova
> Uploading prova to /prova
> Couldn't get handle: Permission denied
> sftp>

>From the sshd_config manual page:

> ChrootDirectory
> Specifies a path to chroot(2) to after authentication. This path,
> and all its components, must be root-owned directories that are
> not writable by any other user or group.

> Here the directory permissions:
>
> [root [at] sftp-serve ~]# ls -la /home/user/
> total 24
> drwxr-xr-x 6 root sftp 4096 Nov 10 18:05 .
> drwxr-xr-x 54 root root 4096 Nov 10 16:48 ..
>
> OK, my user is a sftp group member, and the sftp group hasn't
> sufficient permissions to write in user's home directory.

Your permissions are correct.

> I add the write permission for the sftp group:
>
> [root [at] sftp-serve ~]# chmod 770 /home/user/
> [root [at] sftp-serve ~]# ls -la /home/user/
> total 24
> drwxrwx--- 6 root sftp 4096 Nov 10 18:05 .
> drwxr-xr-x 54 root root 4096 Nov 10 16:48 ..
>
>
> But now the user can't access:
>
> carlo [at] Musi:~$ sftp user [at] 213
> Connecting to 213.217.147.123...
> user [at] 213's password:
> Read from remote host 213.217.145.321: Connection reset by peer
> Couldn't read packet: Connection reset by peer
>
> Here the error message in /var/log/messages of sftp-server:
>
> Nov 11 11:33:02 sftp-server sshd[10254]: Accepted password for user
> from 213.217.145.329 port 38685 ssh2
> Nov 11 11:33:02 sftp-server sshd[10256]: fatal: bad ownership or modes
> for chroot directory "/home/user"

Right, this is on purpose. We ban this because allowing a user write access to a chroot target is dangerously similar to equivalence with allowing write access to the root of a filesystem.

If you want the default directory that users start in to be writable then you must create their home directory under the chroot. After sshd(8) has chrooted to the ChrootDirectory, it will chdir to the home directory as normal. So, for a passwd line like:

djm:*:1000:1000:Damien Miller:/home/djm:/bin/ksh

Create a home directory "/chroot/djm/home/djm". Make the terminal "djm" directory user-owned and writable (everything else must be root-owned). Set "ChrootDirectory /chroot" in /etc/config.

A variant of this that yields less deep directory trees would be to set the passwd file up as:

djm:*:1000:1000:Damien Miller:/upload:/bin/ksh

Create "/chroot/djm/upload", with "upload" the only user-owned and writable
component.

-d

Chrooting SFTP - a knol by Dirk H. Schulz

chrooting is a technique of restricting a process or user (who, in UNIX, is just a process) to a certain directory that is its root directory "/". Since this directory is the topmost entry of this process' file system it cannot break out of this jail.

Giving somebody SSH/SFTP access to a server has the disadvantage of letting him/her roam the entire file system (having a close look at it one can find lots of files that are world readable). So there is the need to restrict those users to certain directories, in most cases their home directories or webserver document folders or whatever.

Here is how to do that easily using onboard means.

In this article I show how to setup chrooting with the means of PAM. I have done and verified this on RHEL5, so you can redo it to the bit on CentOS 5.

In this setup all Users reside in one jail; the home directories (the individual root directories) are subdirectories of the jail. That has the psychologic disadvantage of one user being able to cd into other users' home dirs (without being able to read or write anything there, see below), and it has the advantage of one directory of shared binaries. Inside a chroot jail, the user has access only to the binaries INSIDE the jail. Typing e. g. "ls" in the shell only works if the program file "ls" is located inside the jail. So if every user has its own jail, every user needs its own set of binaries - that can mean a lot of redundant copying.
So we use a shared jail with one set of binaries.

Dependencies
pam_chroot.so has to be installed. On RHEL5 it is installed by default and located in /lib/security/. For other distros this has to be checked.

Configuration
In /etc/pam.d/sshd the following entry has to be added at the end:
session required pam_chroot.so debug
The "debug" is optional and can be used for troubleshooting during config and verification phase.
In /etc/ssh/sshd_config the following has to be uncommented or added:
UsePAM yes
Next we have to create the chroot jail. The place in the file system is up to the server admin; I have used /var/chroot:
mkdir /var/chroot
chmod 755 /var/chroot
As explained above a set of binaries, config files and others is needed for SFTP to work inside the jail. Here is the complete list:
http://knowledgebase.kinzesberg.de/files/lslr_varchroot.txt
These files should be copied with
cp -p /etc/onefile /var/chroot/etc/onefile
to preserve permissions.
Additionally to this list there is the directory /var/chroot/home where the home directories/chroot directories of the SFTP users reside.
The list of binaries, libraries etc. has been thoroughly tested. It makes SFTP work, but not SSH. In our setup SSH was not needed, and preventing it was an additional means of security. So if both is needed there has to be quite some testing to find out what SSH needs additionally.
Next there is a few device files that have to be created inside the jail:
cd /var/chroot/dev/
mknod random c 1 8
mknod tty c 5 0
mknod urandom c 1 9
mknod zero c 1 5
mknod pts/1 c 136 1
mknod null c 1 3
To make user management easier we have symlinked /home to /var/chroot/home. One beneficial side effect of this is that /etc/passwd and /var/chroot/etc/passwd do not have to differ.
mv /home /var/chroot
ln -s /var/chroot/home /home

Adding Users
All our users are system users, so they are added the way we always do it (useradd in the shell or some GUI tool). Remember to copy /etc/passwd, /etc/group and /etc/shadow into the jail afterwards.
Every user that should be chrooted needs an entry in /etc/security/chroot.conf with user name and path to the jail, e.g.
testuser /var/chroot/
That makes it possible to exclude certain users (e.g. root) from the chroot mechanism. Otherwise remote administration of our server would become a bit complicated. :-)

Do not faint, please
If you test the setup now you will find that a chrooted user can cd into the home dir/chroot dir of every other user. No problem! He will have no rights to read and write there, so "ls" shows an empty directory even if it is filled.

One more thing
Chrooting SFTP users can be combined with chrooted FTP access using vsftpd. So the same user can use FTP and SFTP and be jailed into the same directory. Chrooting vsftpd is described in a separate article.

chroot sshd-sftp

www.brandonhutchinson.com

Fedora Core 1 instructions

1. Remove the vendor-supplied OpenSSH RPMs.
# rpm -e openssh openssh-clients openssh-server

2. Download and install the latest openssh-chroot tarball from http://chrootssh.sourceforge.net/download/

3. Create an sshd startup/shutdown script.

cat << END_FILE > /etc/init.d/sshd
#!/bin/sh

# chkconfig: 2345 55 25
# description: OpenSSH server daemon

case $1 in
'start' )
/usr/local/sbin/sshd
;;
'stop' )
pkill sshd
;;
*)
echo "usage: `basename $0` {start|stop}"
esac
END_FILE

4. Add the sshd startup/shutdown script to chkconfig.
# /sbin/chkconfig --add sshd

5. Create the chroot environment. The following shell script installs all $REQUIRED_CHROOT_FILES, shared library dependencies, and required device files in $CHROOT_DIR. Note: /lib/libnss_files.so.2 is required for UID-to-username resolution. Otherwise, you may receive "cannot find username for UID" errors.

#!/bin/sh

CHROOT_DIR=/chroot

REQUIRED_CHROOT_FILES=" /bin/cp \
/bin/ls \
/bin/mkdir \
/bin/mv \
/bin/rm \
/bin/rmdir \
/bin/sh \
/usr/local/libexec/sftp-server \
/lib/libnss_files.so.2"

# Create CHROOT_DIR
[ ! -d $CHROOT_DIR ] && mkdir $CHROOT_DIR
cd $CHROOT_DIR

# Copy REQUIRED_CHROOT_FILES and shared library dependencies
# to chroot environment

for FILE in $REQUIRED_CHROOT_FILES
do
DIR=`dirname $FILE | cut -c2-`
[ ! -d $DIR ] && mkdir -p $DIR
cp $FILE `echo $FILE | cut -c2-`
for SHARED_LIBRARY in `ldd $FILE | awk '{print $3}'`
do
DIR=`dirname $SHARED_LIBRARY | cut -c2-`
[ ! -d $DIR ] && mkdir -p $DIR
[ ! -s "`echo $SHARED_LIBRARY | cut -c2-`" ] && cp $SHARED_LIBRARY `echo $SHARED_LIBRARY | cut -c2-`
done
done

# Create device files
mkdir $CHROOT_DIR/dev
mknod $CHROOT_DIR/dev/null c 1 3
mknod $CHROOT_DIR/dev/zero c 1 5

# Create chroot /etc/passwd placeholder
mkdir $CHROOT_DIR/etc
touch $CHROOT_DIR/etc/passwd

6. Create the chroot user. The chroot user's home directory should use the following format:
/path_to_chroot/./home_directory

To support chrooted ssh and sftp, use /bin/sh as the chroot user's shell.
To support chrooted sftp-only, use /usr/local/libexec/sftp-server as the chroot user's shell.

ex. $ grep hutch /etc/passwd
hutchib:x:1000:1:Brandon Hutchinson:/home/chroot/./home/hutch:/bin/sh

7. Add each chroot user's /etc/passwd entry to /etc/passwd within the chroot directory. Note: if /etc/passwd does not exist in the chroot directory, chrooted sftp will work, but chrooted ssh will not.

ex. # grep hutch /etc/passwd >> /home/chroot/etc/passwd

When user "hutch" logs in via ssh or sftp, he will be chrooted to /home/chroot and placed in the /home/hutch directory.

Solaris 7 instructions

1. Download and install the latest openssh-chroot tarball from http://chrootssh.sourceforge.net/download/

2. Create the chroot environment.

Note: the file system containing the chroot jail must be mounted suid. Attempting to use a chroot jail in a nosuid-mounted file system may result in the following error message:

ld.so.1: /bin/sh: fatal: /dev/zero: open failed: No such file or directory
Killed

Remounting the nosuid file system with mount -o remount,suid file_system will not fix the problem. You must unmount the file system, remove nosuid from /etc/vfstab (if applicable), and remount the file system.

The following shell script builds a chroot environment for OpenSSH 3.7.1p2 on a Solaris 7 Sparc system.

#!/bin/sh

CHROOT_DIRECTORY=chroot_directory

mkdir $CHROOT_DIRECTORY
cd $CHROOT_DIRECTORY

# Create directories
mkdir -m 755 -p bin dev usr/local/ssl/lib usr/local/lib usr/local/libexec usr/lib usr/bin usr/platform/`uname -i`/lib

# Copy files
cp -p /bin/sh $CHROOT_DIRECTORY/bin/sh

cp -p /usr/bin/cp /usr/bin/ls /usr/bin/mkdir /usr/bin/mv /usr/bin/rm /usr/bin/rmdir $CHROOT_DIRECTORY/usr/bin

cp -p /usr/lib/ld.so.1 /usr/lib/libc.so.1 /usr/lib/libdl.so.1 /usr/lib/libgen.so.1 /usr/lib/libmp.so.2 /usr/lib/libnsl.so.1 /usr/lib/libsocket.so.1 /usr/lib/librt.so.1 /usr/lib/libaio.so.1 $CHROOT_DIRECTORY/usr/lib

cp -p /usr/local/lib/libz.so $CHROOT_DIRECTORY/usr/local/lib

cp -p /usr/local/libexec/sftp-server $CHROOT_DIRECTORY/usr/local/libexec

cp -p /usr/local/ssl/lib/libcrypto.so.0.9.6 $CHROOT_DIRECTORY/usr/local/ssl/lib

cp -p /usr/platform/`uname -i`/lib/libc_psr.so.1 $CHROOT_DIRECTORY/usr/platform/`uname -i`/lib

# Create required character devices
mknod $CHROOT_DIRECTORY/dev/zero c 13 12
mknod $CHROOT_DIRECTORY/dev/null c 13 2
chmod 666 $CHROOT_DIRECTORY/dev/zero $CHROOT_DIRECTORY/dev/null

3. Create the chroot user. The chroot user's home directory should use the following format:
/path_to_chroot/./home_directory

To support chrooted ssh and sftp, choose /bin/sh as the chroot user's shell.
To support chrooted sftp-only, choose /usr/local/libexec/sftp-server as the chroot user's shell.

ex. $ grep hutch /etc/passwd

hutchib:x:1000:1:Brandon Hutchinson:/home/chroot/./home/hutch:/bin/sh

When user "hutch" logs in via ssh or sftp, he will be chrooted to /home/chroot and placed in the /home/hutch directory.

Back to brandonhutchinson.com.

Etc

Society

Groupthink : Two Party System as Polyarchy : Corruption of Regulators : Bureaucracies : Understanding Micromanagers and Control Freaks : Toxic Managers :   Harvard Mafia : Diplomatic Communication : Surviving a Bad Performance Review : Insufficient Retirement Funds as Immanent Problem of Neoliberal Regime : PseudoScience : Who Rules America : Neoliberalism  : The Iron Law of Oligarchy : Libertarian Philosophy

Quotes

War and Peace : Skeptical Finance : John Kenneth Galbraith :Talleyrand : Oscar Wilde : Otto Von Bismarck : Keynes : George Carlin : Skeptics : Propaganda  : SE quotes : Language Design and Programming Quotes : Random IT-related quotes :  Somerset Maugham : Marcus Aurelius : Kurt Vonnegut : Eric Hoffer : Winston Churchill : Napoleon Bonaparte : Ambrose Bierce :  Bernard Shaw : Mark Twain Quotes

Bulletin:

Vol 25, No.12 (December, 2013) Rational Fools vs. Efficient Crooks The efficient markets hypothesis : Political Skeptic Bulletin, 2013 : Unemployment Bulletin, 2010 :  Vol 23, No.10 (October, 2011) An observation about corporate security departments : Slightly Skeptical Euromaydan Chronicles, June 2014 : Greenspan legacy bulletin, 2008 : Vol 25, No.10 (October, 2013) Cryptolocker Trojan (Win32/Crilock.A) : Vol 25, No.08 (August, 2013) Cloud providers as intelligence collection hubs : Financial Humor Bulletin, 2010 : Inequality Bulletin, 2009 : Financial Humor Bulletin, 2008 : Copyleft Problems Bulletin, 2004 : Financial Humor Bulletin, 2011 : Energy Bulletin, 2010 : Malware Protection Bulletin, 2010 : Vol 26, No.1 (January, 2013) Object-Oriented Cult : Political Skeptic Bulletin, 2011 : Vol 23, No.11 (November, 2011) Softpanorama classification of sysadmin horror stories : Vol 25, No.05 (May, 2013) Corporate bullshit as a communication method  : Vol 25, No.06 (June, 2013) A Note on the Relationship of Brooks Law and Conway Law

History:

Fifty glorious years (1950-2000): the triumph of the US computer engineering : Donald Knuth : TAoCP and its Influence of Computer Science : Richard Stallman : Linus Torvalds  : Larry Wall  : John K. Ousterhout : CTSS : Multix OS Unix History : Unix shell history : VI editor : History of pipes concept : Solaris : MS DOS :  Programming Languages History : PL/1 : Simula 67 : C : History of GCC development :  Scripting Languages : Perl history   : OS History : Mail : DNS : SSH : CPU Instruction Sets : SPARC systems 1987-2006 : Norton Commander : Norton Utilities : Norton Ghost : Frontpage history : Malware Defense History : GNU Screen : OSS early history

Classic books:

The Peter Principle : Parkinson Law : 1984 : The Mythical Man-Month :  How to Solve It by George Polya : The Art of Computer Programming : The Elements of Programming Style : The Unix Hater’s Handbook : The Jargon file : The True Believer : Programming Pearls : The Good Soldier Svejk : The Power Elite

Most popular humor pages:

Manifest of the Softpanorama IT Slacker Society : Ten Commandments of the IT Slackers Society : Computer Humor Collection : BSD Logo Story : The Cuckoo's Egg : IT Slang : C++ Humor : ARE YOU A BBS ADDICT? : The Perl Purity Test : Object oriented programmers of all nations : Financial Humor : Financial Humor Bulletin, 2008 : Financial Humor Bulletin, 2010 : The Most Comprehensive Collection of Editor-related Humor : Programming Language Humor : Goldman Sachs related humor : Greenspan humor : C Humor : Scripting Humor : Real Programmers Humor : Web Humor : GPL-related Humor : OFM Humor : Politically Incorrect Humor : IDS Humor : "Linux Sucks" Humor : Russian Musical Humor : Best Russian Programmer Humor : Microsoft plans to buy Catholic Church : Richard Stallman Related Humor : Admin Humor : Perl-related Humor : Linus Torvalds Related humor : PseudoScience Related Humor : Networking Humor : Shell Humor : Financial Humor Bulletin, 2011 : Financial Humor Bulletin, 2012 : Financial Humor Bulletin, 2013 : Java Humor : Software Engineering Humor : Sun Solaris Related Humor : Education Humor : IBM Humor : Assembler-related Humor : VIM Humor : Computer Viruses Humor : Bright tomorrow is rescheduled to a day after tomorrow : Classic Computer Humor

The Last but not Least Technology is dominated by two types of people: those who understand what they do not manage and those who manage what they do not understand ~Archibald Putt. Ph.D

The statements, views and opinions presented on this web page are those of the author (or referenced source) and are not endorsed by, nor do they necessarily reflect, the opinions of the Softpanorama society. We do not warrant the correctness of the information provided or its fitness for any purpose. The site uses AdSense so you need to be aware of Google privacy policy. You you do not want to be tracked by Google please disable Javascript for this site. This site is perfectly usable without Javascript.

Last modified: March, 12, 2019