Bug 2048 (PreLoginCommand)

Summary: Make chrooted sftp more user friendly using bind mount (solution suggested)
Product: Portable OpenSSH Reporter: harvie <harviecz>
Component: sftp-serverAssignee: Assigned to nobody <unassigned-bugs>
Status: REOPENED ---    
Severity: enhancement CC: bugmenot, djm
Priority: P5    
Version: 6.1p1   
Hardware: All   
OS: Linux   

Description harvie 2012-11-13 05:09:33 AEDT 
I'll be bit verbose, sorry.

There are lots of people running own shared hosting machines and they are in need to suply some kind of remote acess to their clients. Most of them are using FTP/FTPS, but i think that SFTP/SCP is much better, more secure and less problematic. We all know that we can't make normal Windows BFU see all system files and let him to search own home directory in directory structure because this will often leave him confused and he'll often call helpdesk and complain about it. That's one of reasons why we have chroot support in OpenSSH. Other reason is obvious: better security.

So this is typical configuration:

Subsystem       sftp    internal-sftp

Match Group sftpusers
   ChrootDirectory %h
   ForceCommand internal-sftp
   AllowTcpForwarding no


It has one big problem. For security reasons we cannot chroot into directory that is not owned by root (or writable by user). There's probably nothing we can do about this right now, but let's take a deeper look and see if there are some workarounds which will prevent us from modifying directory structure, chowning all homes to root (such home is no longer "sweet home"), etc...

And guess what. I've came up with solution that enables OpenSSH to securely isolate user without disabling writing to home directory!

I've implemented it as PoC pam_module (not very secure at this moment), but i hope it can make it's way directly into OpenSSH. I'll tell you more, but here is the source if you wish anyway:
https://github.com/Harvie/pam-ftpfuck/blob/master/src/mypam.c


So how it works?
It bind-mounts home directory of user into subdirectory of root-owned directory created especially for this user...

so we're no longer chrooting into /home/user/ (which can be now owned by root)
we'll rather chroot into /var/ssh-chroot/user/ (which is created on demand and owned by root)
and it contains user owned directory /var/ssh-chroot/user/user/ which is bind mount pointig to /home/user/

So after loging into SFTP server our client will only see root containing single directory /user which seems to me quite user friendly :-)

Of course we can create these bind-mounts by some cron-script, but it's not nearly as elegant as when done directly on-demand by OpenSSH.


Other thoughts?
- Read-only bind mounts! (don't forget to check if RO option successfully aplied)
- I am not sure if bind mounts are available on BSDs (never been using BSD), maybe mount_null or some kind of symlinks can be used???
Comment 1 Damien Miller 2013-02-08 11:01:13 AEDT 
There is now an option to specify the starting directory in sftp-server that might help you. E.g.

Match group sftpusers
  ChrootDirectory /chroot/%u
  ForceCommand internal-sftp -d /%h

We have no desire to build bind-mounting into OpenSSH itself though.

Otherwise, discussion of your module is better suited to our openssh-unix-dev@mindrot.org mailing list rather than out bug tracker. I'll close this bug and people more knowledgeable about PAM might be able to assist you there.
Comment 2 bugmenot 2013-08-22 01:36:17 AEST 
Hi Damien, thanks for answer... It seems reasonable, but i'd like to see at least some more generic way to get the job done. Eg. way to specify some pre-login command:

Match group sftpusers

  PreLoginCommand sh -c 'mkdir /chroot/%u; mount -t bind %h /chroot/%u'

  ChrootDirectory /chroot/%u
  ForceCommand internal-sftp -d /%h



Well. i can do this using my pam module, however it's bit annoying to build it, install and configure manually on multiple servers, when it can be done simply by altering OpenSSH configuration (if openssh gets patched a little).

And i can imagine that there's much more use for such feature... (like mounting home directory for LDAP users, etc...). I personally like OpenSSH because it is very versatile and i think this would make it even more versatile.