Bug 1951 - Add home directory facility for chrooted environments
Summary: Add home directory facility for chrooted environments
Status: NEW
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: sshd
Version: -current
Hardware: All
OS: All
Importance: P2 enhancement
Assignee: Assigned to nobody
Reported: 2011-11-19 04:40 AEDT by D'Arcy Cain
Modified: 2011-12-03 09:27 AEDT

Attachments
Diffs against NetBSD 5.1 (3.12 KB, application/octet-stream)
2011-11-19 04:40 AEDT, D'Arcy Cain

Description D'Arcy Cain 2011-11-19 04:40:32 AEDT
Created attachment 2107
Diffs against NetBSD 5.1

I find that the internal-sftp mostly does what I want except that it leaves the user in the root of the chroot area.  I can't make the user's directory the chroot since that is not owned by root.  So I added code to allow me to specify the home directory.  So, for example, I have the following Match stanza in sshd_config:

Match Group sftponly
    ChrootDirectory /u/
    AllowTCPForwarding no
    X11Forwarding no
    ForceCommand internal-sftp
    HomeDirectory /%u/

Now the user is dropped into his own home directory under the chroot area.

I'm not sure if the name is correct - we don't have to actually specify his home directory - but I have tested this on NetBSD 5.1 and it works.
Comment 1 Damien Miller 2011-12-02 10:56:13 AEDT
Actually, when ChrootDirectory is in use sshd will try to change to the user's home directory as obtained from the password database.
Comment 2 D'Arcy Cain 2011-12-02 23:00:39 AEDT
That's not what I saw in my case.  If you mean the system passwd file then that does not help.  That might be a different structure than the chrooted area.  I tried creating a passwd file in the chroot area but that didn't work.  Maybe it is internal-sftp that is different.

Try it yourself.  Create a test user and group and add a Match stanza similar to the one in my report except for the HomeDirectory.  See if you can make a passwd file that will drop that user into their home directory. I tried all sorts of things and none of them worked.
Comment 3 Damien Miller 2011-12-03 07:57:54 AEDT
No, it uses the system password file and not one inside the chroot.

You can recreate the home directory structure from the password file inside the chroot and it will work. E.g. create /u/home/sftponly (if that's what the password home directory is)
Comment 4 D'Arcy Cain 2011-12-03 09:27:52 AEDT
Again, not that useful.  Here is the issue.  My user is "joe" so his home directory, where his public_html lives, is /u/joe.  In the chroot directory he is /joe.  I want him to wind up in /joe.  After chroot /u/joe doesn't even exist.  But I need it to exist in the top level in order to display his web site so I can't modify /etc/passwd.

Yes, I could probably do all sorts of funky links/null mounts but a simple sshd_config directive would be so much simpler and cleaner.

I do create a passwd and group file under /u so that directory listings show ownership.
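An added example, not part of this bug report and not OpenSSH's own code: a small Python model of the behaviour the thread is arguing about. It takes a ChrootDirectory value and a system password-database entry, computes the directory sshd will chdir() to after chroot(2) (pw_dir resolved inside the jail, as Damien Miller describes in comment 3), and checks the chroot path the way sshd does before it will use it: every component root-owned and not writable by group or others, which is why the reporter cannot use the user's own directory as the chroot. The %u/%h/%% token expansion and the ownership/mode rule come from sshd_config(5) rather than from this page; the filesystem table DEMO_FS, the uids, and the user "sftponly" are constructed for the demo, with /u/joe mirroring the reporter's layout from comment 4 and /u/home/sftponly mirroring the fix suggested in comment 3.

```python
import os
import stat
from dataclasses import dataclass


@dataclass
class PasswdEntry:
    """One entry of the *system* password database, which is what sshd consults."""
    name: str
    uid: int
    gid: int
    home: str  # pw_dir; sshd chdir()s here after chroot(2), so it is resolved inside the jail


# Constructed host filesystem for the stand-alone demo: path -> (owner uid, permission bits).
# /u/joe mirrors the reporter's layout; /u/home/sftponly mirrors comment 3's suggestion.
DEMO_FS = {
    "/": (0, 0o755),
    "/u": (0, 0o755),
    "/u/joe": (1001, 0o755),            # joe's real home with public_html, owned by joe
    "/u/home": (0, 0o755),
    "/u/home/sftponly": (1002, 0o755),  # pw_dir of user sftponly recreated under the chroot
}


def _owner_and_mode(path, fs):
    """(uid, mode) for path, from the constructed table or the real filesystem; None if absent."""
    if fs is None:
        try:
            st = os.stat(path)
        except FileNotFoundError:
            return None
        return st.st_uid, stat.S_IMODE(st.st_mode)
    return fs.get(path)


def expand_chroot(template, pw):
    """Expand the %h (home), %u (user name) and %% tokens that ChrootDirectory accepts."""
    out, i = [], 0
    while i < len(template):
        if template[i] == "%" and i + 1 < len(template):
            repl = {"h": pw.home, "u": pw.name, "%": "%"}.get(template[i + 1])
            if repl is not None:
                out.append(repl)
                i += 2
                continue
        out.append(template[i])
        i += 1
    return os.path.normpath("".join(out))


def login_directory(chroot, pw):
    """Host path sshd ends up in: pw_dir taken relative to the chroot, not the real pw_dir."""
    return os.path.normpath(os.path.join(chroot, pw.home.lstrip("/")))


def chroot_problems(chroot, fs=None):
    """sshd refuses a ChrootDirectory unless every path component is root-owned and
    not writable by group or others (its safe_path check); list each violation."""
    components, p = [], chroot
    while True:
        components.append(p)
        parent = os.path.dirname(p)
        if parent == p:
            break
        p = parent
    problems = []
    for comp in reversed(components):
        info = _owner_and_mode(comp, fs)
        if info is None:
            problems.append(f"{comp}: does not exist")
            continue
        uid, mode = info
        if uid != 0:
            problems.append(f"{comp}: owned by uid {uid}, not root")
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            problems.append(f"{comp}: writable by group or others")
    return problems


def diagnose(chroot_template, pw, fs=None):
    """Report where a ChrootDirectory/internal-sftp login for pw lands and why."""
    chroot = expand_chroot(chroot_template, pw)
    target = login_directory(chroot, pw)
    problems = chroot_problems(chroot, fs)
    lands_in_home = _owner_and_mode(target, fs) is not None
    if not lands_in_home:
        # A failed chdir(pw_dir) leaves the session at "/" of the jail, which is what the report describes.
        problems.append(f"{target}: missing, session starts at the chroot root instead")
    return {"chroot": chroot, "login_dir": target, "lands_in_home": lands_in_home, "problems": problems}


if __name__ == "__main__":
    joe = PasswdEntry("joe", 1001, 100, "/u/joe")
    sftponly = PasswdEntry("sftponly", 1002, 100, "/home/sftponly")
    for template, pw in [("/u/", joe), ("/u/", sftponly), ("/u/%u", joe)]:
        r = diagnose(template, pw, DEMO_FS)
        print(f"ChrootDirectory {template}, user {pw.name}: login dir {r['login_dir']}, ok={r['lands_in_home']}")
        for problem in r["problems"]:
            print("   ", problem)
```

Run against DEMO_FS, the three cases reproduce the thread: with ChrootDirectory /u/ and pw_dir /u/joe the session would need /u/u/joe, which does not exist, so joe lands at the chroot root (the reporter's complaint); with pw_dir /home/sftponly and /u/home/sftponly present the login lands in the home directory (Damien Miller's suggestion); and ChrootDirectory /u/%u is rejected because /u/joe is not root-owned (why the reporter cannot chroot into the user's own directory). Pass fs=None to check a real host, which needs read access to the directories involved.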