From: Martin Peikert (Martin.Peikertdiscon.de)
Date: Tue Apr 02 2002 - 04:51:10 CST

    Francesc Dantí wrote:
    > Hi,
    >
    > How can I do a chroot when a user logs in to the server?
    > My idea is that when somebody logs in (with ssh) he/she can't
    > get access to my files.
    >
    > What about editing a script that when it makes a chroot, finally
    > runs the correct shell?
    > That's creating a new shell that only includes the line "chroot ~"
    > and finally runs sh.
    > When I try it, it returns me that I have no permission. Is it a good
    > idea?
    > I'm new in the Linux world, and I suppose it's a very simple question,
    > but I don't find anything in manuals or texts...

    [Please wrap your lines at 72 characters. Thanks.]

    From the debian security mailing list:
    -------- Original Message --------
    Subject: Re: scp and sftp
    Resent-From: debian-securitylists.debian.org
    Date: Sun, 31 Mar 2002 00:11:28 -0800
    From: "Christian G. Warden" <cwardenxerus.org>
    To: Jon McCain <jmccaindavlong.com>
    CC: debian-securitylists.debian.org
    References: <3CA6816C.A52691B1davlong.com>

    the commercial ssh server has an option to chroot to a user's home
    directory. there are patches available to openssh to do it also,
    though i don't know if they've been thoroughly audited. check out
    http://mail.incredimail.com/howto/openssh/
    you can make sftp-server the user's shell to only allow sftp access.

    xn

    On Sat, Mar 30, 2002 at 10:24:28PM -0500, Jon McCain wrote:
    > I've been playing around with the scp and sftp components of putty
    > and noticed what I consider a security hole. Winscp does the same
    > thing. The user can change to directories above their home. Is
    > there a way to chroot them like you can in an ftp config file? I
    > don't see anything in the sshd config files. If you can't, how can
    > I disable the scp functionality? I'm not talking about scp from the
    > linux box. The users don't have shell access so that's not a
    > problem. I'm referring to remote people using a scp client to
    > access my linux machine. You can disable sftp ability by removing
    > the sftp-server program but the scp server part seems to be part of
    > sshd.
    >
    > I did not see anything about this issue on the openssh web site.
    > Anybody got any suggestions?

    For more on this topic take a look at the debian security list archive.

    HTH
    GTi
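
The setup discussed in this thread (chroot an SSH user into the home directory and allow SFTP only), as an added example that is not part of the original messages. It relies on the `ChrootDirectory` option and the in-process `internal-sftp` server that OpenSSH gained in releases later than this thread (4.9 and newer); the group name `sftponly` is an assumption.

```conf
# /etc/ssh/sshd_config fragment
# Added example; the group name "sftponly" is an assumption.

# Use the in-process SFTP server so the jail needs no binaries or libraries.
Subsystem sftp internal-sftp

Match Group sftponly
    # %h expands to the user's home directory. Every component of this
    # path must be owned by root and not writable by group or others,
    # otherwise sshd refuses the login.
    ChrootDirectory %h
    # Ignore whatever command the client asks for (shell, scp, ...)
    # and serve SFTP only.
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
```

Because the chroot directory itself must be root-owned, give each user a writable subdirectory inside it for uploads. Check the file with `sshd -t` before reloading the daemon.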
