SFTP issues

Issues related to applications and software problems
gilljr
Posts: 17
Joined: 2005/03/24 16:19:11
Location: Phoenix, AZ

SFTP issues

Post by gilljr » 2018/09/21 01:34:14

If I take restrictions off of the account, I can see the whole directory tree, but I want the account put in a chroot directory. It used to work, but recently after some updates it no longer seems to be working (I have not used in a while, so I am not sure when it stopped working). It is running the latest updates as of today 9/20/2018. As far as I can tell, I have the directories set properly permission wise.

sshd-config snip...

Match User abc
ForceCommand internal-sftp
ChrootDirectory /var/www/abc
PermitTunnel no
AllowAgentForwarding no
AllowTcpForwarding no
X11Forwarding no

permissions...
drwxr-xr-x. 21 root root 4096 Jul 9 10:05 var
drwxr-xr-x. 8 root root 137 Jun 27 06:49 www
drwxr-xr-x 3 root root 62 Nov 10 2017 abc
drwxrwxr-x 16 abc abc 4096 Aug 19 17:41 public_html

passwd file...
abc:x:1004:1004::/var/www/abc/public_html:/bin/bash


When I attempt a connection I get...
Sep 20 18:14:13 websvr sshd[1583]: Accepted password for abc from 192.168.1.20 port 58271 ssh2
Sep 20 18:14:13 websvr sshd[1583]: pam_unix(sshd:session): session opened for user abc by (uid=0)
Sep 20 18:14:13 websvr sshd[1583]: fatal: bad ownership or modes for chroot directory component "/" [postauth]
Sep 20 18:14:13 websvr sshd[1583]: pam_unix(sshd:session): session closed for user abc
Gilbert T. Gutierrez, Jr.

gilljr
Posts: 17
Joined: 2005/03/24 16:19:11
Location: Phoenix, AZ

Re: SFTP issues

Post by gilljr » 2018/09/21 01:49:30

I tried getting more info by running in debug mode (/usr/sbin/sshd -ddd)

It matched my rules
debug1: user abc matched 'User abc' at line 143
debug3: match found
debug3: reprocess config:144 setting ForceCommand internal-sftp
debug3: reprocess config:145 setting ChrootDirectory /var/www/abc
debug3: reprocess config:146 setting PermitTunnel no
debug3: reprocess config:147 setting AllowAgentForwarding no
debug3: reprocess config:148 setting AllowTcpForwarding no
debug3: reprocess config:149 setting X11Forwarding no

It failed, though, as it never made it past checking '/'. In examples, I saw that each directory in the path would have its permissions tested, and my debug output did not.
debug1: monitor_reinit: /dev/log doesn't exist in /var/www/abc chroot - will try to log via monitor using [postauth] suffix
User child is on pid 1682
debug1: PAM: establishing credentials [postauth]
debug3: safely_chroot: checking '/' [postauth]
bad ownership or modes for chroot directory component "/" [postauth]
debug1: do_cleanup [postauth]
Gilbert T. Gutierrez, Jr.

gilljr
Posts: 17
Joined: 2005/03/24 16:19:11
Location: Phoenix, AZ

Re: SFTP issues

Post by gilljr » 2018/09/21 01:51:35

SSH version

openssh-clients-7.4p1-16.el7.x86_64
libssh2-1.4.3-10.el7_2.1.x86_64
openssh-server-7.4p1-16.el7.x86_64
openssh-7.4p1-16.el7.x86_64
Gilbert T. Gutierrez, Jr.

TrevorH
Site Admin
Posts: 33191
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: SFTP issues

Post by TrevorH » 2018/09/21 06:18:28

And what are the permissions on / and /var/www/abc/? (I'm not sure if it's complaining about the real / or the chrooted one).
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

gilljr
Posts: 17
Joined: 2005/03/24 16:19:11
Location: Phoenix, AZ

Re: SFTP issues

Post by gilljr » 2018/09/21 14:36:05

TrevorH wrote:
2018/09/21 06:18:28
And what are the permissions on / and /var/www/abc/? (I'm not sure if it's complaining about the real / or the chrooted one).
My original post shows the permissions...

drwxr-xr-x. 21 root root 4096 Jul 9 10:05 var
drwxr-xr-x. 8 root root 137 Jun 27 06:49 www
drwxr-xr-x 3 root root 62 Nov 10 2017 abc
drwxrwxr-x 16 abc abc 4096 Aug 19 17:41 public_html
Gilbert T. Gutierrez, Jr.

gilljr
Posts: 17
Joined: 2005/03/24 16:19:11
Location: Phoenix, AZ

Re: SFTP issues

Post by gilljr » 2018/09/21 15:15:24

Resolved the issue. Somehow the write bit was set on the root directory, '/':

dr-xrwxr-x. 17 root root 244 Jul 9 10:05 .
dr-xrwxr-x. 17 root root 244 Jul 9 10:05 ..

That was not right! I don't know when I did it, but I must have done it when I was working on virtual host permissions, not paying attention to directories. It makes me angry that I did it :oops: !

Now it is
dr-xr-xr-x. 17 root root 244 Jul 9 10:05 .
dr-xr-xr-x. 17 root root 244 Jul 9 10:05 ..


THE ISSUE IS NOW RESOLVED, MY MISTAKE WAS ASSUMING THAT I DON'T MAKE MISTAKES.
Gilbert T. Gutierrez, Jr.
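The failure in this thread is sshd's safely_chroot() check (visible in the debug output above) rejecting "/" because its group write bit was set. Every component of a ChrootDirectory path, from "/" down to the chroot itself, must be owned by root and must not be group- or world-writable; sshd stops at the first component that fails, which is why the debug log never got past "/". The script below is an added example, not code from this thread or from OpenSSH: it re-implements that per-component rule so a broken component can be found before an SFTP user is locked out. It assumes GNU coreutils stat (as on CentOS 7) and an absolute chroot path.

```shell
#!/bin/sh
# Added example: reproduce the ownership/mode test sshd applies to each
# component of a ChrootDirectory path (root-owned, no group/other write bit).

# Pure rule check.
#   $1 = owner uid (numeric), $2 = octal mode as printed by `stat -c %a` (e.g. 755).
# Returns 0 if sshd would accept a chroot component with this owner and mode.
chroot_component_ok() {
    uid=$1
    mode=$2
    # Must be owned by root (uid 0).
    [ "$uid" -eq 0 ] || return 1
    # Must not be writable by group or others: (mode & 022) == 0.
    # "0$mode" forces octal interpretation, so 1777 and 755 both work.
    [ $(( 0$mode & 022 )) -eq 0 ] || return 1
    return 0
}

# Walk an absolute path from "/" downward, checking each component in the
# same order sshd does. Prints one line per component; exits non-zero at the
# first bad one (so the output tells you which directory to fix).
check_chroot_path() {
    target=$1
    case $target in
        /*) ;;
        *)  echo "error: chroot path must be absolute: $target" >&2; return 2 ;;
    esac

    component=/
    rest=$target
    while :; do
        if [ ! -d "$component" ]; then
            echo "BAD  $component (not a directory)"
            return 1
        fi
        uid=$(stat -c '%u' "$component")
        mode=$(stat -c '%a' "$component")
        if ! chroot_component_ok "$uid" "$mode"; then
            echo "BAD  $component (owner uid $uid, mode $mode)"
            return 1
        fi
        echo "ok   $component (owner uid $uid, mode $mode)"

        # Strip leading slashes, then peel off the next path element.
        while [ "${rest#/}" != "$rest" ]; do rest=${rest#/}; done
        [ -n "$rest" ] || return 0
        part=${rest%%/*}
        rest=${rest#"$part"}
        component=${component%/}/$part
    done
}

# Usage, mirroring the thread's ChrootDirectory:
#   check_chroot_path /var/www/abc
```

With the thread's original state ("/" at dr-xrwxr-x, i.e. mode 575) the walker reports BAD on "/" and stops, exactly where sshd's debug output stopped; after the fix to dr-xr-xr-x (555) it continues through /var, /var/www and /var/www/abc. Note that public_html (owned by abc, mode 775) could never serve as the chroot itself, which is why the chroot sits one level up and the user's writable tree lives inside it.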
