Hi Luke,

--On 10. Juli 2008 17:52:12 -0700 Luke Brannon
wrote:

> I've been attempting to set up a chroot jail for a group of sftp users on
> a Mac OS X 10.4.11 server.

First of all, how did you get OS X' ssh to chroot? Did you apply the chroot
patch to the darwin source OpenSSH?

> Unfortunately when any of the users login,
> they get kicked out with the following error in my /var/log/secure.log:
>
> "fatal: bad ownership or modes for chroot directory component "/""
>
> Here are my configuration settings:
>
> /etc/sshd_config
># override default of no subsystems
> Subsystem sftp internal-sftp
>
> Match Group webgroup
> ChrootDirectory %h
> ForceCommand internal-sftp
> AllowTcpForwarding no
>
> (note: I've also tried: ChrootDirectory /webhome/web)
>
> Users are from an OpenDirectory Master. Shells are currently set to
> /bin/bash (no /bin/false as some write-ups suggest to use) and their home
> directories are set to /webhome/web.
>
> Permissions and ownership on the chroot home (/webhome/web/) are:
>
> $ ls -alG /webhome/
> total 0
> drwxr-xr-x + 3 root wheel 102 Jul 10 11:10 .
> drwxrwxr-t + 33 root admin 1224 Jul 10 11:10 ..
> drwxr-xr-x 6 root wheel 204 Jul 7 11:32 web
>
> Within web, users have access to write to different directories:
>
> $ ls -alG /webhome/web/
> total 8
> drwxr-xr-x + 6 root wheel 204 Jul 7 11:32 .
> drwxr-xr-x + 3 root wheel 102 Jul 10 11:10 ..
> -rw-r--r-- 1 root admin 7 Jul 2 15:48 index.html
> drwxrwxr-x 3 user1 web1grp 102 Jul 7 12:07 site1
> drwxrwxr-x 3 user2 web2grp 102 Jul 7 12:18 site2
> drwxrwxr-x 2 user3 web3grp 68 Jul 7 11:32 site3
>
> (note: web1grp, web2grp, web3grp are nested into webgroup)
> (note: acls are used on the site directories to deny read access to
> specific groups)
>
> Users not in the webgroup are able to login to the server with no
> problems.

Are those users chrooted as well?

I do not see any binaries in your chroot environment. Do you supply any?

Dirk

--------------------------------------------------------------
Dirk H. Schulz
IT Systems Service
Wiesenweg 12, 85567 Grafing
Tel. 0 80 92/86 25 68
Fax. 0 80 92/86 25 72
--------------------------------------------------------------
Technik vom Feinsten - und das nötige Tuning

On Jul 11, 2008, at 10:46 PM, Dirk H. Schulz wrote:

> Hi Luke,
>
> --On 10. Juli 2008 17:52:12 -0700 Luke Brannon
> wrote:
>
>> I've been attempting to set up a chroot jail for a group of sftp
>> users on
>> a Mac OS X 10.4.11 server.
>
> First of all, how did you get OS X' ssh to chroot? Did you apply the
> chroot patch to the darwin source OpenSSH?

I failed to mention that I compiled openssh v5.0p1 (which I understand
to have native chroot support) in /opt/openssh. It's running in
daemon mode at the moment as I have not integrated it with launchd
yet. (/System/Library/LaunchDaemons/ssh.plist has been unloaded with
launchctl)


>> Unfortunately when any of the users login,
>> they get kicked out with the following error in my /var/log/
>> secure.log:
>>
>> "fatal: bad ownership or modes for chroot directory component "/""
>>
>> Here are my configuration settings:
>>
>> /etc/sshd_config
>> # override default of no subsystems
>> Subsystem sftp internal-sftp
>>
>> Match Group webgroup
>> ChrootDirectory %h
>> ForceCommand internal-sftp
>> AllowTcpForwarding no
>>
>> (note: I've also tried: ChrootDirectory /webhome/web)
>>
>> Users are from an OpenDirectory Master. Shells are currently set to
>> /bin/bash (no /bin/false as some write-ups suggest to use) and
>> their home
>> directories are set to /webhome/web.
>>
>> Permissions and ownership on the chroot home (/webhome/web/) are:
>>
>> $ ls -alG /webhome/
>> total 0
>> drwxr-xr-x + 3 root wheel 102 Jul 10 11:10 .
>> drwxrwxr-t + 33 root admin 1224 Jul 10 11:10 ..
>> drwxr-xr-x 6 root wheel 204 Jul 7 11:32 web
>>
>> Within web, users have access to write to different directories:
>>
>> $ ls -alG /webhome/web/
>> total 8
>> drwxr-xr-x + 6 root wheel 204 Jul 7 11:32 .
>> drwxr-xr-x + 3 root wheel 102 Jul 10 11:10 ..
>> -rw-r--r-- 1 root admin 7 Jul 2 15:48 index.html
>> drwxrwxr-x 3 user1 web1grp 102 Jul 7 12:07 site1
>> drwxrwxr-x 3 user2 web2grp 102 Jul 7 12:18 site2
>> drwxrwxr-x 2 user3 web3grp 68 Jul 7 11:32 site3
>>
>> (note: web1grp, web2grp, web3grp are nested into webgroup)
>> (note: acls are used on the site directories to deny read access to
>> specific groups)
>>
>> Users not in the webgroup are able to login to the server with no
>> problems.
>
> Are those users chrooted as well?

No.

> I do not see any binaries in your chroot environment. Do you supply
> any?

No. Ultimately users will have only sftp access. I was under the
impression I'd only need to include binaries if shell access was
granted. The error message is generated when I attempt either ssh or
sftp logins.

> Dirk
>
> --------------------------------------------------------------
> Dirk H. Schulz
> IT Systems Service
> Wiesenweg 12, 85567 Grafing
> Tel. 0 80 92/86 25 68
> Fax. 0 80 92/86 25 72
> --------------------------------------------------------------
> Technik vom Feinsten - und das nötige Tuning

Regards,

Luke

Hi Luke,

--On 12. Juli 2008 09:46:14 -0700 Luke Brannon
wrote:

- snip -

>> I do not see any binaries in your chroot environment. Do you supply
>> any?
>
> No. Ultimately users will have only sftp access. I was under the
> impression I'd only need to include binaries if shell access was granted.

No, there is lots of shared libs and binaries you need for sftp as well. I
have configured chrooting via pam on linux a few weeks ago (which in this
aspect makes no difference) and needed quite some time for collecting all
necessary things.

Dirk