Chroot SSH Question - SSH


  1. Chroot SSH Question

    FSecure sshd set to chroot accounts in a specific group:

    so /home/user is the effective root.

    question is, is it possible to add /arbitary/dir/ to their chroot jail
    where /arbitary/dir is on a separate logical volume?

    thanks

  2. Re: Chroot SSH Question

    john yeo wrote:

    > FSecure sshd set to chroot accounts in a specific group:
    >
    > so /home/user is the effective root.
    >
    > question is, is it possible to add /arbitary/dir/ to their chroot jail
    > where /arbitary/dir is on a separate logical volume?


    Under Linux 2.4.0+ use the 'bind' argument with mount:

    mount --bind olddir newdir

    This will make olddir visible as newdir even if the newdir is inside and
    olddir is outside the jail.

    Ximinez
    --
    Our three weapons are fear, surprise, and ruthless efficiency...
    and an almost fanatical devotion to the Pope....
    http://www.ai.mit.edu/people/paulfitz/spanish/t1.html

  3. Re: Chroot SSH Question

    In comp.security.ssh john yeo :
    > FSecure sshd set to chroot accounts in a specific group:


    > so /home/user is the effective root.


    > question is, is it possible to add /arbitary/dir/ to their chroot jail
    > where /arbitary/dir is on a separate logical volume?


    Unfortunately you don't tell which OS you are using?

    With Linux there is a "bind" option (mount(8)) which should do
    what you want, take care there's nothing in it getting the user
    out of the chroot environment.

    --
    Michael Heiming (X-PGP-Sig > GPG-Key ID: EDD27B94)
    mail: echo zvpunry@urvzvat.qr | perl -pe 'y/a-z/n-za-m/'
    #bofh excuse 111: The salesman drove over the CPU board.

  4. Re: Chroot SSH Question

    Michael Heiming wrote:
    > In comp.security.ssh john yeo :
    >> FSecure sshd set to chroot accounts in a specific group:

    >
    >> so /home/user is the effective root.

    >
    >> question is, is it possible to add /arbitary/dir/ to their chroot jail
    >> where /arbitary/dir is on a separate logical volume?

    >
    > Unfortunately you don't tell which OS you are using?
    >
    > With Linux there is a "bind" option (mount(8)) which should do
    > what you want, take care there's nothing in it getting the user
    > out of the chroot environment.


    Mmm, what can you think of that will get the user out of a chroot?

    Ximinez
    --
    Our three weapons are fear, surprise, and ruthless efficiency...
    and an almost fanatical devotion to the Pope....
    http://www.ai.mit.edu/people/paulfitz/spanish/t1.html

  5. Re: Chroot SSH Question

    In comp.security.ssh The Spanish Inquisition :
    > Michael Heiming wrote:
    >> In comp.security.ssh john yeo :
    >>> FSecure sshd set to chroot accounts in a specific group:


    [ removed quoting of empty lines ]

    >>> so /home/user is the effective root.


    >>> question is, is it possible to add /arbitary/dir/ to their chroot jail
    >>> where /arbitary/dir is on a separate logical volume?


    >> Unfortunately you don't tell which OS you are using?


    >> With Linux there is a "bind" option (mount(8)) which should do
    >> what you want, take care there's nothing in it getting the user
    >> out of the chroot environment.


    > Mmm, what can you think of that will get the user out of a chroot?


    Don't know for sure as I haven't tested this out and won't do it.

    This is just a warning to check for some symlink or alike inside
    a bind-mounted directory and test it for possible problems.
    Nothing more.

    --
    Michael Heiming (X-PGP-Sig > GPG-Key ID: EDD27B94)
    mail: echo zvpunry@urvzvat.qr | perl -pe 'y/a-z/n-za-m/'
    #bofh excuse 174: Backbone adjustment
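Added example, not code from this thread or from any of its posters, covering both the `mount --bind` step from reply 2 and the warning in reply 5 to inspect the bind-mounted directory before trusting it. The script lists the objects in the source directory that deserve a look before it is shared with a jail (symlinks, setuid/setgid files, device nodes) and then performs the bind mount followed by a remount with ro,nosuid,nodev. It assumes Linux with util-linux mount(8) and GNU find(1); the function names and the /srv/shared and /home/user/shared paths are placeholders of mine.

```shell
#!/bin/sh
# Added example, not code from the thread: audit a directory before exposing it
# to a chroot jail through a bind mount, then mount it with hardened flags.
# Assumes Linux with util-linux mount(8) and GNU find(1). Paths in the usage
# comment are placeholders.

# Report objects in DIR that a jailed user should not normally be handed via a
# shared bind mount:
#   symlink - followed by whoever walks the tree; a process outside the jail
#             resolves an absolute target against the real root, not the jail
#   setid   - setuid/setgid files run with elevated privileges inside the jail
#             unless the mount carries nosuid
#   device  - device nodes give the jail raw device access unless nodev
# Prints one "kind<TAB>path" line per finding. Returns 1 if anything was found,
# 0 if the tree is clean.
audit_bind_dir() {
    dir=$1
    findings=$(find "$dir" \
        \( -type l -printf 'symlink\t%p -> %l\n' \) -o \
        \( -type f \( -perm -4000 -o -perm -2000 \) -printf 'setid\t%p (mode %m)\n' \) -o \
        \( \( -type b -o -type c \) -printf 'device\t%p\n' \))
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# Bind SRC onto DST (a directory inside the jail), then remount the bind
# read-only with nosuid,nodev so that nothing inherited from SRC can run
# setuid or open a device node from inside the jail. Drop "ro" if the jailed
# users need to write. Needs root: this is the step reply 2 describes, plus
# the flag remount that mount(8) documents for bind mounts.
bind_into_jail() {
    src=$1
    dst=$2
    mount --bind "$src" "$dst" &&
    mount -o remount,bind,ro,nosuid,nodev "$src" "$dst"
}

# Usage (placeholder paths): sh bind_audit.sh /srv/shared /home/user/shared
# The mount only happens when the audit found nothing.
if [ $# -eq 2 ]; then
    audit_bind_dir "$1" && bind_into_jail "$1" "$2"
fi
```

The audit deliberately does not follow symlinks (`find` without `-L`), so a link is reported as a link rather than as whatever it points to; the remount flags are set separately because a plain `mount --bind` inherits the source's mount options rather than the ones given on the command line.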

  6. Re: Chroot SSH Question

    Michael Heiming wrote:

    > In comp.security.ssh The Spanish Inquisition :
    >> Michael Heiming wrote:
    >>> In comp.security.ssh john yeo :
    >>>> FSecure sshd set to chroot accounts in a specific group:

    >
    > [ removed quoting of empty lines ]
    >
    >>>> so /home/user is the effective root.

    >
    >>>> question is, is it possible to add /arbitary/dir/ to their chroot jail
    >>>> where /arbitary/dir is on a separate logical volume?

    >
    >>> Unfortunately you don't tell which OS you are using?

    >
    >>> With Linux there is a "bind" option (mount(8)) which should do
    >>> what you want, take care there's nothing in it getting the user
    >>> out of the chroot environment.

    >
    >> Mmm, what can you think of that will get the user out of a chroot?

    >
    > Don't know for sure as I haven't tested this out and won't do it.
    >
    > This is just a warning to check for some symlink or alike inside
    > a bind-mounted directory and test it for possible problems.
    > Nothing more.


    Not if the chroot functionality is properly implemented, this shouldn't
    be possible:

    "The chroot mechanism itself is not entirely secure. On some systems,
    chroot contexts do not stack properly; on such a system, if a chrooted
    program has root privileges, it can perform a second chroot to break out."

    http://en.wikipedia.org/wiki/Chroot

    I also found this: http://www.securityfocus.com/bid/17735/discuss

    Doesn't seem to affect my setup.

    Ximinez
    --
    Our three weapons are fear, surprise, and ruthless efficiency...
    and an almost fanatical devotion to the Pope....
    http://www.ai.mit.edu/people/paulfitz/spanish/t1.html

  7. Re: Chroot SSH Question

    In comp.security.ssh The Spanish Inquisition :

    [ removed quoting of empty lines ]

    [ making some dir visible under chroot which is out of the chroot
    environment using Linux (bind) ]

    > Not if the chroot functionality is properly implemented, this shouldn't
    > be possible:


    Yep, if not or alike. This was just a warning to do some checks
    on your own and not trust anything blindly.

    > "The chroot mechanism itself is not entirely secure. On some systems,
    > chroot contexts do not stack properly; on such a system, if a chrooted
    > program has root privileges, it can perform a second chroot to break out."


    > http://en.wikipedia.org/wiki/Chroot


    > I also found this: http://www.securityfocus.com/bid/17735/discuss


    > Doesn't seem to affect my setup.


    Sure, based on your header you are running windose anyway. ;-)

    BTW
    You wonder what the question has to do with ssh?

    --
    Michael Heiming (X-PGP-Sig > GPG-Key ID: EDD27B94)
    mail: echo zvpunry@urvzvat.qr | perl -pe 'y/a-z/n-za-m/'
    #bofh excuse 294: PCMCIA slave driver

  8. Re: Chroot SSH Question

    Michael Heiming wrote:

    > In comp.security.ssh The Spanish Inquisition :
    >
    > [ removed quoting of empty lines ]
    >
    > [ making some dir visible under chroot which is out of the chroot
    > environment using Linux (bind) ]
    >
    >> Not if the chroot functionality is properly implemented, this shouldn't
    >> be possible:

    >
    > Yep, if not or alike. This was just a warning to do some checks
    > on your own and not trust anything blindly.
    >
    >> "The chroot mechanism itself is not entirely secure. On some systems,
    >> chroot contexts do not stack properly; on such a system, if a chrooted
    >> program has root privileges, it can perform a second chroot to break out."

    >
    >> http://en.wikipedia.org/wiki/Chroot

    >
    >> I also found this: http://www.securityfocus.com/bid/17735/discuss

    >
    >> Doesn't seem to affect my setup.

    >
    > Sure, based on your header you are running windose anyway. ;-)


    On my laptop, yes. My servers are all running Linux and I have more
    servers than desktops...

    > BTW
    > You wonder what the question has to do with ssh?


    Chroot is very popular with ssh. Security is about giving people access
    to what they need, but not more than they need.

    I use scponly with chroot to allow people access to certain files.

    Ximinez
    --
    Our three weapons are fear, surprise, and ruthless efficiency...
    and an almost fanatical devotion to the Pope....
    http://www.ai.mit.edu/people/paulfitz/spanish/t1.html

  9. Re: Chroot SSH Question

    In comp.security.ssh The Spanish Inquisition :
    > Michael Heiming wrote:
    >> In comp.security.ssh The Spanish Inquisition :


    [ removed quoting of empty lines ]

    >> [ making some dir visible under chroot which is out of the chroot
    >> environment using Linux (bind) ]


    [..]

    >> BTW
    >> You wonder what the question has to do with ssh?


    > Chroot is very popular with ssh. Security is about giving people access
    > to what they need, but not more than they need.


    > I use scponly with chroot to allow people access to certain files.


    All well, but we still don't know what OS the OP is using at all
    and I'm off-hand not aware of other OS having the nifty "bind"
    option to mount?

    After all the question is about chroot but hasn't much to do with
    ssh...

    --
    Michael Heiming (X-PGP-Sig > GPG-Key ID: EDD27B94)
    mail: echo zvpunry@urvzvat.qr | perl -pe 'y/a-z/n-za-m/'
    #bofh excuse 112: The monitor is plugged into the serial port
