Wednesday, January 28, 2009

SFTP Jails

The usual method to reduce the risk of exploits by local users on a system, is to substitute /bin/false as the login shell. However, the users still need FTP access so that they can manipulate their files on the system, so you still need to prevent them from wondering around the filesystem. Some FTP servers, like vsftd, will let you put the user in a chroot jail. I prefer secure FTP which is included with secure shell server, but how do you jail the user?

I found two solutions: scponly and rssh. Both are packaged in Debian etch and both provide scripts to build the jails, so they are equal in most repects. I opted for scponly because it only provides SFTP capability and thus requires a simpler chroot environment than rssh, which allows for full shell access within the jail.

After I installed scponly, I run the script to create a test jail. It works fine. But, when I login with sftp, the connection is terminated immediately. My initial search reveals that the usual reason for this is the jail is not setup correctly. Indeed, the log shows that sftp-server terminates with a "file not found" error. Yes, but which file?

Some more searching eventually reveals that the setup script has two problems. It does not create /dev/null and it does not copy the correct dynamic linker on a 64bit system. The clearest solution was here. As that page also points out, if I had checked the Debian bug reports for scponly first, I would have found the solution a lot sooner.

Why didn't I think of that? Umm...

[Updated 2009/07/17: Fixed link at request of owner.]

No comments:

Post a Comment