03-30-2012, 06:39 PM
Dr Beco
chroot ssh and ftp

Hi there debian users,


I've been searching for a "how-to" to work this out, but all I got was
old blogs with very strange and different suggestions.

I need to configure a system with 3 groups of people: admins,
professors and students.

Professors can browse all /home of students, can read/write to them
also, but not browse other professors' homes.
Students can't browse each other's homes.

Neither professors nor students can get out of /home (jail?); only admins can.

Now, for debian squeeze, is there any news on a more recent way to do
these things, or some scripts that might help?

Do I need to create another directory, like /chroot/home, or can that
be made in /home as it is now?


Thanks for your attention, I hope we can figure it out.

Beco




--
Dr. Beco
A.I. research, Cognitive Scientist and Philosopher
Linux Counter #201942


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: http://lists.debian.org/CALuYw2w1WFZy1vo3qiGaKT1hSe5mWnFp+ixqcCWSB3VWZfmLDg@mail.gmail.com
 
03-30-2012, 07:11 PM
wlan
chroot ssh and ftp

If you have configured ssh-server you can simply configure sftp.

2012/3/30 Dr Beco <rcb@beco.cc>
> Hi there debian users,
>
> I've been searching for a "how-to" to work this out, but all I got was
> old blogs with very strange and different suggestions.
>
> I need to configure a system with 3 groups of people: admins,
> professors and students.
>
> Professors can browse all /home of students, can read/write to them
> also, but not browse other professors' homes.
> Students can't browse each other's homes.
>
> Neither professors nor students can get out of /home (jail?); only admins can.
>
> Now, for debian squeeze, is there any news on a more recent way to do
> these things, or some scripts that might help?
>
> Do I need to create another directory, like /chroot/home, or can that
> be made in /home as it is now?
>
> Thanks for your attention, I hope we can figure it out.
>
> Beco
 
03-30-2012, 07:13 PM
Keith McKenzie
chroot ssh and ftp

On 30/03/12 19:39, Dr Beco wrote:
> Hi there debian users,
>
> I've been searching for a "how-to" to work this out, but all I got was
> old blogs with very strange and different suggestions.
>
> I need to configure a system with 3 groups of people: admins,
> professors and students.

MAYBE THE FOLLOWING WILL WORK

> Professors can browse all /home of students, can read/write to them
> also, but not browse other professors' homes.

/home/professors/
'professor' group has read/write permissions on /home/students/

> Students can't browse each other's homes.

Normal 'user' - (file creation mode 777; I think)

> Neither professors nor students can get out of /home (jail?); only admins can.

admins in 'admin' group

> Now, for debian squeeze, is there any news on a more recent way to do
> these things, or some scripts that might help?
>
> Do I need to create another directory, like /chroot/home, or can that
> be made in /home as it is now?
>
> Thanks for your attention, I hope we can figure it out.
>
> Beco

Sounds like permissions on groups to me.
Maybe /home/professors /home/admins /home/students



Archive: http://lists.debian.org/4F7605C4.6080000@gmail.com
 
03-30-2012, 08:09 PM
Dr Beco
chroot ssh and ftp

Hi there wlan and Keith,

I'm not so sure it's that simple, but I would be glad if it is.

When I say "browse", I mean through ftp or through commands in a login
session with bash, like 'cd' or a simple 'ls /etc'.

(I thought the "subject" would make it clear, ssh and ftp, but
actually it is bash and ftp)

Also, if a student is simply a 777 permission, they all can spy on
each other's files, by issuing things like
$cp /home/sam/samfile.txt /home/simon/

If all this can be done using only group permissions, I would need
help to learn more about how to set it up, because I don't know how
it's done.

Thanks,
Beco



--
Dr. Beco
A.I. research, Cognitive Scientist and Philosopher
Linux Counter #201942


Archive: http://lists.debian.org/CALuYw2xM18wvzeuoUx+CQWJOzF6ZUgXY=MriHT2EQ2bDU3naEg@mail.gmail.com
 
03-30-2012, 09:18 PM
Kelly Clowers
chroot ssh and ftp

On Fri, Mar 30, 2012 at 13:09, Dr Beco <rcb@beco.cc> wrote:
> Hi there wlan and Keith,
>
> I'm not so sure it's that simple, but I would be glad if it is.
>
> When I say "browse", I mean through ftp or through commands in a login
> session with bash, like 'cd' or a simple 'ls /etc'.
>
> (I thought the "subject" would make it clear, ssh and ftp, but
> actually it is bash and ftp)
>
> Also, if a student is simply a 777 permission, they all can spy on
> each other's files, by issuing things like
> $cp /home/sam/samfile.txt /home/simon/
>
> If all this can be done using only group permissions, I would need
> help to learn more about how to set it up, because I don't know how
> it's done.
>
> Thanks,
> Beco
>

Off the cuff: all student dirs have a group owner of "professors" with
rwx perm, and students are not in that group.
Professors are in group "professors" and the group owner of their dirs
is "professors" but the perms for group are blank (or make the group
owner "admins" or something).

Make use of sgid and umask so everything stays proper. Not sure about
chrooting. Is that really needed?

I think that should work if you just want to stop casual
interference/reading. If you want to presume that students and/or
professors may mount sophisticated, persistent attacks, you need to
setup much more serious security, probably including ACLs,
Capabilities, SELinux, restricted shells, etc.

I am not a security expert at all, salt to taste.


Cheers,
Kelly Clowers


Archive: http://lists.debian.org/CAFoWM´┐ŻUsRad4YJS91r8U7CLgKrdTS8tR=9-kfJvd0pcfD75A@mail.gmail.com
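The layout Kelly sketches above, as an added example that is not part of the thread: a shell script that creates each home directory with the group owner and mode for its role (student dirs group-owned by the professors' group with the sgid bit, professors' dirs with the group bits blank), derives the per-role umask, and lets you rehearse the whole thing in a scratch directory before touching /home. The group names professor and admin, the 2770/0700 modes, the BASE argument, the `rehearse` switch and every function name are assumptions made here, not settings from the thread.

```shell
#!/bin/bash
# Added example, not from the thread: lays out home directories the way
# Kelly describes and shows what the sgid bit and umask do to new files.
# Assumptions (not from the thread): group names "professor" and "admin",
# and a BASE argument so the layout can be rehearsed in a scratch tree.
set -eu

PROF_GROUP=${PROF_GROUP:-professor}   # group every professor belongs to
ADMIN_GROUP=${ADMIN_GROUP:-admin}     # group every admin belongs to

# Directory mode by role.
#   student   2770: owner rwx, group (professors) rwx, sgid so files created
#                   inside inherit the professors' group; no "other" bits,
#                   so students cannot look into each other's homes
#   professor 0700: group bits blank, so other professors cannot browse it
#   admin     0700
home_mode() {
  case "$1" in
    student) echo 2770 ;;
    professor|admin) echo 0700 ;;
    *) echo "unknown role: $1" >&2; return 1 ;;
  esac
}

# Group owner by role (professor dirs take the admin group, Kelly's
# "or make the group owner admins" variant).
home_group() {
  case "$1" in
    student) echo "$PROF_GROUP" ;;
    professor|admin) echo "$ADMIN_GROUP" ;;
    *) echo "unknown role: $1" >&2; return 1 ;;
  esac
}

# umask the login shell should set for that role:
#   007 -> new files are rw-rw---- (professors can read/write a student's work)
#   077 -> new files are rw------- (nobody else, even in the same group)
role_umask() {
  case "$1" in
    student) echo 007 ;;
    professor|admin) echo 077 ;;
    *) echo "unknown role: $1" >&2; return 1 ;;
  esac
}

# create_home BASE ROLE USER: make BASE/USER with the role's group and mode.
# chown to USER only when root and the account exists, so the layout can be
# rehearsed unprivileged before the accounts are created.
create_home() {
  local base=$1 role=$2 user=$3 dir
  dir="$base/$user"
  mkdir -p "$dir"
  chgrp "$(home_group "$role")" "$dir"
  chmod "$(home_mode "$role")" "$dir"
  if [ "$(id -u)" -eq 0 ] && id "$user" >/dev/null 2>&1; then
    chown "$user" "$dir"
  fi
}

# create_as ROLE FILE: create an empty file the way that role's shell would
# (its umask applied); the sgid bit on the parent supplies the group.
create_as() {
  ( umask "$(role_umask "$1")"; : > "$2" )
}

# What ls -l would show, for checking the result.
mode_of()  { stat -c %a "$1"; }
group_of() { stat -c %G "$1"; }

# write_umask_profile FILE: a profile.d fragment applying the role umask
# (members of PROF_GROUP or ADMIN_GROUP get 077, everyone else 007).
write_umask_profile() {
  cat > "$1" <<EOF
# generated: role-based umask for the /home layout
if id -Gn | tr ' ' '\n' | grep -qx -e '$PROF_GROUP' -e '$ADMIN_GROUP'; then
  umask 077
else
  umask 007
fi
EOF
}

# Rehearsal on a scratch tree when run directly with "rehearse", e.g.
#   PROF_GROUP=$(id -gn) ADMIN_GROUP=$(id -gn) ./layout.sh rehearse
if [ "${1:-}" = rehearse ]; then
  base=$(mktemp -d)
  create_home "$base" student sam
  create_home "$base" professor paul
  create_as student "$base/sam/samfile.txt"
  ls -ld "$base/sam" "$base/paul" "$base/sam/samfile.txt"
fi
```

The rehearsal shows the effect Beco found odd: sam's file comes out as `sam professor`, because the sgid bit on the directory hands the professors' group to everything created inside it, and the 007 umask leaves the group write bit on so professors can edit it. Nothing here stops sam from running chmod or chgrp on his own files afterwards, which is the point Chris makes later in the thread.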
 
03-31-2012, 12:53 PM
Dr Beco
chroot ssh and ftp

> Off the cuff: all student dirs have a group owner of "professors" with
> rwx perm, and students are not in that group.
> Professors are in group "professors" and the group owner of their dirs
> is "professors" but the perms for group are blank (or make the group
> owner "admins" or something).
> Make use of sgid and umask so everything stays proper. Not sure about
> chrooting. Is that really needed?
> I think that should work if you just want to stop casual
> interference/reading. If you want to presume that students and/or
> professors may mount sophisticated, persistent attacks, you need to
> setup much more serious security, probably including ACLs,
> Capabilities, SELinux, restricted shells, etc.
> I am not a security expert at all, salt to taste.
>
> Cheers,
> Kelly Clowers
>

Hi Kelly, hi guys,

Thanks for the explanation. I never used SUID, GUID and UMASK, so I
did some research about it here [5]. I see that this could probably
work. It's weird though to have a student issue the command

$ls -l

and see his files owned by him, and group professor, him being a student.

-rwx------ 3 sam professor 4kB Mar 29 15:59 studsamfile.txt

But I think I can do the same by letting students in group student,
and adding all professors to that group also, can't I?
Let's take these examples here:

/etc/group
student:...:sam,simon,sony
professor:...:paul,peter,patrick
admin:...:alf,art,abbie

I wonder, can't a student simply give the command chown and make a
mess of it all?

Now, maybe this group permission is a good way to deal with who can
see what, but the main point of the thread [1] is CHROOTing the users
inside /home. Yes, Kelly, I do believe they can cause
(non-sophisticated) problems, because I saw some history commands
(like this one I can't explain: $explode professor's computer;
hopefully I did not have the 'explode' package installed, and all the
student got was a 'command not found'). Also, this server has a very
fast link with a governmental institution that must be preserved from
outsiders' attacks (which can be a little more sophisticated).

I'll not install ACL or SELinux, but if by restricted shell you mean
chroot a system, then yes. Let's get back on track.

From [2][3] I got that to keep ftp on /home is easy. But the site is
for debian lenny.
I just need a working sftp to change to

$vi /etc/ssh/sshd_config
Match Group users
ChrootDirectory /home
AllowTCPForwarding no
X11Forwarding no
ForceCommand /usr/lib/openssh/sftp-server
Match

Restart OpenSSH:
$/etc/init.d/ssh restart

And quote: "If you chroot multiple users to the same directory, but
don't want the users to browse the home directories of the other
users, you can change the permissions of each home directory as
follows:"
$chmod 700 /home/falko

Now this chmod may conflict with the previous solution.

Still [3] tells me there is a script that helps locking a user to the
home directory. Is this the procedure to follow in debian squeeze?

$cd /usr/local/sbin
$wget http://www.fuschlberger.net/programs/ssh-scp-sftp-chroot-jail/make_chroot_jail.sh
$chmod 700 /usr/local/sbin/make_chroot_jail.sh


In [4] I found that I need to manually copy a lot of programs to the
new root. Do I really need that? Is there an easy way to prevent
something like $cd .. from a user in his dir?


Thanks guys,
Beco


[1] Maybe I did ask for a solution to a problem that should be
addressed in both ways: group perms and chroot. If that is the case, a
moderator might want to split the thread to something like: group
permissions (was chroot ssh and ftp)
[2] http://netport.org/?p=379
[3] http://www.howtoforge.com/chrooted-ssh-sftp-tutorial-debian-lenny
[4] http://www.cyberciti.biz/tips/howto-linux-unix-rssh-chroot-jail-setup.html
[5] http://forums.eukhost.com/f30/more-file-permissions-suid-sgid-umask-882/



--
Dr. Beco
A.I. research, Cognitive Scientist and Philosopher
Linux Counter #201942


Archive: http://lists.debian.org/CALuYw2z430=170Z5R++N21G+iCb=T_EMbQupV_jG031mWMWP3w@mail.gmail.com
 
03-31-2012, 04:25 PM
Chris Davies
chroot ssh and ftp

Dr Beco <rcb@beco.cc> wrote:
> It's weird though to have a student [...] see his files owned by him,
> and group professor, him being a student.

The group name is just a label. There's no real reason why you couldn't
call it something else. (Stay away from "staff", and be aware that on
many systems "users" already exists.)


> I wonder, can't a student simple give the command chown and make a
> mess with it all?

Someone can chgrp/chmod a file or directory that they own, yes. But you
could override that with a frequent cron job (or a script built around
inotify) if you needed to.


> The main point of the thread [1] is CHROOTing the users inside
> /home. Yes, Kelly, I do believe they can cause (non-sophisticated)
> problems, because I saw some history commands (like this one I can't
> explain: $explode professor's computer,

If you put an account inside chroot then you will need to ensure that
you've copied in all the commands that this account needs to use. I
really don't see that this buys you anything whatsoever for an interactive
account. An interactive account with a decent subset of commands will
let you create executables - and it's often all too easy to get around
r*shell restrictions on PATH, so effectively anyone can run any command
sooner or later anyway.


> Also, this server has a very fast link with a governmental institution
> that must be preserved by outsider's attacks

Simple answer here is to prevent access to the remote system by
unauthorised users. If your students shouldn't have access to it, then
put your students on a different system that doesn't have access. If
that's not possible then disconnect this system from the sensitive one
and put the appropriate subset of authorised users on another system
that does have access to it. Look at your policies and procedures -
a (signed) piece of paper telling people not to access unauthorised
systems can be extremely useful as part of an access protection system.

Chris


Archive: http://lists.debian.org/ipnj49xrkd.ln2@news.roaima.co.uk
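Chris's "frequent cron job" idea, together with the chmod 700 and ChrootDirectory /home questions from Beco's earlier post, as an added example that is not part of the thread: a script meant for cron that reports, and optionally resets, home directories whose mode or group no longer match the policy (a user who chmods or chgrps his own home undoes it), and that applies the ownership test sshd performs on a ChrootDirectory, which must be owned by root and not writable by group or other, on the directory and on each of its parents. The role-file format, the function names, the 2770/0700 modes, the group names and the crontab path are assumptions made here, not from the thread.

```shell
#!/bin/bash
# Added example, not from the thread: a cron job that re-checks the home
# layout and the chroot root. Policy values (2770 for students, 0700 for
# professors and admins, groups "professor"/"admin") are assumptions
# carried over from the layout sketched earlier, not thread settings.
set -eu

PROF_GROUP=${PROF_GROUP:-professor}
ADMIN_GROUP=${ADMIN_GROUP:-admin}

# audit_home DIR WANT_MODE WANT_GROUP FIX
#   Reports each deviation on stderr; with FIX=1 restores mode and group.
#   Returns 0 when DIR already matched, 1 when drift was found.
audit_home() {
  local dir=$1 want_mode=$2 want_group=$3 fix=$4 drift=0 mode group
  mode=$(stat -c %a "$dir")
  group=$(stat -c %G "$dir")
  want_mode=$(printf '%o' "$((8#$want_mode))")   # so 0700 and 700 compare equal
  if [ "$mode" != "$want_mode" ]; then
    echo "drift: $dir mode=$mode want=$want_mode" >&2
    drift=1
    [ "$fix" = 1 ] && chmod "$want_mode" "$dir"
  fi
  if [ "$group" != "$want_group" ]; then
    echo "drift: $dir group=$group want=$want_group" >&2
    drift=1
    [ "$fix" = 1 ] && chgrp "$want_group" "$dir"
  fi
  return $drift
}

# audit_tree BASE ROLEFILE FIX: ROLEFILE holds lines of "user role"
# (assumed format). Prints the number of drifted directories on stdout.
audit_tree() {
  local base=$1 rolefile=$2 fix=$3 user role n=0
  while read -r user role; do
    [ -n "$user" ] || continue
    case "$role" in
      student)         audit_home "$base/$user" 2770 "$PROF_GROUP"  "$fix" || n=$((n + 1)) ;;
      professor|admin) audit_home "$base/$user" 0700 "$ADMIN_GROUP" "$fix" || n=$((n + 1)) ;;
      *) echo "unknown role for $user: $role" >&2 ;;
    esac
  done < "$rolefile"
  echo "$n"
}

# check_chroot_dir DIR: the test sshd applies to a ChrootDirectory component:
# owned by root, and no write bit for group or other. Returns 0 if it passes.
check_chroot_dir() {
  local dir=$1 uid mode
  uid=$(stat -c %u "$dir")
  mode=$((8#$(stat -c %a "$dir")))
  if [ "$uid" -ne 0 ]; then
    echo "chroot: $dir is not owned by root" >&2; return 1
  fi
  if [ $((mode & 8#022)) -ne 0 ]; then
    echo "chroot: $dir is writable by group or other" >&2; return 1
  fi
  return 0
}

# check_chroot_path DIR: the same test for DIR and every parent up to /,
# which is what sshd walks before it accepts ChrootDirectory.
check_chroot_path() {
  local dir
  dir=$(readlink -f "$1")
  while :; do
    check_chroot_dir "$dir" || return 1
    [ "$dir" = / ] && return 0
    dir=$(dirname "$dir")
  done
}

# Intended crontab line (assumed path and interval):
#   */10 * * * * root /usr/local/sbin/audit-homes.sh /home /etc/home-roles fix
if [ $# -ge 2 ]; then
  fix=0
  [ "${3:-}" = fix ] && fix=1
  n=$(audit_tree "$1" "$2" "$fix")
  echo "$n home directories drifted from policy"
  check_chroot_path "$1" || echo "sshd would refuse ChrootDirectory $1" >&2
fi
```

Chrooting to /home only needs /home itself and its parents to pass the root-owned, non-writable test; the 2770 student directories underneath are fine, since sshd does not check below the chroot root. The chmod 700 from the howtoforge quote and the group-based layout do conflict for student homes, which is why the policy here keeps 2770 for students and 0700 for everyone else and simply re-applies it.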