Re: ls hangs in internal-sftp for LDAP users + numeric uid/gid instead of names

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

 



On 2017-05-18T13:13, mh@xxxxxxx <mh@xxxxxxx> wrote:
> Le 18/05/2017 à 12:17, mh@xxxxxxx a écrit :
> > However, I get uid/gid numbers instead of names within sftp session (ls
> > -l) ? I don't know if it's new but I would definitively prefer names...
> 
> It seems the reason is :
> 
> open("/etc/passwd", O_RDONLY|O_CLOEXEC) = -1 EACCES (Permission denied)
> 
> okay, etc folder in the chroot wasn't world readable. If I put an entry
> in the passwd file, the sftp session start resolving names.
> 
> Notice the sftp process is owned by the connecting user, and if etc/
> folder is world readable, it means I expose those file to sftp user. I
> don't like it but unsure if there is a better solution...
> 
> Or I could simply only resolve entries from the ldap and get rid of
> passwd file (see below).
> 
> I also had this error:
> socket(PF_LOCAL, SOCK_STREAM, 0)        = 4
> fcntl(4, F_GETFL)                       = 0x2 (flags O_RDWR)
> fcntl(4, F_SETFD, FD_CLOEXEC|0x2)       = 0
> connect(4, {sa_family=AF_LOCAL, sun_path="/var/run/nslcd/socket"}, 23) =
> -1 ENOENT (No such file or directory)
> 
> Of course /var/run/nslcd/socket doesn't exist in the chroot.
> 
> To solve this I did :
> mount -o bind /var/run/nslcd/ <chrootfolder>/var/run/nslcd/

Yes, and additionally you want to get rid of 'compat' nsswitch entries,
because those also consult the passwd/group/... files.

Another option, if you don't want to have a socket reaching out of the
chroot (including the corresponding possible chroot escape possibility)
is to just "copy everything from ldap into a local file". Which would be
exactly what https://github.com/google/nsscache does. YMMV.



Ciao,

Alexander Wuerstlein.
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev




[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux