Re: ls hangs in internal-sftp for LDAP users + numeric uid/gid instead of names


 



On 18/05/2017 at 15:38, Alexander Wuerstlein wrote:
> On 2017-05-18T13:13, mh@xxxxxxx <mh@xxxxxxx> wrote:
>> On 18/05/2017 at 12:17, mh@xxxxxxx wrote:
>>> However, I get uid/gid numbers instead of names within the sftp session
>>> (ls -l)? I don't know if it's new but I would definitely prefer names...
>>
>> It seems the reason is:
>>
>> open("/etc/passwd", O_RDONLY|O_CLOEXEC) = -1 EACCES (Permission denied)
>>
>> okay, the etc folder in the chroot wasn't world readable. If I put an entry
>> in the passwd file, the sftp session starts resolving names.
>>
>> Notice the sftp process is owned by the connecting user, and if the etc/
>> folder is world readable, it means I expose those files to the sftp user. I
>> don't like it but I'm unsure if there is a better solution...
>>
>> Or I could simply only resolve entries from the ldap and get rid of
>> passwd file (see below).
>>
>> I also had this error:
>> socket(PF_LOCAL, SOCK_STREAM, 0)        = 4
>> fcntl(4, F_GETFL)                       = 0x2 (flags O_RDWR)
>> fcntl(4, F_SETFD, FD_CLOEXEC|0x2)       = 0
>> connect(4, {sa_family=AF_LOCAL, sun_path="/var/run/nslcd/socket"}, 23) = -1 ENOENT (No such file or directory)
>>
>> Of course /var/run/nslcd/socket doesn't exist in the chroot.
>>
>> To solve this I did:
>> mount -o bind /var/run/nslcd/ <chrootfolder>/var/run/nslcd/
> 
> Yes, and additionally you want to get rid of 'compat' nsswitch entries,
> because those also consult the passwd/group/... files.
> 
> Another option, if you don't want to have a socket reaching out of the
> chroot (including the corresponding possible chroot escape possibility)
> is to just "copy everything from ldap into a local file". Which would be
> exactly what https://github.com/google/nsscache does. YMMV.
> 

Hi Alex,
Thanks,
Well, yes, but doesn't it come down to exposing all the user entries to the
sftp users? (as I've mentioned above). In my case it's not that critical
but still I'm not comfortable with it in a chroot'd ftp context/usage.


_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
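A middle ground between "bind-mount the nslcd socket into the chroot" and "copy the whole LDAP directory into chroot/etc/passwd" is to copy only the entries that are actually needed: the owners of files present in the chroot. The following script is an added example, not code from this thread, from OpenSSH or from nsscache. It assumes internal-sftp, where sftp-server runs in-process as the connecting user, so the host's nsswitch.conf (already parsed before the chroot) stays in effect; with `passwd: files ldap` a uid found in the chroot's own etc/passwd is resolved from `files` and never reaches the missing nslcd socket. The getent-style sample data, user names and directory layout below are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenSSH: build a minimal
# etc/passwd and etc/group inside an internal-sftp ChrootDirectory so that
# "ls -l" resolves names without copying the whole user database in and
# without bind-mounting the nslcd socket into the chroot.
#
# Assumption: internal-sftp runs in-process, as the connecting user, so
# whatever getpwuid()/getgrgid() need must be readable by that user under
# the chroot. The host nsswitch.conf applies (it was read before chroot);
# with "passwd: files ldap" a uid present in chroot/etc/passwd is answered
# by "files" and LDAP is not consulted for it.

# Emit "uid:gid" for every file under the chroot, one unique pair per line.
# Uses GNU find's -printf; this is what feeds the functions below in practice.
chroot_owner_ids() {
    find "$1" -printf '%U:%G\n' | sort -u
}

# stdin: "uid:gid" owner pairs; $1: passwd-format text (e.g. the output of
# "getent passwd" on the host, which can still reach LDAP). Prints entries
# for the wanted uids only, with gecos/home/shell blanked so nothing else
# about those accounts leaks into the chroot.
minimal_passwd() {
    awk -F: -v OFS=: -v src="$1" '
        { want[$1] = 1 }
        END {
            n = split(src, lines, "\n")
            for (i = 1; i <= n; i++) {
                split(lines[i], f, ":")
                if (f[3] in want)
                    print f[1], "x", f[3], f[4], "", "/", "/usr/sbin/nologin"
            }
        }'
}

# Same for groups: stdin "uid:gid" pairs, $1 group-format text. The member
# list is dropped so the chroot does not reveal group membership.
minimal_group() {
    awk -F: -v OFS=: -v src="$1" '
        { want[$2] = 1 }
        END {
            n = split(src, lines, "\n")
            for (i = 1; i <= n; i++) {
                split(lines[i], f, ":")
                if (f[3] in want)
                    print f[1], "x", f[3], ""
            }
        }'
}

# Write both files under $1/etc. $2 = owner pairs, $3 = passwd source text,
# $4 = group source text. 0755 on etc/ and 0444 on the files is exactly what
# the sftp-server (running as the user) needs to read them; they contain
# only the uids/gids the user can already see in a numeric "ls -l".
install_chroot_nss() {
    mkdir -p "$1/etc" && chmod 0755 "$1/etc"
    printf '%s\n' "$2" | minimal_passwd "$3" > "$1/etc/passwd"
    printf '%s\n' "$2" | minimal_group  "$4" > "$1/etc/group"
    chmod 0444 "$1/etc/passwd" "$1/etc/group"
}

# Constructed sample standing in for "getent passwd" / "getent group" on
# the host; the LDAP-backed accounts are fictional.
HOST_PASSWD='root:x:0:0:root:/root:/bin/bash
alice:x:10001:10001:Alice Example:/home/alice:/bin/bash
bob:x:10002:10001:Bob Example:/home/bob:/bin/bash
carol:x:10003:10003:Carol Example:/home/carol:/bin/bash'
HOST_GROUP='root:x:0:
staff:x:10001:alice,bob
carol:x:10003:'

# Owners found in a hypothetical chroot: root (the ChrootDirectory itself)
# plus files of alice and bob. carol owns nothing there and stays invisible.
OWNERS='0:0
10001:10001
10002:10001'

demo_dir=$(mktemp -d)
install_chroot_nss "$demo_dir" "$OWNERS" "$HOST_PASSWD" "$HOST_GROUP"
cat "$demo_dir/etc/passwd" "$demo_dir/etc/group"
rm -rf "$demo_dir"
```

In real use, replace the constructed strings with `getent passwd` / `getent group` run on the host, and feed `chroot_owner_ids "$chroot"` into `install_chroot_nss`, re-running it whenever file ownership inside the chroot changes (a cron job or an upload hook). The ChrootDirectory itself and every path component above it must stay root-owned and not group- or world-writable, otherwise sshd refuses the chroot; the 0755 etc/ directory here satisfies that. This removes the need for the nslcd socket bind mount for every uid present in the file, but a uid that is not in the file still falls through to LDAP and fails inside the chroot, so the generation step has to cover all owners.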



