On 12.11.23 03:52, Damien Miller wrote:
On Sat, 11 Nov 2023, Bob Proulx wrote:
I am supporting a site that allows members to upload release files. I
have inherited this site which was previously existing. The goal is
to allow members to file transfer to and from their project area for
release distribution but not to allow general shell access and not to
allow access to other parts of the system.
Currently rsync and old scp has been restricted using a restricted
shell configuration. But of course that does not limit sftp. And of
course sftp can be chrooted which would work okay for us. Use the
ForceCommand internal-sftp configuration to put the process in a
chroot. But then that configuration blocks rsync.
Match ... other stuff
Match ALL
ChrootDirectory /releases
ForceCommand internal-sftp
AllowTcpForwarding no
X11Forwarding no
I have not been able to deduce a way to set up sftp-in-a-chroot *only*
when sftp is requested and allow rsync when rsync is requested and
allow rsync to work normally when rsync is requested.
You can do this using a custom setuid shell or forcecommand (it needs
to be setuid because chroot requires privileges). It can look at
the contents of $SSH_ORIGINAL_COMMAND and decide on whether to run
rsync or chroot then run sftp-server.
It is possible to do this without setuid, but the forcecommand would
need to live inside the ChrootDirectory along with everything else
sftp-server and rsync needs.
If you're on Linux, then maybe you could cook something up using
namespaces and bind mounts to simplify this.
A while ago I used the following bubblewrap-based login shell to
implement said Linux namespace and bind mount solution to give
restricted shell access to a mostly trusted user. Using bwrap saves the
perilous trouble of writing a safe setuid solution yourself. Could be
extended by looking at $SSH_ORIGINAL_COMMAND to get the sftp/rsync
behavior you're looking for. Obviously, no guarantees about its safety.
For example, a "Subsystem sftp" directive in the sshd_config will bypass
the login shell, IIRC.
Best regards,
Carsten
---
#!/bin/bash
set -euo pipefail
(exec bwrap \
--ro-bind /bin /bin \
--ro-bind /usr /usr \
--ro-bind /lib /lib \
--ro-bind /lib64 /lib64 \
--dir /home \
--dir /run/user/$(id -u) \
--dir /tmp \
--dir /var \
--symlink ../tmp var/tmp \
--bind /home/user /home/user \
--proc /proc \
--dev /dev \
--chdir /home/user \
--unshare-all \
--file 11 /etc/passwd \
--file 12 /etc/group \
--file 13 /etc/bash.bashrc \
--file 14 /etc/hostname \
--file 15 /etc/localtime \
--file 16 /etc/nsswitch.conf \
--file 17 /etc/profile \
/bin/bash "$@"
) \
11< <(getent passwd $UID 65534) \
12< <(getent group $(id -g) 65534) \
13< <(cat /etc/bash.bashrc) \
14< <(cat /etc/hostname) \
15< <(cat /etc/localtime) \
16< <(cat /etc/nsswitch.conf) \
17< <(cat /etc/profile)
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev