Topic: Chrooted shell

Hi,

Is there a way to chroot the shell access (Shell directive) ?

I did try to put "/usr/sbin/chroot /chrooteddir /bin/bash" as the shell directive but this doesn't work.

Also, would there be a similar possibility as the "Forced Commands restriction" we can use with ssh keys ? This would help creating a kind of profile script with predefined commands.
Ex: http://binblog.info/2008/10/20/openssh- … -commands/

Seb

Re: Chrooted shell

Hi,

Can you post your configuration file ?

Re: Chrooted shell

## MySecureShell Configuration File ##
#Default rules for everybody
<Default>
    GlobalDownload        50m    #total speed download for all clients
                    # o -> bytes   k -> kilo bytes   m -> mega bytes
    GlobalUpload        0    #total speed download for all clients (0 for unlimited)
    Download         0    #limit speed download for each connection
    Upload             0    #unlimit speed upload for each connection
    StayAtHome        true    #limit client to his home
    VirtualChroot        true    #fake a chroot to the home account
    LimitConnection        10    #max connection for the server sftp
    LimitConnectionByUser    1    #max connection for the account
    LimitConnectionByIP    2    #max connection by ip for the account
    Home            /home/$USER    #overrite home of the user but if you want you can use
                        #    environment variable (ie: Home /home/$USER)
    IdleTimeOut        30m    #(in second) deconnect client is idle too long time
    ResolveIP        true    #resolve ip to dns
#    IgnoreHidden        true    #treat all hidden files as if they don't exist
#    DirFakeUser        true    #Hide real file/directory owner (just change displayed permissions)
#    DirFakeGroup        true    #Hide real file/directory group (just change displayed permissions)
#    DirFakeMode        0400    #Hide real file/directory rights (just change displayed permissions)
                    #Add execution right for directory if read right is set
    HideNoAccess        true    #Hide file/directory which user has no access
#    MaxOpenFilesForUser    20    #limit user to open x files on same time
#    MaxWriteFilesForUser    10    #limit user to x upload on same time
#    MaxReadFilesForUser    10    #limit user to x download on same time
    DefaultRights        0640 0750    #Set default rights for new file and new directory
#    MinimumRights        0400 0700    #Set minimum rights for files and dirs

    ShowLinksAsLinks    false    #show links as their destinations
#    ConnectionMaxLife    1d    #limits connection lifetime to 1 day

#    Charset            "ISO-8859-15"    #set charset of computer
</Default>

#Rules only for group ftp
#<Group ftp>
#    Download    25 k/s
#    LogFile        /var/log/sftp-server_ftp.log    #Change logfile
#    ExpireDate    "2007-02-28 18:31:01"
#</Group>

#<Group sftp_administrator>
#    IsAdmin        true        #can admin the server
#    VirtualChroot    false        #you must disable chroot to have a full support of admin
#    StayAtHome    true
#    IdleTimeOut    0
#</Group>

#<Group old_client>
#    SftpProtocol        3    #force protocol SFTP
#    DisableAccount        true    #disable account
#</Group>

#Rules only for group ftpnolimit
#<Group ftpnolimit>
#    Download        0    #0 = unlimited
#    IdleTimeOut        0    #no timeout
#    DirFakeUser        false    #show real user on file/directory
#    DirFakeGroup        false    #show real group on file/directory
#    DirFakeMode        0    #show real rights on file/directory
#    MaxReadFilesForUser    0    #0 = unlimited but still have the restriction MaxOpenFilesForUser
#</Group>

#<IpRange 192.168.0.1-192.168.0.5>
#    ByPassGlobalDownload    true    #bypass GlobalDownload restriction
#    ByPassGlobalUpload    true    #bypass GlobalUpload restriction
#    Download        0
#    DisableAccount        false    #enable account
#    IdleTimeOut        0    #disable timeout
#    LimitConnectionByIP    0    #no limit
#</IpRange>

#<Group trusted_users>
#    Shell        /bin/tcsh    #give a shell access to TRUSTED clients !!!
#</Group>

#<VirtualHost *:22> 
#    DirFakeUser    false    #show real user on file/directory
#    DirFakeGroup    false    #show real group on file/directory
#    DirFakeMode    0    #show real rights on file/directory
#    HideNoAccess    false
#    IgnoreHidden    false
#</VirtualHost>

#Include /etc/my_sftp_config_file    #include this valid configuration file

Include /etc/ssh/sftp_users/users

And

<User xxx>
Home        /home/www
ForceGroup     www-data
Shell         "/usr/sbin/chroot /home/www /bin/bash"
StayAtHome    true
</User>

Re: Chrooted shell

Hi,

You can't specify tag Shell like this... you can only specify the binary (no arguments) please use a script and set it as shell in MySecureShell smile

Re: Chrooted shell

I'll try. thanks

Re: Chrooted shell

This doesn't work with a script.
Is it restricted to binaries, or it can be a script?

Re: Chrooted shell

Hi,

There is no restriction... check your configuration file with "MySecureShell --configtest"

Re: Chrooted shell

Here is the kind of expected script to be run, extended from command restriction from ssh key:

#!/bin/sh
# usage:
# <User xxx>
# Home        /home/www
# ForceGroup     www-data
# Shell         <path to msshellchroot.sh>
# StayAtHome    true
# </User>
#
# Don't forget to chmod a+x msshellchroot.sh

if [ -z "${SSH_ORIGINAL_COMMAND}" ]; then
        if [ -z "$2" ]; then
            echo "This access can only execute commands via SSH remote calls"
            exit
        else
            SSH_ORIGINAL_COMMAND="$2"
        fi
fi

sudo chroot ~

case "$SSH_ORIGINAL_COMMAND" in
*\&*)
echo "Rejected"
;;
*\;*)
echo "Rejected"
;;
git*)
$SSH_ORIGINAL_COMMAND
;;
*)
echo "Rejected"
;;
esac

Out of the various sudoer & co problems for the chroot command (MySecureShell should implement an option for virtualchroot the ssh shell as well as the sftp), it doesn't seem that MSS applies ssh commands transfered through remote calls (neither SSH_ORIGINAL_COMMAND nor $2).

Re: Chrooted shell

Hi,

You're rights MySecureShell doesn't pass $2 nor SSH_ORIGINAL_COMMAND...

I'll add this in next version...