Topic: VirtualChroot fails, Couldn't chroot to ...: Operation not permitted
My environment is Ubuntu 10.10 with MySecureShell 1.25 (installed from the http://mysecureshell.free.fr/repository … hp/ubuntu/ repository).
The server has apparmor installed (since it is installed by default), but I suspect that apparmor is not at fault here. I've tested with apparmor disabled (invoke-rc.d apparmor stop) and the same error occurred when connecting to the server via SSH+SFTP+MySecureShell.
The complete error message from /var/log/sftp-server.log is:
2012-07-06 14:28:13 [17501][backup][myserver.example.com]Couldn't chroot to '/home/backup': Operation not permitted
sftp-verif doesn't find any problems:
################################################################################
MySecureShell Verification Tool
################################################################################
### Verifing file existance ###
/bin/MySecureShell [ OK ]
/usr/bin/sftp-who [ OK ]
/usr/bin/sftp-kill [ OK ]
/usr/bin/sftp-state [ OK ]
/usr/bin/sftp-admin [ OK ]
/usr/bin/sftp-verif [ OK ]
/usr/bin/sftp-user [ OK ]
### Verifing rights ###
Verifing file rights of /etc/ssh/sftp_config [ OK ]
Verifing file rights of /usr/bin/sftp-who [ OK ]
Verifing file rights of /usr/bin/sftp-verif [ OK ]
Verifing file rights of /usr/bin/sftp-user [ OK ]
Verifing file rights of /usr/bin/sftp-kill [ OK ]
Verifing file rights of /usr/bin/sftp-state [ OK ]
Verifing file rights of /usr/bin/sftp-admin [ OK ]
Verifing file rights of /bin/MySecureShell [ OK ]
### Verifing rotation logs ###
Rotation logs have been found [ OK ]
### Verifing server status ###
Verifing server status (ONLINE) [ OK ]
### Verifing server dependencies ###
Show only error(s) :
### Verifing server configuration ###
Show only error(s) :
Trying user: root
Checking user : backup
### All tests dones ###
If checking manually, MySecureShell's permissions seem to be alright:
$ ls -al /bin/MySecureShell
-rwsr-xr-x 1 root root 71496 2012-07-06 16:27 /bin/MySecureShell
I've downloaded the package source, modified SftpServer/SftpServer.c to log the UID (via getuid()) and EUID (via geteuid()) and unfortunately the following is logged:
2012-07-06 14:28:13 [17501] muzso debug, UID = 112, EUID = 112
Looking at the processes (while the SFTP client is connected) shows this:
$ ps faux
(...)
root 1124 0.0 0.1 5544 1032 ? Ss Jun29 0:00 /usr/sbin/sshd -D
(...)
root 23557 0.0 0.3 12672 3396 ? Ss 16:51 0:00 \_ sshd: backup [priv]
backup 23570 0.0 0.1 12672 1676 ? S 16:51 0:00 \_ sshd: backup@notty
backup 23571 0.0 0.2 7060 3056 ? SLs 16:51 0:00 \_ MySecureShell -c /usr/lib/openssh/sftp-server
The above of course doesn't show that anything would be wrong. In case of a Debian Squeeze server of mine VirtualChroot works just fine and the processes look quite the same:
root 9624 0.0 0.0 49176 1136 ? Ss Jun30 0:00 /usr/sbin/sshd
root 27171 0.1 0.0 72552 3284 ? Ss 16:56 0:00 \_ sshd: backup [priv]
backup 27189 0.0 0.0 72552 1616 ? S 16:56 0:00 | \_ sshd: backup@notty
backup 27190 0.0 0.0 30800 1932 ? Ss 16:56 0:00 | \_ MySecureShell -c /usr/lib/openssh/sftp-server
So something prevents the setuid bit put on /bin/MySecureShell to actually take effect on my Ubuntu server.
This might be apparmor, but I don't know how/why. When I stop apparmor (invoke-rc.d apparmor stop), all profiles are unloaded and (afaik) apparmor should not mess with any privileges anymore. My knowledge of apparmor is pretty slim, so it's still possible that apparmor is somehow interfering with MySecureShell. I'll try what happens if I completely remove the apparmor package and reboot. I'll come back with my findings.
In the meantime ... do you have any idea what might cause this problem ... apart from apparmor?
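The UID/EUID logging described in the post can be paired with a look at the executable on disk. This is an added example, not part of the original post and not MySecureShell code. It goes one step beyond the post by also checking the nosuid mount flag, which on Linux makes the kernel ignore setuid bits at exec. The function names, enum values and default path are assumptions made for illustration.

```c
#include <stdio.h>
#include <sys/stat.h>
#include <sys/statvfs.h>
#include <sys/types.h>
#include <unistd.h>

enum { SUID_BIT = 1, ROOT_OWNED = 2, FS_NOSUID = 4 };            /* hypothetical names */
enum verdict { V_ERR, V_OK, V_NO_BIT, V_NOT_ROOT, V_NOSUID, V_IGNORED };

static const char *const verdict_text[] = {
    "cannot examine binary", "setuid root took effect",
    "setuid bit missing from file mode", "binary not owned by root",
    "filesystem is mounted nosuid",
    "bit ignored at exec, or privileges changed before this point"
};

/* Mode bit, owner and mount flags of the file at path; -1 if it cannot be examined. */
int inspect_binary(const char *path)
{
    struct stat st;
    struct statvfs vfs;
    int flags = 0;

    if (stat(path, &st) != 0 || statvfs(path, &vfs) != 0)
        return -1;
    if (st.st_mode & S_ISUID)   flags |= SUID_BIT;
    if (st.st_uid == 0)         flags |= ROOT_OWNED;
    if (vfs.f_flag & ST_NOSUID) flags |= FS_NOSUID;
    return flags;
}

/* Match the on-disk facts against the effective UID the process really has. */
enum verdict diagnose(int flags, uid_t euid)
{
    if (flags < 0)             return V_ERR;
    if (euid == 0)             return V_OK;
    if (!(flags & SUID_BIT))   return V_NO_BIT;
    if (!(flags & ROOT_OWNED)) return V_NOT_ROOT;
    if (flags & FS_NOSUID)     return V_NOSUID;
    return V_IGNORED;          /* the situation the post's log line shows */
}

int main(int argc, char **argv)
{
    /* Default: the running executable itself (assumes /proc is mounted). */
    const char *path = argc > 1 ? argv[1] : "/proc/self/exe";
    int flags = inspect_binary(path);

    printf("%s: flags=%d uid=%d euid=%d -> %s\n", path, flags, (int)getuid(),
           (int)geteuid(), verdict_text[diagnose(flags, geteuid())]);
    return 0;
}
```

The two functions can be called from the same place where the getuid()/geteuid() logging was added, so the verdict lands in the same log line.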