openssh-sftp-server: ChrootDirectory error #10089

Closed
alazanjc opened this issue Sep 26, 2019 · 6 comments

alazanjc commented Sep 26, 2019

MAINTAINER: @tripolar
Environment: openssh-sftp-server ver. 7.7p1-2
OpenWrt ver. 18.06.2 r7676-cddd7b4c77

Description: Apparently the use of the ChrootDirectory parameter is invalid

Hi, I have two devices with openwrt. The first one has Chaos Calmer version 15.05 and the second one has version 18.06.2.

In both, an sftp server is installed, in the version corresponding to each openwrt.

It is intended to set a root directory to limit access to certain subdirectories of the file system using the ChrootDirectory parameter.

In version 18.06.2 the use of this parameter gives an error that I cannot solve. I can only use the server without ChrootDirectory, but therefore exposing the entire file system.

I include various configuration settings and the results obtained in each case.

**The Client**: Ubuntu 16.04.6 LTS

**Server 1**:
	OpenWrt Chaos Calmer 15.05
	openssh-sftp-server ver 7.1p2-1

	passwd:
		jc:*:1003:55:Juan Carlos:/JC:/bin/false
	group:
		ftp:x:55:
	sshd_config:
		Subsystem sftp internal-sftp
		Match group ftp
			ChrootDirectory /mnt/DiscoAV
			ForceCommand internal-sftp

	file system /:
		drwxr-xr-x    1 root     root             0 Apr 25 02:13 mnt
	file system /mnt:
		drwxr-xr-x    7 root     root          4096 Aug 11 17:53 DiscoAV
	file system /mnt/DiscoAV
		drwxr--r--    3 jc       ftp           4096 Sep 17 21:23 JC


$ sftp jc@device1
Connected to device1.
sftp> pwd
Remote working directory: /JC
sftp> 

This configuration works fine!!


**Server 2**:
	OpenWrt ver. 18.06.2 r7676-cddd7b4c77
	openssh-sftp-server	ver. 7.7p1-2

	passwd:
		jc:*:1003:55:Juan Carlos:/JC:/bin/false
	group:
		ftp:x:55:
	sshd_config:
		Subsystem sftp internal-sftp
		Match group ftp
			ChrootDirectory /mnt/DiscoAV
			ForceCommand internal-sftp

	file system /:
		drwxr-xr-x    1 root     root             0 Apr 25 02:13 mnt
	file system /mnt:
		drwxr-xr-x    7 root     root          4096 Aug 11 17:53 DiscoAV
	file system /mnt/DiscoAV
		drwxr--r--    3 jc       ftp           4096 Sep 17 21:23 JC

$ sftp jc@device2
Connected to device2.
Couldn't canonicalize: No such file or directory
Need cwd

**Error!!!**


I change the root directory in the passwd file:

	passwd:
		jc:*:1003:55:Juan Carlos:/mnt/DiscoAV:/bin/false

New attempt:

$ sftp jc@device2
Connected to device2.
Couldn't canonicalize: No such file or directory
Need cwd

**Error!!!**

I remove the ChrootDirectory parameter:

	sshd_config:
		Subsystem sftp internal-sftp
		Match group ftp
		#	ChrootDirectory /mnt/DiscoAV
			ForceCommand internal-sftp

And I try again:

$ sftp jc@device1
Connected to device1.
sftp> pwd
Remote working directory: /mnt/DiscoAV
sftp> 

**The connection is good, but the entire file system is exposed!!**

The error is reproduced with the FileZilla and WinSCP clients, so I rule out a problem in the Ubuntu client.

If you need any other information, you just have to ask for it.

neheb commented Jan 14, 2020

Is this still an issue?

alazanjc commented

Hi Rosen, I finally abandoned the sFTP option due to this problem and looked for other options.

The last time I was on the subject it was still not working properly.

In any case I see that in the repository of my openwrt version, the sFTP server version is the same.

neheb commented Jan 14, 2020

It should be 8.1 now. Anyway, I will close this. I noticed that Chaos Calmer is being used. That's way out of date.

neheb closed this as completed Jan 14, 2020

alazanjc commented

The version that fails is 18.06; the comments I make regarding version 15.05 are to indicate that in that version the behavior is correct.

In the repository of 18.06, the sFTP version that it returns to me is the one with the problem. I have verified that there is a new OpenWrt version available (for less than a week). I have nothing to say about that version; it is very premature.

neheb commented Jan 14, 2020

Googling the error reveals that it's also a problem elsewhere. Unfortunately, I don't think anyone will work on fixing it for 18.06 as 19.07 is out.

orange47 commented Jan 15, 2021

I have the exact same problem with the latest version (currently OpenWrt 19.07.5).
openssh-client - 8.0p1-1
openssh-keygen - 8.0p1-1
openssh-server - 8.0p1-1
openssh-sftp-server - 8.0p1-1

Sad, very sad indeed.
They say we should install realpath and bind-mount '/proc/self/fd', but I couldn't:

https://forum.openwrt.org/t/openssh-sftp-server-chroot-fails-to-change-directory/44355
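
A pre-flight check for the `ChrootDirectory` setup posted in this issue, as an added example that is not part of the original thread or of the OpenWrt or OpenSSH code. The function names are hypothetical; the ownership rule and the home-directory step are the ones documented in sshd_config(5), and the `/proc/self/fd` line only reports the condition mentioned in the last comment.

```sh
#!/bin/sh
# Added example: pre-flight check for an sshd ChrootDirectory (helper names are hypothetical).
# sshd_config(5): every component of the chroot path must be a root-owned directory
# that is not writable by group or others; after the chroot, sshd changes to the
# user's home directory, which is resolved inside the chroot.

# component_ok DIR [UID]: DIR is a directory owned by UID (default 0) without g/o write.
component_ok() {
    dir=$1 want_uid=${2:-0}
    line=$(ls -ldn -- "$dir" 2>/dev/null) || return 1
    set -f; set -- $line; set +f        # $1 = mode string, $3 = numeric owner
    case $1 in d*) ;; *) return 1 ;; esac
    [ "$3" = "$want_uid" ] || return 1
    gw=$(printf '%s' "$1" | cut -c6)    # group write bit
    ow=$(printf '%s' "$1" | cut -c9)    # other write bit
    [ "$gw" != w ] && [ "$ow" != w ]
}

# chroot_path_ok DIR: apply component_ok to DIR and every parent up to /.
chroot_path_ok() {
    p=$1
    case $p in /*) ;; *) echo "FAIL $p: not an absolute path"; return 1 ;; esac
    while :; do
        component_ok "$p" 0 || { echo "FAIL $p: need root-owned dir, no group/other write"; return 1; }
        [ "$p" = / ] && return 0
        p=$(dirname "$p")
    done
}

# home_in_chroot CHROOT HOME: the passwd home directory exists below the chroot.
home_in_chroot() {
    [ -d "${1%/}/${2#/}" ]
}

report() {
    chroot_path_ok "$1" && echo "OK   $1 and its parents satisfy sshd's ownership rule"
    if home_in_chroot "$1" "$2"; then echo "OK   home $2 exists inside $1"
    else echo "WARN home $2 not found under $1"; fi
    # The last comment in this thread mentions /proc/self/fd; report whether the jail has it.
    if [ -d "${1%/}/proc/self/fd" ]; then echo "INFO /proc/self/fd is visible inside $1"
    else echo "INFO /proc/self/fd is not visible inside $1"; fi
}

# Usage: sh check-chroot.sh /mnt/DiscoAV /JC   (values taken from the issue)
if [ $# -eq 2 ]; then report "$1" "$2"; fi
```

With the passwd entry changed to a home of `/mnt/DiscoAV`, the home check looks for `/mnt/DiscoAV/mnt/DiscoAV`, because the home path is resolved after the chroot.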
