Bananian

SOLVED: HOWTO chroot? fatal - bad ownership or modes for chroot

Edited by herrmeier at Oct 08, 2016 09:43

Hi,

thank you for reading this and giving it a thought!

Objective/Target:
Jail the web user into his home directory while still enabling him to sftp/scp into it.

Problem:
I cannot connect with ssh or sftp into the web user's home directory:

    /var/log/auth.log
    fatal: bad ownership or modes for chroot directory
Configuration:

PROBLEM FOUND: /home/chroot/webuser1 needs to belong to root, not just the parent directories.



    sudo ls -la /home/chroot/webuser1
    [sudo] password for examplehostname:
    total 20
    drwxr-xr-x 2 webuser1 webuser1 4096 Oct  5 21:35 .
    drwxr-xr-x 3 root     root     4096 Oct  5 21:35 ..
    -rw-r--r-- 1 webuser1 webuser1  220 Oct  5 21:35 .bash_logout
    -rw-r--r-- 1 webuser1 webuser1 3392 Oct  5 21:35 .bashrc
    -rw-r--r-- 1 webuser1 webuser1  675 Oct  5 21:35 .profile

    sudo id webuser1
    uid=100x(webuser1) gid=100x(webuser1) groups=100x(webuser1),33(www-data),100y(sftpusers)

    Port xx
    Port yyyy
    Port zzzzz
    Protocol 2
    HostKey /etc/ssh/ssh_host_rsa_key
    UsePrivilegeSeparation yes
    KeyRegenerationInterval 3600
    ServerKeyBits 768
    SyslogFacility AUTH
    LogLevel INFO
    LoginGraceTime 120
    PermitRootLogin no
    StrictModes yes
    RSAAuthentication yes
    PubkeyAuthentication yes
    IgnoreRhosts yes
    RhostsRSAAuthentication no
    HostbasedAuthentication no
    PermitEmptyPasswords no
    ChallengeResponseAuthentication no
    X11Forwarding yes
    X11DisplayOffset 10
    PrintMotd no
    PrintLastLog yes
    TCPKeepAlive yes
    AcceptEnv LANG LC_*
    Subsystem     sftp   internal-sftp
    UsePAM yes
    UseDNS no
    Ciphers aes256-ctr,aes128-ctr
    MACs hmac-sha2-512,hmac-sha2-256,hmac-ripemd160
    KexAlgorithms diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1
    Match Group sftpusers
         ChrootDirectory %h
         X11Forwarding no
         AllowTCPForwarding no
         ForceCommand internal-sftp
What I thought to be different from other systems is the following line:

    # Subsystem sftp /usr/lib/openssh/sftp-server

which I changed into:

    Subsystem     sftp   internal-sftp

and commented out.

    $ cat /etc/passwd | grep "webuser1"
    webuser1:x:100x:100x:,,,:/home/chroot/webuser1:/bin/false
I am really curious what I am doing wrong. Any idea why I can't connect with either ssh or sftp?
Thank you for your thoughts on this!


Good tutorials I found were:
https://linux.recipes/add-a-jailed-sftp-user-part-i/
https://linux.recipes/add-a-jailed-sftp-user-part-ii/
http://www.xlgps.com/article/389878.html

