
List:       rssh-discuss
Subject:    Re: rssh-forbidden command-revised all docs and forums. no help?
From:       Éliás_Tamás_István <eliast () ond ! vein ! hu>
Date:       2004-08-10 16:36:57
Message-ID: 46095.193.6.32.98.1092155817.squirrel () 193 ! 6 ! 32 ! 98

>Hy.
> Well, one suggestion is to try 2.1.1 instead.  There's a minor
Debian's distro contains the same, and I don't want to use that, (by the
way I have already tried that version) anyway I always compile
system-critical components from source. I have grsecurity installed. Maybe
that?
> rssh package...  You want to make sure you don't have that installed,
> as it likely would screw things up.
I did not install it, see the reason above.
>
>> I've enabled only one, per-user basis setting for rssh:
>> user=temp:022:00010:"/var/www"
>
> Interesting...  In your logs:
Okay then, I'll post the full one. I tried once again from scratch, and I
still have the same problem. (Maybe I need to set up a chroot environment
in /var/www, with /var/www as the root path?) The /usr/libexec/sftp-server
is being run with the chrooted user's privileges, instead of rssh?
Aug 10 17:44:17 kistestver rssh[28416]: setting umask to 022
Aug 10 17:50:46 kistestver rssh[21037]: allowing sftp to all users
Aug 10 17:50:46 kistestver rssh[21037]: setting umask to 022
Aug 10 17:50:46 kistestver rssh[21037]: line 49: configuring user temp
Aug 10 17:50:46 kistestver rssh[21037]: setting temp's umask to 011
Aug 10 17:50:46 kistestver rssh[21037]: allowing sftp to user temp
Aug 10 17:50:46 kistestver rssh[21037]: chrooting temp to /var/www
Aug 10 17:50:46 kistestver rssh[21037]: user temp attempted to execute forbidden commands
Aug 10 17:50:46 kistestver rssh[21037]: command: /usr/libexec/sftp-server
> What happens if you run the following commands:
>
>  $ rssh -v
>  $ which rssh
kistestver:/home/eliast# rssh -v
rssh 2.2.1 (c) 2002-3 Derek D. Martin <rssh-discuss at lists dot sourceforge dot net>
kistestver:/home/eliast# which rssh
/usr/local/bin/rssh
kistestver:/home/eliast# apt-get remove rssh
Reading Package Lists... Done
Building Dependency Tree... Done
Package rssh is not installed, so not removed
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
kistestver:/home/eliast#
> My suggestion, if nothing reveals itself as the solution, is to make
> sure you've removed all traces of any existing installations of rssh,
I'm sure.
> and re-install.  Maybe that will help.
It did not help. :(
my sftp-server has 100755 (octal permissions) root:root
Is it possible to somehow run strace on rssh? (while the remote login
happens, strace would create a logfile... I use strace not too often,
thus, I don't know if this can be done, so we could see why it can't open
what is there...)
I've already tried what I wrote at the beginning of this letter,
so I copied the libs needed by sftp-server into /var/www (of course, keeping
the dir structure). I have a good script for that. I attach it; someone
might need it.

lddcopy.sh:
#!/bin/sh

#####################################################################
#
# Initialize - handle command-line args, and set up variables and such.
#
# $1 is the directory to make the root of the chroot jail (required)
# $2 is the ELF binary that have to be checked (required)
# $3, if given, is the user who should own the jail (optional)
# $4, if given,  is the permissions on the directory (optional)
#

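if [ -z "$1" ]; then
        echo "`basename $0`: error parsing command line" >&2
        echo "  You must specify a directory to use as the chroot jail." >&2
        exit 1
fi

# $2 is documented as required; without it no libraries would be copied
if [ -z "$2" ]; then
        echo "`basename $0`: error parsing command line" >&2
        echo "  You must specify the ELF binary to check." >&2
        exit 1
fi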

jail_dir="$1"

if [ -n "$3" ]; then
        owner="$3"
fi

if [ -n "$4" ]; then
        perms="$4"
fi


#####################################################################
#
# copy to the jail
#

# now make the directory

if [ ! -d "$jail_dir" ]; then
        echo "Creating root jail directory."
        mkdir -p "$jail_dir"

        if [ $? -ne 0 ]; then
                echo "  `basename $0`: error creating jail directory." >&2
                echo "Check permissions on parent directory." >&2
                exit 2
        fi
fi

if [ -n "$owner" -a "`whoami`" = "root" ]; then
        echo "Setting owner of jail."
        chown "$owner" "$jail_dir"
        if [ $? -ne 0 ]; then
                echo "  `basename $0`: error changing owner of jail directory." >&2
                exit 3
        fi
else
        echo "NOT changing owner of root jail."
fi

# test $perms here: testing $owner would run chmod with an empty mode
# whenever an owner is given without permissions
if [ -n "$perms" -a "`whoami`" = "root" ]; then
        echo "Setting permissions of jail."
        chmod "$perms" "$jail_dir"
        if [ $? -ne 0 ]; then
                echo "  `basename $0`: error changing perms of jail directory." >&2
                exit 3
        fi
else
        echo -e "NOT changing perms of root jail. \c"
        if [ "`whoami`" != "root" ]; then
                echo "You are not root."
        else
                echo
        fi
fi

#####################################################################
#
# identify and copy libraries needed in the jail
#

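for prog in $2; do
        echo "Copying libraries for $prog."
        # take the absolute path from each ldd line; unlike a fixed field
        # number this also catches the dynamic loader, whose line has no
        # "=>" (e.g. "/lib/ld-linux.so.2 (0x...)"), and skips lines that
        # name no file at all
        libs=$(ldd "$prog" | awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) { print $i; break } }')
        for lib in $libs; do
                mkdir -p "$jail_dir$(dirname "$lib")"
                echo -e "\t$lib"
                cp "$lib" "$jail_dir$lib"
        done
done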

echo Done.
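
Added example, not part of the original message and not code from rssh: a check that a chroot jail such as the /var/www one discussed above holds the binary and every file ldd reports for it, including the dynamic loader. The sample ldd output and library versions are constructed, and ldd_paths, missing_in_jail and demo_jail_check are hypothetical names.

```shell
#!/bin/sh
# Added example: report files a binary needs that are absent from a chroot jail.

# Constructed sample of `ldd /usr/libexec/sftp-server` output (not real data).
SAMPLE_LDD='	linux-gate.so.1 =>  (0xffffe000)
	libcrypto.so.0.9.7 => /usr/lib/libcrypto.so.0.9.7 (0x40017000)
	libc.so.6 => /lib/libc.so.6 (0x40115000)
	/lib/ld-linux.so.2 (0x40000000)'

# ldd_paths: read ldd output on stdin, print the first absolute path on each
# line. Lines that name no file (virtual objects, "not found") are skipped.
ldd_paths() {
    awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) { print $i; break } }'
}

# missing_in_jail JAIL BINARY: read ldd output for BINARY on stdin and print
# every path (the binary itself, then its libraries) that does not exist
# under JAIL. Returns 1 if anything is missing, 0 otherwise.
missing_in_jail() {
    mij_jail=$1
    mij_status=0
    for mij_path in "$2" $(ldd_paths); do
        if [ ! -e "$mij_jail$mij_path" ]; then
            echo "$mij_path"
            mij_status=1
        fi
    done
    return $mij_status
}

# demo_jail_check: build a throwaway jail that holds two of the libraries but
# neither the loader nor the binary, then run the check against it.
demo_jail_check() {
    demo_dir=$(mktemp -d) || return 2
    mkdir -p "$demo_dir/lib" "$demo_dir/usr/lib"
    : > "$demo_dir/lib/libc.so.6"
    : > "$demo_dir/usr/lib/libcrypto.so.0.9.7"
    demo_rc=0
    printf '%s\n' "$SAMPLE_LDD" |
        missing_in_jail "$demo_dir" /usr/libexec/sftp-server || demo_rc=$?
    rm -rf "$demo_dir"
    return $demo_rc
}

demo_jail_check || echo "jail is incomplete"
```

Against a real jail, pipe the live output in: ldd /usr/libexec/sftp-server | missing_in_jail /var/www /usr/libexec/sftp-server.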




