[Bug 2048] New: Make chrooted sftp more user friendly using bind mount (solution suggested)

bugzilla-daemon at mindrot.org
Tue Nov 13 05:09:33 EST 2012


https://bugzilla.mindrot.org/show_bug.cgi?id=2048

          Priority: P5
            Bug ID: 2048
          Assignee: unassigned-bugs at mindrot.org
           Summary: Make chrooted sftp more user friendly using bind mount
                    (solution suggested)
          Severity: enhancement
    Classification: Unclassified
                OS: Linux
          Reporter: harviecz at gmail.com
          Hardware: All
            Status: NEW
           Version: 6.1p1
         Component: sftp-server
           Product: Portable OpenSSH

I'll be a bit verbose, sorry.

There are lots of people running their own shared hosting machines and
they need to supply some kind of remote access to their clients. Most
of them are using FTP/FTPS, but I think that SFTP/SCP is much better,
more secure and less problematic. We all know that we can't make a
normal Windows BFU see all system files and let him search for his own
home directory in the directory structure, because this will often
leave him confused and he'll often call the helpdesk and complain about
it. That's one of the reasons why we have chroot support in OpenSSH.
The other reason is obvious: better security.

So this is typical configuration:

Subsystem       sftp    internal-sftp

Match Group sftpusers
   ChrootDirectory %h
   ForceCommand internal-sftp
   AllowTcpForwarding no


It has one big problem. For security reasons we cannot chroot into a
directory that is not owned by root (or that is writable by the user).
There's probably nothing we can do about this right now, but let's take
a deeper look and see if there are some workarounds which will prevent
us from modifying the directory structure, chowning all homes to root
(such a home is no longer "sweet home"), etc.

And guess what: I've come up with a solution that enables OpenSSH to
securely isolate a user without disabling writing to the home directory!

I've implemented it as a PoC PAM module (not very secure at this
moment), but I hope it can make its way directly into OpenSSH. I'll
tell you more, but here is the source anyway if you wish:
https://github.com/Harvie/pam-ftpfuck/blob/master/src/mypam.c


So how does it work?
It bind-mounts the user's home directory into a subdirectory of a
root-owned directory created especially for this user...

So we're no longer chrooting into /home/user/ (which can now be owned
by root); we'll rather chroot into /var/ssh-chroot/user/ (which is
created on demand and owned by root), and it contains the user-owned
directory /var/ssh-chroot/user/user/, which is a bind mount pointing to
/home/user/.

So after logging into the SFTP server our client will only see a root
containing the single directory /user, which seems quite user friendly
to me :-)

Of course we can create these bind mounts with some cron script, but
it's not nearly as elegant as when it is done directly on demand by
OpenSSH.


Other thoughts?
- Read-only bind mounts! (don't forget to check if the RO option was
successfully applied)
- I am not sure if bind mounts are available on BSDs (I have never used
BSD); maybe mount_null or some kind of symlinks can be used???
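The on-demand layout described above, together with the "check that RO really applied" step from the list, as an added shell script that is not part of the report, of OpenSSH or of the pam-ftpfuck module. It assumes Linux with util-linux mount(8) and /proc/mounts, the /var/ssh-chroot and /home paths from the report, and that it runs as root; the hypothetical setup_chroot function is the cron-script alternative the report mentions.

```shell
#!/bin/sh
# Added example, not OpenSSH's or the reporter's code. Creates the
# root-owned chroot skeleton on demand and bind-mounts the home into it.
# Assumes Linux, util-linux mount(8) and /proc/mounts; must run as root.
set -eu
CHROOT_BASE=/var/ssh-chroot   # root-owned parent, as in the report

# sshd's ChrootDirectory rule: root-owned, not group/world-writable.
# Args: numeric uid, ls-style mode string such as "drwxr-xr-x".
chroot_perm_ok() {
    [ "$1" -eq 0 ] || return 1
    case $2 in
        ?????w*|????????w*) return 1 ;;   # group or other write bit set
    esac
    return 0
}

# Mount options of TARGET from a /proc/mounts-style file (default
# /proc/mounts); prints nothing when TARGET is not a mount point.
mount_opts() {
    awk -v t="$1" '$2 == t { o = $4 } END { print o }' "${2:-/proc/mounts}"
}

# True when TARGET is mounted with the "ro" option: the "check that RO
# really applied" step, since a bind remount can silently stay rw.
mount_is_ro() {
    opts=$(mount_opts "$1" "${2:-/proc/mounts}")
    case ",$opts," in *,ro,*) return 0 ;; esac
    return 1
}

# setup_chroot USER [ro]: /var/ssh-chroot/USER (root, 0755) gets
# /home/USER bind-mounted at /var/ssh-chroot/USER/USER.
setup_chroot() {
    user=$1; root=$CHROOT_BASE/$user; target=$root/$user
    mkdir -p -m 0755 "$CHROOT_BASE" "$root"
    chown root:root "$CHROOT_BASE" "$root"
    chroot_perm_ok $(stat -c '%u %A' "$root") ||
        { echo "$root: not usable as ChrootDirectory" >&2; return 1; }
    mkdir -p "$target"
    [ -n "$(mount_opts "$target")" ] || mount --bind "/home/$user" "$target"
    if [ "${2:-rw}" = ro ]; then
        mount -o remount,bind,ro "$target"
        mount_is_ro "$target" ||
            { echo "$target: read-only remount not applied" >&2; return 1; }
    fi
}

if [ $# -ge 1 ]; then setup_chroot "$@"; fi
```

Invoke it as `setup_chroot.sh alice ro` to get a read-only view, or without `ro` for the writable home the report wants; a failed RO check makes the script exit non-zero instead of handing out a silently writable mount.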
