<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 14 (filtered medium)">
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">The logins to the chroot can’t follow symlinks that point outside of the chroot. However, the application on the server CAN follow symlinks into the real path
of the chroot’ed directories. We use this for common accounts where we can’t tell who is logging in to drop files in the chroot. Those users logging in never see anything but the chroot but our application’s common directory contains symlinks back to those
real paths.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">It confuses developers because if you make the chroot real path something like /secure/sftp/billybob and then put a home under that, the directory you need a symlink
to might be /secure/sftp/billybob/home/billybob, but user billybob sees that only as /home/billybob when they log in.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Loop mounts would probably work just as well, but we’ve been doing the symlink thing for a long time and you see it as a link when traversing the common directory.
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> ale-bounces@ale.org [mailto:ale-bounces@ale.org]
<b>On Behalf Of </b>Brian Mathis<br>
<b>Sent:</b> Friday, August 21, 2015 10:49 AM<br>
<b>To:</b> Atlanta Linux Enthusiasts<br>
<b>Subject:</b> Re: [ale] Need wacky chroot setup help<o:p></o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">Create directories owned by root for chrooted users in something like: /srv/sftp/$USER<o:p></o:p></p>
<div>
<p class="MsoNormal">Set up ssh to chroot those users into that directory<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">Create a directory /srv/sftp/$USER/jobout<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">Use a bind mount (mount -o bind) to mount /home/t1000/dept-fun-times to /srv/sftp/$USER/jobout for each user<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">This is the only way I know of since the chroot can't follow symlinks.<o:p></o:p></p>
</div>
<div>
<div>
<p class="MsoNormal"><br clear="all">
<o:p></o:p></p>
<div>
<div>
<div>
<div>
<p class="MsoNormal"><span style="font-family:"MS Mincho"">❧</span> Brian Mathis<o:p></o:p></p>
</div>
<p class="MsoNormal">@orev<o:p></o:p></p>
</div>
</div>
</div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><br>
<br>
<o:p></o:p></p>
<div>
<p class="MsoNormal">On Fri, Aug 21, 2015 at 9:17 AM, James Sumners <<a href="mailto:james.sumners@gmail.com" target="_blank">james.sumners@gmail.com</a>> wrote:<o:p></o:p></p>
<div>
<p class="MsoNormal">I have some craptastic software that allows users to submit background jobs that are executed by a common system account. Let's call that account 't1000'. This system supports a configuration where the end user's submitted job can be written
to a directory in their home directory, provided t1000's group is able to write to it. Otherwise, job output files get dumped in t1000's home directory. Further, I have departments with users that need to share a common job output directory.<o:p></o:p></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">So let's pretend I have users "foobar" and "barbaz" that need to submit jobs to a common output directory. Let's further assume I have the following file system layout:<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">- /home/t1000/<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">- /home/t1000/dept-fun-times/<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">- /home/foobar/<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">- /home/foobar/jobout/ => /home/t1000/dept-fun-times/<o:p></o:p></p>
</div>
<div>
<div>
<p class="MsoNormal">- /home/barbaz/<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">- /home/barbaz/jobout/ => /home/t1000/dept-fun-times/<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Each of the users t1000, foobar, and barbaz is a member of a group "vomit". Each "jobout" directory and the "dept-fun-times" directory have mode `0770`. Thus when either foobar or barbaz submits a job, that job's output will end up in `/home/t1000/dept-fun-times/`.
Any other user that submits a job will result in the job output going to `/home/t1000/`.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">All files in `/home/t1000/` and `/home/t1000/dept-fun-times/` are mode `0660`.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Now for the fun part:<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">I need foobar and barbaz to be able to ssh/sftp to the system and be "chrooted" to `/home/t1000/dept-fun-times/` such that they cannot change from that directory nor open any files outside of that directory.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">SSHD requires the destination chroot to (rightly) be a proper jail. As does the rssh shell (when chrooting). Bash's restricted mode is also not a solution.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Do you guys have any ideas how I can accomplish this goal?<o:p></o:p></p>
</div>
<div>
<div>
<p class="MsoNormal"><span style="color:#888888"><o:p> </o:p></span></p>
</div>
<p class="MsoNormal"><span style="color:#888888">-- <o:p></o:p></span></p>
<div>
<div>
<div>
<div>
<div>
<p class="MsoNormal"><span style="color:#888888">James Sumners<br>
</span><a href="http://james.sumners.info/" target="_blank">http://james.sumners.info/</a><span style="color:#888888"> (technical profile)<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><a href="http://jrfom.com/" target="_blank">http://jrfom.com/</a><span style="color:#888888"> (personal site)<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><a href="http://haplo.bandcamp.com/" target="_blank">http://haplo.bandcamp.com/</a><span style="color:#888888"> (band page)<o:p></o:p></span></p>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><br>
_______________________________________________<br>
Ale mailing list<br>
<a href="mailto:Ale@ale.org">Ale@ale.org</a><br>
<a href="http://mail.ale.org/mailman/listinfo/ale" target="_blank">http://mail.ale.org/mailman/listinfo/ale</a><br>
See JOBS, ANNOUNCE and SCHOOLS lists at<br>
<a href="http://mail.ale.org/mailman/listinfo" target="_blank">http://mail.ale.org/mailman/listinfo</a><o:p></o:p></p>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</div>
</div>
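<p class="MsoNormal">The bind-mount recipe from Brian's reply, written out as a script. This is an added example, not code from any message in the thread; it takes the /srv/sftp/$USER jail layout, the shared /home/t1000/dept-fun-times directory and the group name from the posts above, assumes GNU stat/find, and adds the check that James's "proper jail" remark refers to: sshd only chroots into a path whose every component is root-owned and not group- or world-writable.</p>

```shell
#!/bin/sh
# Added example, not code from the thread. It scripts Brian's recipe
# (root-owned /srv/sftp/$USER as the sftp jail, the shared directory
# bind-mounted onto $USER/jobout) and front-loads the check sshd makes
# before it will chroot: every path component of ChrootDirectory must be
# owned by root and must not be group- or world-writable, which is why the
# jail cannot simply be /home/t1000/dept-fun-times. Assumes GNU stat/find.

SHARED=/home/t1000/dept-fun-times   # shared job-output directory (from James's post)
JAIL_ROOT=/srv/sftp                 # per-user jails live here (from Brian's reply)

# Walk from $1 upward, stopping before $2 (default /), and fail on the first
# component that is not root-owned or is writable by group or others.
chroot_path_ok() {
    p=$1 top=${2:-/}
    while [ "$p" != "$top" ] && [ "$p" != "/" ] && [ "$p" != "." ]; do
        [ "$(stat -c %u "$p")" = 0 ] || { echo "not root-owned: $p" >&2; return 1; }
        [ -z "$(find "$p" -maxdepth 0 -perm /022)" ] \
            || { echo "group/world-writable: $p" >&2; return 1; }
        p=$(dirname "$p")
    done
    return 0
}

# sshd_config fragment: members of group $1 are chrooted into their own jail
# (%u expands to the user name) and get only the in-process sftp server, so
# there is no shell to escape from. The jail itself is not writable by the
# user; only jobout is.
sshd_match_block() {
    printf 'Match Group %s\n    ChrootDirectory %s/%%u\n    ForceCommand internal-sftp\n    AllowTcpForwarding no\n    X11Forwarding no\n' \
        "$1" "$JAIL_ROOT"
}

# fstab entry that makes the bind mount for user $1 survive a reboot.
fstab_bind_line() {
    printf '%s %s/%s/jobout none bind 0 0\n' "$SHARED" "$JAIL_ROOT" "$1"
}

# Build the jail for user $1 (run as root). The mount is the last step so
# that a jail sshd would reject never exposes the shared directory.
make_jail() {
    u=$1
    mkdir -p "$JAIL_ROOT/$u/jobout" \
        && chown root:root "$JAIL_ROOT" "$JAIL_ROOT/$u" \
        && chmod 755 "$JAIL_ROOT" "$JAIL_ROOT/$u" \
        && chroot_path_ok "$JAIL_ROOT/$u" \
        && mount -o bind "$SHARED" "$JAIL_ROOT/$u/jobout"
}
```

<p class="MsoNormal">Inside the jail, jobout carries the bind-mounted directory's own 0770 mode, so foobar and barbaz still need to be in group vomit to write there; make_jail is run once per user and the Match block once per group.</p>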
</div>
</body>
</html>