openssh v5.0p1 chroot/sftp mac os x 10.4 errors

I've been attempting to set up a chroot jail for a group of sftp users on a Mac OS X 10.4.11 server. Unfortunately, when any of the users log in, they get kicked out with the following error in my /var/log/secure.log:

"fatal: bad ownership or modes for chroot directory component "/""

Here are my configuration settings:

/etc/sshd_config
# override default of no subsystems
Subsystem sftp internal-sftp

Match Group webgroup
ChrootDirectory %h
ForceCommand internal-sftp
AllowTcpForwarding no

(note: I've also tried: ChrootDirectory /webhome/web)

Users are from an OpenDirectory Master. Shells are currently set to /bin/bash (not /bin/false, as some write-ups suggest using) and their home directories are set to /webhome/web.

Permissions and ownership on the chroot home (/webhome/web/) are:

$ ls -alG /webhome/
total 0
drwxr-xr-x+ 3 root wheel 102 Jul 10 11:10 .
drwxrwxr-t+ 33 root admin 1224 Jul 10 11:10 ..
drwxr-xr-x 6 root wheel 204 Jul 7 11:32 web

Within web, users have access to write to different directories:

$ ls -alG /webhome/web/
total 8
drwxr-xr-x+ 6 root wheel 204 Jul 7 11:32 .
drwxr-xr-x+ 3 root wheel 102 Jul 10 11:10 ..
-rw-r--r-- 1 root admin 7 Jul 2 15:48 index.html
drwxrwxr-x 3 user1 web1grp 102 Jul 7 12:07 site1
drwxrwxr-x 3 user2 web2grp 102 Jul 7 12:18 site2
drwxrwxr-x 2 user3 web3grp 68 Jul 7 11:32 site3

(note: web1grp, web2grp, web3grp are nested into webgroup)
(note: ACLs are used on the site directories to deny read access to specific groups)

Users not in the webgroup are able to log in to the server with no problems.

From the documentation I've read, the permissions on /webhome and /webhome/web should be okay. I don't suspect the ACLs, as they are only set on the subdirectories within web and not on web itself. Also, the documentation I've read states to chown the chroot home to root:root, which is root:wheel (0:0) in Mac OS X.

Many thanks in advance...

Regards,

Luke
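Added example, not part of the original post: a Python re-implementation of the per-component check sshd applies to a ChrootDirectory before it will chroot (every prefix of the path, starting with "/", must be owned by uid 0, must not be writable by group or others, and must be a directory), run against a fake tree constructed from the listings above, where "/" appears as drwxrwxr-t root admin. The names `check_chroot_dir`, `component_paths`, `FakeStat` and `POSTED_TREE` are my own, not OpenSSH's.

```python
import os
import stat
import sys
from collections import namedtuple

# Stand-in for os.stat_result so a fake stat() can be injected for offline checks.
FakeStat = namedtuple("FakeStat", ["st_uid", "st_mode"])


def component_paths(path):
    """Prefixes sshd checks in order: '/', '/a', '/a/b', ... down to the full path."""
    parts = [p for p in os.path.normpath(path).split("/") if p]
    return ["/"] + ["/" + "/".join(parts[: i + 1]) for i in range(len(parts))]


def check_chroot_dir(path, stat_fn=os.stat):
    """Return (ok, component, reason); the first failing component is reported.

    Mirrors sshd's rule: st_uid must be 0 and (st_mode & 022) must be 0 for
    every component, and each component must be a directory.
    """
    for comp in component_paths(path):
        st = stat_fn(comp)
        if st.st_uid != 0:
            return (False, comp, "not owned by root (uid %d)" % st.st_uid)
        if st.st_mode & 0o022:
            return (False, comp,
                    "writable by group or others (mode %04o)" % (st.st_mode & 0o7777))
        if not stat.S_ISDIR(st.st_mode):
            return (False, comp, "not a directory")
    return (True, path, "all components are root-owned and not group/world writable")


# Constructed from the listings in the post: "/" is drwxrwxr-t root admin (mode 1775),
# /webhome and /webhome/web are drwxr-xr-x root wheel (mode 755).
POSTED_TREE = {
    "/": FakeStat(0, stat.S_IFDIR | 0o1775),
    "/webhome": FakeStat(0, stat.S_IFDIR | 0o755),
    "/webhome/web": FakeStat(0, stat.S_IFDIR | 0o755),
}


def posted_tree_stat(p):
    """Fake stat() over the constructed tree above."""
    return POSTED_TREE[p]


if __name__ == "__main__":
    # Offline check of the posted tree, then a live check of a path on this host.
    print(check_chroot_dir("/webhome/web", posted_tree_stat))
    print(check_chroot_dir(sys.argv[1] if len(sys.argv) > 1 else "/"))
```

Run it with the intended ChrootDirectory as the argument to see which component sshd would reject on a real host; the offline check of the posted tree reports "/" as group-writable, which is the same component the fatal error in the post names.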
