
Re: [Jailkit-dev] jk_chrootsh wants me to be the owner


From: Olivier Sessink
Subject: Re: [Jailkit-dev] jk_chrootsh wants me to be the owner
Date: Wed, 26 Aug 2009 08:11:06 +0200
User-agent: Thunderbird 2.0.0.23 (X11/20090817)

Gregor Dschung wrote:
> Hi,
> 
> I'm experimenting with jailkit and found an unexpected behavior:
> 
> Aug 25 17:25:16 vmw140 sshd[11295]: subsystem request for sftp
> Aug 25 17:25:16 vmw140 jk_chrootsh[11296]: path
> /storage/blub/viertertest/./storage is group writable
> Aug 25 17:25:16 vmw140 jk_chrootsh[11296]: path
> /storage/blub/viertertest/./storage is not owned by user 1009
> Aug 25 17:25:16 vmw140 jk_chrootsh[11296]: path
> /storage/blub/viertertest/./storage is not owned by group 1000
> Aug 25 17:25:16 vmw140 jk_chrootsh[11296]: abort, path
> /storage/blub/viertertest/./storage is not owned by 1009
> 
> I understand that the user should have some rights to his own homedir,
> but being the owner is a bit too much.
> Up to now, I'm using the internal chrooting capabilities of openssh to
> jail my users to their homedirs. But I can use this feature for sftp
> only and I'd like to provide rsync as well, so I have to switch the
> solution.
> Jailkit works really nicely (a lot more comfortable than rssh or scponly,
> thanks for this nice tool :) ), but in my case, I have different users
> sharing the same homedir. So, I would have to set the owner for
> "/storage/blub/viertertest/./storage" to different users, which is not
> possible. OpenSSH contents itself with setting the rights with setfacl
> on the directories shared by different users (e.g. setfacl -m
> u:1009:rwx,d:u:1009:rwx /storage/blub/viertertest/storage).
> 
> So it would be nice, if jk_chrootsh would check the acl-rights and not
> only the owner/group.

I'm thinking if there is any security implication if the user does not
own his homedir. For the user there obviously is, but for the system I
can't think of anything right now. So I guess it should be possible to
skip that test indeed.

Olivier