Man Page:
ChrootDirectory
Specifies the pathname of a directory to chroot(2) to after authentication. All components of the pathname must be root-owned directories that are not writable by any other user or group. After the chroot, sshd(8) changes the working directory to the user's home directory.
Explanation:
- All components of the pathname must be root-owned
# ls -ld /home/
drwxr-xr-x. 7 root root 74 Mar 5 15:13 /home/
# ls -ld /home/user01/
drwxr-xr-x. 4 root user01 91 Mar 5 15:13 /home/user01/
- Not writable by any other user or group
# ls -ld /home/
drwxr-xr-x. 7 root root 74 Mar 5 15:13 /home/
# ls -ld /home/user01/
drwxr-xr-x. 4 root user01 91 Mar 5 15:13 /home/user01/
Please note that only "root" may have write permission; no other user or group may have it. Write permission can also be granted through an ACL, and that counts too, e.g.
# setfacl -m u:user02:w /home/user01
# getfacl /home/user01
# file: user01/
# owner: root
# group: user01
user::rwx
user:user02:-w- # This will cause the chroot to fail!
group::r-x
mask::rwx
other::r-x
Actually sshd only looks at the "group bits" reported by stat(2); it does not distinguish real group permissions from the ACL mask, which stat(2) reports in place of the group bits whenever an extended ACL is present.
# setfacl -m m::rwx user01
# getfacl user01/
# file: user01/
# owner: user01
# group: user01
user::rwx
group::r-x
mask::rwx
other::r-x
In this case only the owner, "user01", actually has write permission on /home/user01. However, sshd's home directory permission check would still fail, because the ACL mask (rwx) makes the directory appear group-writable.
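To make the point testable, here is a small Python checker (an added example, not code from the post or from OpenSSH) that applies the same two rules sshd's safely_chroot() enforces on every component of the ChrootDirectory path: the component must be owned by root, and neither group nor other may have the write bit. It takes an injectable stat function so the constructed tables below (hypothetical stat results mirroring the post's listings, including the 0775 that stat(2) reports once mask::rwx is set) can be checked offline; pass nothing to run it against the live filesystem.

```python
import os
import stat
from collections import namedtuple

def chroot_path_problems(path, stat_fn=os.stat):
    """Return [(component, reason)] for every rule sshd would reject; [] means accepted."""
    problems = []
    if not os.path.isabs(path):
        return [(path, "ChrootDirectory must be an absolute path")]
    components = [os.sep]
    for part in os.path.normpath(path).split(os.sep):
        if part:
            components.append(os.path.join(components[-1], part))
    for comp in components:
        try:
            st = stat_fn(comp)
        except OSError as exc:
            problems.append((comp, f"stat failed: {exc.strerror}"))
            break
        if not stat.S_ISDIR(st.st_mode):
            problems.append((comp, "not a directory"))
        if st.st_uid != 0:
            problems.append((comp, f"owned by uid {st.st_uid}, must be root"))
        if st.st_mode & 0o022:
            # Group or other write bit set. With an extended ACL the kernel reports
            # the mask:: entry in the group bits, so mask::rwx trips this rule too.
            problems.append((comp, f"group/other writable (mode {stat.S_IMODE(st.st_mode):04o})"))
    return problems

# Constructed sample data standing in for stat(2) results (not taken from a real host).
FakeStat = namedtuple("FakeStat", "st_mode st_uid")
GOOD = {"/": FakeStat(stat.S_IFDIR | 0o755, 0),
        "/home": FakeStat(stat.S_IFDIR | 0o755, 0),
        "/home/user01": FakeStat(stat.S_IFDIR | 0o755, 0)}
# Same tree after `setfacl -m u:user02:w /home/user01`: the mask becomes rwx and
# stat(2) shows those mask bits as the group triplet, i.e. the directory reads as 0775.
WITH_ACL = {**GOOD, "/home/user01": FakeStat(stat.S_IFDIR | 0o775, 0)}

def fake_stat(table):
    # Build a stat-like function over a constructed {path: FakeStat} table.
    def _stat(p):
        if p not in table:
            raise FileNotFoundError(2, "No such file or directory", p)
        return table[p]
    return _stat

if __name__ == "__main__":
    for name, tree in (("clean", GOOD), ("after setfacl", WITH_ACL)):
        print(name, chroot_path_problems("/home/user01", fake_stat(tree)) or "OK")
```

Running `chroot_path_problems("/home/user01")` without a fake on a real host reproduces sshd's verdict for that directory, ACL mask included.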
For more info about ACL, please refer to: