# scponly chroot

## Art Vandalay

i need to setup an ftp server of some sort and so i thought i'd go the secure way and use sftp via scponly.

the steps i followed were:

 *Quote:*   

> emerge net-misc/scponly-4.8-r4  USE="gftp logging sftp -passwd -quota -rsync -scp -subversion -unison -wildcards -winscp"

 

2. setup chroot by running 

 *Quote:*   

> emerge --config =net-misc/scponly-4.8-r4

 

3. create a dedicated user account "userx" as the chrooted user...in /etc/passwd i have:

 *Quote:*   

> ...
> 
> scponly:x:115:104:added by portage for scponly:/home/scponly//:/usr/sbin/scponlyc
> 
> userx:x:1008:104::/home/scponly//pub:/usr/sbin/scponlyc
> ...

 

4. in /etc/group i have:

 *Quote:*   

> ...
> 
> scponly:x:104:userx

 

now from another box if i run 

 *Quote:*   

> sftp userx@myserver

 

i can successfully connect and am then dumped into the appropriate home directory....ie /home/scponly/pub

but the only problem is that this user doesn't appear to be chrooted at all....ie if i issue a pwd command it shows the full path ie /home/scponly/pub

and also i can then cd / to root and browse the whole filesystem, which defeats the purpose.

anyone know why userx isn't being jailed in /home/scponly/pub ??

i also tried setting the home directory for userx to /home/scponly but that hasn't made any difference

oh and the permissions for the scponly and /scponly/pub are as follows...

 *Quote:*   

> ls -l /home/
> 
> drwxr-xr-x  7 root   root  168 Oct  8 18:26 scponly

 

 *Quote:*   

> ls -l /home/scponly/
> 
> drwxr-xr-x 2                     root    root            72 Oct  8 18:26 dev
> 
> drwxr-xr-x 2                     root    root           160 Oct  9 11:45 etc
> ...

 

there appears to be very little doco on scponly for gentoo and most forum posts on the subject are quite dated.

perhaps there is a better way out there for what i am trying to achieve? if so, then i'm all ears....thanks

----------

## Letharion

Somewhere far back I have an abandoned question quite similar to this one.

I wish I could help, but I'm just gonna bump it and hope for the best.

----------

## Art Vandalay

Letharion,

what i ended up doing was unmerge scponly and go back to openssh, as openssh > 4.9 has built in chroot functionality for sftp

i followed this guide: http://www.minstrel.org.uk/papers/sftp/builtin/

but to be able to log in to my chroot environment, i had to change the shell for my user from /bin/false to /bin/bash as with a false shell it just does not work

surprisingly my test user *seems* to be chrooted and works as expected. also be sure that the directory path down to the user's home directory is owned and writable only by root.

would have been nice to get it working with scponly, but a chrooted sftp user is all i need. but yes, updated documentation is definitely lacking in this area.

see how you go

----------
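The last post notes that every directory on the path down to the chrooted home must be owned by root and writable only by root, which is the condition OpenSSH's `ChrootDirectory` enforces at login. The script below is an added example, not part of the thread or the linked guide: it walks a path up to `/` and reports each component that breaks that rule. The function names `check_dir` and `check_chroot_path` are made up for this example, and it assumes GNU coreutils `stat`.

```shell
#!/bin/sh
# Added example (not from the thread): audit a chroot path for the
# "owned by root, writable only by root" rule.
# Assumes GNU coreutils stat (-c), as found on Gentoo.

# check_dir DIR [UID]: succeed only if DIR is owned by UID (default 0 = root)
# and has neither the group-write nor the other-write bit set.
check_dir() {
    dir=$1
    want_uid=${2:-0}
    info=$(stat -c '%u %a' "$dir") || return 2
    owner=${info% *}   # numeric owner uid
    mode=${info#* }    # octal permission bits, e.g. 755
    if [ "$owner" != "$want_uid" ]; then
        echo "FAIL $dir: owner uid $owner, expected $want_uid" >&2
        return 1
    fi
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "FAIL $dir: mode $mode is group- or other-writable" >&2
        return 1
    fi
    return 0
}

# check_chroot_path PATH [UID]: resolve symlinks, then check PATH and every
# parent directory up to /. Returns 0 only if all components pass.
check_chroot_path() {
    path=$(cd "$1" 2>/dev/null && pwd -P) || {
        echo "cannot resolve: $1" >&2
        return 2
    }
    want=${2:-0}
    rc=0
    while :; do
        check_dir "$path" "$want" || rc=1
        [ "$path" = "/" ] && break
        path=$(dirname "$path")
    done
    return $rc
}

# Run as: sh check_chroot.sh /home/scponly
if [ "$#" -gt 0 ]; then
    check_chroot_path "$@"
fi
```

The optional second argument exists only so the check can be exercised against directories owned by a non-root test account; for a real chroot leave it at the default of 0.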

