Thread with Key Informant Num.1
From Scponly wiki
Email #1
Hello,
Online I found your instructions on loading scponlyc on a cygwin box. I found these instructions at: http://www.cygwin.com/ml/cygwin/2005-02/msg00384.html
I have a question about the following text, which I quote later:
Would it be ok to set: -o Administrator -g Users?
Why should I be concerned about the permissions?
-Krystian.
"
> During the install phase the script attempted to set some file
> permissions as follows:
> ${INSTALL} -o 0 -g 0 scponly ${bindir}/scponly
> ${INSTALL} -o 0 -g 0 -m 0644 scponly.8 ${mandir}/man8/scponly.8
> ${INSTALL} -o 0 -g 0 -m 0644 debuglevel ${DEBUGFILE}
This depends on your UID setup in /etc/passwd and /etc/group.
I've had the best experiences giving UID 0 to root and GID 0 to the root group. If you don't have any user or group with those UID/GID, the install call will fail.
>
> I changed the makefile to:
> ${INSTALL} -o SYSTEM -g SYSTEM scponly ${bindir}/scponly
> ${INSTALL} -o SYSTEM -g SYSTEM -m 0644 scponly.8 ${mandir}/man8/scponly.8
> ${INSTALL} -o SYSTEM -g SYSTEM -m 0644 debuglevel ${DEBUGFILE}
> And it worked fine.
>
That should be ok. I'd prefer to have root/root as the owner, but SYSTEM should work also.
"
Email #2
Krystian
> Would it be ok to set: -o Administrator -g Users?
The permissions have to match the effective permissions of the sshd daemon process, which is SYSTEM/SYSTEM on Cygwin. If your sshd setup is different, then you need different permission settings.
> Why should I be concerned about the permissions?
Because you always should! Please use the mailing list for future communication, so others can benefit from problem solutions!
Regards,
Email #3
Hi Krystian!
First of all, sorry for answering late and thanks a lot for contributing your work.
Reading your HOWTO made me aware that I used a much older version of scponly myself at the time when I did the postings that you found. Today, I don't use scponly together with Cygwin anymore. Instead, I set up a small NAS box with Debian where I use rssh.
Reading your tutorial, I found one thing that I'd like to comment on:
> 9. Update the groups file in ./bin
> Go to the directory where scponly was compiled. Then:
> $ mv groups /home/frog/bin
First, you've two topics numbered 9, but that's not the point.
The reason that scponly brings its own groups executable is that groups is still implemented as a shell script in many Linux distributions. This would require you to have a shell in your chroot, which is not a good idea from a security point of view.
Since Cygwin already provides a *real* groups executable (groups.exe), this step should simply be unnecessary. Another thing would be that you copy an executable into the ./bin folder, but the executable does not have an .exe extension. So it should never be called.
As you see, just one minor point. You did a real good job on this.
Regards,
Email #4
> Hi Krystian!
Hi, I'm sending a final version of the tutorial out to joe, so I'm just updating a few things:
>
> First of all, sorry for answering late and thanks a lot for
> contributing your work.
>
> Reading your HOWTO made me aware that I used a much older version of
> scponly myself at the time when I did the postings that you found.
> Today, I don't use scponly together with Cygwin anymore. Instead, I
> set up a small NAS box with Debian where I use rssh.
>
> Reading your tutorial, I found one thing that I'd like to comment on:
>
>> 9. Update the groups file in ./bin
>> Go to the directory where scponly was compiled. Then:
>> $ mv groups /home/frog/bin
>
> First, you've two topics numbered 9, but that's not the point.
Done. ;)
>
> The reason that scponly brings its own groups executable is that
> groups is still implemented as a shell script in many Linux
> distributions. This would require you to have a shell in your chroot,
> which is not a good idea from a security point of view.
> Since Cygwin already provides a *real* groups executable (groups.exe),
> this step should simply be unnecessary. Another thing would be that
> you copy an executable into the ./bin folder, but the executable does
> not have an .exe extension. So it should never be called.
As I understand, and call me if I'm wrong on this, because I'm learning: the nice thing about moving our groups executable into the directory is that our groups executable is a dummy file; it provides no real information. The Cygwin one actually does provide information, and perhaps information that we deem necessary to exclude. I don't want people knowing what groups exist on my computer; in my case, "None, root, Administrators, Users, Debugger Users". This information can be used to infer, perhaps, what distribution scponly is running under. "Administrators" and "Debugger Users", I assume, are very idiosyncratic to Windows. ;)
>
> As you see, just one minor point. You did a real good job on this.
>
> Regards,
Email #5
Hi Krystian!
I think you misunderstood the role of the groups executable. Unix has a config file /etc/group that holds all groups defined in the system. This is also true for Cygwin. If you want to hide some of your groups, you may simply remove them in your chrooted version of /etc/group. You may even skip the /etc/group file from the chroot. The only effect is that you only see the numeric group ids when browsing through the files with an sftp client.
The groups executable (or /usr/bin/groups.exe in Cygwin) is a command-line tool that utilizes /etc/group to show a list of the groups in the system of which the current user is a member. Most sftp clients call the groups executable to get the member groups of the current user, instead of reading this information from /etc/group directly. Therefore, a groups executable is needed in the chroot.
Many Unix and Linux flavours have a simple shell script as groups executable. To allow execution of that shell script, you need a shell in your chroot too. Since this may be a security problem, the scponly distribution contains the source code to build a *real* groups executable, instead of using the original version of the distribution. But: Cygwin is somewhat advanced in this case; it already provides a *real* groups executable that is able to run without a shell.
So you've two options: rename the groups from the scponly distribution to groups.exe and use it as a replacement for Cygwin's groups (doesn't make too much sense to me), or use Cygwin's groups executable.
Hope this makes things more clear.
Regards,
Christian
BTW: For an educated hacker/poweruser it is quite easy to find out that your ssh server is run on a Windows box. There are much more sophisticated approaches to do so, and those are much more difficult to prevent.
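Added example, not code from the scponly project or from anyone in this thread: a minimal "real" groups executable in C of the kind Email #5 describes, parsing /etc/group-format text and listing the groups whose members field names the user, so nothing in the chroot needs /bin/sh. It assumes a constructed /etc/group sample and deliberately leaves out the user's primary group from /etc/passwd.

```c
/* Added example, not scponly's own code: a minimal "real" groups(1) in C. It
 * parses /etc/group text (name:passwd:gid:member,member) and lists the groups
 * naming a user as member, so the chroot needs no /bin/sh. Assumption: the
 * user's primary group from /etc/passwd is left out on purpose. */
#include <stdio.h>
#include <string.h>
/* Write the groups that list `user` in their members field to `out`,
 * space separated. Returns the group count, or -1 if `out` is too small. */
int groups_for_user(const char *group_text, const char *user,
                    char *out, size_t outlen)
{
    int count = 0; size_t used = 0, ulen = strlen(user);
    const char *line = group_text;
    out[0] = '\0';
    while (*line) {
        const char *eol = strchr(line, '\n');
        size_t len = eol ? (size_t)(eol - line) : strlen(line);
        const char *end = line + len, *name_end = memchr(line, ':', len);
        const char *m = NULL;                 /* members follow the last ':' */
        for (const char *p = end; p > line; p--)
            if (p[-1] == ':') { m = p; break; }
        if (name_end && m && m > name_end) {
            while (m < end) {                 /* walk comma-separated members */
                const char *comma = memchr(m, ',', (size_t)(end - m));
                size_t mlen = comma ? (size_t)(comma - m) : (size_t)(end - m);
                if (mlen == ulen && memcmp(m, user, ulen) == 0) {
                    int n = snprintf(out + used, outlen - used, "%s%.*s",
                                     count ? " " : "", (int)(name_end - line), line);
                    if (n < 0 || (size_t)n >= outlen - used) return -1;
                    used += (size_t)n;
                    count++;
                    break;
                }
                if (!comma) break;
                m = comma + 1;
            }
        }
        line = eol ? eol + 1 : end;           /* next line, or '\0' at end */
    }
    return count;
}
int main(void)
{   /* constructed sample /etc/group, not taken from any real system */
    const char *sample = "root:x:0:\nusers:x:100:frog,alice\n"
                         "sftponly:x:1001:frog\nwheel:x:10:alice\n";
    char out[128];
    int n = groups_for_user(sample, "frog", out, sizeof out);
    printf("frog: %d group(s): %s\n", n, out); /* 2: users sftponly */
    return 0;
}
```

Trimming the chrooted /etc/group, as the mail suggests, is then the only thing that decides which group names such a binary can reveal.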
