Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    There's absolutely no useful documentation on "User - System: Copy files to home directory (chrooted scp)"

    Documentation
    1
    7
    639
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • rcfaR
      rcfa
      last edited by rcfa

      In the manual section here:

      https://docs.netgate.com/pfsense/en/latest/usermanager/privileges.html#usermanager-privileges

      there is absolutely zero documentation on the privilege

      User - System: Copy files to home directory (chrooted scp)

      When looking at the Web UI "documentation" it only says:

      Warning: Manual chroot setup required, see /usr/local/etc/rc.d/scponlyc.

      If I look at the file, I get these voluminous instructions:

      # Add the following lines to /etc/rc.conf to enable scponly:
# scponlyc_enable (bool):		Set to "NO" by default.
#					Set it to "YES" to enable scponly
# scponlyc_shells (str):		Set to "/etc/shells" by default.
# scponlyc_passwd (str):		Set to "/etc/passwd" by default.

      Funnily enough, if I look at /etc/rc.conf I get this:

      # THIS FILE DOES NOTHING, DO NOT MAKE CONFIG CHANGES HERE

      Ah, great!

      So then I searched the forums, and all I could find were these two threads, both with ZERO answers:

      https://forum.netgate.com/topic/123939/privilege-user-system-copy-files-to-home-directory-chrooted-scp

      https://forum.netgate.com/topic/181276/add-user-and-enable-chroot-ssh-scp-access

      I'm trying to do something different than what's the goal of the people who started the above threads, but the lack of documentation is the same:

      https://forum.netgate.com/topic/185797/webroot-ftp-with-local-chrooted-user

      So, anyone PRETTY PLEASE!!!

      rcfaR 1 Reply Last reply Reply Quote 0
      • rcfaR rcfa referenced this topic on
      • rcfaR
        rcfa @rcfa
        last edited by rcfa

        @rcfa So, I suspect that

        # Add the following lines to /etc/rc.conf to enable scponly:

        is the first thing that's wrong.

        /etc/rc,conf seems to be an unused stub, while in reality /etc/defaults/rc.conf is being used, except for the latter starts with this warning:

        # This is rc.conf - a file full of useful variables that you can set
# to change the default startup behavior of your system.  You should
# not edit this file!  Put any overrides into one of the ${rc_conf_files}
# instead and you will be able to update these defaults later without
# spamming your local configuration information.
#
# The ${rc_conf_files} files should only contain values which override
# values set in this file.  This eases the upgrade path when defaults
# are changed and new features are added.

        which leads me to believe that what one really should do is to CREATE a new file in /usr/local/etc/rc.conf.d/ such as /usr/local/etc/rc.conf.d/scponly and add the lines

        # scponlyc_enable (bool):		Set to "NO" by default.
#					Set it to "YES" to enable scponly
# scponlyc_shells (str):		Set to "/etc/shells" by default.
# scponlyc_passwd (str):		Set to "/etc/passwd" by default.
scponlyc_enable="YES"

        to it. Does that sound right?

        Also, since /etc/shells doesn't list /usr/local/bin/scponly it would seem that it would have to be added there, otherwise it wouldn't be a valid login shell, right? (Which is another piece missing from the docs, if true!)
        That would mean, /etc/shells would look like this:

        #
# List of acceptable shells for chpass(1).
# ftpd(8) will not allow users to connect who are not using
# one of these shells.

/bin/sh
/bin/csh
/bin/tcsh
/usr/local/libexec/git-core/git-shell
/usr/local/bin/bash
/usr/local/bin/rbash
/usr/local/bin/scponly

        That's at least my current working hypothesis...

        rcfaR 1 Reply Last reply Reply Quote 0
        • rcfaR
          rcfa @rcfa
          last edited by

          @rcfa So, the rabit hole gets deeper. I get my testuser to be able to log in, just to be kicked out again...
          ...first reason: the /home/testuser folder wasn't owned by root, which for a chrooted environment seems to be a must. OK, fixed that.

          ...second reason: I now would have to set up a complete chroot environment, which is a PITA, and is even more of a PITA to back up and restore in the future....
          ...or I could simply add this to /etc/ssh/sshd_config

          Match User user
    ChrootDirectory /home/testuser
    ForceCommand internal-sftp

          but alas, I find this in /etc/ssh/sshd_config

          # This file is automatically generated at startup

          So this means, I can't put anything into that file without it getting overwritten instantly with each reboot, so that's not a solution. So it seems that the UI is missing some way to add user defined options to /etc/ssh/sshd_config

          Anyone got ideas?

          rcfaR 1 Reply Last reply Reply Quote 0
          • rcfaR
            rcfa @rcfa
            last edited by

            @rcfa So, looking at /etc/sshd I find this section:

            /* Apply package SSHDCond settings if config file exists */
if (file_exists("/etc/sshd_extra")) {
    $fdExtra = fopen("/etc/sshd_extra", 'r');
    $szExtra = fread($fdExtra, 1048576); // Read up to 1MB from extra file
    $sshconf .= $szExtra;
    fclose($fdExtra);
}

            which, if I interpret it correctly, means that the contents of a file /etc/sshd_extra is appended to /etc/ssh/sshd_config , if it exists, a thing easy enough to do, BUT...

            1. without UI this means very likely that what ever one puts into that file will not be backed up with the system configuration
            2. what's package " SSHDCond "? It doesn't improve matters, if I put things in /etc/sshd_extra but then some (what?) package potentially stomps on it...
            rcfaR 1 Reply Last reply Reply Quote 0
            • rcfaR
              rcfa @rcfa
              last edited by

              @rcfa Another issue: scponly requires that the home directory be owned by root, but of course, despite setting the user privilege to chrooted scp, it's not owned by root, but by the user. So no matter what, it seemingly has to manually changed to be owned by root...

              rcfaR 1 Reply Last reply Reply Quote 0
              • rcfaR
                rcfa @rcfa
                last edited by rcfa

                @rcfa So, I got things working, but as far as I'm concerned, it's a hack.
                It's not a hack from a BSD perspective, but from a pfSense perspective, because I'm not sure what exactly I'm overriding or what exactly might override me, when it's least expected; AND most importantly: I'm fairly sure none of these changes will get backed up.

                So here my steps:

                1. create a new user in the user manager, for my purposes I'll call the user acme as I started this whole exercise for the FTP webroot ACME certificate challenge...
                2. ensure the user isn't part of any of the special privileged groups (shouldn't be the case, but check anyway)
                3. Under "Effective Privileges" add ONLY User - System: Copy files to home directory (chrooted scp)
                4. chown root /home/acme
                5. *rm /home/acme/. **
                6. append the line /usr/local/bin/scponly to the bottom of /etc/shells
                7. create the file /etc/sshd_extra with the contents
                Match User acme
    ChrootDirectory %h
    ForceCommand internal-sftp
                1. create the file /usr/local/etc/rc.conf.d/scponly with the contents
                # scponlyc_enable (bool):		Set to "NO" by default.
#					Set it to "YES" to enable scponly
# scponlyc_shells (str):		Set to "/etc/shells" by default.
# scponlyc_passwd (str):		Set to "/etc/passwd" by default.
scponlyc_enable="YES"
                1. fix the permissions with chmod a+x /usr/local/etc/rc.conf.d/scponly
                2. reboot the system
                3. sftp acme@host.domain.tld
                4. Enjoy! (Until the initially mentioned concerns eat at your soul...)
                5. just kidding! pfSense, well meaningly, but completely sabotaging this approach, makes sure all user home folders have "the correct ownership" upon reboot, or so it seems. You reboot the machine, and even though you set /home/acme to be owned by root before, it's back to being owned by acme!
                6. So now, add a new crontab entry with time @reboot run by root and the following command:
                  /bin/sleep 300 && /bin/test -d /home/acme && /bin/test ! -O /home/acme && /usr/sbin/chown root /home/acme
                  This runs once after each reboot, with a 5 minute (300 seconds) delay, and checks if the home folder exists, isn't owned by the user running the current process (root), and if so, sets the ownership to root; this should prevent excessive writing, i.e. just periodically resetting ownership to root.
                7. Now you can enjoy! Can you?

                PS: If you don't like to interfere with the system, and let it do its user management thing, you can of course also do something else:

                1. create a new user in the user manager, for my purposes I'll call the user acme as I started this whole exercise for the FTP webroot ACME certificate challenge...
                2. ensure the user isn't part of any of the special privileged groups (shouldn't be the case, but check anyway)
                3. Under "Effective Privileges" add ONLY User - System: Copy files to home directory (chrooted scp)
                4. append the line /usr/local/bin/scponly to the bottom of /etc/shells
                5. mkdir /home/acme/sftproot
                6. chown root /home/acme/sftproot
                7. create the file /etc/sshd_extra with the contents
                Match User acme
    ChrootDirectory %h/sftproot
    ForceCommand internal-sftp
                1. create the file /usr/local/etc/rc.conf.d/scponly with the contents
                # scponlyc_enable (bool):		Set to "NO" by default.
#					Set it to "YES" to enable scponly
# scponlyc_shells (str):		Set to "/etc/shells" by default.
# scponlyc_passwd (str):		Set to "/etc/passwd" by default.
scponlyc_enable="YES"
                1. fix the permissions with chmod a+x /usr/local/etc/rc.conf.d/scponly
                2. reboot the system
                3. sftp acme@host.domain.tld
                4. Enjoy! (Until the initially mentioned concerns eat at your soul...)

                In either case you can read from the respective sftp root directories, to write anything, you'll need to create subfolders, which are then owned by acme user, and you can write/put into these directories, but not into the sftp root directory, regardless of which setup version you picked.

                1 Reply Last reply Reply Quote 0
                • rcfaR rcfa referenced this topic on
                • rcfaR rcfa referenced this topic on
                • rcfaR
                  rcfa
                  last edited by rcfa

                  I submitted a few related bug reports and enhancement requests, in case anyone is going to track this or suggest solutions:

                  https://redmine.pfsense.org/issues/15199
                  https://redmine.pfsense.org/issues/15200
                  https://redmine.pfsense.org/issues/15203
                  https://redmine.pfsense.org/issues/15209

                  1 Reply Last reply Reply Quote 0
                  • First post
                    Last post