Scponly-full broken on default Lucid install?
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
scponly (Ubuntu) | Invalid | Undecided | Unassigned | |
Bug Description
Binary package hint: scponly-full
The package scponly-full that allows chrooted scponly access appears to be broken on Lucid server.
Versions
$ lsb_release -rd
Description: Ubuntu 10.04.1 LTS
Release: 10.04
$ apt-cache policy scponly-full
scponly-full:
Installed: 4.8-4
Candidate: 4.8-4
Version table:
*** 4.8-4 0
500 http://
100 /var/lib/
Steps To Reproduce
1) Download ubuntu-
2) Install vanilla installation using VM Workstation hands off installation / manual process
3) Log in and update to latest patches (sudo aptitude update ; sudo aptitude upgrade)
4) Install scponly-full package (sudo aptitude install scponly-full)
5) Set package up:
cd /usr/share/
sudo gunzip setup_chroot.sh.gz
sudo chmod +x setup_chroot.sh
6) Create chrooted scp user:
sudo ./setup_chroot.sh
and select default options (username = "scponly", path="/
set a password
7) Attempt to scp a file into the newly created chrooted scponly user's incoming directory:
scp testfile scponly@
receive this error:
$ scp testfile scponly@
scponly@
unknown user 1001
lost connection
The above steps work as expected on Karmic with the latest patches if you build from the lucid source package:
sudo vi /etc/apt/sources
# Lucid sources for scponly-full
deb-src http://
sudo aptitude update
sudo apt-get build-dep scponly-full
sudo apt-get -b source -t lucid scponly-full
sudo aptitude purge scponly
sudo rm -rf /usr/share/
sudo dpkg -i scponly-
sudo dpkg-reconfigure -plow scponly-full
cd /usr/share/
sudo gunzip setup_chroot.sh.gz
sudo chmod +x setup_chroot.sh
sudo ./setup_chroot.sh
Supporting Detail
Repeating step 7 whilst tailing /var/log/auth.log:
Oct 29 06:56:10 ubuntu sshd[23082]: Accepted password for scponly from 192.168.0.144 port 38968 ssh2
Oct 29 06:56:10 ubuntu sshd[23082]: pam_unix(
Oct 29 06:56:10 ubuntu scponly[23098]: running: /usr/bin/scp -t /incomin (username: scponly(1001), IP/port: 192.168.0.144 38968 22)
Oct 29 06:56:10 ubuntu sshd[23097]: Received disconnect from 192.168.0.144: 11: disconnected by user
Oct 29 06:56:10 ubuntu sshd[23082]: pam_unix(
No errors logged.
8) Tried increasing debug level from 0 to 2 on the server for scponly:
sudo vi /etc/scponly/
sudo /etc/init.d/ssh restart
Extra server log output:
sudo tail -f /var/log/auth.log
Oct 29 07:06:16 ubuntu sshd[1392]: Accepted password for scponly from 192.168.0.144 port 53769 ssh2
Oct 29 07:06:16 ubuntu sshd[1392]: pam_unix(
Oct 29 07:06:16 ubuntu scponly[1408]: chrooted binary in place, will chroot()
Oct 29 07:06:16 ubuntu scponly[1408]: 3 arguments in total.
Oct 29 07:06:16 ubuntu scponly[1408]: #011arg 0 is scponlyc
Oct 29 07:06:16 ubuntu scponly[1408]: #011arg 1 is -c
Oct 29 07:06:16 ubuntu scponly[1408]: #011arg 2 is scp -t /incoming
Oct 29 07:06:16 ubuntu scponly[1408]: opened log at LOG_AUTHPRIV, opts 0x00000029
Oct 29 07:06:16 ubuntu scponly[1408]: determined USER is "scponly" from environment
Oct 29 07:06:16 ubuntu scponly[1408]: retrieved home directory of "/home/scponly" for user "scponly"
Oct 29 07:06:16 ubuntu scponly[1408]: chrooting to dir: "/home/scponly"
Oct 29 07:06:16 ubuntu scponly[1408]: chdiring to dir: "/"
Oct 29 07:06:16 ubuntu scponly[1408]: setting uid to 1001
Oct 29 07:06:16 ubuntu scponly[1408]: processing request: "scp -t /incoming"
Oct 29 07:06:16 ubuntu scponly[1408]: Using getopt processing for cmd /usr/bin/scp#012 (username: scponly(1001), IP/port: 192.168.0.144 53769 22)
Oct 29 07:06:16 ubuntu scponly[1408]: getopt processing returned 't' (username: scponly(1001), IP/port: 192.168.0.144 53769 22)
Oct 29 07:06:16 ubuntu scponly[1408]: Found "HOME" and setting it to "/home/scponly"
Oct 29 07:06:16 ubuntu scponly[1408]: Environment contains "HOME=/
Oct 29 07:06:16 ubuntu scponly[1408]: Looking for 'HOME=' in 'HOME=/
Oct 29 07:06:16 ubuntu scponly[1408]: 'HOME' env entry now reads 'HOME=/
Oct 29 07:06:16 ubuntu scponly[1408]: set non-chrooted HOME environment variable to /home/scponly (username: scponly(1001), IP/port: 192.168.0.144 53769 22)
Oct 29 07:06:16 ubuntu scponly[1408]: running: /usr/bin/scp -t /incoming (username: scponly(1001), IP/port: 192.168.0.144 53769 22)
Oct 29 07:06:16 ubuntu scponly[1408]: about to exec "/usr/bin/scp" (username: scponly(1001), IP/port: 192.168.0.144 53769 22)
Oct 29 07:06:16 ubuntu sshd[1407]: Received disconnect from 192.168.0.144: 11: disconnected by user
Oct 29 07:06:16 ubuntu sshd[1392]: pam_unix(
and client:
david@monolith:~$ scp testfile scponly@
scponly@
scponly[1408]: chrooted binary in place, will chroot()
scponly[1408]: 3 arguments in total.
scponly[1408]: arg 0 is scponlyc
scponly[1408]: arg 1 is -c
scponly[1408]: arg 2 is scp -t /incoming
scponly[1408]: opened log at LOG_AUTHPRIV, opts 0x00000029
scponly[1408]: determined USER is "scponly" from environment
scponly[1408]: retrieved home directory of "/home/scponly" for user "scponly"
scponly[1408]: chrooting to dir: "/home/scponly"
scponly[1408]: chdiring to dir: "/"
scponly[1408]: setting uid to 1001
scponly[1408]: processing request: "scp -t /incoming"
scponly[1408]: Using getopt processing for cmd /usr/bin/scp
(username: scponly(1001), IP/port: 192.168.0.144 53769 22)
scponly[1408]: getopt processing returned 't' (username: scponly(1001), IP/port: 192.168.0.144 53769 22)
scponly[1408]: Found "HOME" and setting it to "/home/scponly"
scponly[1408]: Environment contains "HOME=/
scponly[1408]: Looking for 'HOME=' in 'HOME=/
scponly[1408]: 'HOME' env entry now reads 'HOME=/
scponly[1408]: set non-chrooted HOME environment variable to /home/scponly (username: scponly(1001), IP/port: 192.168.0.144 53769 22)
scponly[1408]: running: /usr/bin/scp -t /incoming (username: scponly(1001), IP/port: 192.168.0.144 53769 22)
scponly[1408]: about to exec "/usr/bin/scp" (username: scponly(1001), IP/port: 192.168.0.144 53769 22)
unknown user 1001
lost connection
So apparently no obviously useful extra information there.
The only potentially relevant existing information I could find on the net -> http://
it:
/home/scponly/etc$ ls -l
total 8
-rw-r--r-- 1 root root 639 2010-10-29 06:31 group
-rw-r--r-- 1 root root 54 2010-10-29 06:31 passwd
/home/scponly/etc$ more passwd
scponly:
And the user also exists in the Ubuntu host's master password file:
$ grep 1001 /etc/passwd
scponly:
$ grep 1001 /etc/group
scponly:x:1001:
and http://
Unless I'm doing something wrong, this seems to be a clearly reproducible bug that renders the scponly-full package unusable in the vanilla configuration on Lucid.
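The condition in this report, a jail whose etc/passwd lists uid 1001 while scp still prints "unknown user 1001", can be checked for directly. The following is an added example, not part of the bug report or of scponly: a shell function (the name check_chroot_nss is hypothetical) that audits a jail for the passwd entry and for the libnss_files library that glibc loads at lookup time, assuming the NSS "files" backend and libraries under lib or lib64 of the jail.

```shell
#!/bin/sh
# Added example, not from the bug report or scponly. Assumes the NSS "files"
# backend and libraries under <jail>/lib or <jail>/lib64.

# check_chroot_nss JAIL UID: prints findings, returns 0 only if all checks pass.
check_chroot_nss() {
    jail=$1; uid=$2; rc=0

    # 1. The jail's own passwd must map the uid; the host's /etc/passwd is
    #    out of reach once the process has called chroot().
    if [ -r "$jail/etc/passwd" ] &&
       awk -F: -v u="$uid" '$3 == u { f = 1 } END { exit !f }' "$jail/etc/passwd"
    then echo "ok: uid $uid listed in $jail/etc/passwd"
    else echo "MISSING: uid $uid in $jail/etc/passwd"; rc=1
    fi

    # 2. glibc loads libnss_files with dlopen() at lookup time, so ldd on scp
    #    does not list it and it is easy to leave out of the jail.
    nss=""
    for dir in "$jail/lib" "$jail/lib64"; do
        if [ -d "$dir" ]; then
            nss=$(find -H "$dir" -name 'libnss_files*' 2>/dev/null | head -n 1)
        fi
        if [ -n "$nss" ]; then break; fi
    done
    if [ -n "$nss" ]
    then echo "ok: NSS files backend at $nss"
    else echo "MISSING: libnss_files* under $jail/lib or $jail/lib64"; rc=1
    fi

    # 3. Flag group- or world-writable copies (symlinks followed): whoever can
    #    write them controls how identities resolve inside the jail.
    for f in "$jail/etc/passwd" "$nss"; do
        if [ -e "$f" ] && [ -n "$(find -L "$f" \( -perm -020 -o -perm -002 \))" ]; then
            echo "UNSAFE: $f is group/world-writable"; rc=1
        fi
    done
    return "$rc"
}

# Usage: sh check_chroot_nss.sh /home/scponly 1001
if [ "$#" -eq 2 ]; then check_chroot_nss "$1" "$2"; fi
```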
Changed in scponly (Ubuntu):
status: New → Confirmed
Potential fix that works for me:
david@ubuntu:/usr/share/doc/scponly-full/setup_chroot$ diff setup_chroot.sh setup_chroot.sh.orig
98,102d97
< /bin/ls /lib/libnss_files* > /dev/null 2>&1
< if [ $? -eq 0 ]; then
< LIB_LIST="$LIB_LIST /lib/libnss_files*"
< fi
<
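Review bot: The existence test on the first added line hardcodes /lib, so when libnss_files lives in another library directory the if is skipped silently and the jail is built without it, which would reproduce the "unknown user 1001" failure with no hint at setup time; add an else branch that prints a warning, or probe the other library directories as well. The glob is also stored unexpanded in LIB_LIST, which only works if the code that consumes LIB_LIST (not visible here) expands it unquoted. The ls-then-`$?` pair can be folded into `if /bin/ls /lib/libnss_files* > /dev/null 2>&1; then`, and a one-line comment saying the library is needed for uid lookups inside the chroot would help the next maintainer.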