FreeBSD 11.1: chroot users / provide pre-built binaries

Polytropon freebsd at
Thu Jun 28 05:05:26 UTC 2018

On Mon, 25 Jun 2018 19:45:02 +0200, Philipp Vlassakakis wrote:
> Scenario: I have a fileserver with several hundreds local users.
> Each user should be locked into his $HOME (so they can’t cd into
> any other user-directory, /root etc.), but can login via SSH,SFTP
> and upload files. 

This is commonly accomplished by setting the user directories
permissions to rwx/---/---. When group and others don't have
the x attribute (executable) on _directories_ they cannot be
changed into. For /root, this should be standard.

The typical permissions for new user directories are rwx/r-x/r-x
which allows changing into other people's directories and reading
them, which is what you want to prevent.

But you're saying "fileserver" and "login via SSH". On a
fileserver, you typically don't provide interactive logins.
Is this intended?

> Via ZFS exec,devices,setuid is set to „off", so they can't
> execute any self-uploaded binaries, except binaries, which
> are provided by me. (cp, mv, rm, rmdir, sh, touch, chgrp,
> groups, pwd etc.).

This can be done both with ZFS (easier due to datasets) or
regular mountpoints (requires /home to be a separate partition
that can get the -o noexec mount option). But sh (and whatever
you have set as $SHELL for the user) is a problem.

> The binaries are included via $PATH.

Make sure the users cannot change $PATH. This is tricky as
it is a variable that "advanced" users can add ~/bin or . to.
They can then execute a previously uploaded binary without
problems (even without the "advanced technique" of "./<name>").
For scripts, being able to execute them (after setting +x)
is not even needed - "sh <name>" is suffient and doesn't
require any execution permission.

> On the one hand I want to save space, so that the binairies
> don't have to be in every $HOME, 
> on the other hand the work is reduced if a binary needs to be
> updated.

If you want a set of "whitelisted binaries", i. e., a fixed
and defined set of binaries a user can call interactively,
you'll still be facing the problem mentioned above: The shell.
If you allow interactive logins, it's more or less GAME OVER
as the shell sadly has too much power. Sure, creating a
directory like /secbin (secure binaries), making copies of
the binaries you explicitely want to allow, and only have
PATH=/secbin could be a starting point, but as mentioned
above, this won't work.

The easiest way to prevent execution of any (!) programs is
to disallow interactive access. Tools like scp and sftp will
still work, but ssh won't. Setting $SHELL to /sbin/nologin
or /does/not/exist in /etc/passwd for those users will
prevent the use of ssh (without completely deactivating it
for the whole system), and still allow scp uploads.

But changing $PATH isn't sufficient. If the user has access
to /bin, /usr/bin or /usr/local/bin, he can manually call
binaries from there (via full path). This is where chroot
can help.

> Is there any simple way to lock users into their Home-Directory
> without editing sshd_config every time?

No _simple_ way I know of...

Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...

More information about the freebsd-questions mailing list