From: Jim Long
To: freebsd-gnats-submit@FreeBSD.org
Date: Tue, 16 Jan 2007 18:38:32 GMT
Message-Id: <200701161838.l0GIcW07044519@www.freebsd.org>
Subject: ports/108009: scponlyc sftp support doesn't work without minimal devfs in chroot dir
List-Id: Ports bug reports <freebsd-ports-bugs@freebsd.org>

>Number:         108009
>Category:       ports
>Synopsis:       scponlyc sftp support doesn't work without minimal devfs in chroot dir
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Jan 16 18:40:25 GMT 2007
>Closed-Date:
>Last-Modified:
>Originator:     Jim Long
>Release:        6.2-PRERELEASE
>Organization:   UmpquaNet.com
>Environment:
FreeBSD t30.museum.rain.com 6.2-STABLE FreeBSD 6.2-STABLE #0: Mon Jan 15 10:32:09 PST 2007 root@t30.museum.rain.com:/usr/obj/usr/src/sys/T30 i386
>Description:
I'm finding that recently-created scponlyc chroots do not provide a
sufficient environment for /usr/libexec/sftp-server to run. The sftp
client symptom is just:

$ sftp user@www
Connecting to www...
Password:
Connection closed
$

The cause appears to be that recent versions of /usr/libexec/sftp-server
will complain about lack of access to /dev/null and exit, resulting in
the closed connection witnessed by the remote client.

The solution appears to be to create a devfs in the scponlyc chroot.
To automatically create at boot time a devfs in the home directory of
each user of scponlyc, I have chosen to put a script in
/usr/local/etc/rc.d.

/usr/local/etc/rc.d/scponlyc.sh:

#!/bin/sh
#
# Script to create devfs filesystems at boot time for scponlyc
# chroot'ed users.  We read ${ETCSHELLS} to determine where scponlyc
# is installed, then iterate through each user in ${ETCPASSWD} whose
# shell is set to scponlyc and create a minimal devfs under ~/dev.
#
# The devfs rulesets applied below (1 = devfsrules_hide_all,
# 2 = devfsrules_unhide_basic) are the stock ones from
# /etc/defaults/devfs.rules.  They are loaded by /etc/rc.d/devfs, so
# this script must run after it, which is the case for scripts in
# /usr/local/etc/rc.d at boot time.

ETCSHELLS="${ETCSHELLS:-/etc/shells}"
ETCPASSWD="${ETCPASSWD:-/etc/passwd}"

make_devfs() {
	# $1 is the home directory (taken straight from the passwd
	# entry, so no eval/tilde expansion of the user name is needed)
	# in which a minimal devfs is created.  If ~/dev exists, it
	# will be deleted.
	case "$1" in
	""|/)
		echo "refusing to create devfs under '$1'" >&2
		return 1
		;;
	esac
	DEV="$1/dev"
	# unmount any stacked devfs instances left over from earlier runs
	while /sbin/umount "${DEV}" 2>/dev/null; do :; done
	rm -rf "${DEV}"
	mkdir -p "${DEV}"
	if /sbin/mount_devfs devfs "${DEV}"; then
		# hide every node, then unhide only the basic ones (null,
		# zero, random, ...).  If either ruleset fails, unmount
		# rather than leave a full devfs exposed inside the chroot.
		/sbin/devfs -m "${DEV}" rule -s 1 applyset && \
		/sbin/devfs -m "${DEV}" rule -s 2 applyset || \
		/sbin/umount "${DEV}" 2>/dev/null
	fi
}

scponlyc_startup() {
	# $1 is the path to the /etc/passwd file.  Print the home
	# directory (field 6) of every entry whose shell (field 7) is
	# scponlyc, skipping comment lines.
	/usr/bin/awk -F: -v shell="${SCPONLYC}" \
	    '$1 !~ /^#/ && $7 == shell { print $6 }' "$1" |
	while IFS= read -r HOMEDIR; do
		make_devfs "${HOMEDIR}"
	done
}

SCPONLYC=`/usr/bin/grep "/scponlyc$" ${ETCSHELLS} 2>/dev/null | /usr/bin/tail -1`
if [ "x${SCPONLYC}" = "x" ]; then
	echo "scponlyc is not defined in ${ETCSHELLS}" >&2
	exit 1
fi

case "$1" in
start)
	scponlyc_startup "${ETCPASSWD}"
	echo -n ' scponlyc'
	;;
*)
	echo "Usage: `basename $0` start" >&2
	;;
esac
exit 0

>How-To-Repeat:
Install shells/scponly with WITH_SCPONLY_CHROOT.

Run "cd /usr/local/share/examples/scponly/ && ./setup_chroot.sh" to
create an scponlyc user "test-user" and chroot homedir.

# sftp test-user@localhost
Connecting to localhost...
Password:
Connection closed
>Fix:
Install above script in /usr/local/etc/rc.d/scponlyc.sh.

Run "/usr/local/etc/rc.d/scponlyc.sh start"

# sftp test-user@localhost
Connecting to localhost...
Password:
sftp> ls
bin     dev     etc     incoming        lib     libexec usr
sftp> quit
>Release-Note:
>Audit-Trail:
>Unformatted:
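The rc.d script above mounts a devfs in each scponlyc chroot and relies on devfs rulesets 1 and 2 to hide everything except the basic nodes. The check below, added here as an example and not part of the PR or the scponly port, audits a chroot's dev directory after the fact: it flags any node that is exposed beyond an allowlist and reports a missing null, which is the node sftp-server needs according to the report. The allowlist is an assumption based on what the stock devfsrules_unhide_basic ruleset exposes on FreeBSD 6.x (null, zero, crypto, random, urandom); adjust it if the local /etc/devfs.rules differs.

```sh
#!/bin/sh
# audit_chroot_dev.sh: verify that a chroot's /dev exposes only the
# basic devfs nodes.  Example code written for this page, not from the
# scponly port.  The allowlist is an assumption (stock ruleset 2 on
# FreeBSD 6.x); override it with BASIC_NODES in the environment.
BASIC_NODES="${BASIC_NODES:-null zero crypto random urandom}"

# audit_chroot_dev DIR
#   DIR is the dev directory inside a chroot (e.g. ~test-user/dev).
#   Prints one line per node that is not in the allowlist and one
#   line if null is absent.  Returns 0 when DIR holds only allowed
#   nodes and null is present, 1 otherwise.
audit_chroot_dev() {
	dir=$1
	rc=0
	if [ ! -d "$dir" ]; then
		echo "no such directory: $dir" >&2
		return 1
	fi
	# iterate over visible and dot entries; an unmatched glob is
	# left as a literal pattern, so skip names that do not exist
	for entry in "$dir"/* "$dir"/.[!.]*; do
		[ -e "$entry" ] || [ -L "$entry" ] || continue
		name=${entry##*/}
		allowed=0
		for ok in $BASIC_NODES; do
			[ "$name" = "$ok" ] && allowed=1
		done
		if [ "$allowed" -eq 0 ]; then
			echo "unexpected node exposed in $dir: $name"
			rc=1
		fi
	done
	if [ ! -e "$dir/null" ]; then
		echo "missing: $dir/null (sftp-server will exit)"
		rc=1
	fi
	return $rc
}

# Usage: audit_chroot_dev.sh /home/test-user/dev [...]
# Exit status is nonzero if any directory fails the audit.
status=0
for d in "$@"; do
	audit_chroot_dev "$d" || status=1
done
[ "$#" -eq 0 ] || exit $status
```

Run it against every scponlyc home directory after the rc.d script has started; a non-empty report means the rulesets were not applied (for example because /etc/rc.d/devfs had not yet loaded them) and the chroot sees the host's full device tree.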