#1 - 12-16-2010 - Just Joined! (Join Date: Dec 2010, Posts: 1)
SFTP and Samba conundrum
I have a rather frustrating problem and was hoping someone here might be able to help me out or point me in the right direction.
My primary goal is a secure way to only transfer files which authenticates against Active Directory and leaves users completely blind to one another. My secondary goal is that this not affect other services on the box so that it can continue to be remotely administered and other services installed should the need arise.
Currently what I have in place is the following:
Dell PowerEdge 2850
Running VMware ESXi 4.1
Fedora 14 VM (minimal install w/X, fully updated)
SELinux temporarily set to enforce 0
Winbind authentication
smb.conf configured to use template shell = /sbin/nologin
sshd configured to use PAM and internal-sftp
Chroot jail configured in sshd_config at /chroot
--Match user root to have ChrootDirectory set to /
oddjobd in place for mkhomedir
--Edit oddjobd-mkhomedir.conf to use "-u 0066" rather than "-u 0002"
ln -s /chroot/home/DOMAIN /home/DOMAIN
touch /.autorelabel; reboot
The current result of which is that domain users can log in just fine using sftp/scp, are denied access through ssh, have home directories created at /chroot/home/DOMAIN/username, and appear as though they are logged in at /home/DOMAIN/username, preventing exploration of anything outside of the jail.
However, with SELinux set to enforce 0, users can still see one another's home directories, but with it set to enforce 1, new users cannot see their own directories. And while I would prefer SELinux to be enforcing, this system will be replacing a 2003 IIS FTP server, so the step forward in securing traffic is going to be significant either way.
I have also explored restricting permissions to the /chroot/home/DOMAIN directory to 700 rather than 755, but that also prevents users from seeing their /chroot/home/DOMAIN/username directories.
Edit: chmod 711 /chroot/home/DOMAIN allows for the access and blindness I require, but again only with SELinux not enforcing. So now I'm mainly looking for anyone who can point me in the right direction for getting that behaving a bit better.
So currently, that's where I'm stuck -- between users not being blind to one another and users being blind to themselves. Any and all help will be appreciated.
Edit: No longer stuck here, now stuck between SELinux being disabled and being unable to access home directories through the SFTP server.
And yes, further security hardening will occur once this is complete (such as denying root login through ssh, etc), but for now functionality is prized over security.
Thanks,
Andrew

Last edited by xmagusx; 12-16-2010 at 06:21 PM. Reason: Update with chmod effectiveness
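The layout the post arrives at (parent directory at 711 so users can traverse it but not list it, and an mkhomedir umask of 0066 so new homes are created 711 with files 600) is a discretionary-access-control property that is easy to regress when someone later runs a stray chmod. The following shell script is an added example, not code from the original post: it shows why `-u 0066` yields 711 directories and audits a home tree for the "blind to one another" layout. It assumes GNU `stat -c %a`; the constructed directory tree under `mktemp -d` and the user names `alice` and `bob` are placeholders. It checks POSIX permission bits only, not SELinux labels, so it says nothing about the enforce-1 problem described in the post.

```shell
#!/bin/sh
# Added example (not from the original post). Audits a chrooted SFTP home tree
# for the "traverse but do not list" layout:
#   PARENT         mode 711  - anyone may cd through, only the owner may ls
#   PARENT/user    no group/other read bit - other users cannot list it
# Assumes GNU stat(1). Paths and user names below are constructed placeholders.

# dir_mode_for_umask UMASK -> octal mode a new directory gets under that umask
# (0777 & ~umask). Explains why "-u 0066" in oddjobd-mkhomedir.conf yields 711.
dir_mode_for_umask() {
    printf '%o' $(( 0777 & ~0$1 ))
}

# mode_of PATH -> octal permission bits as printed by GNU stat, e.g. 711 or 2711
mode_of() {
    stat -c '%a' "$1"
}

# group_or_other_readable MODE -> true (0) if the group or other read bit is set
group_or_other_readable() {
    m=$1
    o=${m#"${m%?}"}            # last digit: other
    rest=${m%?}
    g=${rest#"${rest%?}"}      # second-to-last digit: group
    [ $(( (g & 4) != 0 || (o & 4) != 0 )) -eq 1 ]
}

# audit_home_tree PARENT -> 0 if the tree is "blind", 1 otherwise; prints findings
audit_home_tree() {
    parent=$1
    rc=0
    pm=$(mode_of "$parent")
    # The parent must be exactly 711: search for everyone, list for owner only.
    if [ "$pm" != "711" ]; then
        echo "FAIL: $parent is $pm, expected 711"
        rc=1
    fi
    for home in "$parent"/*/; do
        [ -d "$home" ] || continue
        hm=$(mode_of "$home")
        # A home that group or other can read lets users enumerate each other's files.
        if group_or_other_readable "$hm"; then
            echo "FAIL: $home is $hm, group/other can list it"
            rc=1
        fi
    done
    [ "$rc" -eq 0 ] && echo "OK: $parent is blind"
    return "$rc"
}

# demo -> "<leaky> <blind>": audit results (1 = fail, 0 = pass) for a constructed
# tree first at the defaults (755 everywhere) and then at the hardened layout.
demo() {
    t=$(mktemp -d)
    mkdir -p "$t/DOMAIN/alice" "$t/DOMAIN/bob"
    chmod 755 "$t/DOMAIN" "$t/DOMAIN/alice" "$t/DOMAIN/bob"
    if audit_home_tree "$t/DOMAIN" >/dev/null; then leaky=0; else leaky=1; fi
    chmod 711 "$t/DOMAIN"
    chmod "$(dir_mode_for_umask 0066)" "$t/DOMAIN/alice" "$t/DOMAIN/bob"
    if audit_home_tree "$t/DOMAIN" >/dev/null; then blind=0; else blind=1; fi
    rm -rf "$t"
    echo "$leaky $blind"
}

# Run against the real tree with: audit_home_tree /chroot/home/DOMAIN
```

Run `audit_home_tree /chroot/home/DOMAIN` after each change to the tree (or from cron) to catch a regression to 755 before users notice each other. Note that a 711 home still lets another user reach a file inside it by guessing its exact name, which is why the umask also has to strip read from files (0066 gives files 600); the audit above only covers directories.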