Found a bug using sftp

coaster · May 29, 2016, 1:19pm

first thanks for an excellant script it works great

i have found one little problem when using sftp as a user it gives access to the whole drive if you use port 4747 sftp you cant write to this but you can see everything that is on the drive

in ssh this is not possible as the user is locked into his directory but in sftp it isnt

any ideas how i can stop this

thanks guys

JMSolo · May 29, 2016, 2:00pm

The best way to handle this for now is to turn off the sftp option within lshell.

You can do this by way of /etc/lshell.conf. Change the line sftp : 1 to sftp : 0. Connections on port 5757 for FTP access are handled by TLS.

That is an unfortunate limitation with LShell. It creates a shelled bash environment but fails to do so with SFTP. I am actually looking into using jailkit rather than LShell… this way users have a true jailed shell and not a limited shell with a python ssh environment.

coaster · May 29, 2016, 2:12pm

thankyou for the quick reply JMSolo

i have just checked /etc/lshell.conf and it is set to sftp : 0 must be by default

ime blind with lshell never used it at all

JMSolo · May 29, 2016, 2:14pm

What version of QuickBox are you using?

coaster · May 29, 2016, 2:15pm

2.2.1 is the version installed

JMSolo · May 29, 2016, 2:33pm

Hmm, I wonder if for some reason the user didn’t get added to the proper shell.

Could you open the /etc/passwd file and see if the user has something like this:

_username_:x:1002:1002::/home/_username_:/bin/bash

If so, it will need to be changed to this:

_username_:x:1002:1002::/home/_username_:/usr/bin/lshell

No reboot needed, now try to connect with the user to SFTP.

coaster · May 29, 2016, 2:36pm

this is strange as there are no users in there

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nolog$
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
libuuid:x:100:101::/var/lib/libuuid:

i have added 2 users andrew and test

JMSolo · May 29, 2016, 2:38pm

What is your distro and release? That is unlike any behavior I have ever seen.

Could you provide me with your /root/.bashrc file. Rename it to bashrc.log and upload it here. There is nothing sensitive in the file… just some standard system commands. Something certainly isn’t adding up here.

If you are able to connect to the user and they have a connection to RTorrent, they should have an entry in that file. Do you see them by chance in /etc/htpasswd?

Try this also:

sudo -u test chsh -s /usr/bin/lshell

The password is prompting for that users password. Let me know if it returns some sort of error.

coaster · May 29, 2016, 3:11pm

hi

yes thay are in there

andrew:rutorrent:35f932527b910551b858190b7238a556
test:rutorrent:51841dc8eec8682e5222b954ec8940cf

.bashrc.log (16.0 KB)

[root@sd-78876]:(1.5Mb)~# sudo -u test chsh -s /usr/bin/lshell
Password:
chsh: PAM: Authentication failure

coaster · May 29, 2016, 3:13pm

there is nothing sensitive ias i will be reinstalling the server once i have this working ok with a fresh install i am using ubuntu 14.04 at onepanel.op

JMSolo · May 29, 2016, 3:30pm

What FTP client are you currently connecting with?

Also, your .bashrc looks good.

Could you try this out real quick… just copy it exactly

useradd -m -k /etc/skel/ qbtester -s /usr/bin/lshell
passwd qbtester

For the password, just place password or something simple.

Now check the /etc/passwd file to see if the user is there.
Then check the /home directory for the user qbtester .

coaster · May 29, 2016, 3:34pm

sorry for taking up your time here

the user has been created in the home directory and in the passwd file

JMSolo · May 29, 2016, 3:37pm

No worries… I tend to have time.

What happens now if you were to attempt connecting to that user via FTP and SFTP?

coaster · May 29, 2016, 3:39pm

i cant connect using sftp 4747 but i can connect using ftp 5757 yay thanks my friend

JMSolo · May 29, 2016, 3:45pm

Wonderful… and now since those two users are missing from the passwd file… you can do this to add them there manually. I will run some test against this on 14.04 later today (in all honesty it’s been neglected in the dawn of 16.04).

id -u test

That should output the UID of that user… do the same for your other user that is not in there.

Now that you have those UID’s… add them to the bottom of that /etc/passwd file.

_username_:x:UID:UID::/home/_username_:/usr/bin/lshell

Do that for both users, and be sure to change UID and username with the appropriate user/uid.

coaster · May 29, 2016, 3:46pm

ok thankyou very much for your help today

take care

warmest regards