Category: Linux

Technical Information Pertaining to Linux

chrooted sftp :: fatal: bad ownership or modes for chroot directory component

If you have set up sftp in chrooted mode and you are unable to log into the server:

$ sftp [email protected]

[email protected]'s password:
Connection to closed by remote host.
Couldn't read packet: Connection reset by peer

have a look at the /var/log/secure log; if you find the error below

sshd[19490]: fatal: bad ownership or modes for chroot directory component "/var/www/vhosts/"

the fix is as below:

# chmod 755 /var/www/vhosts/

# chown root:root /var/www/vhosts/

Ensure that every directory on the path from / down to /var/www/vhosts/ is owned by root and is not writable by group or by anyone else. This is one of the known limitations of chrooted sftp.


Configuring chroot(ed) sftp

OpenSSH versions since 4.8 support chrooted sftp. This has been made possible by a new SFTP subsystem statically linked into sshd. No patches are needed; only a few tweaks to the ssh configuration (/etc/ssh/sshd_config) are required. This is one step further towards removing the insecure ftp service from the server.

Steps to Configure chrooted sftp

Open the sshd config file

# vi /etc/ssh/sshd_config 

find and comment out the line

Subsystem sftp /usr/libexec/openssh/sftp-server

then add the following line after the one you just commented out

Subsystem sftp internal-sftp

With this change, sftp can be chrooted. Now let us update the config with the rules according to which chrooting will happen.

Let us create a group to start with:

# groupadd sftpuser

Towards the end of the config file /etc/ssh/sshd_config, add the configuration block below:

Match Group sftpuser
ChrootDirectory %h
X11Forwarding no
AllowTCPForwarding no
ForceCommand internal-sftp

%h means the home directory of the authenticated user, and that user must belong to the group sftpuser for chrooting to happen. You may also use %u, as in ChrootDirectory /var/www/vhosts/%u, where %u is the username of the user.

The directory to be chrooted must be owned by the root user with permissions of 700 or 755.
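An added example of provisioning one account for the Match block above (example script, not part of the original post). Because the home (%h) is the chroot and must stay root-owned and non-writable, the user gets a writable subdirectory inside it; /srv/sftp and the "upload" name are assumptions.

```shell
#!/bin/sh
# Added example: provision one account for the Match Group sftpuser block. The
# home (%h) is the chroot, so it must stay root-owned and non-writable; the user
# gets a writable subdirectory inside it instead. DRY_RUN=1 prints each command
# rather than running it. /srv/sftp and the "upload" name are assumptions.
SFTP_BASE=${SFTP_BASE:-/srv/sftp}
SFTP_GROUP=${SFTP_GROUP:-sftpuser}

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

add_sftp_user() {
    user=$1
    home="$SFTP_BASE/$user"
    run groupadd -f "$SFTP_GROUP"          # -f: no error if it already exists
    # No login shell: the account is only reachable via ForceCommand internal-sftp
    run useradd -g "$SFTP_GROUP" -d "$home" -s /sbin/nologin "$user"
    run mkdir -p "$home/upload"
    # The chroot directory itself: root-owned, 755, like every component above it
    run chown root:root "$home"
    run chmod 755 "$home"
    # The only location the user may write to
    run chown "$user:$SFTP_GROUP" "$home/upload"
    run chmod 700 "$home/upload"
}

# Stand-alone use (as root): ./add_sftp_user.sh alice
if [ "$#" -gt 0 ]; then
    add_sftp_user "$1"
fi
```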

Checking the availability of SMTPS, POPS and IMAPS.

Open a Linux shell and execute the respective command, replacing hostname with the IP address or hostname of the server whose secure mail ports you want to check.

POPS – port number 995

# openssl s_client -connect hostname:995

SMTPS – port number 465

# openssl s_client -connect hostname:465

IMAPS – port number 993

# openssl s_client -connect hostname:993



Manual PHP Compilation

The steps below are more than enough to recompile PHP on stock CentOS/Fedora machines, and they are best suited to servers without a control panel. For servers with a control panel, first take the configure command from phpinfo and then append whatever else is required.

Before proceeding, it is recommended that you have httpd-devel installed on your server.

# rpm -qa | grep httpd-devel

If the above doesn’t yield any result, ensure to install it using yum.

# yum install httpd-devel

Now let us start with the steps of PHP compilation.

# cd /usr/local/src

# tar -jxvf php-5.2.13.tar.bz2

# cd php-5.2.13

# ./configure '--prefix=/usr/local/php' '--with-apxs2=/usr/sbin/apxs' \
    '--with-png-dir=/usr' '--enable-gd-native-ttf' '--without-gdbm' '--with-gettext' \
    '--with-gmp' '--with-iconv' '--with-jpeg-dir=/usr' '--with-openssl' '--with-zlib' \
    '--enable-exif' '--enable-ftp' '--enable-magic-quotes' '--enable-sockets' \
    '--enable-wddx' '--with-kerberos' '--enable-shmop' '--enable-calendar' \
    '--with-libxml-dir=/usr' '--enable-pcntl' '--enable-mbstring=shared' \
    '--without-sqlite' '--enable-mbregex' '--with-gd' '--enable-bcmath' '--enable-dba' \
    '--with-xmlrpc' '--with-mysql=/usr/bin/' '--with-mysqli=/usr/bin/mysql_config' \
    '--enable-dom' '--with-xsl' '--enable-soap' '--with-xsl=/usr' '--enable-xmlreader' \
    '--enable-xmlwriter' '--enable-pdo' '--with-pdo-mysql=/usr' '--with-pdo-sqlite=/usr' \
    '--enable-json' '--enable-zip' '--with-pspell' '--with-mhash=/usr' '--with-tidy=/usr' \
    '--with-curl=/usr' '--with-mcrypt=/usr' '--enable-gd-native-ttf' '--with-ttf' \
    '--with-t1lib=/usr'

You may get errors about missing libraries from the above command. All of them are available via yum: install the library and its devel package, then run the configure command again. Taking a missing freetype library as an example, the steps below need to be followed.

# yum search freetype

# yum install freetype.i386 freetype-devel.i386

Once the required library is installed, run the configure command again, and repeat until every required library is installed and configure produces the scripts and files needed for the next step, the compilation.

# cat /proc/cpuinfo | grep processor | wc -l

# make -j4    [replace 4 with the processor count printed by the previous command]

# cp .libs/  /etc/httpd/modules/

# make -j4 install    [you may have to edit httpd.conf afterwards, as this command adds the php module to it again]

PHP is now compiled and running on your server, which you can confirm using

# php -v