Permission problem with the sftp server bundled with openssh on Fedora Core 9
OS: Fedora Core 9
openssh: openssh.i386 5.1p1-3.fc9
I set up a server with the bundled sftp to provide an sftp service.
The jailed user is implemented via chroot; the permissions of that directory are set to root:root as the documentation says.
Under it I then created some subdirectories where I wanted the user to be able to upload or create new folders, and set those subdirectories to user:user 755.
Then I found it was always Permission denied.
On inspection, typing at the sftp prompt
ls -al
shows the owner and group of the directory entries as the user's numeric uid and gid, rather than the owner and group names shown in a shell.
Very likely this is the reason there is no permission.
Later I also tried changing the subdirectory permissions to 777 and found that new files and directories still could not be created.
How should this be configured so that openssh's sftp permissions work correctly?
Many thanks!
《Solution》
It turned out to be a SELinux problem:
Summary:
SELinux is preventing sshd (sshd_t) "write" to ./IC (usr_t).
Detailed Description:
SELinux denied access requested by sshd. It is not expected that this access is
required by sshd and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.
Allowing Access:
Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for ./AAA,
restorecon -v './AAA'
If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.
Additional Information:
Source Context unconfined_u:system_r:sshd_t:s0-s0:c0.c1023
Target Context unconfined_u:object_r:usr_t:s0
Target Objects ./AAA [ dir ]
Source sshd
Source Path /usr/sbin/sshd
Port <Unknown>
Host Fedora-02
Source RPM Packages openssh-server-5.1p1-3.fc9
Target RPM Packages
Policy RPM selinux-policy-3.3.1-135.fc9
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name catchall_file
Host Name Fedora-02
Platform Linux Fedora-02 2.6.27.25-78.2.56.fc9.i686 #1
SMP Thu Jun 18 12:47:50 EDT 2009 i686 i686
Alert Count 13
First Seen Mon 29 Mar 2010 06:29:31 PM CST
Last Seen Mon 29 Mar 2010 08:39:51 PM CST
Local ID 409f3747-b5b4-47ed-97b9-8f6b6245089f
Line Numbers
Raw Audit Messages
node=Fedora-02 type=AVC msg=audit(1269866391.147:250): avc: denied { write } for pid=2899 comm="sshd" name="AAA" dev=sda1 ino=2367849 scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:usr_t:s0 tclass=dir
node=Fedora-02 type=SYSCALL msg=audit(1269866391.147:250): arch=40000003 syscall=5 success=no exit=-13 a0=9820b8 a1=8241 a2=1a4 a3=8241 items=0 ppid=2898 pid=2899 auid=889 uid=889 gid=888 euid=889 suid=889 fsuid=889 egid=888 sgid=888 fsgid=888 tty=(none) ses=19 comm="sshd" exe="/usr/sbin/sshd" subj=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)
But I don't know how to configure SELinux so that it allows sshd this access..
Has anyone done this before?
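As an added example that is not part of the original post: a small Python parser for audit records like the two AVC and SYSCALL lines quoted above, joining them by audit event id so that the denied permission, the source and target SELinux types, the uid and the errno can be read off as one record; the sample log below is constructed from the post's own two lines.

```python
import re
# Constructed sample input: the two audit records quoted in the post above.
SAMPLE_AUDIT_LOG = """\
node=Fedora-02 type=AVC msg=audit(1269866391.147:250): avc: denied { write } for pid=2899 comm="sshd" name="AAA" dev=sda1 ino=2367849 scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:usr_t:s0 tclass=dir
node=Fedora-02 type=SYSCALL msg=audit(1269866391.147:250): arch=40000003 syscall=5 success=no exit=-13 a0=9820b8 a1=8241 a2=1a4 a3=8241 items=0 ppid=2898 pid=2899 auid=889 uid=889 gid=888 euid=889 suid=889 fsuid=889 egid=888 sgid=888 fsgid=888 tty=(none) ses=19 comm="sshd" exe="/usr/sbin/sshd" subj=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)
"""

EVENT_RE = re.compile(r'msg=audit\((?P<event>[\d.]+:\d+)\)')   # id shared by AVC and SYSCALL lines
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}')  # the denied permission set
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')                       # key=value / key="value" tokens

def parse_record(line):
    """One audit line -> dict of its key=value fields, plus event id and denied perms (AVC only)."""
    m = EVENT_RE.search(line)
    if m is None:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    rec["event"] = m.group("event")
    avc = AVC_RE.search(line)
    if avc is not None:
        rec["perms"] = avc.group("perms").split()
    return rec

def selinux_type(context):
    """Type field of a user:role:type[:range] security context, e.g. sshd_t."""
    return context.split(":")[2]

def summarize_denials(log_text):
    """Join AVC and SYSCALL records by event id and describe each logged denial."""
    by_event = {}
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is not None:
            by_event.setdefault(rec["event"], {})[rec["type"]] = rec
    denials = []
    for event, recs in by_event.items():
        avc = recs.get("AVC")
        if avc is None:
            continue  # a SYSCALL record with no AVC partner is not a denial
        sc = recs.get("SYSCALL", {})
        denials.append({
            "event": event, "comm": avc["comm"], "tclass": avc["tclass"],
            "perms": avc["perms"], "target_name": avc.get("name"),
            "source_type": selinux_type(avc["scontext"]),  # sshd_t in the post
            "target_type": selinux_type(avc["tcontext"]),  # usr_t in the post
            "uid": int(sc["uid"]) if "uid" in sc else None,
            "errno": -int(sc["exit"]) if "exit" in sc else None,  # 13 = EACCES
            "enforced": sc.get("success") == "no",  # permissive mode logs the AVC but success=yes
        })
    return denials
```

The same parser runs over a full /var/log/audit/audit.log; an AVC whose partner SYSCALL reports success=yes was logged in permissive mode and did not actually block the operation.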