sftp chroot with openssh ERROR : fatal: bad ownership or modes for chroot directory

If you’re playing with the excellent new ChrootDirectory and internal-sftp options in recent OpenSSH releases (such as 5.1 which is in Ubuntu 8.10 Intrepid), you may have hit an error like:

fatal: bad ownership or modes for chroot directory
You may also have searched on Google for what to do about it and come away with very little useful information.

Well no more! I did the same thing and got bored of reading mailing list posts, so read the source code instead. The relevant section is in session.c:

if (stat(component, &st) != 0)
fatal(“%s: stat(\”%s\”): %s”, __func__,
component, strerror(errno));
if (st.st_uid != 0 || (st.st_mode & 022) != 0)
fatal(“bad ownership or modes for chroot ”
“directory %s\”%s\””,
cp == NULL ? “” : “component “, component);
This is quite simple really, it’s stat()ing the directory specified for “ChrootDirectory” and all its parents up to / and checking that they are:

owned by root
not group or other writable
(it also checks they are actually directories, but I’m going to assume you’re not stupid enough to try and chroot into a file )
Note my emphesis that these checks apply to the chroot directory itself and its parents and /, so if you are chrooting users into /srv/chroot/ then you need to ensure that /, /srv and /srv/chroot are owned by root and not writable by the group (even if it’s root, bizarrely) or other users.

Adopted from : http://www.tenshu.net/archives/2008/10/09/openssh-51-chrootdirectory-permissions-issue/

gdm error after while…..

ns2 ~ # /usr/bin/gdm

/usr/bin/gdm: error while loading shared libraries: libdirectfb-0.9.so.25: cannot open shared object file: No such file or directory

Revdep-rebuild should find out the problem for you, the most obvious reason whyit might not is if a previous run of revdep-rebuild did not complete and thetemporary files were still present.  Please try running “revdep-rebuild -i” toensure that the temporary files are cleaned out.  If you do this before trying to re-emerge totem-pl-parser, you can test whether it spots, it and then againwhether totem-pl-parser fixes the problem.

If after you’ve got the results the problem hasn’t been fixed, orrevdep-rebuild wasn’t correctly finding the issue, then please feel free to reopen this bug…  5:)

Squid3 on CentOS4

[root@ns99 ~]# wget http://ftp.riken.jp/Linux/fedora/releases/10/Fedora/source/SRPMS/squid-3.0.STABLE10-1.fc10.src.rpm
–02:00:53– http://ftp.riken.jp/Linux/fedora/releases/10/Fedora/source/SRPMS/squid-3.0.STABLE10-1.fc10.src.rpm
=> `squid-3.0.STABLE10-1.fc10.src.rpm’
Resolving ftp.riken.jp… 134.160.38.1
Connecting to ftp.riken.jp|134.160.38.1|:80… connected.
HTTP request sent, awaiting response… 200 OK
Length: 2,006,085 (1.9M) [application/x-wais-source]
100%[=============================>] 2,006,085 1.40M/s 02:00:54 (1.40 MB/s) –
`squid-3.0.STABLE10-1.fc10.src.rpm’ saved [2006085/2006085]
[root@ns99 ~]# rpm -ivh squid-3.0.STABLE10-1.fc10.src.rpm
warning: squid-3.0.STABLE10-1.fc10.src.rpm: V3 DSA signature: NOKEY, key ID 4ebfc273
1:squid warning: user mockbuild does not exist – using root
warning: group mockbuild does not exist – using root
warning: user mockbuild does not exist – using root
warning: group mockbuild does not exist – using root
warning: user mockbuild does not exist – using root
warning: group mockbuild does not exist – using root
warning: user mockbuild does not exist – using root
warning: group mockbuild does not exist – using root
warning: user mockbuild does not exist – using root
warning: group mockbuild does not exist – using root
warning: user mockbuild does not exist – using root
warning: group mockbuild does not exist – using root
warning: user mockbuild does not exist – using root
warning: group mockbuild does not exist – using root
warning: user mockbuild does not exist – using root
warning: group mockbuild does not exist – using root
warning: user mockbuild does not exist – using root
warning: group mockbuild does not exist – using root
warning: user mockbuild does not exist – using root
warning: group mockbuild does not exist – using root
warning: user mockbuild does not exist – using root
warning: group mockbuild does not exist – using root
warning: user mockbuild does not exist – using root
warning: group mockbuild does not exist – using root
warning: user mockbuild does not exist – using root
warning: group mockbuild does not exist – using root
########################################### [100%]
warning: user mockbuild does not exist – using root
warning: group mockbuild does not exist – using root
[root@ns99 ~]# cd /usr/src/redhat/SPECS/
[root@ns99 SPECS]# rpmbuild –bb squid.spec
error: Failed build dependencies:
linuxdoc-tools is needed by squid-3.0.STABLE10-1.i386
[root@ns99 SPECS]# yum install linuxdoc-tools
Loading "fastestmirror" plugin
Setting up Install Process
Setting up repositories
Loading mirror speeds from cached hostfile
Reading repository metadata in from local files
Excluding Packages in global exclude list
Finished
Parsing package install arguments
Resolving Dependencies
–> Populating transaction set with selected packages. Please wait.
—> Downloading header for linuxdoc-tools to pack into transaction set.
linuxdoc-tools-0.9.20-14. 100% |=========================| 27 kB 00:00
—> Package linuxdoc-tools.i386 0:0.9.20-14 set to be updated
–> Running transaction check Dependencies Resolved
=============================================================================
Package Arch Version Repository Size
=============================================================================
Installing:
linuxdoc-tools i386 0.9.20-14 base 396 k Transaction Summary
=============================================================================
Install 1 Package(s)
Update 0 Package(s)
Remove 0 Package(s)
Total download size: 396 k
Is this ok [y/N]: y
Downloading Packages:
(1/1): linuxdoc-tools-0.9 100% |=========================| 396 kB 00:00
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
Installing: linuxdoc-tools ######################### [1/1]
Installed: linuxdoc-tools.i386 0:0.9.20-14
Complete!
[root@ns99 SPECS]# rpmbuild –bb squid.spec
[root@ns99 SPECS]# rpm -Uvh /usr/src/redhat/RPMS/i386/squid-3.0.STABLE10-1.i386.rpm

Rebuild apache rpm on Centos4

Download src rpm
http://ftp.riken.jp/Linux/centos/4.7/centosplus/SRPMS/
httpd-2.0.63-2.el4s1.centos.2.src.rpm

Install src rpm
ns2 ~ # rpm -ivh httpd-2.0.63-2.el4s1.centos.2.src.rpm
ns2 ~ # cd /usr/src/redhat/SPECS
ns2 SPECS # vim httpd.spec
%define contentdir /var/www -> %define contentdir /home
ns2 SPECS # rpmbuild -bb /usr/src/redhat/SPECS/httpd.spec
error: Failed build dependencies:
xmlto >= 0.0.11 is needed by httpd-2.0.63-2.el4s1.centos.2.i386
apr-devel >= 0.9.4-20 is needed by httpd-2.0.63-2.el4s1.centos.2.i386
apr-util-devel is needed by httpd-2.0.63-2.el4s1.centos.2.i386
distcache-devel is needed by httpd-2.0.63-2.el4s1.centos.2.i386
Install missing packages
ns2 SPECS # yum install xmlto apr-devel apr-util-devel distcache-devel
ns2 SPECS # rpmbuild -bb /usr/src/redhat/SPECS/httpd.spec
ns2 SPECS # cd ../RPMS
ns2 RPMS # rpm -ivh –force httpd-2.0.63-2.el4s1.centos.2.i386.rpm
ns2 ~ # /etc/init.d/httpd restart
ns2 ~ # suexec -V

Install Proftpd on gentoo

1, add “ftp” use flag to /etc/make.conf

ns2 ~ # emerge proftpd
ns2 ~ # cd /etc/proftpd
ns2 proftpd # cp proftpd.conf.distrib proftpd.conf
ns2 proftpd # vim proftpd.conf
ServerName “ProFTPD Default Installation” -> ServerName “ftp.ns2.example.local”
#DefaultRoot ~ -> comment out
if you like to enable root login: add
RootLogin on
change Server Identification: add
ServerIndent on  ” Ftp Server at …..”
ns2 proftpd # /etc/init.d/proftpd start && rc-update add proftpd default
ns2 etc # vim ftpusers
Comment out root 

install Apache2 + php5 + mysql on gentoo

Install apache2 with php, mysql and ssl

1, Modify /etc/make.conf
add those use flag : apache2 ssl pam xml xml2 pcre session unicode php mysql innodb berkdb

ns2 ~ # emerge apache mysql php
……… when it done
ns2 ~ # /usr/bin/mysql_install_db
ns2 ~ # /etc/init.d/apache restart && rc-update add apache default