Using CZCHKCMD and SFTP_ZOS_INITIAL_DIR together

A discussion of Co:Z sftp, a port of OpenSSH sftp for z/OS
Post Reply
Jadon
Posts: 9
Joined: Fri Sep 11, 2015 6:46 pm

Using CZCHKCMD and SFTP_ZOS_INITIAL_DIR together

Post by Jadon » Wed May 16, 2018 12:30 pm

We enabled the CZCHKCMD exit to force all SFTP users to stay within their home directory. However, there are a handful of users where we have placed customized sftp-server.rc files in their /u/userid/.ssh/ so they start out in another directory because their upload/download takes place there. As an example, we added to their custom sftp-server.rc:

Code: Select all

export SFTP_ZOS_INITIAL_DIR=/HR
Per the manual on http://dovetail.com/docs/sftp/config.ht ... ver_rc_all under the 'Sample user sftp-server.rc' file it says:

"The SFTP_ZOS_INITIAL_DIR environment variable can be used to override the home directory on the server. By default this is the user's USS home directory. If the string // or /-/ is supplied, the user's MVS top level qualifier is used. Otherwise an absolute path (USS or MVS dataset space) may be supplied."

Based on this we assumed that by setting SFTP_ZOS_INITIAL_DIR it would change both the initial directory and the home directory and thus effect the behavior of the exit. However, when we look at the session logs, we see CZCHKCMD is denying that new home directory.

Code: Select all

[46.653] debug3: initial zos directory requested: /HR/           
[46.653] debug1: request 256: sent names count 1                  
[48.959] debug3: Type: SSH2_FXP_REALPATH                          
[48.959] debug3: request 256: realpath                            
[48.959] realpath "/HR/."                                   
ZosUtil[F]: -> zos_opendir(XXXXXXX, "/HR")                                                             
ZosExitInterface[T]: -> checkCommandWithFileArg(LIST  /HR)                                              
ZosExitInterface[D]: -> checkSetFiletype(SEQ)                                                                 
ZosExitInterface[D]: <- checkSetFiletype(true (no change))                                                    
CZCHKCMD[T]: -> CZCHKCMD (HOMEBOX) (userid=USER12  , cmd=LIST    , in_args=/HR)                         
CZCHKCMD[F]: dir_type=HFS , dir=/u/user12, file_type=SEQ                                                      
CZCHKCMD[T]: home_dir: /u/user12/                                                                             
CZCHKCMD[T]: dest_dir: /HR                                                                              
CZCHKCMD[D]: '/HR' not in home directory, denying                                                       
CZCHKCMD[T]: <- CZCHKCMD (HOMEBOX) (1)           
Is this working as designed? We need the ability to have all the users kept in their home directory with the exception of a few as previously mentioned.

Alternatively, has anyone successfully been able to create a chroot jail with Co:Z SFTP server functions enabled? I've only been able to successfully setup ChrootDirectory while using internal-sftp method. A guide added to the manual on how to do this with Co:Z SFTP server would be nice - including what files should be placed within the new root directory for all Co:Z functions to work for an SFTP session.

Jadon
Posts: 9
Joined: Fri Sep 11, 2015 6:46 pm

Re: Using CZCHKCMD and SFTP_ZOS_INITIAL_DIR together

Post by Jadon » Thu May 24, 2018 1:14 am

After further testing, it appears that it just changes the initial directory and not the home directory. CZCHKCMD appears to get the home directory from the OMVS segment?

Given the above - Dovetail, what would be the better approach if you don't mind answering?

1) add reqexits=CZCHKCMD to the global/etc/ssh/cozsftp_server_config file under the default: section then in the $HOME/cozsftp_server_config user file for the userids we want to exempt from home directory lockdown, we add "Noreqexits" under the default: section or "reqexits=no"?

or:

2) Automate the creation of a $HOME/cozsftp_Server_config file for every user (only give them read and execute) and make it default reqexits=CZCHKCMD. Then, for the users who we don't want to lock in a home directory, we simply edit out the reqexits=CZCHKCMD.

I'm not able to get approach #1 to work. The manual says entries in the Default: section of the global cozsftp_server_config can be overridden by the default: section in the user $HOME/cozsftp_server_config but I don't see a way to unload the exit.

It would be nice to get some conditional options surrounding what Users/Groups the exit applies to?

Post Reply