
I am setting up a new local account on a Debian buster server. The account name is "auto-upload". The entry in /etc/passwd looks like this:

auto-upload:x:1060:1060:auto-upload:/home/auto-upload:/usr/sbin/rush

As you can see I am attempting to use the "rush" restricted shell (version 1.8) with this account. The rush configuration file is

debug 1

rule default
  acct on
  limits t10r20
  umask 002
  env - USER LOGNAME HOME PATH
  fall-through

rule scp-to-debrepo
  command ^scp (-v )?-t( --)? /srv/repos/?
  set[0] /usr/bin/scp
  match[$] ! /\.\.
  transform[$] s,^/incoming/,,
  chroot /srv/repos
  chdir /srv/repos

When I attempt to scp a file to that account I see this in the server logs:

2021-12-03T12:20:25.240111-08:00 myserver rush[22679]: debug level set to 1
2021-12-03T12:20:25.240755-08:00 myserver rush[22679]: Serving request "scp -t /srv/repos/basic/incoming" for auto-upload by rule default
2021-12-03T12:20:25.240971-08:00 myserver rush[22679]: Serving request "scp -t /srv/repos/basic/incoming" for auto-upload by rule scp-to-debrepo
2021-12-03T12:20:25.254718-08:00 myserver rush[22679]: invalid uid 1060
2021-12-03T12:20:30.257645-08:00 myserver sshd[22678]: Received disconnect from 192.168.225.188 port 45518:11: disconnected by user

Why is it telling me "invalid uid 1060" and how do I fix this?

rlandster
    Does `1060` have an entry in `/etc/shadow`? Is `1060` unique in `/etc/{passwd,shadow}`? What does `/etc/nsswitch.conf` say? – waltinator Dec 03 '21 at 23:26
    Hello muru, did you manage to get rid of this error? I'm facing exactly the same problem... – VirgileD Mar 04 '22 at 12:43

1 Answer


I didn't manage to work out exactly how the "invalid uid" error is linked to the real cause of the issue, but I did identify for sure that it is caused by misconfiguration of the chroot option: the config example provided on the man page (and mentioned in your question) wouldn't work by default.

As stated on the rush man page for the chroot config option, we need to have the binaries under the chroot directory; otherwise the user simply wouldn't have access to them.

The config parameter chroot /srv/repos means that the /srv/repos directory will be treated as /, so you will need to have the scp binary at the path /srv/repos/usr/bin/scp, or it wouldn't work and will throw the invalid uid error.

rule: chroot dir

Change the root directory to that specified in dir. This directory will be used for file names beginning with ‘/’. ...

The directory dir must be properly set up to execute the commands. For example, the following rule defines execution of sftp-server in an environment chrooted to the user’s home directory:

rule sftp
  match $program ~ "^.*/sftp-server"
  set [0] = "bin/sftp-server"
  chroot "~"

For this to work, each user’s home must contain the directory bin with a copy of sftp-server in it, as well as all directories and files that are needed for executing it, in particular lib.

h1kkan
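One way to check the requirement described in the answer above, as an added example that is not part of the original post or of the rush documentation: the script lists the binary and the shared libraries that `ldd` reports for it which are absent under a chroot directory, and can copy them in. The function names are hypothetical; /srv/repos and /usr/bin/scp in the usage comment are the paths from the question.

```shell
#!/bin/sh
# Added example: audit and populate a directory used by a rush "chroot" rule.
# ROOT (e.g. /srv/repos) and BIN (e.g. /usr/bin/scp) are supplied by the caller.

# Print BIN plus every absolute library path that ldd reports for it.
chroot_needs() {
    bin=$1
    printf '%s\n' "$bin"
    # ldd lines look like "libc.so.6 => /lib/.../libc.so.6 (0x...)" or
    # "/lib64/ld-linux-x86-64.so.2 (0x...)"; keep the first absolute path.
    # A static binary (or a missing ldd) simply yields no library lines.
    ldd "$bin" 2>/dev/null |
        awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) { print $i; break } }'
}

# Print the needed paths that do not exist under ROOT.
chroot_missing() {
    root=$1; bin=$2
    chroot_needs "$bin" | sort -u | while IFS= read -r path; do
        [ -e "$root$path" ] || printf '%s\n' "$path"
    done
}

# Copy every missing path into ROOT, keeping the same absolute layout.
chroot_populate() {
    root=$1; bin=$2
    chroot_missing "$root" "$bin" | while IFS= read -r path; do
        mkdir -p "$root$(dirname "$path")"
        cp -L "$path" "$root$path"   # -L: copy the file a symlink points to
    done
}

# Usage: sh chroot-check.sh /srv/repos /usr/bin/scp   (report only, no copying)
if [ "$#" -eq 2 ]; then
    chroot_missing "$1" "$2"
fi
```

The script covers only the binary and the libraries `ldd` lists; the man page text quoted above also requires any other directories and files the command needs at run time, which still have to be identified separately.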