Chroot user to an existing folder whose parent owner isn't root


The OpenSSH sshd_config documentation is pretty clear about the requirements for the chroot directory. The restriction applies any time the ChrootDirectory directive is used:

ChrootDirectory
Specifies the pathname of a directory to chroot(2) to after authentication. All components of the pathname must be root-owned directories that are not writable by any other user or group. After the chroot, sshd(8) changes the working directory to the user's home directory.

The normal way to get what you want is to use bind mounts. Create a directory to serve as the chroot. You can put this directory anywhere, as long as it and its parent directories meet sshd's requirements. Then identify the directories which the user should have access to, and create a directory within the chroot area to represent each of these. Then use bind mounts (search for "bind" on that page) to mount each of these directories on their respective mountpoints. You'd do something like the following:

# mkdir /var/jail
# mkdir /var/jail/www
# mount -o bind /var/www /var/jail/www     # Make /var/www accessible within the jail
Author: ikerib

Updated on September 18, 2022

Comments

  • ikerib
    ikerib almost 2 years

    We have moodle installed at our company and, due to big SCORM packages + slow connection + proxy, I usually upload them with SFTP with my root user.

    Now, I want to give users a way to upload files on their own to this moodle folder; how can I do that? I can not change the destination folder ownership because it's moodle's folder...

    I followed these instructions from http://www.thegeekstuff.com/2012/03/chroot-sftp-setup/. I see that when it connects I get this error:

    fatal: bad ownership or modes for chroot directory component "/home/"
    

    I think the problem is that the folder owner (and parents) is 'moodlegureak':

    [root@localhost repository]# ls -la
    total 940
    drwxrws---  4 apache       moodlegureak   4096 abr 10  2013 .
    drwxrws--- 13 moodlegureak moodlegureak   4096 abr 28 07:18 ..
    drwxr-xr-x  3 root         moodlegureak   4096 abr  9 12:15 Archivo
    

    this is my /etc/passwd:

    ftpmoodle:x:507:507::/home/moodlegureak/moodledata/repository/Archivos:/sbin/nologin
    

    And this is my /etc/ssh/sshd_config

    Subsystem sftp internal-sftp

    Match Group sftpusers
        ChrootDirectory /home/moodlegureak/moodledata/repository/Archivos
        ForceCommand internal-sftp
        AllowTCPForwarding no
    

    I followed these steps:

    1. Create a New Group
    
    Create a group called sftpusers. Only users who belong to this group will be automatically restricted to the SFTP chroot environment on this system.
    
    # groupadd sftpusers
    2. Create Users (or Modify Existing User)
    
    Let us say you want to create a user guestuser who should be allowed only to perform SFTP in a chroot environment, and should not be allowed to perform SSH.

    The following command creates guestuser, assigns this user to the sftpusers group, makes /incoming the home directory, and sets /sbin/nologin as the shell (which will not allow the user to ssh and get shell access).
    
    # useradd -g sftpusers -d /incoming -s /sbin/nologin guestuser
    # passwd guestuser
    Verify that the user got created properly.
    
    # grep guestuser /etc/passwd
    guestuser:x:500:500::/incoming:/sbin/nologin
    If you want to modify an existing user and make him an sftp user only and put him in the chroot sftp jail, do the following:
    
    # usermod -g sftpusers -d /incoming -s /sbin/nologin john
    On a related note, if you have to transfer files from Windows to Linux, use any one of the sftp clients mentioned in this top 7 sftp client list.
    
    3. Setup sftp-server Subsystem in sshd_config
    
    You should instruct sshd to use the internal-sftp for sftp (instead of the default sftp-server).
    
    Modify the /etc/ssh/sshd_config file and comment out the following line:
    
    #Subsystem       sftp    /usr/libexec/openssh/sftp-server
    Next, add the following line to the /etc/ssh/sshd_config file
    
    Subsystem       sftp    internal-sftp
    # grep sftp /etc/ssh/sshd_config
    #Subsystem      sftp    /usr/libexec/openssh/sftp-server
    Subsystem       sftp    internal-sftp
    4. Specify Chroot Directory for a Group
    
    You want to put only certain users (i.e. users who belong to the sftpusers group) in the chroot jail environment. Add the following lines at the end of /etc/ssh/sshd_config
    
    # tail /etc/ssh/sshd_config
    Match Group sftpusers
            ChrootDirectory /sftp/%u
            ForceCommand internal-sftp
    In the above:
    
    Match Group sftpusers – This indicates that the following lines will be matched only for users who belong to group sftpusers
    ChrootDirectory /sftp/%u – This is the path that will be used for chroot after the user is authenticated. %u indicates the user. So, for john, this will be /sftp/john.
    ForceCommand internal-sftp – This forces the execution of internal-sftp and ignores any commands that are mentioned in the ~/.ssh/rc file.
    5. Create sftp Home Directory
    
    Since we’ve specified /sftp as ChrootDirectory above, create this directory (which is the equivalent of your typical /home directory).
    
    # mkdir /sftp
    Now, under /sftp, create the individual directories for the users who are part of the sftpusers group. i.e the users who will be allowed only to perform sftp and will be in chroot environment.
    
    # mkdir /sftp/guestuser
    So, /sftp/guestuser is equivalent to / for guestuser. When guestuser connects via sftp to the system and performs “cd /”, they’ll see only the content of the directories under “/sftp/guestuser” (and not the real / of the system). This is the power of the chroot.

    So, under this directory /sftp/guestuser, create any subdirectory that you’d like the user to see. For example, create an incoming directory where users can sftp their files.
    
    # mkdir /sftp/guestuser/incoming
    6. Setup Appropriate Permission
    
    For chroot to work properly, you need to make sure appropriate permissions are set properly on the directory you just created above.

    Set the ownership to the user, and the group to the sftpusers group as shown below.
    
    # chown guestuser:sftpusers /sftp/guestuser/incoming
    The permission will look like the following for the incoming directory.
    
    # ls -ld /sftp/guestuser/incoming
    drwxr-xr-x 2 guestuser sftpusers 4096 Dec 28 23:49 /sftp/guestuser/incoming
    The permission will look like the following for the /sftp/guestuser directory
    
    # ls -ld /sftp/guestuser
    drwxr-xr-x 3 root root 4096 Dec 28 23:49 /sftp/guestuser
    
    # ls -ld /sftp
    drwxr-xr-x 3 root root 4096 Dec 28 23:49 /sftp
    7. Restart sshd and Test Chroot SFTP
    
    Restart sshd:
    
    # service sshd restart
    
    • faker
      faker about 9 years
      Can you add the output of namei -l /home/moodlegureak/moodledata/repository/Archivos to your question?
    • peterh
      peterh about 9 years
      There is a trivial patch for openssh which solves your problem. If you want, I'll dig it out.
  • leonheess
    leonheess almost 4 years
    RESTART RESETS ALL MOUNTS!!
  • Kishan K
    Kishan K over 3 years
    @leonheess never heard of fstab it seems?