Chrooted SFTP user - Write permission denied even for owner


Solution 1

I think you need to enable some SELinux boolean. For more information about the SELinux booleans of a service, you can type man sftpd_selinux from your shell:

 [root@worktux ~]# getsebool -a | grep sftp
 sftpd_anon_write --> off
 sftpd_enable_homedirs --> off
 sftpd_full_access --> off
 sftpd_write_ssh_home --> off

Solution 2

The exact one that has to be enabled is:

setsebool -P ssh_chroot_rw_homedirs on

I struggled with that for two days before I found it!!
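To go from an AVC denial to the boolean that should be tried (the two answers above are the manual version of this), here is an added example in POSIX sh; it is not code from either answer. It parses the audit line the question author posted in the comments and lists the sftp/ssh-chroot booleans that are still off in a getsebool listing. Both inputs are constructed samples embedded in the script: the AVC line is copied from the comment thread, and the boolean listing copies Solution 1 with the ssh_chroot_rw_homedirs boolean from Solution 2 added, its "off" value being assumed for illustration. The sshd AVC log path and the getsebool invocation mentioned at the end are the standard CentOS 6 locations.

```sh
#!/bin/sh
# Added example, not part of the original answers: triage an SELinux AVC
# denial from a chrooted SFTP session and list the related booleans that are
# still off, so you know which setsebool to try before dropping enforcement.

# Constructed sample input. The AVC line is the one quoted in the comments;
# the getsebool listing copies Solution 1 and adds the ssh_chroot_rw_homedirs
# boolean named in Solution 2 (its value here is assumed, not captured).
SAMPLE_AVC='type=1400 audit(1392542739.494:72): avc: denied { write } for pid=11048 comm="sshd" name="css" dev=dm-0 ino=1843649 scontext=unconfined_u:system_r:chroot_user_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:usr_t:s0 tclass=dir'
SAMPLE_BOOLS='sftpd_anon_write --> off
sftpd_enable_homedirs --> off
sftpd_full_access --> off
sftpd_write_ssh_home --> off
ssh_chroot_rw_homedirs --> off'

# avc_field LINE KEY: value of KEY=value in an audit line (keys are space-separated).
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# context_type CONTEXT: the type field (user:role:TYPE:level) of an SELinux context.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_perm LINE: the permission inside "denied { ... }".
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*denied { \([^}]*\)}.*/\1/p' | tr -d ' '
}

# triage_avc LINE: print "SOURCE_TYPE TARGET_TYPE CLASS PERM" for one AVC denial.
triage_avc() {
    printf '%s %s %s %s\n' \
        "$(context_type "$(avc_field "$1" scontext)")" \
        "$(context_type "$(avc_field "$1" tcontext)")" \
        "$(avc_field "$1" tclass)" \
        "$(avc_perm "$1")"
}

# is_sftp_chroot_denial LINE: true when sshd's chroot SFTP domain
# (chroot_user_t) was refused write on a directory, the pattern in the question.
is_sftp_chroot_denial() {
    set -- $(triage_avc "$1")
    [ "$1" = chroot_user_t ] && [ "$3" = dir ] && [ "$4" = write ]
}

# booleans_off LISTING: names of the sftpd_*/ssh_chroot_* booleans that are off
# in `getsebool -a` style output.
booleans_off() {
    printf '%s\n' "$1" | awk '/^(sftpd_|ssh_chroot_)/ && $3 == "off" { print $1 }'
}

# Stand-alone run on the constructed samples. On a live CentOS 6 host replace
# them with the last sshd AVC line from /var/log/audit/audit.log and the output
# of `getsebool -a`.
if is_sftp_chroot_denial "$SAMPLE_AVC"; then
    echo "chroot_user_t denied write on a dir (target type: $(triage_avc "$SAMPLE_AVC" | cut -d' ' -f2))"
    echo "related booleans currently off:"
    booleans_off "$SAMPLE_BOOLS" | sed 's/^/  /'
fi
```

The source type chroot_user_t tells you the denial comes from the chrooted SFTP session rather than from sshd's own domain, and the target type usr_t shows the files under /usr carry a label the chroot domain may not write; that is why the DAC mode (even 777) makes no difference and why a boolean, or a relabel, is the fix rather than chmod.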

Author by chaplean
Updated on September 18, 2022

Comments

  • chaplean
    chaplean almost 2 years

    On CentOS release 6.5 (Final) I created a restricted user test1

    useradd -s /bin/false test1
    

    and configured sshd_config as follows

    Subsystem sftp internal-sftp
    
    Match User test1
        ChrootDirectory %h
        ForceCommand internal-sftp
        AllowTcpForwarding no
    

    defined the home directory for user test1

    usermod -d /usr/local/tomcat/webapps/ROOT test1
    

    then

    chown root:root /usr/local/tomcat/webapps/ROOT
    chown test1:test1 -R /usr/local/tomcat/webapps/ROOT/*
    chmod 755 -R /usr/local/tomcat/webapps/ROOT/*
    

    restarted sshd and tried to log into sftp

    # sftp test1@localhost
    Connecting to localhost...
    test1@localhost's password:
    
    sftp> ls -la
    drwxr-xr-x    9 0        0            4096 Feb 16 08:20 .
    drwxr-xr-x    9 0        0            4096 Feb 16 08:20 ..
    drwxr-sr-x    2 500      501          4096 Feb  6 10:37 META-INF
    drwxr-sr-x    6 500      501          4096 Feb 12 14:07 WEB-INF
    drwxr-sr-x    2 500      501          4096 Feb 16 08:13 css
    drwxr-xr-x    2 500      501          4096 Feb 16 08:27 home
    drwxr-sr-x    3 500      501          4096 Feb 12 14:13 images
    drwxr-sr-x    2 500      501          4096 Feb 16 00:37 js
    
    sftp> mkdir css/test
    Couldn't create directory: Permission denied
    

    I have tried almost everything but still cannot figure out why the owner of the directory does not have write permission.

    • Halfgaar
      Halfgaar over 10 years
      Did you check your logs? Chrooting poses some restrictions on the entire path the home dir is located in, and I suspect something like that is going on. Although, it appears you did make the home dir root owned, as you should. Edit: however, it's not chgrp'ed to test1 and group writable.
    • chaplean
      chaplean over 10 years
      set -l VERBOSE in config and log shows the following: Feb 16 13:25:39 IZ kernel: type=1400 audit(1392542739.494:72): avc: denied { write } for pid=11048 comm="sshd" name="css" dev=dm-0 ino=1843649 scontext=unconfined_u:system_r:chroot_user_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:usr_t:s0 tclass=dir
    • chaplean
      chaplean over 10 years
      I tried even chmod 777, still nothing
    • Halfgaar
      Halfgaar over 10 years
      What if you su --shell /bin/bash - test1 and then try to write there?
    • chaplean
      chaplean over 10 years
      The problem is that when I write something under "su test1" everything is OK, but inside sftp it is not
  • chaplean
    chaplean over 10 years
    Thank you! It was SELinux again. Typing echo 0 > /selinux/enforce temporarily solved the problem.