Chrooted SFTP user - Write permission denied even for owner
Solution 1
I think you need to enable an SELinux boolean. For more information about the SELinux booleans of a service, you can run man sftpd_selinux from your shell:
[root@worktux ~]# getsebool -a | grep sftp
sftpd_anon_write --> off
sftpd_enable_homedirs --> off
sftpd_full_access --> off
sftpd_write_ssh_home --> off
Solution 2
The exact one that has to be enabled is:
setsebool -P ssh_chroot_rw_homedirs on
I struggled with that for 2 days before I got that!!
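As an added example (not code from either answer or from anyone in the thread), the script below does the triage the two answers describe by hand: it parses an AVC denial line, checks that the source type is chroot_user_t and that the denied permission is a write-type permission on the chroot target, and prints the persistent setsebool command from Solution 2 instead of the blanket "echo 0 > /selinux/enforce" workaround from the comments. SAMPLE_AVC is the denial chaplean pasted, embedded as a constructed input so the script runs offline; the ausearch and getsebool calls are assumptions about a Red Hat-family host and are skipped when the tools are absent. Only the chroot_user_t write case is mapped to ssh_chroot_rw_homedirs, because that is the one this thread confirmed; anything else is reported as unmapped rather than guessed.

```shell
#!/usr/bin/env bash
# Added example, not code from the thread: triage an SELinux AVC denial for a
# chrooted SFTP user and print the targeted fix (the boolean Solution 2 found)
# instead of the blunt "echo 0 > /selinux/enforce" workaround.

# Constructed sample input: the denial chaplean pasted in the comments.
SAMPLE_AVC='type=1400 audit(1392542739.494:72): avc: denied { write } for pid=11048 comm="sshd" name="css" dev=dm-0 ino=1843649 scontext=unconfined_u:system_r:chroot_user_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:usr_t:s0 tclass=dir'

# avc_field FIELD LINE: value of "FIELD=..." in an AVC line (tclass, comm, ...),
# with any surrounding double quotes stripped.
avc_field() {
  printf '%s\n' "$2" | sed -n "s/.* $1=\([^ ]*\).*/\1/p" | tr -d '"'
}

# avc_type FIELD LINE: the type component (third field) of a security context,
# e.g. unconfined_u:system_r:chroot_user_t:s0-s0:c0.c1023 -> chroot_user_t
avc_type() {
  avc_field "$1" "$2" | cut -d: -f3
}

# avc_perms LINE: the permissions listed inside "denied { ... }", space separated.
avc_perms() {
  printf '%s\n' "$1" | sed -n 's/.*denied { \(.*\) } for.*/\1/p'
}

# suggest_fix LINE: map the denial to a remediation command.
# Only the chroot_user_t write case is mapped, because that is the case the
# thread confirmed; everything else is reported, not guessed.
suggest_fix() {
  local line=$1 src tgt perms cls
  src=$(avc_type scontext "$line")
  tgt=$(avc_type tcontext "$line")
  perms=$(avc_perms "$line")
  cls=$(avc_field tclass "$line")
  if [ "$src" != chroot_user_t ]; then
    printf 'not a chrooted sftp denial (source type %s)\n' "$src"
    return 1
  fi
  case " $perms " in
    *" write "*|*" add_name "*|*" create "*|*" remove_name "*|*" setattr "*)
      # -P makes the boolean persistent across reboots; without it the change
      # is lost at the next boot.
      printf 'setsebool -P ssh_chroot_rw_homedirs on\n' ;;
    *)
      printf 'unmapped: { %s } on %s labelled %s; see man sftpd_selinux\n' \
        "$perms" "$cls" "$tgt"
      return 1 ;;
  esac
}

# live_triage: on a real host (assumed Red Hat family with audit tools), pull
# today's chroot_user_t denials from the audit log, suggest a fix for each, and
# show the current state of the relevant booleans. Skipped when ausearch is
# missing so the script also runs offline.
live_triage() {
  if ! command -v ausearch >/dev/null 2>&1; then
    echo "ausearch not available; skipping live check"
    return 0
  fi
  ausearch -m avc -ts today 2>/dev/null \
    | grep 'scontext=[^ ]*chroot_user_t' \
    | while IFS= read -r avc; do suggest_fix "$avc" || true; done
  getsebool ssh_chroot_rw_homedirs sftpd_full_access 2>/dev/null || true
}

echo "sample denial -> $(suggest_fix "$SAMPLE_AVC")"
live_triage
```

Run it as root on the affected host. The point of preferring the boolean over "echo 0 > /selinux/enforce" is scope: the boolean grants chroot_user_t exactly the write access this use case needs and, with -P, is stored in the persistent policy, while flipping /selinux/enforce to 0 puts the whole system into permissive mode until the next reboot and removes SELinux protection from every other confined service at the same time.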
Author: chaplean
Updated on September 18, 2022

Comments
chaplean (almost 2 years ago):
On CentOS release 6.5 (Final) I created a restricted user test1

    useradd -s /bin/false test1

and configured sshd_config as follows:

    Subsystem sftp internal-sftp
    Match User test1
        ChrootDirectory %h
        ForceCommand internal-sftp
        AllowTcpForwarding no

defined the home directory for user test1

    usermod -d /usr/local/tomcat/webapps/ROOT test1

then

    chown root:root /usr/local/tomcat/webapps/ROOT
    chown test1:test1 -R /usr/local/tomcat/webapps/ROOT/*
    chmod 755 -R /usr/local/tomcat/webapps/ROOT/*

restarted sshd and tried to log into sftp:

    # sftp test1@localhost
    Connecting to localhost...
    test1@localhost's password:
    sftp> ls -la
    drwxr-xr-x    9 0        0            4096 Feb 16 08:20 .
    drwxr-xr-x    9 0        0            4096 Feb 16 08:20 ..
    drwxr-sr-x    2 500      501          4096 Feb  6 10:37 META-INF
    drwxr-sr-x    6 500      501          4096 Feb 12 14:07 WEB-INF
    drwxr-sr-x    2 500      501          4096 Feb 16 08:13 css
    drwxr-xr-x    2 500      501          4096 Feb 16 08:27 home
    drwxr-sr-x    3 500      501          4096 Feb 12 14:13 images
    drwxr-sr-x    2 500      501          4096 Feb 16 00:37 js
    sftp> mkdir css/test
    Couldn't create directory: Permission denied

I have tried almost everything but still cannot figure out why the owner of the directory does not have write permission.
Halfgaar (over 10 years ago):
Did you check your logs? Chrooting poses some restrictions on the entire path the home dir is located in, and I suspect something like that is going on. Although, it appears you did make the home dir root owned, as you should. Edit: however, it's not chgrp'ed test1 and group writable.
chaplean (over 10 years ago):
set -l VERBOSE in config and the log shows the following:

    Feb 16 13:25:39 IZ kernel: type=1400 audit(1392542739.494:72): avc: denied { write } for pid=11048 comm="sshd" name="css" dev=dm-0 ino=1843649 scontext=unconfined_u:system_r:chroot_user_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:usr_t:s0 tclass=dir
chaplean (over 10 years ago):
I even tried chmod 777, still nothing.
Halfgaar (over 10 years ago):
What if you

    su --shell /bin/bash - test1

and then try to write there?
chaplean (over 10 years ago):
The problem is that when I write something under "su test1" everything is OK, but inside sftp it is not.
chaplean (over 10 years ago):
Thank you! It was SELinux again. Typing

    echo 0 > /selinux/enforce

temporarily solved the problem.