Chrooted SFTP user write permissions


Solution 1

I have the same settings on our server. We use the same config of SSHD. Users' home directories are owned by root and within them there are folders documents and public_html owned by the respective users. Users then log in using SFTP and write into those folders (not directly into home). As SSH is not allowed for them, it works perfectly. You can adjust which directories will be created for new users in /etc/skel/ (at least in openSUSE, I'm not so familiar with other distros).

Another possibility would be ACL (openSUSE documentation) - it can add write permission for respective user for his home directory.

Solution 2

We've found a workaround recently that goes like this:

/etc/ssh/sshd_config:

...

Subsystem sftp internal-sftp

Match Group sftponly
    ChrootDirectory /home
    AllowTCPForwarding no
    X11Forwarding no
    ForceCommand internal-sftp

directory permissions:

root@server:~ # chown root:root /home
root@server:~ # chmod 111 /home
root@server:~ # chmod 700 /home/*

Now /home satisfies the requirements for ChrootDirectory and can't be listed by restricted users, but sftponly users will not be able to log in if their home directories are set up as usual (/home/$LOGNAME): under the chrooted environment their home directories aren't inside /home but directly under root (/).

workaround 1

Set restricted users' homes to how they appear under chroot:

root@server:~ # usermod -d /username username

caveat 1

If any of the unrestricted users or some administration script uses bash's tilde expansion like ~username it will expand to /username now, which isn't what is meant.

Also the admin that creates sftponly users has to remember to use a non-default home. Solvable with a script. Which the admin has to remember to use.

workaround 2

This is an alternative to the previous one that we ended up using:

root@server:~ # ln -s . /home/home

That is, create a symlink inside /home to its own dirname. Now under chroot /home/username points to the same directory as without chroot. For a restricted user logged in with SFTP it would appear as /username. This directory is writable to its owner (the restricted user). The restricted user can't list its parent or the home directories of any of the siblings by name.

The only thing special about an sftponly user is its membership in the sftponly group. We found it easier to deal with than workaround 1.

caveats 2

  1. You can't have a user named 'home' with a home directory /home/home
  2. You have to be careful with scripts that traverse the /home hierarchy and follow symlinks.

Solution 3

You need to create a structure inside the user's home directory, such as in and out dirs. Those dirs should be owned by the user, and there he will be able to put and get files.
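All three solutions exist because sshd refuses a ChrootDirectory unless every path component from / down to it is owned by root and is not group- or world-writable; the "bad ownership or modes for chroot directory" message in the comments below is that check failing. The following is an added example, not code from the thread, that reproduces the check so an admin can verify a layout (such as the root-owned /home with 111 permissions from Solution 2) before a user tries to log in. It assumes the usual "perms links owner group ..." layout of ls -ld output; the owner and the top of the walk are parameters only so the logic can be run on a scratch tree without privileges (sshd itself always demands root and walks all the way to /).

```shell
#!/bin/sh
# Added example: reproduce sshd's ChrootDirectory sanity check.
# Every component from the chroot up to / must be owned by root and
# must not be writable by group or others (mode bits 022 clear).

# component_ok DIR [OWNER]
#   returns 0 when DIR is owned by OWNER (default root) and is not
#   group- or world-writable; returns 1 otherwise or if DIR is missing.
component_ok() {
    dir=$1; want=${2:-root}
    out=$(ls -ld "$dir" 2>/dev/null) || return 1
    set -- $out                     # $1 = perms, $3 = owner
    perms=$1; owner=$3
    [ "$owner" = "$want" ] || return 1
    case $perms in
        ?????w*|????????w*) return 1 ;;   # group write (pos 6) or other write (pos 9)
    esac
    return 0
}

# chroot_path_ok CHROOT [OWNER] [STOP]
#   walks from CHROOT upwards, checking each component with component_ok,
#   and stops after STOP (default /, which is what sshd does). On failure
#   it prints the first offending component and returns 1.
chroot_path_ok() {
    p=$1; want=${2:-root}; stop=${3:-/}
    while :; do
        if ! component_ok "$p" "$want"; then
            echo "bad ownership or modes: $p"
            return 1
        fi
        [ "$p" = "$stop" ] && return 0
        [ "$p" = "/" ] && return 0      # reached the root without hitting STOP
        p=$(dirname "$p")
    done
}

# Usage as root on a real box, e.g. for the Solution 2 layout:
#   chroot_path_ok /home && echo "ChrootDirectory /home is acceptable to sshd"
```

A 700 or 111 directory passes, since neither grants group or world write; a 775 directory anywhere on the path fails, which is why the user-writable directories in Solutions 1 and 3 have to sit below the chroot rather than be the chroot itself.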

Author: Adionditsak (Anders Aarvik, http://dk.linkedin.com/pub/anders-aarvik/26/133/47b/)

Updated on September 18, 2022

Comments

  • Adionditsak
    Adionditsak over 1 year

    I have a setup with sftp only users:

    Match Group sftponly
        ChrootDirectory %h
        ForceCommand internal-sftp
        AllowTcpForwarding no
    I get the following message in my secure.log:

    fatal: bad ownership or modes for chroot directory
    With the Match keyword there comes some security stuff with it... the directories need to be owned by root, and the directories need to be chmod 755 (drwxr-xr-x). So it makes it impossible for a user to have write permissions to the folders, if it is only writable to the user root and set to be non-writable for groups due to ssh's security.

    Does anyone know of a good workaround?

    • yorkshiredev
      yorkshiredev almost 10 years
      Do the chrooted users own their ChrootDirectory ? Can they access it ?
  • Blatant
    Blatant over 7 years
    Hi artm or any other readers, I know this is an old post but could you help me understand workaround 2 please? I have a user (ftpuser) that needs to be jailed to their home directory (/home/ftpuser/); this I can achieve, but /home/ftpuser has to have 755 of course. I need the ftpuser to be able to create files and folders in their home directory. What symlink do I need to create, and what value should my ChrootDirectory have please?
  • Paul
    Paul over 6 years
    For me, on Debian Jessie (8.10), setting an ACL on the user's home does not work. When the user tries to log in with SFTP, they get packet_write_wait: Connection to 10.0.0.42 port 22: Broken pipe