How to lock down SFTP user?
The `ChrootDirectory` directive expects that the chroot directory be owned by root, and not writable by anybody else. So you cannot jail a user to a directory and allow the user permission to write to that directory. You can:
Chroot to home, upload to upload/
The first set of commands you tried are correct for this:

```
sudo chown root /home/james
sudo chmod go-w /home/james
sudo mkdir /home/james/upload
sudo chown james:sshusers /home/james/upload
sudo chmod ug+rwX /home/james/upload
```
However, the option in `sshd_config` would be:

```
Match Group sshusers
    ChrootDirectory %h
    ForceCommand internal-sftp
```

(`%h` is replaced by the home directory of the user being authenticated, equivalent to `/home/%u` for most cases.)
In addition, to limit the visibility of folders in `/home/james`, and restrict write permission there, use the recursive options for `chown` and `chmod` in the first command for `/home/james`, and remove read permissions. The modified set would look like:

```
sudo chown root /home/james -R
sudo chmod go-rwx /home/james -R # Disallow traversing any directory in home
sudo chmod go+x /home/james      # Allow traversing this directory
sudo mkdir /home/james/upload
sudo chown james:sshusers /home/james/upload
sudo chmod ug+rwx /home/james/upload
```

Now the user should only be able to access `/home/james/upload`, or `/upload`.
Chroot to upload, upload to upload/some_directory
Pretty much the same as above, replacing `/home/james/` with `/home/james/upload`, and `/home/james/upload` with `/home/james/upload/some_directory`. No particular gains.
Change the home directory of `james` to `/upload`
The usual behaviour of ChrootDirectory is: "After the chroot, sshd(8) changes the working directory to the user's home directory."
So we change `james`'s home directory:

```
sudo usermod -d /upload james
```

Then set the `ChrootDirectory` to `/home/%u`. Use the same restrictions in the first option.
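As an added example (not part of the answer, and not OpenSSH's code), the following POSIX sh script emulates the rule the answer opens with: every component of the `ChrootDirectory` path must be owned by root and writable by nobody else, which is the rule behind the `bad ownership or modes for chroot directory component` error in the question. It assumes GNU `stat` (as on Ubuntu); the path `/home/james/upload` is the question's.

```shell
#!/bin/sh
# Added example: reproduce sshd's ChrootDirectory sanity rule so that a
# misconfigured jail can be diagnosed before the user is locked out.
# Every component of the chroot path must be owned by root (uid 0) and
# carry no group/other write bit; the user's writable area therefore has
# to be a subdirectory below the chroot (the upload/ layout above).
# Assumes GNU stat: '%a' prints the octal mode, '%u' the numeric owner.

# Pure rule on one component. Returns 0 when sshd would accept it.
chroot_component_ok() {
    mode=$1
    uid=$2
    [ "$uid" -eq 0 ] || return 1               # owner must be root
    [ $(( 0$mode & 022 )) -eq 0 ] || return 1  # no g+w or o+w bit
    return 0
}

# Walk the path from / downwards and report the first bad component.
# Exit status 0 means the whole path would be accepted as a chroot.
check_chroot_path() {
    target=$1
    cur=""
    old_ifs=$IFS
    IFS=/
    set -- $target              # split on '/'; leading '/' yields an empty field
    IFS=$old_ifs
    for comp in "$@"; do
        [ -n "$comp" ] || continue
        cur="$cur/$comp"
        info=$(stat -c '%a %u' -- "$cur" 2>/dev/null) || {
            echo "cannot stat $cur"; return 1; }
        mode=${info% *}
        uid=${info#* }
        if ! chroot_component_ok "$mode" "$uid"; then
            echo "bad ownership or modes for chroot directory component \"$cur\" (mode $mode, uid $uid)"
            return 1
        fi
    done
    echo "ok: every component of $target is root-owned and not group/world writable"
    return 0
}

# Stand-alone use: sh check_chroot.sh /home/james/upload
if [ $# -gt 0 ]; then
    check_chroot_path "$1"
fi
```

Run it against the directory named in `ChrootDirectory` whenever `sshd` logs the "bad ownership or modes" message; the component it reports is the one to `chown root` and `chmod go-w`.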
Comments
- **meda** almost 2 years

  I really need some help, I have been trying to jail a user using ubuntu. Things to note:

  - `james` is the user
  - `sshusers` is the group
  - `/home/james/upload/` is the directory where I wish to lock the user

  sshd_config:

  ```
  AllowGroups sshusers
  Match Group sshusers
      ChrootDirectory /home/%u/upload/
      ForceCommand internal-sftp
  ```

  I followed an answer on askubuntu, here are my commands:

  ```
  sudo chown root /home/james
  sudo chmod go-w /home/james
  sudo mkdir /home/james/upload
  sudo chown james:sshusers /home/james/upload
  sudo chmod ug+rwX /home/james/upload
  ```

  Problem: I get this error

  ```
  Error: Network error: Software caused connection abort
  Error: Could not connect to server
  ```

  I investigated in the logs, and I found this:

  ```
  fatal: bad ownership or modes for chroot directory component "/home/james/upload/"
  ```

  But if I run the following commands

  ```
  sudo chown root /home/james/upload
  sudo chmod go-w /home/james/upload
  ```

  It works perfectly, the user can connect, the folder is locked BUT cannot drop files in the directory

  ```
  Status: Listing directory /
  Status: Directory listing successful
  Status: Starting upload of C:\Users\Program\AppData\Local\Temp\fz3temp-1\empty_file_yq744zm
  Command: put "C:\Users\Program\AppData\Local\Temp\fz3temp-1\empty_file_yq744zm" "test"
  Error: /test: open for write: permission denied
  Error: File transfer failed
  ```

  Please advise, I have searched Google so much all the links are purple now (visited :P). I'm using the FileZilla client to test SFTP.
- **meda** almost 10 years

  This makes sense, but how would the users manage to change directory to upload? I have seen Linux servers that would restrict you to a folder just by logging in?

- **muru** almost 10 years

  @meda The usual behaviour of `ChrootDirectory` is: "After the chroot, sshd(8) changes the working directory to the user's home directory." So say you have `/some/dir/chroot/home/james`, and you set `ChrootDirectory` to `/some/dir/chroot`, it will change the directory to the home folder, relative to that: `/some/dir/chroot/home/james`. That's probably how those servers do it.

- **muru** almost 10 years

  @meda see update.

- **meda** almost 10 years

  This clarifies a lot @muru, I can't try it now, but I'll get back to you, thanks a lot.

- **meda** almost 10 years

  All I need to do is restrict a user to a folder where he can upload a folder, I don't know why this is so hard. Can you re-adapt your answer to achieve this?

- **muru** almost 10 years

  @meda I am not around a PC now. I'll test it out with FileZilla and update when I am.

- **meda** almost 10 years

  OK no problem, I went to the office just to try your suggestion, so take your time and let me know when you get a chance.