How to lock down SFTP user?


The ChrootDirectory directive expects that the chroot directory be owned by root, and not writable by anybody else. So you cannot jail a user to a directory and allow the user permission to write to that directory. You can:

Chroot to home, upload to upload/

The first set of commands you tried are correct for this:

sudo chown root /home/james
sudo chmod go-w /home/james
sudo mkdir /home/james/upload
sudo chown james:sshusers /home/james/upload
sudo chmod ug+rwX /home/james/upload

However, the option in sshd_config would be:

Match Group sshusers
    ChrootDirectory %h
    ForceCommand internal-sftp

(%h is replaced by the home directory of the user being authenticated, equivalent to /home/%u for most cases.) In addition, to limit the visibility of folders in /home/james, and restrict write permission there, use the recursive options for chown and chmod in the first command for /home/james, and remove read permissions. The modified set would look like:

sudo chown root /home/james -R 
sudo chmod go-rwx /home/james -R  # Disallow traversing any directory in home 
sudo chmod go+x /home/james       # Allow traversing this directory
sudo mkdir /home/james/upload
sudo chown james:sshusers /home/james/upload
sudo chmod ug+rwx /home/james/upload

Now the user should only be able to access /home/james/upload, or /upload.

Chroot to upload, upload to upload/some_directory

Pretty much the same as above, replacing /home/james/ with /home/james/upload, and /home/james/upload with /home/james/upload/some_directory. No particular gains.

Change the home directory of james to /upload

The usual behaviour of ChrootDirectory is: "After the chroot, sshd(8) changes the working directory to the user's home directory." So we change james's home directory:

usermod -d /upload james   # james's home is now /upload, i.e. /home/james/upload once chrooted

Then set the ChrootDirectory to /home/%u. Use the same restrictions in the first option.

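The first option of the answer above ("chroot to home, upload to upload/"), scripted and checked, as an added example that is not part of the original answer. It assumes Ubuntu (GNU coreutils `stat`, the `ssh` systemd unit), the `james` and `sshusers` names from the question, and that the `Match` block is appended to the end of /etc/ssh/sshd_config. `check_chroot_modes` applies the rule sshd enforces at login (every component of the ChrootDirectory path owned by root and not writable by group or other) to a plain `uid mode path` listing, so it can be run unprivileged against constructed input; `audit_chroot` feeds it the real path components, which is what produced the "bad ownership or modes for chroot directory component" error in the question.

```shell
#!/bin/sh
# Added example, not code from the original answer. Assumptions: GNU stat
# (Ubuntu), user james / group sshusers from the question, Match block
# appended to /etc/ssh/sshd_config, systemd unit name "ssh".

# Pure check, safe to run unprivileged: reads "uid mode path" lines on stdin
# (the format of `stat -c '%u %a %n'`), prints each component that sshd would
# reject, and returns 1 if any was found. sshd requires every component of the
# ChrootDirectory path to be owned by uid 0 and not writable by group or other.
check_chroot_modes() {
  status=0
  while read -r uid mode path; do
    [ -n "$path" ] || continue
    if [ "$uid" != "0" ]; then
      printf 'not root-owned: %s (uid %s)\n' "$path" "$uid"
      status=1
    fi
    # Pad to four octal digits (stat prints "711", "2775", or just "7"), then
    # look at the group and other digits: 2, 3, 6 and 7 carry the write bit.
    padded=$(printf '%04d' "$mode")
    grp_oth=${padded#"${padded%??}"}
    case "$grp_oth" in
      *[2367]*)
        printf 'group/other writable: %s (mode %s)\n' "$path" "$mode"
        status=1 ;;
    esac
  done
  return "$status"
}

# Walks from / down to the given absolute directory and feeds every path
# component to the check above, which is the walk sshd performs at login.
audit_chroot() {
  case $1 in /*) ;; *) printf 'absolute path required\n' >&2; return 2 ;; esac
  p=$1
  paths=""
  while :; do
    paths="$p
$paths"
    [ "$p" = "/" ] && break
    p=$(dirname -- "$p")
  done
  printf '%s' "$paths" | while read -r path; do
    stat -c '%u %a %n' -- "$path"
  done | check_chroot_modes
}

# The layout from the answer: root owns the chroot (the home) and nothing
# below it is visible, except upload/, which the user owns and can write to.
setup_home_chroot() {
  user=$1 group=$2
  home=$(getent passwd "$user" | cut -d: -f6)
  [ -n "$home" ] || { printf 'no such user: %s\n' "$user" >&2; return 1; }
  chown -R root "$home"
  chmod -R go-rwx "$home"                 # nothing under the home is visible...
  chmod go+x "$home"                      # ...but the user may traverse into it
  mkdir -p "$home/upload"
  chown -R "$user:$group" "$home/upload"  # give back anything already uploaded
  chmod ug+rwx "$home/upload"
  audit_chroot "$home"                    # prints nothing and returns 0 if correct
}

# A Match block stays in effect until the next Match or the end of the file,
# so it belongs at the very end of sshd_config. %h expands to the user's home.
install_sftp_match() {
  group=$1
  printf '\nMatch Group %s\n    ChrootDirectory %%h\n    ForceCommand internal-sftp\n' \
    "$group" >> /etc/ssh/sshd_config
  sshd -t && systemctl reload ssh         # validate the config before reloading
}

# Usage, as root:
#   setup_home_chroot james sshusers && install_sftp_match sshusers
```

Run `setup_home_chroot` first and only install the `Match` block once `audit_chroot` is silent: with `ForceCommand internal-sftp` in place, a rejected component means every member of the group is locked out at login rather than told what is wrong, and the only clue is the `fatal: bad ownership or modes` line in the server log.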


Author: meda

Updated on September 18, 2022

Comments

  • meda
    meda almost 2 years

    I really need some help; I have been trying to jail a user using Ubuntu.

    Thing to note:

    1. james is the user
    2. sshusers is the group
    3. /home/james/upload/ is the directory where I wish to lock user

    sshd_config:

    AllowGroups sshusers 
    
    Match Group sshusers
        ChrootDirectory /home/%u/upload/
        ForceCommand internal-sftp
    

    I followed an answer on askubuntu; here are my commands:

    sudo chown root /home/james
    sudo chmod go-w /home/james
    sudo mkdir /home/james/upload
    sudo chown james:sshusers /home/james/upload
    sudo chmod ug+rwX /home/james/upload
    

    Problem:

    I get this error

    Error:  Network error: Software caused connection abort
    Error:  Could not connect to server
    

    I investigated in the logs, and I found this:

    fatal: bad ownership or modes for chroot directory component "/home/james/upload/"

    But if I run the following commands

    sudo chown root /home/james/upload
    sudo chmod go-w /home/james/upload
    

    It works perfectly; the user can connect and the folder is locked, BUT the user cannot drop files in the directory:

    Status: Listing directory /
    Status: Directory listing successful
    Status: Starting upload of C:\Users\Program\AppData\Local\Temp\fz3temp-1\empty_file_yq744zm
    Command:    put "C:\Users\Program\AppData\Local\Temp\fz3temp-1\empty_file_yq744zm" "test"
    Error:  /test: open for write: permission denied
    Error:  File transfer failed
    

    Please advise; I have searched Google so much that all the links are purple now (visited :P).

    I'm using filezilla client to test SFTP.

  • meda
    meda almost 10 years
    This makes sense, but how would the users manage to change directory to upload? I have seen Linux servers that would restrict you to a folder just by logging in.
  • muru
    muru almost 10 years
    @meda The usual behaviour of ChrootDirectory is: "After the chroot, sshd(8) changes the working directory to the user's home directory." So say you have /some/dir/chroot/home/james, and you set ChrootDirectory to /some/dir/chroot, it will change the directory to the home folder, relative to that: /some/dir/chroot/home/james. That's probably how those servers do it.
  • muru
    muru almost 10 years
    @meda see update.
  • meda
    meda almost 10 years
    This clarifies a lot @muru. I can't try it now, but I'll get back to you. Thanks a lot.
  • meda
    meda almost 10 years
    All I need to do is restrict a user to a folder where he can upload; I don't know why this is so hard. Can you re-adapt your answer to achieve this?
  • muru
    muru almost 10 years
    @meda I am not around a PC now. I'll test it out with FileZilla and update when I am.
  • meda
    meda almost 10 years
    OK, no problem. I went to the office just to try your suggestion, so take your time and let me know when you get a chance.