List: secure-shell
Subject: Re: Sftp Chroot and directory permissions within Chroot
From: Martin Spinassi <martins.listz () gmail ! com>
Date: 2009-01-29 20:04:37
Message-ID: 1233259477.2872.266.camel () kr0sty ! livra ! local
On Wed, 2009-01-28 at 15:18 -0600, Walton, Bryan K wrote:
> On Fri, Jan 23, 2009 at 11:29:27AM -0200, Martin Spinassi wrote:
> > On Thu, 2009-01-22 at 11:15 -0600, Walton, Bryan K wrote:
> > > I've got a chrooted SFTP setup that, for the most part, is working as
> > > designed. I have the following in my sshd config file:
> > >
> > > Match group sftponly
> > > ChrootDirectory /var/chroot/sftp
> > > X11Forwarding no
> > > AllowTcpForwarding no
> > > ForceCommand internal-sftp
> > >
> > > I have sftp accounts set up as such:
> > >
> > > user1:x:1002:1004:SFTP Account,,,:/user1:/bin/bash
> > > user2:x:1002:1004:SFTP Account2,,,:/user2:/bin/bash
> > >
> > > The problem I'm having is that when user1 (for example) establishes an
> > > sftp session, they can issue the following commands:
> > >
> > > shell:~$ sftp user1@sftp_machine
> > > Connecting to sftp_machine...
> > > user1@sftp_machine's password:
> > > sftp> pwd
> > > Remote working directory: /user1
> > > sftp> cd ..
> > > sftp> ls
> > > user1 user2
> > > sftp> cd user2
> > > sftp> pwd
> > > Remote working directory: /user2
> > > sftp> ls
> > > Couldn't get handle: Permission denied
> > > sftp>
> > >
> >
> > Try this:
> >
> > at sshd_config
> >
> > Match group sftponly
> > ChrootDirectory /var/chroot/sftp/%u
> > X11Forwarding no
> > AllowTcpForwarding no
> > ForceCommand internal-sftp
> >
> > at /etc/passwd
> >
> > user1:x:1002:1004:SFTP Account,,,:/:/bin/true
> > user2:x:1002:1004:SFTP Account2,,,:/:/bin/true
> >
> >
> > This is the way I have it, and it works for me.
>
> Hi Martin,
>
> Thanks for your email. Regarding your setup, does your setup require
> the ownership of the user's directory to be root:root? According to the
> documentation, everything in the ChrootDirectory must be owned by root:
>
> " This path, and all its components, must be root-owned directories that
> are not writable by any other user or group." -- from the man page for
> sshd_config.
>
> If so, how do your users write to their directory?
>
> Thanks,
> Bryan Walton
Hi Bryan,
The root of the sftp path is owned by root, and the sub-directories are owned by
the users.
/home/sftpusers is owned by root:root
/home/sftpusers/user1 is owned by user1:user1
/home/sftpusers/user2 is owned by user2:user2
Hope it helps.
Cheers
Martín
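An added example (not from this thread) that applies the sshd_config rule Bryan quotes: a POSIX shell check that walks every component of a ChrootDirectory path and flags any that is not root-owned or is group/other writable, plus a helper that lays out a per-user chroot with a root-owned chroot root and a user-writable subdirectory inside it. The `upload` subdirectory name and the use of GNU `stat -c` are this example's assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Applies the sshd_config rule quoted
# above: every component of ChrootDirectory must be owned by root (uid 0)
# and must not be writable by group or others (mode & 022 == 0).
# Assumes GNU coreutils `stat -c`; the "upload" subdirectory is this
# example's own choice of writable area inside the chroot.

# Check one path component from its numeric owner uid ($1) and octal mode
# ($2, e.g. 755 or 4755). Returns 0 if the rule accepts it, 1 otherwise.
chroot_component_ok() {
    [ "$1" -eq 0 ] 2>/dev/null || return 1          # must be root-owned
    [ $(( 0$2 & 022 )) -eq 0 ] || return 1           # no group/other write bit
    return 0
}

# Walk "/" and every component of the absolute path $1, stopping at the
# first one the rule rejects. Prints the offending component and returns 1;
# returns 0 silently when the whole path is acceptable.
check_chroot_path() {
    cur=/
    old_ifs=$IFS; IFS=/; set -- $1; IFS=$old_ifs
    for comp in "" "$@"; do
        [ -n "$comp" ] && cur="${cur%/}/$comp"
        if [ ! -d "$cur" ]; then
            echo "$cur: not a directory"; return 1
        fi
        uid=$(stat -c %u "$cur") || return 1
        mode=$(stat -c %a "$cur") || return 1
        if ! chroot_component_ok "$uid" "$mode"; then
            echo "$cur: uid=$uid mode=$mode (must be root-owned, not group/other writable)"
            return 1
        fi
    done
    return 0
}

# Lay out one user for "ChrootDirectory /var/chroot/sftp/%u": the chroot
# root /var/chroot/sftp/<user> stays root:root 755 (so sshd accepts it) and
# the user owns a writable subdirectory below it. Needs root to run.
setup_sftp_user() {
    user=$1; base=${2:-/var/chroot/sftp}
    mkdir -p "$base/$user/upload"
    chown root:root "$base" "$base/$user"
    chmod 755 "$base" "$base/$user"
    chown "$user:$user" "$base/$user/upload"
    chmod 700 "$base/$user/upload"
    check_chroot_path "$base/$user"   # verify before reloading sshd
}
```

Run `check_chroot_path /var/chroot/sftp/user1` on the server to see which component, if any, would make sshd refuse the chroot.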