I've been attempting to set up a chroot jail for a group of sftp users
on a Mac OS X 10.4.11 server. Unfortunately when any of the users
login, they get kicked out with the following error in my /var/log/
secure.log:
"fatal: bad ownership or modes for chroot directory component "/""
Here are my configuration settings:
/etc/sshd_config
# override default of no subsystems
Subsystem sftp internal-sftp
Match Group webgroup
ChrootDirectory %h
ForceCommand internal-sftp
AllowTcpForwarding no
(note: I've also tried: ChrootDirectory /webhome/web)
Users are from an OpenDirectory Master. Shells are currently set to /
bin/bash (no /bin/false as some write-ups suggest to use) and their
home directories are set to /webhome/web.
Permissions and ownership on the chroot home (/webhome/web/) are:
$ ls -alG /webhome/
total 0
drwxr-xr-x + 3 root wheel 102 Jul 10 11:10 .
drwxrwxr-t + 33 root admin 1224 Jul 10 11:10 ..
drwxr-xr-x 6 root wheel 204 Jul 7 11:32 web
Within web, users have access to write to different directories:
$ ls -alG /webhome/web/
total 8
drwxr-xr-x + 6 root wheel 204 Jul 7 11:32 .
drwxr-xr-x + 3 root wheel 102 Jul 10 11:10 ..
-rw-r--r-- 1 root admin 7 Jul 2 15:48 index.html
drwxrwxr-x 3 user1 web1grp 102 Jul 7 12:07 site1
drwxrwxr-x 3 user2 web2grp 102 Jul 7 12:18 site2
drwxrwxr-x 2 user3 web3grp 68 Jul 7 11:32 site3
(note: web1grp, web2grp, web3grp are nested into webgroup)
(note: acls are used on the site directories to deny read access to
specific groups)
Users not in the webgroup are able to login to the server with no
problems.
From the documentation I've read, the permissions on /webhome and /
webhome/web should be okay. I don't suspect the acl's as they are
only set on the sub directories within web and not web itself. Also
the documentation I've read states to chown the chroot home to
root:root which is root:wheel (0:0) in Mac OS X.
Many thanks in advance...
Regards,
Luke
