Sftp Chroot and directory permissions within Chroot

I've got a chrooted SFTP setup that, for the most part, is working as
designed.  I have the following in my sshd config file:

Match group sftponly 
        ChrootDirectory /var/chroot/sftp
        X11Forwarding no
        AllowTcpForwarding no
        ForceCommand internal-sftp

The permissions on /var/chroot/sftp are:

drwxr-xr-x 16 root root   4096 2009-01-21 11:32 var
drwxr-xr-x  4 root root   4096 2009-01-20 09:45 chroot
drwxr-xr-x  7 root root     99 2009-01-22 09:47 sftp

I have sftp accounts set up as such:

user1:x:1002:1004:SFTP Account,,,:/user1:/bin/bash
user2:x:1002:1004:SFTP Account2,,,:/user2:/bin/bash

The chroot itself is working fine.  When these accounts sftp, they are
placed into the directory path /var/chroot/sftp/account_name where they
are able to successfully upload and download.  Furthermore, they are
successfully jailed inside /var/chroot/sftp.

I have the permissions set on the home directories as such:

drwxr-x--- 2 user1  root  6 2009-01-21 15:58 user1
drwxr-x--- 2 user2  root 21 2009-01-21 15:54 user2

The problem I'm having is that when user1 (for example) establishes an
sftp session, they can issue the following commands:

shell:~$ sftp user1@sftp_machine
Connecting to sftp_machine...
user1@sftp_machine's password: 
sftp> pwd
Remote working directory: /user1
sftp> cd ..
sftp> ls
user1    user2   
sftp> cd user2 
sftp> pwd
Remote working directory: /user2
sftp> ls
Couldn't get handle: Permission denied
sftp> 

Now, thankfully, the 750 permissions are preventing the user from
getting a listing of the contents of the second user's directory.  But
why is the first user allowed to enter the second user's directory?

One more thing, this is not just happening with user1.  It is possible
with all of the sftp accounts on this machine.  Also, if I change the
home directory permissions from 750 to 700, the problem persists.

Finally, I should add that, if pertinent, this machine is running Debian
Lenny and is running Debian's package of openssh -- version 5.1p1.

Can anybody explain what I am doing wrong?

Thanks,
Bryan
 

-- 
Bryan K. Walton				 Division of Physiologic Imaging
Systems Administrator		University of Iowa Hospitals and Clinics
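Added illustration, not part of the post: the two passwd lines quoted above give user1 and user2 the same UID (1002) and GID (1004), so the kernel sees user1 as the owner of /user2 and neither 750 nor 700 can keep the accounts apart; internal-sftp adds no permission checks of its own. The script below (POSIX sh, GNU stat assumed) flags UIDs shared by more than one account in a passwd file and checks the root-owned, non-group/world-writable chain that sshd_config(5) requires for every component of ChrootDirectory; the passwd sample is constructed to mirror the post.

```shell
#!/bin/sh
# Constructed sample in the format of the passwd lines quoted in the post.
# user1 and user2 carry the same UID (1002) and GID (1004), so the kernel
# treats them as one owner: mode 700 on /user2 still admits user1.
SAMPLE_PASSWD=$(cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
user1:x:1002:1004:SFTP Account,,,:/user1:/bin/bash
user2:x:1002:1004:SFTP Account2,,,:/user2:/bin/bash
user3:x:1003:1004:SFTP Account3,,,:/user3:/bin/bash
EOF
)

# Print "UID name1,name2" for every UID assigned to more than one account.
# Usage: dup_uids <passwd-file>
dup_uids() {
    awk -F: '
        { names[$3] = (names[$3] == "" ? $1 : names[$3] "," $1); count[$3]++ }
        END { for (u in count) if (count[u] > 1) print u, names[u] }
    ' "$1" | sort -n
}

# sshd_config(5) requires every component of ChrootDirectory to be owned by
# root and not writable by group or others. Walk from the path up to / and
# print one line per violation; exit status 1 if any was found. GNU stat assumed.
check_chroot_chain() {
    dir=$1; bad=0
    while [ -n "$dir" ] && [ "$dir" != "/" ]; do
        ou=$(stat -c '%u %a' "$dir") || return 2
        set -- $ou                      # $1 = owner uid, $2 = octal mode
        if [ "$1" -ne 0 ]; then
            echo "$dir: owner uid $1 is not root"; bad=1
        fi
        if [ $((0$2 & 022)) -ne 0 ]; then   # any group/other write bit set
            echo "$dir: mode $2 is group/world writable"; bad=1
        fi
        dir=$(dirname "$dir")
    done
    return $bad
}

# Demo on the constructed sample; on the real box run
#   dup_uids /etc/passwd; check_chroot_chain /var/chroot/sftp
tmp=$(mktemp); printf '%s\n' "$SAMPLE_PASSWD" > "$tmp"
echo "UIDs shared by more than one account:"; dup_uids "$tmp"
rm -f "$tmp"
```

Once the accounts have distinct UIDs, 700 on each home directory is what keeps one sftponly user out of another's tree; the chroot root itself stays root-owned and 755.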
