On Thu, 2009-01-22 at 11:15 -0600, Walton, Bryan K wrote:
> I've got a chrooted SFTP setup that, for the most part, is working as
> designed. I have the following in my sshd config file:
>
> Match group sftponly
>     ChrootDirectory /var/chroot/sftp
>     X11Forwarding no
>     AllowTcpForwarding no
>     ForceCommand internal-sftp
>
> The permissions on /var/chroot/sftp are:
>
> drwxr-xr-x 16 root root 4096 2009-01-21 11:32 var
> drwxr-xr-x  4 root root 4096 2009-01-20 09:45 chroot
> drwxr-xr-x  7 root root   99 2009-01-22 09:47 sftp
>
> I have sftp accounts set up as such:
>
> user1:x:1002:1004:SFTP Account,,,:/user1:/bin/bash
> user2:x:1002:1004:SFTP Account2,,,:/user2:/bin/bash
>
> The chroot itself is working fine. When these accounts sftp, they are
> placed into the directory path /var/chroot/sftp/account_name where they
> are able to successfully upload and download. Furthermore, they are
> successfully jailed inside /var/chroot/sftp.
>
> I have the permissions set on the home directories as such:
> drwxr-x--- 2 user1 root  6 2009-01-21 15:58 user1
> drwxr-x--- 2 user2 root 21 2009-01-21 15:54 user2
>
> The problem I'm having is that when user1 (for example) establishes an
> sftp session, they can issue the following commands:
>
> shell:~$ sftp user1@sftp_machine
> Connecting to sftp_machine...
> user1@sftp_machine's password:
> sftp> pwd
> Remote working directory: /user1
> sftp> cd ..
> sftp> ls
> user1 user2
> sftp> cd user2
> sftp> pwd
> Remote working directory: /user2
> sftp> ls
> Couldn't get handle: Permission denied
> sftp>
>
> Now, thankfully, the 750 permissions are preventing the user from
> getting a listing of the contents of the second user's directory. But
> why is the first user allowed to enter the second user's directory?
>
> One more thing, this is not just happening with user1. It is possible
> with all of the sftp accounts on this machine. Also, if I change the
> home directory permissions from 750 to 700, the problem persists.
>
> Finally, I should add that, if pertinent, this machine is running Debian
> Lenny and is running Debian's package of openssh -- version 5.1p1
>
> Can anybody explain what I am doing wrong?
>
> Thanks,
> Bryan

Try this:

at sshd_config

Match group sftponly
    ChrootDirectory /var/chroot/sftp/%u
    X11Forwarding no
    AllowTcpForwarding no
    ForceCommand internal-sftp

at /etc/passwd

user1:x:1002:1004:SFTP Account,,,:/:/bin/true
user2:x:1002:1004:SFTP Account2,,,:/:/bin/true

This is the way I have it, and it works for me.

Cheers.
Martín
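A per-user chroot as in Martín's reply (ChrootDirectory /var/chroot/sftp/%u) keeps user1 from ever seeing /user2, but it only works if every directory from the chroot up to / is owned by root and not writable by group or others, which is what sshd_config(5) demands before it will chroot a session; the user then needs a writable subdirectory of their own inside the chroot, since the chroot root itself must stay root-owned. The script below is an added example, not code from the thread or from OpenSSH: it walks a chroot path and reports the first directory that breaks those rules. It assumes GNU stat on Linux; the TOP and OWNER_UID parameters and the demo() scratch tree are constructed here only so the check can be exercised without root.

```shell
#!/bin/sh
# Added example (not from the thread): verify the ownership/mode rules sshd
# applies to ChrootDirectory. Each directory from CHROOT up to / must be
# owned by root and must not be group- or world-writable. Assumes GNU stat.

# check_chroot_path CHROOT [TOP] [OWNER_UID]
# Walks upward from CHROOT, stopping below TOP (default /), and reports the
# first offending directory on stderr. OWNER_UID defaults to 0 (root); both
# optional parameters exist only so the check can run on a scratch tree.
check_chroot_path() {
  dir=$1
  top=${2:-/}
  want_uid=${3:-0}
  while [ -n "$dir" ] && [ "$dir" != "$top" ] && [ "$dir" != "/" ]; do
    if [ ! -d "$dir" ]; then
      echo "missing directory: $dir" >&2
      return 1
    fi
    uid=$(stat -c %u "$dir")
    mode=$(stat -c %a "$dir")          # octal string, e.g. 755 or 1777
    if [ "$uid" != "$want_uid" ]; then
      echo "bad owner on $dir: uid $uid, expected $want_uid" >&2
      return 1
    fi
    other=$(( mode % 10 ))             # last octal digit: others
    group=$(( (mode / 10) % 10 ))      # second-to-last digit: group
    if [ $(( (group | other) & 2 )) -ne 0 ]; then
      echo "group/other writable: $dir (mode $mode)" >&2
      return 1
    fi
    dir=$(dirname "$dir")
  done
  return 0
}

# demo: constructed scratch tree owned by the current user (hence the
# OWNER_UID override) with one compliant chroot and one group-writable one.
demo() {
  root=$(mktemp -d)
  mkdir -p "$root/var/chroot/sftp/user1/upload" "$root/var/chroot/sftp/user2"
  # explicit modes so the result does not depend on the caller's umask
  chmod 755 "$root/var" "$root/var/chroot" "$root/var/chroot/sftp" \
            "$root/var/chroot/sftp/user1"
  chmod 775 "$root/var/chroot/sftp/user2"   # group-writable: sshd would refuse it
  me=$(id -u)
  if check_chroot_path "$root/var/chroot/sftp/user1" "$root" "$me"; then u1=yes; else u1=no; fi
  if check_chroot_path "$root/var/chroot/sftp/user2" "$root" "$me"; then u2=yes; else u2=no; fi
  rm -rf "$root"
  echo "user1:$u1 user2:$u2"    # user1:yes user2:no
}

demo
# On a real host: check_chroot_path /var/chroot/sftp/user1   (once per sftponly user)
```

On a live system the call is simply `check_chroot_path /var/chroot/sftp/user1` for each member of the sftponly group; the user's own writable directory (for instance /var/chroot/sftp/user1/upload, owned by user1) sits one level below and is not subject to the root-ownership rule. Note also that the sftp client's `cd` only asks the server to canonicalize the path, so entering /user2 in Bryan's transcript is not itself an access check; the mode on user2's directory is what actually stops the listing, and the per-user chroot removes the directory from view altogether.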