On Fri, Jan 23, 2009 at 11:29:27AM -0200, Martin Spinassi wrote: > On Thu, 2009-01-22 at 11:15 -0600, Walton, Bryan K wrote: > > I've got a chrooted SFTP setup that, for the most part, is working as > > designed. I have the following in my sshd config file: > > > > Match group sftponly > > ChrootDirectory /var/chroot/sftp > > X11Forwarding no > > AllowTcpForwarding no > > ForceCommand internal-sftp > > > > I have sftp accounts set up as such: > > > > user1:x:1002:1004:SFTP Account,,,:/user1:/bin/bash > > user2:x:1002:1004:SFTP Account2,,,:/user2:/bin/bash > > > > The problem I'm having is that when user1 (for example) establishes an > > sftp session, they can issue the following commands: > > > > shell:~$ sftp user1@sftp_machine > > Connecting to sftp_machine... > > user1@sftp_machine's password: > > sftp> pwd > > Remote working directory: /user1 > > sftp> cd .. > > sftp> ls > > user1 user2 > > sftp> cd user2 > > sftp> pwd > > Remote working directory: /user2 > > sftp> ls > > Couldn't get handle: Permission denied > > sftp> > > > > Try this: > > at sshd_config > > Match group sftponly > ChrootDirectory /var/chroot/sftp/%u > X11Forwarding no > AllowTcpForwarding no > ForceCommand internal-sftp > > at /etc/passwd > > user1:x:1002:1004:SFTP Account,,,:/:/bin/true > user2:x:1002:1004:SFTP Account2,,,:/:/bin/true > > > This is the way I've it, and works for me. Hi Martin, Thanks for your email. Regarding your setup, does your setup require the ownership of the user's directory to be root:root? According to the documentation, everything in the ChrootDirectory must be owned by root: " This path, and all its components, must be root-owned directories that are not writable by any other user or group." -- from the man page for sshd_config. If so, how do your users write to their directory? Thanks, Bryan Walton
