Re: Sftp Chroot and directory permissions within Chroot

On Fri, Jan 23, 2009 at 11:29:27AM -0200, Martin Spinassi wrote:
> On Thu, 2009-01-22 at 11:15 -0600, Walton, Bryan K wrote:
> > I've got a chrooted SFTP setup that, for the most part, is working as
> > designed.  I have the following in my sshd config file:
> > 
> > Match group sftponly 
> >         ChrootDirectory /var/chroot/sftp
> >         X11Forwarding no
> >         AllowTcpForwarding no
> >         ForceCommand internal-sftp
> > 
> > I have sftp accounts set up as such:
> > 
> > user1:x:1002:1004:SFTP Account,,,:/user1:/bin/bash
> > user2:x:1002:1004:SFTP Account2,,,:/user2:/bin/bash
> > 
> > The problem I'm having is that when user1 (for example) establishes an
> > sftp session, they can issue the following commands:
> > 
> > shell:~$ sftp user1@sftp_machine
> > Connecting to sftp_machine...
> > user1@sftp_machine's password: 
> > sftp> pwd
> > Remote working directory: /user1
> > sftp> cd ..
> > sftp> ls
> > user1    user2   
> > sftp> cd user2 
> > sftp> pwd
> > Remote working directory: /user2
> > sftp> ls
> > Couldn't get handle: Permission denied
> > sftp> 
> > 
> 
> Try this:
> 
> at sshd_config
> 
> Match group sftponly 
>         ChrootDirectory /var/chroot/sftp/%u
>         X11Forwarding no
>         AllowTcpForwarding no
>         ForceCommand internal-sftp
> 
> at /etc/passwd
> 
> user1:x:1002:1004:SFTP Account,,,:/:/bin/true
> user2:x:1002:1004:SFTP Account2,,,:/:/bin/true
> 
> 
> This is the way I have it, and it works for me.

Hi Martin,

Thanks for your email.  Regarding your setup, does your setup require
the ownership of the user's directory to be root:root?  According to the
documentation, everything in the ChrootDirectory must be owned by root:

" This path, and all its components, must be root-owned directories that
are not writable by any other user or group."  -- from the man page for
sshd_config.

If so, how do your users write to their directory?

Thanks,
Bryan Walton
