On Wed, 2009-01-28 at 15:18 -0600, Walton, Bryan K wrote:
> On Fri, Jan 23, 2009 at 11:29:27AM -0200, Martin Spinassi wrote:
> > On Thu, 2009-01-22 at 11:15 -0600, Walton, Bryan K wrote:
> > > I've got a chrooted SFTP setup that, for the most part, is working as
> > > designed. I have the following in my sshd config file:
> > >
> > > Match group sftponly
> > > ChrootDirectory /var/chroot/sftp
> > > X11Forwarding no
> > > AllowTcpForwarding no
> > > ForceCommand internal-sftp
> > >
> > > I have sftp accounts set up as such:
> > >
> > > user1:x:1002:1004:SFTP Account,,,:/user1:/bin/bash
> > > user2:x:1002:1004:SFTP Account2,,,:/user2:/bin/bash
> > >
> > > The problem I'm having is that when user1 (for example) establishes an
> > > sftp session, they can issue the following commands:
> > >
> > > shell:~$ sftp user1@sftp_machine
> > > Connecting to sftp_machine...
> > > user1@sftp_machine's password:
> > > sftp> pwd
> > > Remote working directory: /user1
> > > sftp> cd ..
> > > sftp> ls
> > > user1 user2
> > > sftp> cd user2
> > > sftp> pwd
> > > Remote working directory: /user2
> > > sftp> ls
> > > Couldn't get handle: Permission denied
> > > sftp>
> >
> > Try this:
> >
> > at sshd_config
> >
> > Match group sftponly
> > ChrootDirectory /var/chroot/sftp/%u
> > X11Forwarding no
> > AllowTcpForwarding no
> > ForceCommand internal-sftp
> >
> > at /etc/passwd
> >
> > user1:x:1002:1004:SFTP Account,,,:/:/bin/true
> > user2:x:1002:1004:SFTP Account2,,,:/:/bin/true
> >
> > This is the way I have it, and it works for me.
>
> Hi Martin,
>
> Thanks for your email. Regarding your setup, does your setup require
> the ownership of the user's directory to be root:root? According to the
> documentation, everything in the ChrootDirectory must be owned by root:
>
> "This path, and all its components, must be root-owned directories that
> are not writable by any other user or group." -- from the man page for
> sshd_config.
>
> If so, how do your users write to their directory?
>
> Thanks,
> Bryan Walton

Hi Bryan,

The root of the sftp path is owned by root, and the sub-directories are owned by the users.

/home/sftpusers is owned by root:root
/home/sftpusers/user1 is owned by user1:user1
/home/sftpusers/user2 is owned by user2:user2

Hope it helps.

Cheers,
Martín