On 05/01/15 09:35, Markus Rosjat wrote:
> Well, I got it running to a point where my user got logged in to his home dir.
> He is now chrooted to /var/sftp because this one is owned by root and 
> not writable for others.
> He still can jump from the home dir (well, it's not really his home) 
> /var/sftp/testsftp to the root (which is the actual home) /var/sftp.
> Is there something I can do to prevent this last no-go?
> 

The way I have done this is something like:
sftpusers/mary/homedir
(root)   (root) (mary)

ChrootDirectory /sftpusers/%u

Home directory for user "mary" (and all other sftpusers) is /homedir.
So, sftp locks up the chroot in /home/mary, and the user is dropped into
/homedir by default, which is actually /home/mary/homedir.  Now, they
can read and write in their default directory (not their root); they can
chdir back out of their RW directory, but see nothing else, as there is
nothing to see.

Another way to do it, almost simpler, is /home/mary/home/mary

Now /home/mary is owned by root, /home/mary/home/mary is owned by Mary.
The chroot is /home/mary, and the default directory becomes
/home/mary within the chroot.  "Almost simpler".  Though I admit if I
saw this on a machine without understanding why, I'd think unpleasant
things about the administrator. :)

Nick.


> Am 01.05.2015 um 15:15 schrieb Nick Holland:
>> On 05/01/15 07:07, Markus Rosjat wrote:
>>> hi there,
>>>
>>> I'm just doing some testing with sftp access and I stumbled over some things
>>> I don't get.
>>>
>>> If I use the chroot I would assume the user can't browse to the root dir,
>>> but it seems he can.
>>> Do I get the whole chroot thing wrong here?
>> You get the idea, but you aren't implementing it right, and thus the
>> chroot isn't working.

> Since I want my user to have full access to his home I use the following 
> setup in sshd_config:
> 
> Match Group sftpuser
>          ChrootDirectory /var/sftp
>          ForceCommand internal-sftp -d %u
>          AllowTCPForwarding no
>          X11Forwarding no
> 
>>> I set sshd up to just use key auth and gave the user a nologin because I
>>> just want him to use sftp. I checked it with a shell so I know the key
>>> gets accepted, but with the nologin and sftp I can't log in.
>>> So it seems the statement "we don't need a shell for sftp" is not working.
>> are you using "internal-sftp"?

> yes

>>> I used a different home dir for the sftp users and applied the suggested
>>> permissions and ownership, but it doesn't seem to work.
>>>
>>> /var/sftp <- root:sftpuser  0100

> changed that to root:wheel 0711

>>> /var/sftp/testuser <- testuser:sftpuser 0750
>> and I presume "testuser" is your login name?

> Yeah, like I said, I'd like to give the user full access to his home; the 
> group permission may be removed if it works without.

>> man sshd_config
>> search for "ChrootDirectory".
>>
>>     At session startup sshd(8) checks that all
>>     components of the pathname are root-owned directories which are
>>     not writable by any other user or group.
>>
>> You aren't doing that.

> No, I just tell ssh that the home is the directory above and move the 
> user to his real home.

>> Yes, that looks strange.  Your SFTP user's home dir they will be
>> chrooted in has to be owned by ... ROOT!  AND they can't have
>> permissions there!  ("Who's home is this anyway??")

> Someone who doesn't need to live in the real home ;)

>>
>> Now...inside that directory, you can create writable directories.
>>
>> There is a reason for this (of course) -- you don't want your chroot
>> user creating a /etc and /dev et al. directories which could be
>> influencing other chroot'ed applications.
>>
>> Nick.
