Server: Ubuntu 12.04 LTS
I am using OpenSSH and have created an SFTP user called bob who belongs to group sftponly. I have chrooted bob to his home directory, which is /usr/share/nginx/www/bob/.
bob is able to SFTP onto the server and view his home directory; however, he is unable to edit the files in his directory. I have run chown -R bob /usr/share/nginx/www/bob/* to make bob the owner of his files, yet he is still unable to edit them.
Why would this be?
Answer
To properly chroot an sftponly group member, you need to set these options in /etc/ssh/sshd_config:
Subsystem sftp internal-sftp
Match Group sftponly
ChrootDirectory /srv/chroot/%u
ForceCommand internal-sftp
It is a requirement that the home directory of chrooted users, and the directories all the way up to the root of the system, must belong to root:root.
Given the following values for a user:
$ id user001
uid=1003(user001) gid=1003(user001) groups=1006(sftponly)
$ grep user001 /etc/passwd
user001:x:1003:1003::/input:/sbin/nologin
You need a directory structure like this one:
$ tree /srv/chroot
/srv/chroot
├── user001
│ └── input
Because user001's HOME directory is evaluated after the chroot call, he/she lands in the input directory, where write permissions are valid:
$ ls -lrtd /srv/chroot/user001/input
drwxrwx--- 2 user001 sftponly 4.0K Apr 07 17:55 /srv/chroot/user001/input
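The ownership rule from the answer is the usual reason a chrooted SFTP login fails or cannot write: sshd refuses a ChrootDirectory unless every path component from the chroot up to / is owned by root and is not writable by group or others. The following script, an added example that is not part of the question or answer, walks that chain for a given chroot path (such as /srv/chroot/user001) and reports the first offending component; it assumes GNU stat as found on Ubuntu.

```shell
#!/bin/sh
# Verify the ChrootDirectory requirement that sshd enforces: every component of
# the path, from the chroot directory up to /, must be owned by root (uid 0)
# and must not be writable by group or others.

# Pure check on one component. Arguments: owner uid and octal mode, exactly as
# printed by `stat -c '%u %a'` (e.g. "0 755" or "1003 770"). Returns 0 when the
# component is acceptable to sshd, 1 otherwise.
component_ok() {
    uid="$1"
    mode="$2"
    [ "$uid" -eq 0 ] || return 1
    # Left-pad to four digits so setuid/setgid/sticky modes like "2755" and
    # plain modes like "755" both line up: digit 3 = group, digit 4 = other.
    perms="$mode"
    while [ "${#perms}" -lt 4 ]; do perms="0$perms"; done
    group=$(printf '%s' "$perms" | cut -c3)
    other=$(printf '%s' "$perms" | cut -c4)
    # Bit 2 of an octal permission digit is the write bit.
    [ $((group & 2)) -eq 0 ] || return 1
    [ $((other & 2)) -eq 0 ] || return 1
    return 0
}

# Walk from the chroot directory up to /, checking each component.
# Usage: check_chroot_path /srv/chroot/user001
check_chroot_path() {
    dir="$1"
    while :; do
        info=$(stat -c '%u %a' "$dir") || return 1
        # shellcheck disable=SC2086
        set -- $info
        if ! component_ok "$1" "$2"; then
            echo "not usable as ChrootDirectory: $dir is uid=$1 mode=$2" >&2
            return 1
        fi
        [ "$dir" = "/" ] && return 0
        dir=$(dirname "$dir")
    done
}

# When run directly with a path argument, check it and exit accordingly.
if [ "$#" -gt 0 ]; then
    check_chroot_path "$1" && echo "ok: $1 satisfies the ChrootDirectory rules"
fi
```

Run it as root against the directory named in ChrootDirectory before enabling the Match block; the user's writable subdirectory (here input, owned by user001) sits below the chroot and is deliberately not part of the chain being checked.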