
I know there are other questions like this and I already read some of them, but it didn't fix my problem. I want to create a user that has SFTP access to his home directory only and is not allowed to see files/folders above this directory. He should also be able to run shell commands in this directory (starting a node process, for example).

The sftp access is working so far. The user is restricted to his home directory and can edit/delete files.

I tried to create a symlink with sudo ln -s /bin/bash /bin/rbash and it says the file already exists, so I set the user shell with sudo usermod -s /bin/rbash user, but if the user logs in via ssh it shows the Ubuntu welcome text and then /bin/rbash: No such file or directory. The same happens if I set the shell to bash.

My sshd_config looks like this now:

#Subsystem sftp /usr/lib/openssh/sftp-server
Subsystem sftp internal-sftp

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes

Match group sftp
        ChrootDirectory /home/userdirectory
        AllowTcpForwarding no
#       ForceCommand internal-sftp

I also tried to create a symbolic link from /bin/bash to /home/userdirectory/bin/bash but then when the user logs in via ssh it says Too many symbolic links.

I copied /bin/bash to /home/userdirectory/bin/bash and it says no such file or directory.

omnomnom
  • You also need to copy all libraries that bash uses. – muru Aug 20 '18 at 08:16
  • Can you give an example? And shouldn't it just work with the symbolic link? I'm fairly new to Linux btw. – omnomnom Aug 20 '18 at 08:26
  • Within the chroot, /home/userdirectory/bin/bash is /bin/bash - you have a symbolic link pointing to itself. No files outside the chroot are accessible or even visible (which is the point), and that includes any shared library files that bash needs. See https://askubuntu.com/a/112590/158442 https://unix.stackexchange.com/a/9854/70524 – muru Aug 20 '18 at 08:33
  • That worked. I copied all necessary files and have a (restricted?) shell now on the user account. If you put your comments into an answer I will mark it as the answer. Thank you! – omnomnom Aug 20 '18 at 09:22
  • It would be better if you could post an answer showing what you had to do. I haven't done this in ages. – muru Aug 20 '18 at 09:25

1 Answer


I solved this by copying /bin/bash to /home/userdirectory/bin/bash.

After that I listed required libraries with

ldd /bin/bash

and copied them all to their appropriate directories under the chroot /home/userdirectory.

If you want to have further commands in the shell, you have to copy them from /bin to /home/userdirectory/bin as well and add their libraries.

omnomnom
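The copy-the-binary-then-its-ldd-libraries procedure from the answer, written out as a small POSIX shell script. This is an added example, not the poster's own commands; the chroot path, the function names and the list of binaries to install are assumptions. It also checks afterwards that the binary and every library ldd reports exist under the chroot, since a missing entry there is exactly what surfaces as "No such file or directory" when the user logs in.

```shell
#!/bin/sh
# Added example: populate an sshd ChrootDirectory with a shell and the shared
# libraries it needs, following the ldd-based procedure from the answer above.
# The chroot path and the function names are this example's own choices.

# Print the absolute paths ldd reports for a binary. ldd lines look like
#   libtinfo.so.6 => /lib/x86_64-linux-gnu/libtinfo.so.6 (0x...)
#   /lib64/ld-linux-x86-64.so.2 (0x...)
#   linux-vdso.so.1 (0x...)      <- no file on disk, so no path, skipped
ldd_paths() {
    ldd "$1" 2>/dev/null | awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) print $i }'
}

# Copy /abs/path to CHROOT/abs/path, creating parent directories. -L follows
# symlinks: a link that points outside the chroot would be dangling inside it
# (the "Too many symbolic links" problem from the question).
copy_into_chroot() {
    mkdir -p "$(dirname "$1$2")" && cp -L "$2" "$1$2"
}

# Install each binary given on the command line, plus all its libraries.
install_into_chroot() {
    chroot_dir=$1; shift
    for bin in "$@"; do
        copy_into_chroot "$chroot_dir" "$bin" || return 1
        for lib in $(ldd_paths "$bin"); do
            copy_into_chroot "$chroot_dir" "$lib" || return 1
        done
    done
}

# Check that a binary and every library ldd lists for it exist under the chroot.
# Anything reported missing here produces "No such file or directory" at login.
verify_in_chroot() {
    [ -x "$1$2" ] || { echo "missing $2 inside $1" >&2; return 1; }
    for lib in $(ldd_paths "$2"); do
        [ -e "$1$lib" ] || { echo "missing $lib inside $1" >&2; return 1; }
    done
}

# Usage (as root): sh populate-chroot.sh /home/userdirectory /bin/bash /bin/ls
if [ "$#" -ge 2 ]; then
    CHROOT=$1; shift
    install_into_chroot "$CHROOT" "$@" || exit 1
    for b in "$@"; do verify_in_chroot "$CHROOT" "$b" || exit 1; done
fi
```

sshd additionally requires the ChrootDirectory and every parent of it to be owned by root and not writable by group or others, otherwise the login is refused before the shell is even looked up.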