146

I want to give a client access to my server, but I want to limit those users to their home directories. I will bind-mount in any files I want them to be able to see.

I've created a user called bob and added him to a new group called sftponly. They have a home directory at /home/bob. I've changed their shell to /bin/false to stop SSH logins. Here is their /etc/passwd line:

bob:x:1001:1002::/home/bob:/bin/false

I've also changed the /etc/ssh/sshd_config to include the following:

Match Group sftponly
        ChrootDirectory /home/%u
        ForceCommand internal-sftp
        AllowTcpForwarding no

When I try to log in as them, here's what I see 

$ sftp bob@server
bob@server's password: 
Write failed: Broken pipe
Couldn't read packet: Connection reset by peer

If I comment out the ChrootDirectory line I can SFTP in but then they have free rein over the server. I have found that ChrootDirectory /home works, but it still gives them access to any home directory. I have explicitly tried ChrootDirectory /home/bob but that doesn't work either.

What am I doing wrong? How can I limit bob to /home/bob/?

----EDIT-----

Okay so I just had a look at /var/log/auth.log and saw this:

May  9 14:45:48 nj sshd[5074]: pam_unix(sshd:session): session opened for user bob by (uid=0)
May  9 14:45:48 nj sshd[5091]: fatal: bad ownership or modes for chroot directory component "/home/bob/"
May  9 14:45:48 nj sshd[5074]: pam_unix(sshd:session): session closed for user bob

I'm not entirely sure what's going on there, but it suggests something is wrong with the user directory. Here is the ls -h /home output:

drwxr-xr-x 26 oli      oli      4096 2012-01-19 17:19 oli
drwxr-xr-x  3 bob      bob      4096 2012-05-09 14:11 bob
rm-vanda
  • 3,176
Oli
  • 293,335

5 Answers5

143

All this pain is thanks to several security issues as described here. Basically the chroot directory has to be owned by root and can't be any group-write access. Lovely. So you essentially need to turn your chroot into a holding cell and within that you can have your editable content.

sudo chown root /home/bob
sudo chmod go-w /home/bob
sudo mkdir /home/bob/writable
sudo chown bob:sftponly /home/bob/writable
sudo chmod ug+rwX /home/bob/writable

And bam, you can log in and write in /writable.

hennr
  • 203
  • 2
  • 5
Oli
  • 293,335
  • 4
    Thank you really useful. Two problems though. 1.) Even though I can't write, I can still browse the whole filesystem. 2.) Changing shell to /bin/false prevents SFTP completely. Am I doing something wrong? – kim3er Jun 07 '12 at 15:30
  • 2
    Thank you! Many other articles on this topic miss this detail, and some make it so the server cannot accept ssh connections (which kind of sucks when you're on EC2 and ... that's the only way). – Tom Harrison Jr Sep 25 '12 at 22:56
  • @kim3er did you set your user's group to sftponly? If you don't, the ssh server won't match and chroot it. Try "usermod sftponly $USER". Also, /bin/false just removes SSH access. If you want a chrooted user to have ssh access there are more steps you'll need to take. – Evan Plaice Apr 26 '13 at 17:47
  • 4
    kim3er: this is because you need to set the user's shell to /sbin/nologin -- /bin/false disables any sort of access. –  May 29 '13 at 21:09
  • 11
    I'd also like to note that all folders that lead to your chroot folder should be owned by root. In this example, /home should also be owned by root. – Shiki Oct 08 '13 at 10:18
  • 4
    On 14.04, I also had to change the Subsystem sftp /usr/lib/openssh/sftp-server line to Subsystem sftp internal-sftp -f AUTH -l VERBOSE before this worked. – partofthething Sep 23 '15 at 01:44
  • This was the best description of this issue that I've found after about an hour spent trying and then Googling. – Kelderic Jan 25 '18 at 17:40
  • 1
    So it means there is no way of chrooting a user in a writeable directory : you have to have a subfolder with write permissions ? – baramuse Nov 05 '18 at 11:35
  • 2
    @baramuse you could then "move" the user to the writable directory after login by using ForceCommand internal-sftp -d /writable in /etc/ssh/sshd_config. They would still be able to browse back up to the read-only chroot dir though. Source – warbi Oct 09 '19 at 10:54
  • This is how you add the user bob to the group sftponly: adduser bob sftponly – rubo77 Mar 03 '20 at 14:15
  • Once you are done, you can bind other directories into the home folder of the jail user with mkdir /home/bob/localdir/; mount --bind /original/path /home/bob/localdir/ – rubo77 Mar 03 '20 at 14:16
  • Not sure, but it feels like this answer is missing chmod 750 /home/bob, as bob still needs read permission after connecting, otherwise he won't see anything if ChrootDirectory /home/%u is set. – Torxed Apr 26 '20 at 22:48
66

To chroot an SFTP directory, you must

  1. Create a user and force root to be owner of it

    sudo mkdir /home/john
useradd -d /home/john -M -N -g users john
sudo chown root:root /home/john
sudo chmod 755 /home/john

  2. Change the subsystem location on /etc/ssh/sshd_config:

    #Subsystem sftp /usr/lib/openssh/sftp-server
Subsystem sftp internal-sftp

    and create a user section at the end of the file (ssh can die respawning if placed after Subsystem line):

    Match User john
    ChrootDirectory %h
    ForceCommand internal-sftp
    AllowTCPForwarding no
    X11Forwarding no
rubo77
  • 32,486
josircg
  • 1,239
  • 4
    this doesn't seem to work. in your example, the user john is locked to the /home/john directory. you have granted 755 permissions to the directory. so the owner has read(4), write(2) and execute(1), and the group has read(4) and execute(1). you've also set the owner and group as root, so john belongs to other. he also has read and execute (4+1=5) then.

    so you've locked john into a directory where he has no write privileges. how to fix this? changing privileges to 757 or even 777 breaks the login. changing the group or owner to john also breaks login.

     – Daniel Sep 03 '16 at 06:41
  • also to note: in /etc/ssh/sshd_config the configs are read in order. So if you have a rule for users in General and you want to overwrite one of them, just place the user-specific rule on top. – rwenz3l Apr 03 '17 at 10:10
  • I want to chroot an SFTP directory in some other user's home folder. I have userx at /home/userx/sftproot/uploads and sftpuser at /home/sftpuse. I have set chroot at /home/usex/sftproot to be owned by root:root and chmod 755. The /home/usex/sftproot/uploads is chown-ed by sftpuser:sftpuser. I get the same error as the initial question above. Does the chroot and all parent folders need to be owned by root:root in order for sftp to work? – Primoz Rome Sep 01 '17 at 07:04
  • 1
    +1 for %h............. – leonheess Apr 03 '20 at 09:34
  • how do you add john's password? – user1034912 Sep 08 '20 at 13:24
  • @user1034912 "john" is a regular linux user. sudo passwd john – josircg Sep 08 '20 at 15:51
9

I spent the whole day trying to get a network share on my raspberry. I wanted to lock the user so that it would not be able to navigate through the whole file system, no ssh login access and I wanted to have write access to the network share.

And here is how I got it working:

First I created a user:

sudo useradd netdrive

Then edited /etc/passwd and made sure it has /bin/false for the user so the line was:

netdrive:x:1001:1004:Net Drive User,,,:/home/netdrive:/bin/false

I edited /etc/ssh/sshd_config to include:

Match User netdrive
  ChrootDirectory /home/netdrive
  ForceCommand internal-sftp
  AllowTcpForwarding no
  X11Forwarding no

Changed home directory owner and permissions:

sudo chown root:root /home/netdrive/
sudo chmod 755 /home/netdrive/

Ok so after all this I was able to connect using sshfs but in read only mode. What I had to do to get a writable folder:

sudo mkdir -p /home/netdrive/home/netdrive/
sudo chown netdrive:netdrive /home/netdrive/home/netdrive/
sudo chmod 755 /home/netdrive/home/netdrive/

That was it, it worked without any further changes. Note that I have only writable permissions to the user, not to the group as many other solutions online. I was able to create/delete/edit/rename files/folders without problems.

When accessing using sshfs with the netdrive user because of chroot configuration I would only see things stored inside server's /home/netdrive/ directory, perfect. The repeated /home/netdrive/home/netdrive/ directory structure is what made it work for me in having a clean chroot ssh writable solution.

Now I am going to explain below the problems I had:

You should probably not execute the following paragraphs:

After looking at the above solutions (and many others on the net which even used acl (access control lists)) I was still not able to get it working because what I did next was:

The following did NOT work for me:

sudo mkdir /home/netdrive/writable/
sudo chown netdrive:netdrive /home/netdrive/writable/
sudo chmod 755 /home/netdrive/writable/

Because the netdrive user was still not able to write in that /home/netdrive/writable/ directory despite owning the folder and having the permissions. Then I did: sudo chmod 775 /home/netdrive/writable/ And now I could create a directory and delete it but I was not able to edit it because it was being created without group writable permissions. Here from what I saw on the net people use acl to fix it. But I was not happy with that since it I had to install acl, then configure mount points, etc. Also I have no idea why I would need group permission to write to a folder owned by the same user.

It seems that for some reason creating /home/netdrive/home/netdrive and giving ownership to the last netdrive folder I was able to make everything work without messing with group permissions.

mihai.ile
  • 101
2

I followed this article but it didnt work. It started working after I made this change (suggested in above answers):

#Subsystem sftp /usr/lib/openssh/sftp-server
Subsystem sftp internal-sftp

Plus made the root ownable home directory under which I had user writable sub directory (as described above).

The new and useful thing I want to add with this answer is that you can simplify the configuration simply by specifying %h as user home directory:

ChrootDirectory %h

I have discovered it thanks to this link.

user109764
  • 481
0

I created a script from @Oli's answer:

#!/bin/bash

1. adds a user to the group sftponly, which have only access to their home directory


2. creates a writable folder in the users home directory


3. mounts a folder into the users home directory with bind


see https://askubuntu.com/questions/134425/how-can-i-chroot-sftp-only-ssh-users-into-their-homes


if [ "$1" == "" ]; then
  echo "usage: $0 [username] [path to share] [local foldername]"
  exit 0
fi
U=$1


if [ "$2" == "" ]; then
  echo "no 2. param path to share given (without trailing slash)"
  exit 0
fi
PATH_TO_SHARE="$2"


if [ "$3" == "" ]; then
  echo "no 3. param local foldername given"
  exit 0
fi
LOCAL_FOLDER_NAME="$3"


set -ex


adduser $U
adduser $U sftponly
sudo chown root /home/$U
sudo chmod go-w /home/$U
sudo mkdir /home/$U/writable
sudo chown $U:sftponly /home/$U/writable
sudo chmod ug+rwX /home/$U/writable
mkdir -p "/home/$U/$LOCAL_FOLDER_NAME/"
mount --bind "$PATH_TO_SHARE/" "/home/$U/$LOCAL_FOLDER_NAME/"


echo "$PATH_TO_SHARE/ /home/$U/$LOCAL_FOLDER_NAME/ none defaults,bind 0 0">>/etc/fstab
rubo77
  • 32,486