2

I really need some help, I have been trying to jail a user using ubuntu.

Thing to note:

  1. james is the user
  2. sshusers is the group
  3. /home/james/upload/ is the directory where I wish to lock user

sshd_config:

AllowGroups sshusers 

Match Group sshusers
    ChrootDirectory /home/%u/upload/
    ForceCommand internal-sftp

I followed an answer on askubuntu , here are my commands 

sudo chown root /home/james
sudo chmod go-w /home/james
sudo mkdir /home/james/upload
sudo chown james:sshusers /home/james/upload
sudo chmod ug+rwX /home/james/upload

Problem:

I get this error

Error:  Network error: Software caused connection abort
Error:  Could not connect to server

I investigated in the logs, and I found this:

fatal: bad ownership or modes for chroot directory component "/home/james/upload/"

But if I run the following commands

sudo chown root /home/james/upload
sudo chmod go-w /home/james/upload

It works perfect , user can connect, folder is locked BUT cannot drop files in the directory

Status: Listing directory /
Status: Directory listing successful
Status: Starting upload of C:\Users\Program\AppData\Local\Temp\fz3temp-1\empty_file_yq744zm
Command:    put "C:\Users\Program\AppData\Local\Temp\fz3temp-1\empty_file_yq744zm" "test"
Error:  /test: open for write: permission denied
Error:  File transfer failed

Please advice, I have search google so much all the links are purple now (visited :P)

I'm using filezilla client to test SFTP.

Community
  • 1
meda
  • 151

2 Answers2

4

The ChrootDirectory directive expects that the chroot directory be owned by root, and not writable by anybody else. So you cannot jail a user to a directory and allow the user permission to write to that directory. You can:

Chroot to home, upload to upload/

The first set of commands you tried are correct for this:

sudo chown root /home/james
sudo chmod go-w /home/james
sudo mkdir /home/james/upload
sudo chown james:sshusers /home/james/upload
sudo chmod ug+rwX /home/james/upload

However, the option in sshd_config would be:

Match Group sshusers
    ChrootDirectory %h
    ForceCommand internal-sftp

(%h is replaced by the home directory of the user being authenticated, equivalent to /home/%u for most cases.) In addition, to limit the visibility of folders in /home/james, and restrict write permission there, use the recursive options for chown and chmod in the first command for /home/james, and remove read permissions. The modified set would look like:

sudo chown root /home/james -R 
sudo chmod go-rwx /home/james -R  # Disallow traversing any directory in home 
sudo chmod go+x /home/james       # Allow traversing this directory
sudo mkdir /home/james/upload
sudo chown james:sshusers /home/james/upload
sudo chmod ug+rwx /home/james/upload

Now the user should only be able to access /home/james/upload, or /upload.

Chroot to upload, upload to upload/some_directory

Pretty much the same as above, replacing /home/james/ with /home/james/upload, and /home/james/upload with /home/james/upload/some_directory. No particular gains.

Change the home directory of james to /upload

The usual behaviour of ChrootDirectory is: "After the chroot, sshd(8) changes the working directory to the user's home directory." So we change james's home directory:

usermod -d /upload  user

Then set the ChrootDirectory to /home/%u. Use the same restrictions in the first option.

muru
  • 197,895
  • 55
  • 485
  • 740
  • this make sense, but how would the users manage to change directory to upload ? I have seen linux servers that would restrict you to a folder just by logging in? – meda Sep 20 '14 at 03:03
  • @meda The usual behaviour of ChrootDirectory is: "After the chroot, sshd(8) changes the working directory to the user's home directory." So say you have /some/dir/chroot/home/james, and you set ChrootDirectory to /some/dir/chroot, it will change the directory to the home folder, relative to that: /some/dir/chroot/home/james. That's probably how those servers do it. – muru Sep 20 '14 at 03:07
  • @meda see update. – muru Sep 20 '14 at 03:11
  • This clarifies a lot @muru, I cant try it now , but I get back to u thanks a lot – meda Sep 20 '14 at 03:24
  • unfortunately I get the same result – meda Sep 20 '14 at 18:39
  • all I need to do is restrict a user to an folder where he can upload folder, I dont know why this is so hard. can you re adapt your answer to achieve this ? – meda Sep 20 '14 at 19:00
  • Ok Now I manage to connect to the right folder, by passing upload name to the command, but how can I do it directly – meda Sep 20 '14 at 19:40
  • @meda I am not around a PC now. I'll test it out with FileZilla and update when I am. – muru Sep 20 '14 at 19:41
  • ok no problem, I went to the office just to try your suggestion, so take your time and let me know when u get a chance – meda Sep 20 '14 at 19:42
0

The built-in sftp chroot mechanism in OpenSSH requires that the chroot directory be owned by root (and not writable by users). This could be a pain if the directory is an SMB/CIFS share for example, where you'd have to do bind mount.

One of the more flexible solution would be to use MySecureShell (http://mysecureshell.readthedocs.io/en/latest/)

apt install mysecureshell

It works without any modification to your default OpenSSH settings. All you need to do is make your SFTP user login shell to mysecureshell, and it will take care of the ACL/virtual chroot for you. See the documentation for details,

For example, once you have installed MySecureShell, you can then add an SFTP user (restricted to their home directory) as below,

sudo useradd -m -d /home/sftpuser01 --shell /usr/bin/mysecureshell sftpuser01

From the above, the user 'sftpuser01' will get virtual chrooted to '/home/sftpuser01' in SFTP session.

It also provide a lot of flexible options to control ACL, group etc by configuring '/etc/ssh/sftp-config'. Please refer to http://mysecureshell.readthedocs.io/en/latest/configuration.html for details.

TL-Aiyor
  • 66