How do I use ChrootDirectory to limit user access to directories?
I'm running a LAMP server on a linode360 and all is going pretty well.
For now I have only 3 sites migrated, and all of them belong to me. But I want to move some other sites of my customers pretty soon.
So I don't want any user (using SFTP only, ftpd not installed) to be able to access any path other than their own home directory (i.e. /home/user1).
I Googled this topic and I found a lot of info, but all of it is pretty old.
I found http://www.minstrel.org.uk/papers/sftp/builtin/
I have added this to /etc/ssh/sshd_config
# Use the following line to *replace* any existing 'Subsystem' line
Subsystem sftp internal-sftp
# These lines must appear at the *end* of sshd_config
Match Group sftponly
ChrootDirectory %h
ForceCommand internal-sftp
AllowTcpForwarding no
And after that, make these changes to the existing user:
usermod -a -G sftponly user1   # -a appends to the supplementary groups; without it, -G replaces them all
usermod -s /bin/false user1
The second part is working fine: now user1 can only do SFTP, and can't access an SSH shell.
But the first part is not working as expected.
If I deactivate the ChrootDirectory %h line, then the user can connect again to SFTP, but can't access other users' homes too.
Please, can someone help me?
By the way, I'm using Debian 5.0 as deployed by Linode and openssh from Debian repository.
5 Replies
And now the user can connect to SFTP, but can't access ANY directory, not even his /home/user directory…
I can only see the directory tree for / (but can't access any directory in it).
And when trying to access his website I get a "Forbidden. You don't have permission to access / on this server." error.
Please, any help would be very appreciated…
I was aware of that topic, but it is about using the scponly method, which I don't want to use because of the risk there can be.
Finally I found the problem with the sshd_config method…
If I change
ChrootDirectory %h
to
ChrootDirectory /home
I get this working.
But I can't change that directory to the user home (i.e. /home/user1); I don't know why.
Can someone help PLEASE?
> Important (OpenSSH tests for this condition): ensure their home directory is owned by root, and is not writable by any other user or group. This must also be the case for each directory in the path up to the root of your system.
> One difference to note between this solution and my original one is that since users no longer own their home directory, they will be unable to create new files and directories directly within it. In my environment, this is not a problem, as I set up their top-level directories for them in any case.
These threads
1- The ChrootDirectory has to refer to the parent directory of the one you want to lock people into. If you want your user to only have access to /var/foo/bar, then you need to set
ChrootDirectory /var/foo
2- Permissions must be set correctly on all the parent folders. Bad ownership will cause the login to get denied. In the above example, /var/foo should be owned root:root.
If you find the login is failing, always check /var/log/auth.log. The reason, for example bad directory ownership, will usually be in there.