How do I use ChrootDirectory to limit user access to directories?

Hi!

I'm running a LAMP server on a linode360 and all are going pretty well.

For now I have only 3 sites migrated, and all of them belong to me. But I want to move some other sites of my customers pretty soon.

So I don't want any user (using SFTP only, ftpd is not installed) to be able to access any path other than their own home directory (i.e. /home/user1).

I Googled this topic and found a lot of info, but all of it is pretty old :( and I'm not sure which method is more secure (e.g. when running reconfigure for scponly it says that it can be a root exploit hole!).

I found http://www.minstrel.org.uk/papers/sftp/builtin/ and I think that this will be a good and easy method. So I did the following:

I have added this to /etc/ssh/sshd_config

# Use the following line to *replace* any existing 'Subsystem' line
Subsystem       sftp    internal-sftp

# These lines must appear at the *end* of sshd_config
Match Group sftponly
        ChrootDirectory %h
        ForceCommand internal-sftp
        AllowTcpForwarding no

And after that I made these changes to the existing user:

usermod -G sftponly user1

usermod -s /bin/false user1

The second part is working fine: now user1 can only do SFTP, and can't access the SSH shell.

But the first part is not working as expected :( because the ChrootDirectory %h directive makes the user get disconnected from SFTP :( I tried with /home/%u but it's still the same.

If I deactivate the ChrootDirectory %h line, then the user can connect to SFTP again, but can't access other users' homes either :(

Please, can someone help me?

By the way, I'm using Debian 5.0 as deployed by Linode and openssh from Debian repository.

5 Replies

Ok… I followed this other article: http://www.debian-administration.org/article/OpenSSH_SFTP_chroot_with_ChrootDirectory

And now the user can connect to SFTP, but can't access ANY directory, not even his /home/user directory…

I can only see the directory tree for / (but can't access any directory in it).

And when trying to access his website I get a "Forbidden. You don't have permission to access / on this server." access error :(

Please, any help would be very appreciated…

Have a look at this topic if an alternate method feels sufficient to you.

http://www.linode.com/forums/viewtopic.php?t=4408

Thank you very much for your reply melon.

I was aware of that topic, but it is about the scponly method, which I don't want to use because of the risk it can pose.

Finally I found the problem with the ssh_config method…

If I change

ChrootDirectory %h

to

ChrootDirectory /home

I get this working :)

But I can't change that directory to the user's home (i.e. /home/user1), I don't know why :(

Can someone help PLEASE?

Did you do the following from http://www.minstrel.org.uk/papers/sftp/builtin/ ?

> Important (OpenSSH tests for this condition): ensure their home directory is owned by root, and is not writable by any other user or group. This must also be the case for each directory in the path up to the root of your system.

> One difference to note between this solution and my original one is that since users no longer own their home directory, they will be unable to create new files and directories directly within it. In my environment, this is not a problem, as I set up their top-level directories for them in any case.

These threads give some explanation for this requirement.

I'm using ChrootDirectory successfully, but there are a couple of quirks to getting it right:

1- The ChrootDirectory has to refer to the parent directory of the one you want to lock people into. If you want your user to only have access to /var/foo/bar, then you need to set

ChrootDirectory /var/foo

2- Permissions must be set correctly on all the parent folders. Bad ownership will cause the login to get denied. In the above example, /var/foo should be owned root:root.

If you find the login is failing, always check /var/log/auth.log. The reason, for example bad directory ownership, will usually be in there.
