chroot jail for sftp

Can anyone point me to a how-to for a recent version of Linux (such as Opensuse 11.x) to do this? The ones I’ve been running across online are all older, and require that you install a “jail” application to do this. I know that the newest versions of Linux don’t require this, but I’m fuzzy on the details.

I’ve already got one user set so that he can ONLY use sftp, but I’d like to jail him into his /home directory as well.

Thanks in advance …

I am still learning, but I use vsftpd for FTP and there is a command entered into the vsftpd.conf file that does that:

chroot_local_user=YES

I hope this helps.

I assume you mean sftp over ssh. To construct a chroot jail requires a specially hacked version of sftp. It can’t be done with the stock version. You can find any of a number of patches on the net that will do this. That was the situation when I looked at it about a couple of years ago. Perhaps the ssh people have introduced this feature since I looked, that I can’t say.

Yes, I was referring to the stock version of OpenSSH that ships with Opensuse. We don’t use “standard” FTP in any form.

Thanks. I’ll keep looking. The (minor) difficulty is that I have to be able to do all of this via ssh, because the server

You can substitute a different sftp server without messing with the ssh server since sftp is an add-on system.

For security and complexity reasons, I’d prefer not to do that. My source on that is O’Reilly’s “Building Secure Servers With Linux.” :slight_smile: (Plus, personal opinion, I admit it.)

I did yet still another Google search. This fellow:

HOWTO: chroot SFTP (only) - Index

… says that starting with OpenSSH 4.9, the capability to chroot is built in to the subsystem. I tried to follow the instructions for “OpenSSH versions 4.9 Upwards” (link near the bottom of the page), but I’ve missed something. The user can’t login at all. I’m getting this in the logs:

sshd[785]: fatal: bad ownership or modes for chroot directory “/home/[dirname]”

… so I’m running that down. This guy says that the directory must be owned by root, and that the user can’t write to it(!), which won’t do what I want, anyway. But I think he’s on the right track. If I get it working, I’ll post back here. This is fun. :slight_smile:

PS - for anyone here who might have a suggestion, I should have said that I’m using Opensuse 11.0 on this server. The installed OpenSSH package is 5.0p1.

Thanks for the link. It’s good to know that this facility is in the openssh package now. It would do what I want because the users on the server I manage are not allowed to have an interactive shell anyway. I’ll use it when those servers are upgraded.

Perhaps you could give the user a normal login and a sftp only login whose $HOME is owned by root?

I thought that’s what he meant, but after re-reading his how-to, I don’t think so. Otherwise, it makes no sense. I think I also missed the “chmod” on the sftp-server binary. This guy also warns that he hasn’t tried this with the pre-packaged SSH’s that come with Linux distros; he always builds from source and installs himself.

What makes me nervous is that the server is actually across the country in another city. I’ll have to do everything by ssh(!) or VNC. If I get something wrong, when I restart sshd, I could be hosed. I’m going to wait until tomorrow to experiment again. Someone will be on-site at the server’s location then.

Hi,

Just an idea: Try making /home the chroot dir. That’s owned by root and users can’t write to it. So maybe the user has write access when he changes to his dir. The other dirs you can protect by chmod 700 if you need that.

hth

Erik

Thanks, Erik, but I GOT IT. As it turns out, there’s a nice link to an Opensuse page here:

Database error - openSUSE

… that essentially details what “Minstrel” talks about in the link posted earlier, but specifically for Opensuse distros. All distros now have at least OpenSSH 4.8, which supports built-in chroot jailing for sftp.

The secret is that you have to actually change the owner of the /home/username directory to root. Then they can write in any directories that you have created for them (in this case, of course, public_html), but nowhere else. They are jailed, too; they can’t “cd” to anything up past that directory.

There’s a typo on that page: it has


export USERNAME="username";
chown root.root /home/$USERNAME;
usermod -d / $USERNAME;
adduser $USERNAME sftponly;

That third line should instead be,


usermod -d /home/$USERNAME;

… and now it works as intended. Beautiful!!!

:slight_smile:

This sounds like exactly what I needed a chroot sftp user for. The users in question have only access to a subtree of /srv/www and their home directory is set there. They are not allowed a ssh account anyway. So these would not be normal users in my case.

This is exactly what we needed, too. We have a user on our Webserver who will be maintaining a special section of our site. We want them to have access to that, with the ability to actually do things without our intervention or assistance, but without being able to touch or see anything else.

Oops. Try that one more time …


usermod -d /home/$USERNAME $USERNAME;
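
An added example, not part of the original thread or of the how-to pages it links: the "bad ownership or modes for chroot directory" error quoted above comes from sshd requiring every component of the ChrootDirectory path to be owned by root and not writable by group or others. This script checks a path against that rule before sshd is restarted; it assumes GNU stat, and the function names are made up for this example.

```shell
#!/bin/sh
# Pre-flight check for an sshd ChrootDirectory (added example; names are hypothetical).

# component_ok UID MODE -> 0 if a directory with this owner and octal mode passes
component_ok() {
    [ "$1" -eq 0 ] || return 1              # must be owned by uid 0 (root)
    [ $(( 0$2 & 022 )) -eq 0 ] || return 1  # no group or other write bit
    return 0
}

# path_components /a/b -> prints "/", "/a", "/a/b", one per line
path_components() {
    case $1 in /*) ;; *) echo "need an absolute path" >&2; return 2 ;; esac
    p=$1
    out=$p
    while [ "$p" != "/" ]; do
        p=$(dirname "$p")
        out="$p
$out"
    done
    printf '%s\n' "$out"
}

# check_chroot DIR -> lists each offending component; non-zero if any is found
check_chroot() {
    rc=0
    while IFS= read -r c; do
        owner=$(stat -c %u "$c") || { rc=1; continue; }
        mode=$(stat -c %a "$c")
        if ! component_ok "$owner" "$mode"; then
            echo "BAD: $c (uid=$owner mode=$mode)"
            rc=1
        fi
    done <<EOF
$(path_components "$1")
EOF
    return $rc
}

# Usage: sh check_chroot.sh /home/username
if [ $# -gt 0 ]; then
    check_chroot "$1"
fi
```

A home directory still owned by the user, or one left group-writable, shows up as a BAD line, which is the condition the chown to root in the thread corrects.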