sftp chroot

jorgeraimundo · September 16, 2009, 5:01pm

Hello all!

I have the following chroot config for ssh/sftp:

Match Group sftpchroot
        ChrootDirectory /home
        ForceCommand internal-sftp
        AllowTcpForwarding no

Whenever I make an sftp login with a user that belongs to the sftpchroot group the folder shown is /home instead of /home/$USER as expected.

How can I change this…

Best regards,
Jorge

Akoellh · September 16, 2009, 5:10pm

jorgeraimundo:

Hello all!

I have the following chroot config for ssh/sftp:
Match Group sftpchroot
        ChrootDirectory /home
        ForceCommand internal-sftp
        AllowTcpForwarding no

Try replacing “/home” with “%h”.

user · September 16, 2009, 5:21pm

jorgeraimundo wrote:

> I have the following chroot config for ssh/sftp:
>
> Code:
> --------------------
> Match Group sftpchroot
> ChrootDirectory /home
> ForceCommand internal-sftp
> AllowTcpForwarding no
> --------------------
>
>
> Whenever I make an sftp login with a user that belongs to the
> sftpchroot group the folder shown is /home instead of /home/$USER as
> expected.
>
> How can I change this…

Test it with:

ChrootDirectory /home/%u

Greetings,

–
Camaleón

jorgeraimundo · September 16, 2009, 5:58pm

Hi!

Thank you both for replying!

I’ve tried with ChrootDirectory /home/%u or ChrootDirectory %h which is the same, but that poses a problem.

If I chroot directly to the user’s home I’ll have to chown /home/$USER to root:root, otherwise the chroot won’t be successful.
But if I do that, then the user will not be able to do anything in /home/$USER. And unless it has already some folders inside that belong to him, he won’t be able to do a single thing.

Therefore I set ChrootDirectory /home and the user umask to 077 so that no one can peek on the other’s home.

Like this the user is able to fully use it’s home, it’s still able to go up one level and see which folders exist (not elegant) but it’s freedom ends there.

Everything would be almost perfect if it went directly to /home/$USER instead of /home.

Thank you for your time.

Best regards,
Jorge

knurpht · September 16, 2009, 8:45pm

I’ve read this and I still don’t understand what you’re trying to achieve. My ftp users all chroot to a /blabla/ftp/%u, which makes them have their own little dropbox on my server. They cannot look into eachother’s folders. Nor explore the system.

jorgeraimundo · September 17, 2009, 10:53am

My ftp users all chroot to a /blabla/ftp/%u

My ftp users too. I have no problem chrooting ftp to /home/%u.
It’s with SFTP that I’m having a bit of trouble.
If I tell sftp to chroot to /home/%u, I’ll have to chown root:root all the /home/%u folders. And that’s not nice for the users because it limits their actions on their own homes.

Hope I made myself clear.

Best regards,
Jorge