7

I just created a new user friend on my server, the goal is to give SFTP access to a friend of mine, so that he can host his website there.

I noticed that when connecting the server by SFTP with user friend, the default folder is /home/friend/, but you can easily go out of /home/friend/ and visit all files in read access on the server, such as /home/anotheruser/website2/config.php! I don't want this.

I was told to put this user in "jailed / isolated mode", so, at the end of my default sshd_config:

... Subsystem sftp /usr/lib/openssh/sftp-server 

... I added this:

    Match User friend
        ChrootDirectory /home/friend
        ForceCommand internal-sftp

and did service sshd restart.

Then I could not connect to the server at all anymore by SFTP with user friend, oops! I also tried replacing Subsystem ... by Subsystem sftp internal-sftp but the result was the same: friend cannot connect to the server anymore via SFTP.

Question:

How to isolate user friend so that he cannot go out of his home /home/friend/ via SFTP/SSH?


Note: I already read How to Restrict SFTP Users to Home Directories Using chroot Jail, How can I chroot sftp-only SSH users into their homes? , etc.

1
  • Did you check the log files? Commented Jan 10, 2020 at 7:18

3 Answers

5
+50

Not sure what OS you are using but I use the link below when I have to configure jailed SFTP users. It is a really good tutorial on how to configure a jailed SFTP user.

https://access.redhat.com/solutions/2399571

I would then mount bind whichever directory to the chroot directory you want to give your friend access to.

2
  • Wonderful, it works! Commented Jun 17, 2020 at 10:20
  • There's still a problem: if you follow this tutorial, at the end the SFTP is indeed isolated but you can still access the whole filesystem by using PHP... unix.stackexchange.com/questions/593415/… Any idea about that @HeysusEscobar? Commented Jun 17, 2020 at 15:14
4

Working solution

This is inspired by the tutorial How to configure an sftp server with restricted chroot users with ssh keys mentioned in @HeysusEscobar's answer.

Do this from root:

    useradd friend                          # NB: this doesn't create a home dir, see https://askubuntu.com/q/374870
    passwd friend                           # set the password
    groupadd sftpusers
    mkdir /sftp
    mkdir /sftp/friend                      # this is where he'll be chrooted
    mkdir /sftp/friend/home                 # his home directory
    mkdir /sftp/friend/www                  # for websites
    usermod -aG sftpusers friend            # aG for append group
    chown friend:sftpusers /sftp/friend/home/
    chown friend:sftpusers /sftp/friend/www/
    usermod -d /sftp/friend/home friend     # set as his home directory

Add this to /etc/ssh/sshd_config:

    # Subsystem sftp /usr/lib/openssh/sftp-server   # you'll probably need to comment this line
    Subsystem sftp internal-sftp -d /home
    Match Group sftpusers
        ChrootDirectory /sftp/%u

and do service sshd restart. That's all!

Note that:

  • other users can still ssh, so it did not modify anything for other users
  • user friend cannot ssh
  • user friend can connect via sftp

PS: if you want to make friend's website available to internet, you can add this to Apache config:

    <VirtualHost *:80>
        ServerName friend.example.com
        DocumentRoot /sftp/friend/www
        php_admin_value "open_basedir" "/sftp/friend"
        <Directory />
            AllowOverride All
            Require all granted
        </Directory>
    </VirtualHost>

Side note: even with open_basedir above, can't friend still go out of his chrooted environment with PHP or run malicious code having an impact on the whole filesystem? Linked question: A chrooted/isolated SFTP user can still visit the whole filesystem with PHP


Old (half-working only) solution

Replacing ChrootDirectory /home/friend by ChrootDirectory /home helped, according to documentation:

ChrootDirectory: Specifies the pathname of a directory to chroot(2) to after authentication. All components of the pathname must be root-owned directories that are not writable by any other user or group.

With this, user friend can connect to SFTP again; cannot go out of /home/; but can still visit /home/anotheruser/..., which is unwanted!
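The rule quoted from the documentation is exactly why `ChrootDirectory /home/friend` was refused (that directory is owned by friend) while `/sftp/friend` works (root-owned all the way up). As an added check that is not part of any answer here, this POSIX shell script applies that rule to each component of a path; the function names, the constructed sample listings and the reliance on GNU `stat -c` for the live check are assumptions.

```shell
# Pure check (added example, not from the page). Reads "path owner octal-mode"
# lines, the shape `stat -c '%n %U %a'` prints, from stdin; returns 0 when every
# component is root-owned and not group/other-writable, else names the first bad one.
chroot_components_ok() {
    while read -r path owner mode; do
        [ -n "$path" ] || continue
        case $mode in
            [0-7][0-7][0-7]|[0-7][0-7][0-7][0-7]) ;;
            *) echo "BAD: $path: unparsable mode '$mode'" >&2; return 1 ;;
        esac
        if [ "$owner" != root ]; then
            echo "BAD: $path is owned by $owner, sshd requires root" >&2
            return 1
        fi
        perm=${mode#"${mode%??}"}   # last two octal digits: group, other
        group=${perm%?}
        other=${perm#?}
        if [ $((group & 2)) -ne 0 ] || [ $((other & 2)) -ne 0 ]; then
            echo "BAD: $path (mode $mode) is writable by group or others" >&2
            return 1
        fi
    done
    return 0
}

# Live check on Linux (assumes GNU stat): walks from the directory up to / and
# feeds each component to the pure check. Pass the expanded path (/sftp/friend),
# not the /sftp/%u pattern from sshd_config.
chroot_path_ok() {
    p=$1
    list=""
    while :; do
        list="$p
$list"
        [ "$p" = / ] && break
        p=$(dirname "$p")
    done
    printf '%s' "$list" | while read -r d; do stat -c '%n %U %a' "$d"; done \
        | chroot_components_ok
}

# Constructed sample listings (not real stat output) for the two layouts on this
# page: the rejected ChrootDirectory /home/friend and the working /sftp/friend.
sample_home_friend='/ root 755
/home root 755
/home/friend friend 755'
sample_sftp_friend='/ root 755
/sftp root 755
/sftp/friend root 755'
check_sample() { printf '%s\n' "$1" | chroot_components_ok; }
```

Run `chroot_path_ok /sftp/friend` on the server before restarting sshd; if it prints a BAD line, sshd will refuse the chroot for that user and the SFTP login fails, which matches the symptom described in the question.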

-2

You could keep the modifications to your .sshd_config file and use chmod -R 700 /home/anotheruser to restrict access to anotheruser's home from anyone else, including friend. You could modify the chmod value if this is too strict, but that is what I personally was looking for in my question here. (Sorry for posting this as another answer, I don't have enough reputation to add this as a comment to your answer)
