Results 1 to 3 of 3

Thread: Chroot sftp users. In case your folder to chroot is not /home/user

  1. #1
    Join Date
    Feb 2017
    Beans
    8

    Chroot sftp users. In case your folder to chroot is not /home/user

    Hi all! Posting this because I wish someone has done the same when I struggled with this seemingly simple task.
    Hope this helps someone.

    TASK

    - Let’s say we are in need to have a sftp access to our server for a certain user.

    - Let’s also say we need the user we are giving access to to be limited to his/her folder without any way of browsing the system, let alone modify and or execute anywhere besides the user’s folder.

Let’s also assume that the folder we are creating for the user is not simply /home/user, but like in my case is located on a separate volume in a far away folder. All the tutorials on internet I’ve found were using /home/user as the user’s folder. And it took my dumb ass several hours to figure out why my user WOULDN’T get access to the folder I needed him to - that is because NO ONE mentioned that the chain of ownership and permissions needed for chrooting an sftp user has to start ALL THE WAY from the /

    - I also needed this user to have the least amount of folders to click on before he/she could be able to upload/download. At the same time, from my side, I needed a uniform way to create folders so that I’d know where to upload the content (also I already had a huge FTP (before I made it into a sftp connected system) archive from a previous install, that I was reluctant to completely scratch and start over. To make my life easier I simply added ONE folder to each existing user folders with the same name to respect the permission/ownership necessity for chrooting sftp users. Surely I had to move all the existing content to the new additional folder, but since I used MOVE command instead of COPY - it was very fast despite the amount of files and folders inside each user's "homes".

    If you are like me - this is the answer:

    - we have a user john
    - he needs to be allowed via sftp and chrooted to a folder that is locally /mnt/sdb1/POK/FTP/john/john/
 <--- there is a reason there are 2 "john" folders - read on


    SOLUTION

    1. Create a user:
    1.sudo useradd john
    2. sudo passwd john
    3. sudo usermod -d /home/john john (home directory)


    2. Create a folder for future ftp access:
    1. In case of a long chain of folders, create a double folder name at the end of the chain: /mnt/sdb1/POK/FTP/john/john/useable_folder (read/write is the last one in the chain)
    2. Make sure that every single folder in the chain EXCEPT /useable_folder are set the following way:
    1. owned by root (sudo chown root:root /mnt, sudo chown root:root /mnt/sbd and so on all the way to the /mnt/sdb1/POK/FTP/john/john)
    2. set permissions to all of the above folders to 0755 (sudo chmod 0755 /mnt)
    3. set /useable_folder to be owned by john (sudo chown john:john /mnt/sdb1/POK/FTP/john/john/useable_folder)
    4. set /useable folder permissions to 0777 (sudo chmod 0777 -R /mnt/sdb1/POK/FTP/john/john/useable_folder)
 - or whatever other permissions you want - that will be the folder your user can manipulate in.

    3. open /etc/ssh/sshd.config in nano :
    1. Do this modification (uncomment the second line) : 




    Code:
    #Subsystem sftp /usr/lib/openssh/sftp-server

    Subsystem sftp internal-sftp

    2. Add the following lines to the end of file:




    Code:
    Match user john
  
    ChrootDirectory /mnt/sdb1/POK/FTP/john/john/
  
    ForceCommand internal-sftp
  
    AllowTcpForwarding no

    4. Save the file and exit and restart sshd (sudo systemctl restart sshd)


    5. Optional: you can set what kind of access your sftp user has to the server. Initially, it is /bin/bash or /bin/sh which allows for the user to ssh to the server with his credentials. For security reasons if you need to limit this user ONLY to sftp connections without an option for a ssh login, add this to /etc/passwd file instead of /bin/bash or /bin/sh at the end of the line with users credentials:

/usr/libexec/openssh/sftp-server

Don’t forget to restart the sshd after this.

If you get any errors on login through FileZilla - first make sure it is connecting via sftp (you can set it in the preferences, or you can type full address in the address field —> sftp://10.20.30.40) , next thing to check is the correct owner and permission on the entire chain of folders from / to the /useable_folder. I’ve had to double check it a few times, because some of the attributes wouldn’t stick.
    Last edited by kaynemo2; January 19th, 2023 at 12:55 PM.

  2. #2
    Join Date
    Jun 2006
    Location
    UK
    Beans
    Hidden!
    Distro
    Ubuntu 22.04 Jammy Jellyfish

    Re: Chroot sftp users. In case your folder to chroot is not /home/user

    @kaynemo2, I've moved this post from Networking & Wireless to the Tutorials section. I've also removed the now-superflous solved and tutorial tags from the thread title.

    Thank you for your interest, but please see our Tutorials Guidelines: https://ubuntuforums.org/showthread.php?t=2143602

    In particular:

    Tutorials should be supported.
    You are expected to offer support for your tutorial, within practical limits. If you fail to respond to requests for help or clarification within a reasonable time, or fail to update your tutorial, the thread will be closed or removed.
    Ubuntu 22.04 Desktop Guide - Ubuntu 24.04 Desktop Guide - Forum Guide to BBCode - Using BBCode code tags

    Member: Not Canonical Team

    If you need help with your forum account, such as SSO login issues, username changes, etc, the correct place to contact an admin is here. Please do not PM me about these matters unless you have been asked to - unsolicited PMs concerning forum accounts will be ignored.

  3. #3
    Join Date
    Feb 2017
    Beans
    8

    Re: Chroot sftp users. In case your folder to chroot is not /home/user

    Thanks. I was just trying to help, actually.

Tags for this Thread

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •