sftp user with ChrootDirectory
Dear All
I have successfully created a number of sftponly users with:
"ChrootDirectory /app/%u" option in sshd_config file.
So under /app there are the home dirs such as:
/app/user1, /app/user2 etc etc.
permissions on /app and /app/user* are as expected (root:root and 755).
So far so good and everything is working perfectly.
Here is the tricky part: Application owners want read/write permissions under /app for a user, let's say "thomas", who belongs to group "finance"... actually they are asking to "chown thomas:finance /app".
If I apply this then sftponly ownership rules are violated....
Any ideas how I can bypass this rule? Or implement a solution for such a request?
Note that using another directory for either sftp or the "thomas" user is not an option, /app must be used....
Many thanks in advance.
D.A
Responses
You might have to implement an alternate directory tree for chroot jails, like I've sometimes done.
First, create a set of directories for the chrooted users, like /jail/user1/user1, /jail/user2/user2. In those paths, /jail/user1, /jail/user2 etc. will be the root of the actual chroot jail, and will be owned by root.
Set sshd_config ChrootDirectory and make sure sshd is using internal SFTP:
ChrootDirectory /jail/%u
Subsystem sftp internal-sftp
Then, mount --bind the actual home directories from their original location to the chroot tree:
# mount --bind /app/user1 /jail/user1/user1
# mount --bind /app/user2 /jail/user2/user2
etc.
In /etc/fstab syntax, this should look like:
/app/user1 /jail/user1/user1 none bind 0 0
/app/user2 /jail/user2/user2 none bind 0 0
Within each chroot jail, create a symbolic link exactly like this:
# ln -s . /jail/user1/app
# ln -s . /jail/user2/app
etc.
This will create a set of links that will look like this:
# ls -l /jail/user1
drwxr-xr-x 2 root root 4096 Dec 14 17:22 user1/
lrwxrwxrwx 1 root root 1 Dec 14 17:22 app -> ./
This link makes the user home directory specification in /etc/passwd valid both within & without the chroot.
Outside the chroot, the user home directories are /app/user1 etc. just as before.
Within the chroot /jail/user1, pathname /app/user1 will also be valid: it will refer to (/jail/user1)/app/user1 through the symlink, which is equivalent to (/jail/user1)/./user1, which will be just (/jail/user1)/user1, which is exactly what we need. This will serve two purposes: it will allow the SFTP server to log the chrooted users correctly into their home directory, and if user1 wants, s/he can refer to the /app/user1 directory exactly like in the un-chrooted case... except that "the rest of the filesystem" just won't exist for him/her inside the chroot.
Optional (although often highly desirable): if you can arrange for a syslog /dev/log socket within the chroot, you can make SFTP log any file transfer commands used within the chroot. To do that, you'll need to create a /dev directory within each chroot:
# mkdir /jail/user1/dev
# mkdir /jail/user2/dev
etc.
Then you can either configure the syslog daemon to create an extra syslog socket to each jail, or alternatively make the main syslog socket visible within each jail using mount --bind:
# touch /jail/user1/dev/log
# touch /jail/user2/dev/log
# mount --bind /dev/log /jail/user1/dev/log
# mount --bind /dev/log /jail/user2/dev/log
etc.
Why the touch commands? Well, just like you'll need a directory as a mountpoint for a filesystem or a bind-mounted directory, for bind-mounting a single file you'll need an existing file as a mount point.
Again, in /etc/fstab syntax these bind-mounts will look like this:
/dev/log /jail/user1/dev/log none bind 0 0
/dev/log /jail/user2/dev/log none bind 0 0
Finally, you can increase the log level of the SFTP server in /etc/ssh/sshd_config:
Subsystem sftp internal-sftp -l INFO
