Providing SFTP access to non-users

This is my first time around with Linux on my own (Debian 5) and I'm trying to provide SFTP access to other people so they can only upload and download files in a specific website directory (/srv/www/example.com).

I followed this great tutorial: http://library.linode.com/security/sftp-jails/

I changed the user's home directory to /srv/www/example.com but didn't change folder permissions for any subfolders.

I am able to login with a new account via SFTP and view all the subfolders. I can download files. The problem is I cannot upload any files. I get permission denied when opening for write.

I know this is something incredibly basic but I don't have a good grasp on users, groups, and permissions yet. I didn't want to change ownership of any of the files from www-data because I didn't want to break something.

Any help appreciated.

22 Replies

Run ls -l in the directory where your files are stored and you'll see something like

-rw-r--r-- 1 user group 1196189 Dec 13 07:38 filename

The first rw means the user has read/write access; the other r's mean the group and everyone else have read access. What you will want to do is either set the group bit to read/write or the other bit to read/write (depending on how restrictive you want to be).

Use chmod g+w filename to set the group write bit, or chmod o+w filename to set the other bit writable.
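The choice in the reply above is between g+w (open the directory to a group the SFTP user belongs to) and o+w (open it to every local account and process). The following is an added example, not code from the thread: it checks which bits a directory carries, applies the group route with setgid so uploaded files inherit the www-data group rather than the uploader's primary group, and puts the SFTP account into that group. The www-data group is the one the original poster wants to keep; the paths and the user name are illustrative, and the script assumes GNU coreutils (stat -c).

```shell
#!/bin/sh
# Added example, not from the thread: open a web directory to an SFTP user
# through its group instead of through "other", keeping www-data as owner.
# Assumes GNU coreutils (stat -c) and an existing www-data group.

# Symbolic mode of a path, e.g. "drwxrwsr-x".
mode_of() {
    stat -c '%A' "$1"
}

# 0 if the group write bit (6th character of the mode string) is set.
group_writable() {
    case "$(mode_of "$1")" in
        ?????w*) return 0 ;;
        *)       return 1 ;;
    esac
}

# 0 if "other" can write (9th character). This is what chmod o+w gives you:
# any local account or process on the box can then drop files there.
world_writable() {
    case "$(mode_of "$1")" in
        ????????w*) return 0 ;;
        *)          return 1 ;;
    esac
}

# The reply's chmod g+w, plus setgid on the directory so that files uploaded
# into it are created with the directory's group (www-data) rather than the
# uploader's primary group, and the web server keeps reading them.
make_group_upload_dir() {
    d="$1"
    [ -d "$d" ] || { echo "$d: not a directory" >&2; return 1; }
    chmod g+ws "$d"
}

# Root only: put the SFTP account into the directory's group. Membership takes
# effect at the user's next login.
grant_group_access() {
    user="$1"; d="$2"
    [ "$(id -u)" -eq 0 ] || { echo "grant_group_access: run as root" >&2; return 1; }
    grp=$(stat -c '%G' "$d")
    usermod -a -G "$grp" "$user"
}

# Usage (as root), with the thread's layout:
#   make_group_upload_dir /srv/www/example.com/public_html
#   grant_group_access sftpuser /srv/www/example.com/public_html
```

Uploaded files are created with the uploader's umask, so with the usual 022 they end up 644 and group www-data, which is enough for the web server to read them; nothing has to be chowned away from www-data. Use world_writable as the check that you have not accidentally taken the o+w route on a web root.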

Hi Volantis,

I just went through the same discovery process. You have to make root the owner of the jailed chroot, and then the user the owner of the recursive directories. So I did the following

chown root:root /srv/www/domain1.tld

chown root:root /srv/www/domain2.tld

and so on for each domain. Then, I did

chown user1:user1 /srv/www/domain1.tld/*

chown user2:user2 /srv/www/domain2.tld/*

After all this is done, they will be able to write to any subfolder within their jailed chroot (/srv/www/domain.tld/public_html for example), but they will not be able to write directly to the root folder. So you would need to create any new subfolders directly off the root directory for the user.

Now if you're going to have a single user managing multiple domain folders, take a look at rsk's last post from my thread, which is pretty clever, you would just need to ensure the wwwroot for those domains are updated properly in the vhost file(s): http://www.linode.com/forums/viewtopic.php?t=6359

Uf, I don't get this, this is what I need but I can't get it to work.

First of all, http://library.linode.com/security/sftp-jails/ says:

Restart OpenSSH as follows:

/etc/init.d/ssh restart

but it's not working, I can't navigate to the init.d folder.

cd init.d is not working, I can't get into that folder.

Then this tutorial doesn't say, but I guess I have to add a user; I just don't know if I can do it when I log in to the Linode admin interface, or do I have to do it from the command line?

Ah, this is so complicated for me, and I really need to get this thing to work, please help :(

Ok, so I'm able to create a user, and the user can login with FileZilla using SFTP. The user logs in directly where it's supposed to, to the right domain that I want, BUT he can then navigate up, he can see all other sites on the server and all other files.

How can I prevent him from seeing other files on the server?

@AndrijaM:

Ok, so I'm able to create a user, and the user can login with FileZilla using SFTP. The user logs in directly where it's supposed to, to the right domain that I want, BUT he can then navigate up, he can see all other sites on the server and all other files.

How can I prevent him from seeing other files on the server?
I managed a similar solution via scponly. It has a script for creating the chroot environment, and it's working nice for me.

Melon, I'm not sure what you're trying to say… what should I do to make this work?

@AndrijaM:

Melon, I'm not sure what you're trying to say… what should I do to make this work?
Sorry for giving an incomplete suggestion. I thought you're looking for a solution to allow your users to log in via SFTP and restrict them into their home directory via chroot/jail.

I managed to do this via the scponly package. The package provides two shells: scponly and scponlyc - the latter being a chrooted sftp-only shell. The deb package has a setupchroot.sh script which by default is in /usr/share/doc/scponly/setupchroot in Ubuntu. The shell script will create the user, set up the home directory and install a minimal chroot environment for that particular user. I found this method absolutely fine for me, however your mileage may vary.

If this is not what you want to achieve, I may have misread something, and burn my post after reading :)

Melon, thanks, thats exactly what I need to do:

to allow user to log in via SFTP and restrict them into their home directory… (I don't know what chroot/jail is, I need easiest way to make this work )

just don't know how :)

I installed scponly package. How do I start that script?

And btw setupchroot.sh is setupchroot.sh.gz

@AndrijaM:

Melon, thanks, thats exactly what I need to do:

to allow user to log in via SFTP and restrict them into their home directory… (I don't know what chroot/jail is, I need easiest way to make this work )

just don't know how :)

I installed scponly package. How do I start that script?

And btw setupchroot.sh is setupchroot.sh.gz
A chroot or jail environment means that a user or process is restricted to its own directory and cannot see the entire filesystem.

If the setup_chroot.sh script is gzipped, you need to uncompress it first.

Go to the directory where your setup_chroot.sh.gz file is, then run:

sudo gunzip setup_chroot.sh.gz

If the script is not executable, change permissions (e.g.: sudo chmod 755 setup_chroot.sh)

After that you can run the script as root (sudo ./setup_chroot.sh), which will ask for a username, home directory, name of the writable dir (default is 'incoming') and lets you set the password for the new user.

If everything goes fine, your system will have a user that can only login to an scp/sftp enabled shell and cannot change directory outside its home.

You are advised to plan the filesystem layout for your websites, for example:

domain1.com and domain2.com for user 'john':

virtual host roots:

/srv/www/john/domain1.com/public

/srv/www/john/domain2.com/public

john's home is:

/srv/www/john

Then either set the public folders' permissions to something that john is able to write, or change the folder's ownership to john's.

I hope this is clear and simple enough.

One additional note: I usually create a user group named 'sftponly' and put these chrooted users to this group and set this group in sshd_config:

Match group sftponly
    PasswordAuthentication yes
    PubkeyAuthentication no

If I want my users to use only key-based logins I switch the yes/no values in the config above.

Thanks Melon, I'm fighting this on two sides, two different roads, opened another thread here, but still no luck.

This is what I get:

/bin/grep: config.h: No such file or directory

your scponly build is not configured for chrooted operation.

please reconfigure as follows, then rebuild and reinstall:

./configure --enable-chrooted-binary (… other options)

It seems that your config.h is missing from where the script searches for.

I just checked my files and there is a config.h file in the same directory as the setup_chroot.sh script. I suppose this config.h file needs to be in the same directory as the script.

However, this is Ubuntu 8.04; other distros or versions might have placed this elsewhere.

No, it's in the same /usr/share/doc/scponly/setupchroot directory, config.h and setupchroot.sh are only two files there, something else is wrong, I guess config.h needs to be changed…

Your error message said that the script could not open config.h with the grep command so I suppose you did not run the script from its directory. Please check.

This is what I run:

sudo /usr/share/doc/scponly/setupchroot/setupchroot.sh from root.

Is this the correct command or I'm missing something?

I did: sudo chmod 755 setup_chroot.sh before and that went well..

@AndrijaM:

This is what I run:

sudo /usr/share/doc/scponly/setupchroot/setupchroot.sh from root. …
That is, if you don't change to the directory before running the script, it will not be able to open config.h. Try this:

$ cd /usr/share/doc/scponly/setup_chroot
$ sudo ./setup_chroot.sh

Nothing again :(

I did $ cd /usr/share/doc/scponly/setup_chroot

and from there sudo setup_chroot.sh with and without ./ and now says

sudo: setup_chroot.sh: command not found

@AndrijaM:

Nothing again :(

I did $ cd /usr/share/doc/scponly/setup_chroot

and from there sudo setup_chroot.sh with and without ./ and now says

sudo: setup_chroot.sh: command not found
eeer… I hope you entered the commands without the '$' sign ;) My bad if those characters confused you.

Also check if setupchroot.sh has executable permissions (e.g. sudo chmod 755 setupchroot.sh if not)

Edit: just retracted my alternative suggestions.

Yes, without $ :D

setup_chroot.sh was 644 but I chmod it to 755 before.

But what's this ./ that you wrote sudo ./setup_chroot.sh

If i'm already in the right directory do I have to type ./ ?

I really don't get this, I know I'm in the right directory, when I type dir it list two files: config.h and setupchroot.sh so everything is there, just sudo setupchroot.sh says: command not found??

Am I misspelling the command somehow?

If you run an executable without any path in the filename, the file being executed has to reside in a directory defined in your PATH environment variable. If you specify the path ./ before the filename (which means the current directory) it will not search the file in PATH (/bin, /usr/bin, etc.)

Alternatively you can run the script like this:

sudo sh setup_chroot.sh

This method does not require you to set the script as executable.

I hope this will finally resolve your issue.

Melon, thanks a lot for helping me out.

sudo sh setup_chroot.sh

that was a winner :)

I was able to start the script, created a user, all went fine, BUT again I'm on the same position as in this thread, user is able to browse all server, he can go up, and see all other sites and file up to the top.

Plus, now I see, I can't write files anywhere on the server, I can only download files, I can't write even in the users home dir :(

As a slightly different perspective - when I wanted a similar file transfer lock down in the past for remote updates to web content, I ended up using something other than OpenSSH, in large part since I had an additional desire of not wanting the transfer accounts to have to exist on the system as actual users, so I could maintain them independently.

I found vsftpd to be very straight forward. It supports virtual accounts, so you can set up a PAM source that purely does authentication, easy to lock down accessible directories per user, and can configure such transfers to all use a single system account, like www-data, for file ownership. But it does mean that your clients will need to support FTPS rather than SFTP. Many transfer clients do, but it could be an issue.

Another alternative is proftpd, which is a bit more extensive, but can also support SFTP, in addition to multiple source options (including a SQL database) for virtual accounts.

In my case I mostly went with vsftpd after comparing the two since it had a simpler configuration to set up for my specific purposes, but I didn't have any particular issues with proftpd, so would have used it if I needed any of its features.

– David

@david

thank you for your suggestion, I'm kind of newbie so it would be difficult for me to do what you said.

Luckily, I found an easier solution

http://forum.linode.com/viewtopic.php?t=6437

@melon

thanks a lot :)
