On 01.05.2015 at 15:36, Markus Rosjat wrote:
Well, I got it running to a point where my user got logged in to his home dir. He is now chrooted to /var/sftp because this one is owned by root and not writeable for others. He can still jump from the home dir (well, it's not really his home) /var/sftp/testsftp to the root (which is the actual home) /var/sftp.
Is there something I can do to prevent this last no-go?
Okay, if I revoke the read permission on /var/sftp it seems to work as I expect it.

so here is the setup if someone is interested:

sshd_config:

 - no password auth
 - key auth
 - sftp is internal-sftp
 - match rule for group, see below

Filesystem:

 - home owned by root:wheel  0711
 - the user dir under home user:sftpuser 0750 (maybe later just 0700)


On 01.05.2015 at 15:15, Nick Holland wrote:
On 05/01/15 07:07, Markus Rosjat wrote:
hi there,

I'm just doing some testing with sftp access and I stumbled over some things
I don't get.

If I use the chroot I would assume the user can't browse to the root dir,
but it seems he can.
Do I get the whole chroot thing wrong here?
You get the idea, but you aren't implementing it right, and thus the
chroot isn't working.
Since I want my user to have full access to his home I use the following setup in sshd_config:

Match Group sftpuser
        ChrootDirectory /var/sftp
        ForceCommand internal-sftp -d %u
        AllowTCPForwarding no
        X11Forwarding no

I set sshd up to just use key auth and gave the user a nologin because I
just want him to use sftp. I checked it with a shell so I know the key
gets accepted, but with the nologin and sftp I can't log in.
So it seems the statement "we don't need a shell for sftp" is not working.
Are you using "internal-sftp"?
yes
I used a different home dir for the sftp users and applied the suggested
permissions and ownership, but it doesn't seem to work:

/var/sftp <- root:sftpuser  0100
changed that to root:wheel 0711
/var/sftp/testuser <- testuser:sftpuser 0750
and I presume "testuser" is your login name?
Yeah, like I said, I'd like to give the user full access to his home; the group permission may be removed if it works without.
man sshd_config
search for "ChrootDirectory".

    At session startup sshd(8) checks that all
    components of the pathname are root-owned directories which are
    not writable by any other user or group.

You aren't doing that.
No, I just tell ssh that the home is the directory above and move the user to his real home.
Yes, that looks strange.  Your SFTP user's home dir they will be
chrooted in has to be owned by ... ROOT!  AND they can't have
permissions there!  ("Whose home is this anyway??")
Someone who doesn't need to live in the real home ;)

Now...inside that directory, you can create writable directories.

There is a reason for this (of course) -- you don't want your chroot
user creating a /etc and /dev et al. directories which could be
influencing other chroot'ed applications.

Nick.



--
Markus Rosjat    fon: +49 351 8107223    mail: ros...@ghweb.de

G+H Webservice GbR Gorzolla, Herrmann
Königsbrücker Str. 70, 01099 Dresden

http://www.ghweb.de
fon: +49 351 8107220   fax: +49 351 8107227
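As an added example (not part of the thread and not OpenSSH's own code), a POSIX sh check that applies the sshd_config(5) rule Nick quotes to every component of a ChrootDirectory path; it relies only on `ls -ldn`, so it runs on both OpenBSD and Linux. The sample lines in the comments are constructed to match Markus's final layout (/var/sftp root:wheel 0711, the user directory testuser:sftpuser 0750 below it).

```shell
#!/bin/sh
# Added example (not OpenSSH's own code): apply the sshd_config(5)
# ChrootDirectory rule, "all components of the pathname are root-owned
# directories which are not writable by any other user or group", to a
# path. Only POSIX sh and `ls -ldn` are used, so it runs on OpenBSD and Linux.

# Judge one `ls -ldn` line: must be a directory, uid 0, and have no group
# or other write bit. Prints the reason on failure; returns 0 if acceptable.
chroot_component_ok() {
    set -- $1                      # $1 = mode string, $3 = numeric uid
    mode=$1; uid=$3
    case $mode in
        d*) ;;
        *) echo "not a directory"; return 1 ;;
    esac
    if [ "$uid" != 0 ]; then
        echo "owned by uid $uid, must be root (0)"; return 1
    fi
    # mode string is d rwx rwx rwx: group write is column 6, other write column 9
    gw=$(printf '%s' "$mode" | cut -c6)
    ow=$(printf '%s' "$mode" | cut -c9)
    if [ "$gw" = w ] || [ "$ow" = w ]; then
        echo "writable by group or others ($mode)"; return 1
    fi
    return 0
}

# Walk from the chroot target up to /, checking every component, e.g.
# /var/sftp, /var and /. The user's directory below the chroot
# (/var/sftp/testuser, owned by the user) is deliberately not checked:
# it lies inside the chroot and is not part of the ChrootDirectory path.
check_chroot_path() {
    p=$1
    while :; do
        line=$(ls -ldn "$p" 2>/dev/null) || { echo "$p: cannot stat"; return 1; }
        reason=$(chroot_component_ok "$line") || { echo "$p: $reason"; return 1; }
        if [ "$p" = / ]; then break; fi
        p=$(dirname "$p")
    done
    echo "$1: every component is root-owned and not group/other writable"
    return 0
}

# Constructed sample lines in `ls -ldn` format matching the thread's layout:
#   root:wheel 0711 /var/sftp  -> "drwx--x--x 2 0 0 512 May 1 15:00 /var/sftp" (accepted)
#   testuser:sftpuser 0750     -> "drwxr-x--- 2 1001 1001 512 May 1 15:00 /var/sftp/testuser" (rejected: not root-owned)
# Usage: sh check_chroot.sh /var/sftp   (exit status 1 if sshd would refuse the path)
if [ $# -gt 0 ]; then check_chroot_path "$1"; fi
```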

