Re: Solved? permissions, httpd with sftp chroot directory

2018-09-19 Thread Chris Bennett
On Wed, Sep 19, 2018 at 02:59:42PM -0700, Chris Bennett wrote:
> OK, I think I have this right now
> 
> Files in /etc/mtree show proper owner:group mode everywhere.
> Files inside of httpd chroot have same as outside.
> Added an sftp chroot directory inside of httpd chroot for external user.
> Thus they can upload and download, but do the work elsewhere. Nologin.
> Right now, these directories for individual websites have ownership
> of root:daemon, is that correct?
> 

Seems to be all OK, except that I had to create a subdir in order to get
everything right with the sftp chroot. I'm OK with that.
I'll look through the threads I saw but didn't read, to learn more.

:-)
Chris Bennett




Solved? permissions, httpd with sftp chroot directory

2018-09-19 Thread Chris Bennett
OK, I think I have this right now

Files in /etc/mtree show proper owner:group mode everywhere.
Files inside of httpd chroot have same as outside.
Added an sftp chroot directory inside of httpd chroot for external user.
Thus they can upload and download, but do the work elsewhere. Nologin.
Right now, these directories for individual websites have ownership
of root:daemon, is that correct?

Thanks,
Chris Bennett




Re: sftp chroot

2017-06-14 Thread Markus Rosjat
Thanks for the info. The read-only would be rw, but it's at least worth
looking at even if it's hackish :-P


But I also figured, since I don't need a shell for these users, I can
simply force them into an sftp chroot somewhere else, but this is something I
have to refine more, though.


On my test machine I have a kind of weird setup right now:

 - normal system user with home in /home/username
 - forced into a chroot with sshd_config somewhere in
/var/www/htdocs/chrootdir


I have to wait and see if this is a solution to go with, but then again, as
long as it does what it is supposed to do, I'm okay with it.


So let's wait for the crybabies to complain about all the things they
can't do without asking for permission first.


Regards

Markus


On 14.06.2017 at 20:53, Ville Valkonen wrote:

On 14 June 2017 at 11:33, Markus Rosjat <ros...@ghweb.de> wrote:

Hi there,

I want to build an sftp environment where the user is chrooted to his home
dir. So far so good but then again the user might need access to a webserver
resource like /var/www/htdocs/some_dir

As far as I understand a symlink doesn't work in the chroot setup and I'm not
quite sure how to achieve this.

I could simply make /var/www/htdocs/some_dir the home dir of the user but I'm
not sure if this is the recommended way.

So once again advice is helpful :)

regards

--
Markus Rosjat    fon: +49 351 8107223    mail: ros...@ghweb.de

G+H Webservice GbR Gorzolla, Herrmann
Königsbrücker Str. 70, 01099 Dresden

http://www.ghweb.de
fon: +49 351 8107220   fax: +49 351 8107227

Please check whether this e-mail really needs to be printed! Before you
print it, think about your responsibility and commitment to the ENVIRONMENT


Hi,

here's the NFS solution you were after:
$ grep 127.0.0.1 /etc/exports
/home/store/music -ro -mapall=extuser1 127.0.0.1
/home/store/not_sorted -ro -mapall=extuser1 127.0.0.1

and chroot /home/$user as usual. Now extuser1 has read-only
access to certain shares.

Hackish? Definitely. Use at your own risk.

--
Regards,
Ville







Re: sftp chroot

2017-06-14 Thread Ville Valkonen
On 14 June 2017 at 11:33, Markus Rosjat  wrote:
> Hi there,
>
> I want to build an sftp environment where the user is chrooted to his home
> dir. So far so good but then again the user might need access to a webserver
> resource like /var/www/htdocs/some_dir
>
> As far as I understand a symlink doesn't work in the chroot setup and I'm not
> quite sure how to achieve this.
>
> I could simply make /var/www/htdocs/some_dir the home dir of the user but I'm
> not sure if this is the recommended way.
>
> So once again advice is helpful :)
>
> regards
>

Hi,

here's the NFS solution you were after:
$ grep 127.0.0.1 /etc/exports
/home/store/music -ro -mapall=extuser1 127.0.0.1
/home/store/not_sorted -ro -mapall=extuser1 127.0.0.1

and chroot /home/$user as usual. Now extuser1 has read-only
access to certain shares.

Hackish? Definitely. Use at your own risk.

--
Regards,
Ville



Re: sftp chroot

2017-06-14 Thread Todd
Have a look at the book https://www.michaelwlucas.com/tools/relayd

Chapter 7 addresses this exact scenario


On Wed, Jun 14, 2017 at 3:33 AM, Markus Rosjat  wrote:

> Hi there,
>
> I want to build an sftp environment where the user is chrooted to his home
> dir. So far so good but then again the user might need access to a
> webserver resource like /var/www/htdocs/some_dir
>
> As far as I understand a symlink doesn't work in the chroot setup and I'm
> not quite sure how to achieve this.
>
> I could simply make /var/www/htdocs/some_dir the home dir of the user but
> I'm not sure if this is the recommended way.
>
> So once again advice is helpful :)
>
> regards
>


Re: sftp chroot

2017-06-14 Thread Markus Rosjat

On 14.06.2017 at 16:31, Chris M wrote:

Some hosts chroot users into a specific web dir because they have multiple
vhosts on the same server, and they don't want all sftp or ssh users to be
able to browse into other vhosts, even to look around. They might also want
to give developers access to specific subdirs without seeing the entire
vhost root.




Yes, this is the aim here; the user has no shell at all. He gets access
to the web content folder only.




I am running an SFTP-only chroot file exchange server where a very small
group of users have the access to the same chroot without full shell
access for the purpose of sharing/exchanging data.



I want to separate every user, no peeking up the ladder :)


I could imagine a situation in which it is desirable to give users
chrooted SFTP-only access to their web data. It seems to me that one
could create virtual host per user and give them sftp-only access to the
root directory of their virtual server.



They will all get virtual hosts in httpd and get their sftp root set
to the root of the virtual host.



Somebody help me. What would be other good use case scenarios for
chrooted sftp-only user access?


Annoying colleagues without a wheel :-p  ... just kidding

regards





Re: sftp chroot

2017-06-14 Thread Chris M
Some hosts chroot users into a specific web dir because they have multiple
vhosts on the same server, and they don't want all sftp or ssh users to be
able to browse into other vhosts, even to look around. They might also want
to give developers access to specific subdirs without seeing the entire
vhost root.



On Wed, Jun 14, 2017 at 9:22 AM Predrag Punosevac wrote:

> Markus Rosjat wrote:
>
> > Am 14.06.2017 um 13:42 schrieb Jiri B:
> > > On Wed, Jun 14, 2017 at 01:09:47PM +0200, Solène Rapenne wrote:
> > >> On 2017-06-14 13:02, Bryan Harris wrote:
> > >>> On Linux I have mounted another fs inside the user's home folder (it
> > is
> > >>> mounted twice).  I don't know if OpenBSD has that feature.
> > >>>
> > >>
> > >> This is not possible on OpenBSD, mount will tell "device is busy".
> > >>
> > >> On linux you should use mount --bind to bind a folder on another
> > instead
> > >> of mounting twice the mountpoint. FreeBSD has mount_nullfs to do
> > exactly
> > >> the same thing as --bind, but OpenBSD doesn't have any of this.
> > >
> > > Do you build a shell server or you just want to give SFTP access
> > > to users' web data?
> > >
> > > If the latter, why don't you just chroot them directly into their
> > > user dir inside web root? Or, just define their home to be inside
> > > web chroot...
> > >
> > > j.
> > >
> >
> > like I stated before, I know I can simply give them their web content
> > folder as home and chroot this for sftp, but then again how to handle the
> >
>
> I am with Jiri on this one. You completely lost me. What problem are you
> trying to solve?
>
> I am running an SFTP-only chroot file exchange server where a very small
> group of users have the access to the same chroot without full shell
> access for the purpose of sharing/exchanging data.
>
> I could imagine a situation in which it is desirable to give users
> chrooted SFTP-only access to their web data. It seems to me that one
> could create virtual host per user and give them sftp-only access to the
> root directory of their virtual server.
>
> Somebody help me. What would be other good use case scenarios for
> chrooted sftp-only user access?
>
> Best,
> Predrag
>
>
>
>
> > .ssh or other dot folders and files? I read something about placing it
> > outside the home dir and defining the location via sshd_config but not
> > sure if this is a proper solution.
>
> --
There's no place like 127.0.0.1


Re: sftp chroot

2017-06-14 Thread Predrag Punosevac
Markus Rosjat wrote:

> On 14.06.2017 at 13:42, Jiri B wrote:
> > On Wed, Jun 14, 2017 at 01:09:47PM +0200, Solène Rapenne wrote:
> >> On 2017-06-14 13:02, Bryan Harris wrote:
> >>> On Linux I have mounted another fs inside the user's home folder (it
> is
> >>> mounted twice).  I don't know if OpenBSD has that feature.
> >>>
> >>
> >> This is not possible on OpenBSD, mount will tell "device is busy".
> >>
> >> On linux you should use mount --bind to bind a folder on another
> instead
> >> of mounting twice the mountpoint. FreeBSD has mount_nullfs to do
> exactly
> >> the same thing as --bind, but OpenBSD doesn't have any of this.
> > 
> > Do you build a shell server or you just want to give SFTP access
> > to users' web data?
> > 
> > If the latter, why don't you just chroot them directly into their
> > user dir inside web root? Or, just define their home to be inside
> > web chroot...
> > 
> > j.
> > 
> 
> like I stated before, I know I can simply give them their web content
> folder as home and chroot this for sftp, but then again how to handle the
> 

I am with Jiri on this one. You completely lost me. What problem are you
trying to solve?

I am running an SFTP-only chroot file exchange server where a very small
group of users have the access to the same chroot without full shell
access for the purpose of sharing/exchanging data.

I could imagine a situation in which it is desirable to give users
chrooted SFTP-only access to their web data. It seems to me that one
could create virtual host per user and give them sftp-only access to the
root directory of their virtual server.

Somebody help me. What would be other good use case scenarios for
chrooted sftp-only user access?

Best,
Predrag




> .ssh or other dot folders and files? I read something about placing it
> outside the home dir and defining the location via sshd_config but not
> sure if this is a proper solution.



Re: sftp chroot

2017-06-14 Thread Chris M
You could do it like this:

Say you have /www/sites/, make a subdir /files/html, and another for
/html which is a symlink to files/html:

/www/sites/www.somedomain.com
/www/sites/www.somedomain.com/files/html
/www/sites/www.somedomain.com/html -> files/html

Mount /www/sites/www.somedomain.com to /home/

Point the document root for that domain/vhost to /www/sites/somedomain.com/html.
Gracefully restart Apache.


If you only want the chroot user to have access to a subdir inside of html,
then just mount the subdir to their home folder

On Wed, Jun 14, 2017 at 9:06 AM Markus Rosjat  wrote:

>
>
> On 14.06.2017 at 15:53, Markus Rosjat wrote:
> >
> >
> > On 14.06.2017 at 13:42, Jiri B wrote:
> >> On Wed, Jun 14, 2017 at 01:09:47PM +0200, Solène Rapenne wrote:
> >>> On 2017-06-14 13:02, Bryan Harris wrote:
>  On Linux I have mounted another fs inside the user's home folder (it
> is
>  mounted twice).  I don't know if OpenBSD has that feature.
> 
> >>>
> >>> This is not possible on OpenBSD, mount will tell "device is busy".
> >>>
> >>> On linux you should use mount --bind to bind a folder on another
> instead
> >>> of mounting twice the mountpoint. FreeBSD has mount_nullfs to do
> exactly
> >>> the same thing as --bind, but OpenBSD doesn't have any of this.
> >>
> >> Do you build a shell server or you just want to give SFTP access
> >> to users' web data?
> >>
> >> If the latter, why don't you just chroot them directly into their
> >> user dir inside web root? Or, just define their home to be inside
> >> web chroot...
> >>
> >> j.
> >>
> >
> > like I stated before, I know I can simply give them their web content
> > folder as home and chroot this for sftp, but then again how to handle the
> > .ssh or other dot folders and files? I read something about placing it
> > outside the home dir and defining the location via sshd_config but not
> > sure if this is a proper solution.
> >
> >
>
> Okay, I tried to set the chroot in the sshd_config to the www dir of the
> user and it seems to work so far. Since this is a dev machine it's okay
> for now. So there is still time to sort out the kinks.


Re: sftp chroot

2017-06-14 Thread Markus Rosjat



On 14.06.2017 at 15:53, Markus Rosjat wrote:



On 14.06.2017 at 13:42, Jiri B wrote:

On Wed, Jun 14, 2017 at 01:09:47PM +0200, Solène Rapenne wrote:

On 2017-06-14 13:02, Bryan Harris wrote:

On Linux I have mounted another fs inside the user's home folder (it is
mounted twice).  I don't know if OpenBSD has that feature.



This is not possible on OpenBSD, mount will tell "device is busy".

On linux you should use mount --bind to bind a folder on another instead
of mounting twice the mountpoint. FreeBSD has mount_nullfs to do exactly
the same thing as --bind, but OpenBSD doesn't have any of this.


Do you build a shell server or you just want to give SFTP access
to users' web data?

If the latter, why don't you just chroot them directly into their
user dir inside web root? Or, just define their home to be inside
web chroot...

j.



like I stated before, I know I can simply give them their web content
folder as home and chroot this for sftp, but then again how to handle the
.ssh or other dot folders and files? I read something about placing it
outside the home dir and defining the location via sshd_config but not
sure if this is a proper solution.





Okay, I tried to set the chroot in the sshd_config to the www dir of the
user and it seems to work so far. Since this is a dev machine it's okay
for now. So there is still time to sort out the kinks.




Re: sftp chroot

2017-06-14 Thread Markus Rosjat



On 14.06.2017 at 13:42, Jiri B wrote:

On Wed, Jun 14, 2017 at 01:09:47PM +0200, Solène Rapenne wrote:

On 2017-06-14 13:02, Bryan Harris wrote:

On Linux I have mounted another fs inside the user's home folder (it is
mounted twice).  I don't know if OpenBSD has that feature.



This is not possible on OpenBSD, mount will tell "device is busy".

On linux you should use mount --bind to bind a folder on another instead
of mounting twice the mountpoint. FreeBSD has mount_nullfs to do exactly
the same thing as --bind, but OpenBSD doesn't have any of this.


Do you build a shell server or you just want to give SFTP access
to users' web data?

If the latter, why don't you just chroot them directly into their
user dir inside web root? Or, just define their home to be inside
web chroot...

j.



like I stated before, I know I can simply give them their web content
folder as home and chroot this for sftp, but then again how to handle the
.ssh or other dot folders and files? I read something about placing it
outside the home dir and defining the location via sshd_config but not
sure if this is a proper solution.






Re: sftp chroot

2017-06-14 Thread Jiri B
On Wed, Jun 14, 2017 at 01:09:47PM +0200, Solène Rapenne wrote:
> On 2017-06-14 13:02, Bryan Harris wrote:
> >On Linux I have mounted another fs inside the user's home folder (it is
> >mounted twice).  I don't know if OpenBSD has that feature.
> >
> 
> This is not possible on OpenBSD, mount will tell "device is busy".
> 
> On linux you should use mount --bind to bind a folder on another instead
> of mounting twice the mountpoint. FreeBSD has mount_nullfs to do exactly
> the same thing as --bind, but OpenBSD doesn't have any of this.

Do you build a shell server or you just want to give SFTP access
to users' web data?

If the latter, why don't you just chroot them directly into their
user dir inside web root? Or, just define their home to be inside
web chroot...

j.



Re: sftp chroot

2017-06-14 Thread Solène Rapenne

On 2017-06-14 13:02, Bryan Harris wrote:

On Linux I have mounted another fs inside the user's home folder (it is
mounted twice).  I don't know if OpenBSD has that feature.



This is not possible on OpenBSD, mount will tell "device is busy".

On Linux you should use mount --bind to bind a folder on another instead
of mounting the mountpoint twice. FreeBSD has mount_nullfs to do exactly
the same thing as --bind, but OpenBSD doesn't have any of this.



Re: sftp chroot

2017-06-14 Thread Bryan Harris
On Linux I have mounted another fs inside the user's home folder (it is
mounted twice).  I don't know if OpenBSD has that feature.

On Wed, Jun 14, 2017 at 6:38 AM, Ville Valkonen wrote:

> Hi,
>
> one option is to use local nfs mounts. That's what I've done.
>
> --
> Regards,
> Ville
>
>
> On Jun 14, 2017 11:34 AM, "Markus Rosjat"  wrote:
>
> Hi there,
>
> I want to build an sftp environment where the user is chrooted to his home
> dir. So far so good but then again the user might need access to a
> webserver resource like /var/www/htdocs/some_dir
>
> As far as I understand a symlink doesn't work in the chroot setup and I'm not
> quite sure how to achieve this.
>
> I could simply make /var/www/htdocs/some_dir the home dir of the user but
> I'm not sure if this is the recommended way.
>
> So once again advice is helpful :)
>
> regards
>


Re: sftp chroot

2017-06-14 Thread Ville Valkonen
Hi,

one option is to use local nfs mounts. That's what I've done.

--
Regards,
Ville


On Jun 14, 2017 11:34 AM, "Markus Rosjat"  wrote:

Hi there,

I want to build an sftp environment where the user is chrooted to his home
dir. So far so good but then again the user might need access to a
webserver resource like /var/www/htdocs/some_dir

As far as I understand a symlink doesn't work in the chroot setup and I'm not
quite sure how to achieve this.

I could simply make /var/www/htdocs/some_dir the home dir of the user but
I'm not sure if this is the recommended way.

So once again advice is helpful :)

regards



Re: sftp chroot

2017-06-14 Thread Solène Rapenne

On 2017-06-14 10:33, Markus Rosjat wrote:

Hi there,

I want to build an sftp environment where the user is chrooted to his
home dir. So far so good but then again the user might need access to
a webserver resource like /var/www/htdocs/some_dir

As far as I understand a symlink doesn't work in the chroot setup and
I'm not quite sure how to achieve this.

I could simply make /var/www/htdocs/some_dir the home dir of the user
but I'm not sure if this is the recommended way.

So once again advice is helpful :)

regards


Hello,
you can change the user's home folder to one in /var/www/htdocs/,
or if the user's home is on the same mountpoint as /var/www you could
make a hard-linked folder with ln.



sftp chroot

2017-06-14 Thread Markus Rosjat

Hi there,

I want to build an sftp environment where the user is chrooted to his 
home dir. So far so good but then again the user might need access to a 
webserver resource like /var/www/htdocs/some_dir


As far as I understand a symlink doesn't work in the chroot setup and I'm
not quite sure how to achieve this.


I could simply make /var/www/htdocs/some_dir the home dir of the user
but I'm not sure if this is the recommended way.


So once again advice is helpful :)

regards





sftp chroot does'nt pass the login

2010-05-30 Thread Jean-Francois
Hi,

I am using the sftp server with a chroot with the following lines in the sshd
configuration file. The same works on my current server running OpenBSD 4.4,
but I just freshly installed a 4.7 one and on it the sftp login fails (it
works without chroot).

Match group web
ChrootDirectory /var/www/htdocs
ForceCommand internal-sftp

Any idea what I got wrong?

Thanks



Re: sftp chroot does'nt pass the login

2010-05-30 Thread Bret S. Lambert
On Sun, May 30, 2010 at 05:22:22PM +0200, Jean-Francois wrote:
> Hi,
>
> I am using the sftp server with a chroot with the following lines in the sshd
> configuration file. The same works on my current server running OpenBSD 4.4,
> but I just freshly installed a 4.7 one and on it the sftp login fails (it
> works without chroot).
>
> Match group web
> ChrootDirectory /var/www/htdocs
> ForceCommand internal-sftp
>
> Any idea what I got wrong?

$ grep web /etc/group
$ grep www /etc/group
www:*:67:
$ 


 
> Thanks



Re: sftp chroot does'nt pass the login

2010-05-30 Thread Jean-Francois
On Sunday 30 May 2010 17:39:36, Bret S. Lambert wrote:
> On Sun, May 30, 2010 at 05:22:22PM +0200, Jean-Francois wrote:
>> Hi,
>>
>> I am using the sftp server with a chroot with the following lines in the sshd
>> configuration file. The same works on my current server running OpenBSD 4.4,
>> but I just freshly installed a 4.7 one and on it the sftp login fails
>> (it works without chroot).
>>
>> Match group web
>>
>> ChrootDirectory /var/www/htdocs
>> ForceCommand internal-sftp
>>
>> Any idea what I got wrong?
>
> $ grep web /etc/group
> $ grep www /etc/group
> www:*:67:
> $

web is a group and also a user in my OS.
# grep web /etc/group
wheel:*:0:root,admin,web
web:*:1001:web



Re: sftp chroot ?

2009-02-24 Thread Stuart Henderson
On 2009-02-23, Michael W. Lucas mwlu...@blackhelicopters.org wrote:
> On Mon, Feb 23, 2009 at 07:33:23PM +0100, Jean-Francois wrote:
>> Hello,
>>
>> If I understand this will chroot any user. Am I correct?
>> - Is root chrooted as well?
>
> Don't scp or SSH in as root.  Use a regular account and sudo, or at
> least the root password.

Oh, I do that all the time. I don't see a problem with it.
For some things there is no feasible alternative.



Re: sftp chroot ?

2009-02-24 Thread Olivier Cherrier
On Mon, Feb 23, 2009 at 07:33:23PM +0100, jfsimon1...@gmail.com wrote:
> If I understand this will chroot any user. Am I correct?
> - Is root chrooted as well?
> - Is it possible to chroot only some users?


What man page is not clear?


-- 
Olivier Cherrier



Re: sftp chroot ?

2009-02-24 Thread Cezary Morga
On Monday, 23 February 2009, Nigel J. Taylor wrote:
> ChrootDirectory %h
>
> Subsystem sftp internal-sftp
>
> Match group wheel
> ChrootDirectory none

Or the other way around.

Subsystem sftp internal-sftp
Match User john paul
ChrootDirectory /chroot/%u

--
Pozdrawiam,
Cezary Morga
The best way to predict the future is to invent it. (Alan Kay)



Re: sftp chroot ?

2009-02-24 Thread Beto
Hi Jean-Francois

Attached is a little example, hope that helps.

The user archivos only has access to
/var/www/domains/home/archivos/public_html

$ cat /etc/ssh/sshd_config
Port 22
Protocol 2
SyslogFacility AUTH
LogLevel INFO
PermitRootLogin no
Subsystem sftp  internal-sftp

Match group chrootusers
ForceCommand internal-sftp
ChrootDirectory /var/www/domains/home/%u


$ ls -lh
total 84
drwxr-xr-x  3 root  chrootusers   512B Feb 13 19:23 archivos

$ ls -lh archivos
total 4
drwxr-xr-x  3 archivos  chrootusers   512B Feb 18 14:24 public_html

See the permissions.

Bye

-- 
Beto
www.compumundohypermegared.org


2009/2/23 Jean-Francois jfsimon1...@gmail.com

> Hi All,
>
> As far as I understand, the sftp service is always running since it is
> the ssh daemon (maybe one can correct me if I'm wrong).
> Hence I need to chroot some users to specific directories.
> I prefer not to use vsftp at present time if this feature is available
> with sftp of OpenBSD.
>
> Can someone help me?
>
> Thank you;
> JF




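The permissions Beto says to look at above, and the rule Nigel J. Taylor states in his reply in this thread (the chroot directory must be root-owned), come from sshd_config(5): every component of a ChrootDirectory path must be a root-owned directory that is not writable by any other user or group, or sshd refuses the login and logs a "bad ownership or modes for chroot directory" error. That is the first thing to check when a chrooted sftp login fails while the same account works unchrooted, and it is also why Chris Bennett, in the 2018 thread at the top of this page, ended up needing a separate subdirectory for uploads. The script below is an added example, not code from any poster: it walks a path component by component the way sshd does and reports the first one that breaks the rule. It assumes only a POSIX sh with ls -ldn and awk; the paths it is run against are illustrative.

```shell
#!/bin/sh
# Added example (not from the thread): check a ChrootDirectory path the way
# sshd does before it accepts a chrooted login. sshd_config(5): all components
# of the pathname must be root-owned directories that are not writable by any
# other user or group.

# Judge one path component from an ls(1)-style mode string and a numeric uid.
# Returns 0 if acceptable, 1 otherwise. Kept separate from the filesystem walk
# so the rule can be tested without root-owned directories on the test box.
chroot_component_ok() {
    mode=$1
    uid=$2
    case "$mode" in
        d*) ;;                       # must be a directory
        *)  return 1 ;;
    esac
    [ "$uid" -eq 0 ] || return 1     # must be owned by root (uid 0)
    case "$mode" in
        d????w*)    return 1 ;;      # group-writable (6th char of the mode)
        d???????w*) return 1 ;;      # world-writable (9th char of the mode)
    esac
    return 0
}

# Walk "/" and then every successive component of an absolute path, printing
# the first offender on stderr. Returns 0 if sshd would accept the path.
check_chroot_path() {
    path=$1
    case "$path" in
        /*) ;;
        *)  echo "path must be absolute: $path" >&2; return 1 ;;
    esac
    dir=/
    # Split on "/"; word splitting drops the empty leading field.
    set -- $(printf '%s\n' "$path" | tr '/' ' ')
    while :; do
        # ls -ldn prints the mode in field 1 and the numeric owner uid in
        # field 3 on both BSD and GNU ls.
        info=$(ls -ldn "$dir" 2>/dev/null) || { echo "cannot stat $dir" >&2; return 1; }
        mode=$(printf '%s\n' "$info" | awk '{print $1}')
        uid=$(printf '%s\n' "$info" | awk '{print $3}')
        if ! chroot_component_ok "$mode" "$uid"; then
            echo "bad component: $dir (mode $mode, uid $uid)" >&2
            return 1
        fi
        [ $# -eq 0 ] && break
        if [ "$dir" = / ]; then dir="/$1"; else dir="$dir/$1"; fi
        shift
    done
    echo "ok: $path" >&2
    return 0
}

# Usage: sh check_chroot.sh /var/www/domains/home/archivos
if [ -n "${1:-}" ]; then
    check_chroot_path "$1"
fi
```

Because the chroot root itself must not be writable by the sftp user, uploads have to go into a user-owned subdirectory beneath it, which is the layout in Beto's ls output (archivos owned by root, public_html owned by the user) and the subdir Chris Bennett had to add. Run the script against the exact value of ChrootDirectory after %u or %h has been expanded, and note that a world-writable parent such as /tmp fails the check just as a user-owned home directory does.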


sftp chroot ?

2009-02-23 Thread Jean-Francois
Hi All,

As far as I understand, the sftp service is always running since it is
the ssh daemon (maybe one can correct me if I'm wrong).
Hence I need to chroot some users to specific directories.
I prefer not to use vsftp at present time if this feature is available
with sftp of OpenBSD.

Can someone help me?

Thank you;
JF



Re: sftp chroot ?

2009-02-23 Thread Mike Erdely
On Mon, Feb 23, 2009 at 06:19:07PM +0100, Jean-Francois wrote:
> Hi All,
>
> As far as I understand, the sftp service is always running since it is
> the ssh daemon (maybe one can correct me if I'm wrong).
> Hence I need to chroot some users to specific directories.
> I prefer not to use vsftp at present time if this feature is available
> with sftp of OpenBSD.
>
> Can someone help me?

http://lmgtfy.com/?q=sftp+chroot+openbsd



Re: sftp chroot ?

2009-02-23 Thread Floor Terra
See sshd_config(5) and search for ChrootDirectory.

Floor

On Feb 23, 2009 6:24 PM, Jean-Francois jfsimon1...@gmail.com wrote:

Hi All,

As far as I understand, the sftp service is always running since it is
the ssh daemon (maybe one can correct me if I'm wrong).
Hence I need to chroot some users to specific directories.
I prefer not to use vsftp at present time if this feature is available
with sftp of OpenBSD.

Can someone help me?

Thank you;
JF



Re: sftp chroot ?

2009-02-23 Thread Jean-Francois
Hello,

If I understand this will chroot any user. Am I correct?
- Is root chrooted as well?
- Is it possible to chroot only some users?

I am afraid that if I do this then all users will be chrooted and I
won't be able to turn this back since I will not have access to /etc.

Line to be changed in sshd_config :
#ChrootDirectory none

Thanks
JF

On Monday 23 February 2009 at 19:07 +0100, Floor Terra wrote:
> See sshd_config(5) and search for ChrootDirectory.
>
> Floor
>
> On Feb 23, 2009 6:24 PM, Jean-Francois
> jfsimon1...@gmail.com wrote:
>
> Hi All,
>
> As far as I understand, the sftp service is always running
> since it is
> the ssh daemon (maybe one can correct me if I'm wrong).
> Hence I need to chroot some users to specific directories.
> I prefer not to use vsftp at present time if this feature is
> available
> with sftp of OpenBSD.
>
> Can someone help me?
>
> Thank you;
> JF



Re: sftp chroot ?

2009-02-23 Thread patric conant
That was the funniest thing I have ever seen.

On Mon, Feb 23, 2009 at 11:45 AM, Mike Erdely m...@erdelynet.com wrote:

> On Mon, Feb 23, 2009 at 06:19:07PM +0100, Jean-Francois wrote:
>> Hi All,
>>
>> As far as I understand, the sftp service is always running since it is
>> the ssh daemon (maybe one can correct me if I'm wrong).
>> Hence I need to chroot some users to specific directories.
>> I prefer not to use vsftp at present time if this feature is available
>> with sftp of OpenBSD.
>>
>> Can someone help me?
>
> http://lmgtfy.com/?q=sftp+chroot+openbsd




-- 
/\  ASCII Ribbon Campaign
\ / Respect for low technology.
 X  Keep e-mail messages readable by any computer system.
/ \ Keep it ASCII.



Re: sftp chroot ?

2009-02-23 Thread Michael W. Lucas
On Mon, Feb 23, 2009 at 07:33:23PM +0100, Jean-Francois wrote:
> Hello,
>
> If I understand this will chroot any user. Am I correct?
> - Is root chrooted as well?

Don't scp or SSH in as root.  Use a regular account and sudo, or at
least the root password.

> - Is it possible to chroot only some users?

I don't believe so.  You could look at scponly, it can chroot users.
It's an add-on shell, not in ports, has not been audited by OpenBSD,
etc.  YMMV.

> I am afraid that if I do this then all users will be chrooted and I
> won't be able to turn this back since I will not have access to /etc.

Run a separate sshd instance on a different port, with -p.  Test the
changes there.

==ml


 
> Line to be changed in sshd_config:
> #ChrootDirectory none
>
> Thanks
> JF
>
> On Monday 23 February 2009 at 19:07 +0100, Floor Terra wrote:
>> See sshd_config(5) and search for ChrootDirectory.
>>
>> Floor
>>
>> On Feb 23, 2009 6:24 PM, Jean-Francois
>> jfsimon1...@gmail.com wrote:
>>
>> Hi All,
>>
>> As far as I understand, the sftp service is always running
>> since it is
>> the ssh daemon (maybe one can correct me if I'm wrong).
>> Hence I need to chroot some users to specific directories.
>> I prefer not to use vsftp at present time if this feature is
>> available
>> with sftp of OpenBSD.
>>
>> Can someone help me?
>>
>> Thank you;
>> JF

-- 
Michael W. Lucas    mwlu...@blackhelicopters.org, mwlu...@freebsd.org
http://www.BlackHelicopters.org/~mwlucas/
My pessimism extends to the point of even suspecting the sincerity of
  the pessimists. -- Jean Rostand, French biologist and philosopher



Re: sftp chroot ?

2009-02-23 Thread Mike Erdely
On Mon, Feb 23, 2009 at 04:21:01PM -0500, Michael W. Lucas wrote:
 On Mon, Feb 23, 2009 at 07:33:23PM +0100, Jean-Francois wrote:
  - Is it possible to chroot only some users?
 
 I don't believe so.  You could look at scponly, it can chroot users.
 It's an add-on shell, not in ports, has not been audited by OpenBSD,
 etc.  YMMV.
 
  I am afraid that if I do this then all users will be chrooted and I
  won't be able to turn this back since I will not have access to /etc.
 
 Run a separate sshd instance on a different port, with -p.  Test the
 changes there.

Ugh.  Bad advice.  Please see sshd_config(5) and
http://undeadly.org/cgi?action=article&sid=20080220110039

-ME



Re: sftp chroot ?

2009-02-23 Thread Nigel J. Taylor
Hi,

You might try looking at Match in the sshd_config man page, together with ChrootDirectory.

Something like this in sshd_config; home directories must be root-owned if
chrooted. This is in OpenSSH v5.1, not sure when it was introduced.

ChrootDirectory %h

Subsystem sftp internal-sftp

Match Group wheel
    ChrootDirectory none

This defaults to chrooting everyone to their home directory unless they are in the
group wheel. You can also do it the other way around: the default is not to chroot,
and only users in a specific group are chrooted.

Regards

Nigel Taylor

Jean-Francois wrote:
 Hello,
 
 If I understand this will chroot any user. Am I correct ?
 - Is root chrooted as well?
 - Is it possible to chroot only some users?
 
 I am afraid that if I do this then all users will be chrooted and I
 won't be able to turn this back since I will not have access to /etc.
 
 Line to be changed in sshd_config :
 #ChrootDirectory none
 
 Thanks
 JF
 
 On Monday, 23 February 2009 at 19:07 +0100, Floor Terra wrote:
 See sshd_config(5) and search for ChrootDirectory.

 Floor

 On Feb 23, 2009 6:24 PM, Jean-Francois
 jfsimon1...@gmail.com wrote:
 
 Hi All,
 
 As far as I understand, the sftp service is always running
 since it is
 the ssh daemon (maybe one can correct me if I'm wrong).
 Hence I need to chroot some users to specific directories.
 I prefer not to use vsftp at present time if this feature is
 available
 with sftp of OpenBSD.
 
 One can help me ?
 
 Thank you;
 JF



Re: sftp chroot ?

2009-02-23 Thread Maxime DERCHE
On Mon, 23 Feb 2009 14:17:57 -0600
patric conant mirage.comput...@gmail.com wrote:

 That was the funniest thing I have ever seen.

Funny, at least. :)

-- 
Maxime DERCHE
GnuPG public key ID : 0x9A85C4C0
(fingerprint : 0FDC 16AF 5A5B 1908 786C  2B85 2D3C C83E 9A85 C4C0)
http://www.mouet-mouet.net/maxime/blog/index.php



Re: sftp chroot ?

2009-02-23 Thread Julien Cabillot
Hi,
yes it's possible to chroot only some users,
see match user in sshd_config


On Mon, 23 Feb 2009 19:33:23 +0100,
Jean-Francois jfsimon1...@gmail.com wrote:

 Hello,

 If I understand this will chroot any user. Am I correct ?
 - Is root chrooted as well?
 - Is it possible to chroot only some users?

 I am afraid that if I do this then all users will be chrooted and I
 won't be able to turn this back since I will not have access to /etc.

 Line to be changed in sshd_config :
 #ChrootDirectory none

 Thanks
 JF

 On Monday, 23 February 2009 at 19:07 +0100, Floor Terra wrote:
  See sshd_config(5) and search for ChrootDirectory.
 
  Floor
 
  On Feb 23, 2009 6:24 PM, Jean-Francois
  jfsimon1...@gmail.com wrote:
 
  Hi All,
 
  As far as I understand, the sftp service is always running
  since it is
  the ssh daemon (maybe one can correct me if I'm wrong).
  Hence I need to chroot some users to specific directories.
  I prefer not to use vsftp at present time if this feature is
  available
  with sftp of OpenBSD.
 
  One can help me ?
 
  Thank you;
  JF



--
Julien Cabillot - SdV Plurimedia



Re: sftp chroot ?

2009-02-23 Thread Michael W. Lucas
On Mon, Feb 23, 2009 at 05:20:17PM -0500, Mike Erdely wrote:
 On Mon, Feb 23, 2009 at 04:21:01PM -0500, Michael W. Lucas wrote:
  On Mon, Feb 23, 2009 at 07:33:23PM +0100, Jean-Francois wrote:
   - Is it possible to chroot only some users?
  
  I don't believe so.  You could look at scponly, it can chroot users.
  It's an add-on shell, not in ports, has not been audited by OpenBSD,
  etc.  YMMV.
  
   I am afraid that if I do this then all users will be chrooted and I
   won't be able to turn this back since I will not have access to /etc.
  
  Run a separate sshd instance on a different port, with -p.  Test the
  changes there.
 
 Ugh.  Bad advice.  Please see sshd_config(5) and
 http://undeadly.org/cgi?action=article&sid=20080220110039
 
 -ME

Yep, definitely better way to chroot.

But I still suggest running sshd on an off port to test changes if
you're concerned about locking yourself out.

==ml

-- 
Michael W. Lucas  mwlu...@blackhelicopters.org, mwlu...@freebsd.org
http://www.BlackHelicopters.org/~mwlucas/
My pessimism extends to the point of even suspecting the sincerity of
  the pessimists. -- Jean Rostand, French biologist and philosopher



SSH, SFTP, chroot and no login shells

2005-08-16 Thread Dave Harrison
Hi all,

I've been googling around for a couple of days now, and there is little
consensus on how to solve the 'sftp & no shell access' problem.  I've
found references to people that are using patched versions of OpenSSH (a
solution I think begs for problems to occur) to facilitate chroot-ing
users at login, restricted shells (to prevent users doing certain things
like changing directories etc.), and chrooting a user to their home dir
using a chroot-ed shell.

The most straight forward solution seems to be offered by this link :
http://turquoise.thing.dk/#create_chroot_home

However I'm still a little concerned that I don't necessarily have the
right solution to this problem.

So here's the problem (I have trawled the misc@ list archives and
recognise people have put forward this problem before, but I haven't
seen a definite solution appear - or at least not one I feel happy
with).  I want to be able to provide sftp access to users; these users
are not anonymous - they will have accounts that I create for them.
However I don't want them to be able to get outside their home dirs (as
with chroot-ed ftp), and I don't want them to have 'shells' (i.e. I don't
want them to be able to log in over ssh, or if they must, they must be
chroot-ed to their home dir).

Cheers for any help,
Dave