On Thu, 2009-01-22 at 11:15 -0600, Walton, Bryan K wrote:
> I've got a chrooted SFTP setup that, for the most part, is working as
> designed. I have the following in my sshd config file:
>
> Match group sftponly
> ChrootDirectory /var/chroot/sftp
> X11Forwarding no
> AllowTcpForwarding no
> ForceCommand internal-sftp
>
> The permissions on /var/chroot/sftp are:
>
> drwxr-xr-x 16 root root 4096 2009-01-21 11:32 var
> drwxr-xr-x 4 root root 4096 2009-01-20 09:45 chroot
> drwxr-xr-x 7 root root 99 2009-01-22 09:47 sftp
>
> I have sftp accounts set up as such:
>
> user1:x:1002:1004:SFTP Account,,,:/user1:/bin/bash
> user2:x:1002:1004:SFTP Account2,,,:/user2:/bin/bash
>
> The chroot itself is working fine. When these accounts sftp, they are
> placed into the directory path /var/chroot/sftp/account_name where they
> are able to successfully upload and download. Furthermore, they are
> successfully jailed inside /var/chroot/sftp.
>
> I have the permissions set on the home directories as such:
> drwxr-x--- 2 user1 root 6 2009-01-21 15:58 user1
> drwxr-x--- 2 user2 root 21 2009-01-21 15:54 user2
>
> The problem I'm having is that when user1 (for example) establishes an
> sftp session, they can issue the following commands:
>
> shell:~$ sftp us...@sftp_machine
> Connecting to sftp_machine...
> us...@sftp_machine's password:
> sftp> pwd
> Remote working directory: /user1
> sftp> cd ..
> sftp> ls
> user1 user2
> sftp> cd user2
> sftp> pwd
> Remote working directory: /user2
> sftp> ls
> Couldn't get handle: Permission denied
> sftp>
>
> Now, thankfully, the 750 permissions are preventing the user from
> getting a listing of the contents of the second user's directory. But
> why is the first user allowed to enter the second user's directory?
>
> One more thing, this is not just happening with user1. It is possible
> with all of the sftp accounts on this machine. Also, if I change the
> home directory permissions from 750 to 700, the problem persists.
>
> Finally, I should add that, if pertinent, this machine is running Debian
> Lenny and is running Debian's package of openssh -- version 5.1p1
>
> Can anybody explain what I am doing wrong?
>
> Thanks,
> Bryan
>
Try this:

at sshd_config

Match group sftponly
ChrootDirectory /var/chroot/sftp/%u
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp

at /etc/passwd

user1:x:1002:1004:SFTP Account,,,:/:/bin/true
user2:x:1002:1004:SFTP Account2,,,:/:/bin/true

This is the way I have it, and it works for me.

Cheers.
Martín
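Two points worth having to hand when applying the per-user ChrootDirectory fix above, as an added example that is not part of either message in the thread. First, what Bryan sees is not a real traversal: the sftp client's "cd" only does a realpath and a stat on the target and then records the new working directory on the client side, and that stat succeeds because the chroot root /var/chroot/sftp is mode 755, so any user can look up names inside it; the following "ls" needs to open the directory and is correctly refused by the 750/700 mode. Second, sshd only honours a ChrootDirectory whose every path component is a root-owned directory that is writable by neither group nor other (otherwise the login is refused with "bad ownership or modes for chroot directory"), which means /var/chroot/sftp/user1 cannot be owned by user1 and each account needs a writable subdirectory inside its own chroot. The script below is example code written for this note, not from the thread or from OpenSSH; it assumes Linux with GNU coreutils (stat -c, install), and the subdirectory name "upload" and the group name passed to make_user_chroot are assumptions.

```sh
#!/bin/sh
# Added example, not from the thread. Assumes GNU coreutils (stat -c, install).

# check_chroot_path DIR [OWNER_UID]
# Walk every component of DIR and print "component<TAB>problem" for each one
# sshd would reject as a ChrootDirectory: not a directory, not owned by
# OWNER_UID (default 0, root), or writable by group or other. Returns 1 if
# anything was printed. The OWNER_UID override exists only so the checker can
# be exercised unprivileged; sshd itself always requires root ownership.
check_chroot_path() {
    dir=$1
    want_uid=${2:-0}
    rc=0
    case "$dir" in
        /*) ;;
        *)  printf '%s\t%s\n' "$dir" "not an absolute path"; return 1 ;;
    esac
    old_ifs=$IFS
    IFS=/
    set -f                  # no globbing while the path is split
    set -- $dir             # split DIR into components (positional params are local to the function)
    set +f
    IFS=$old_ifs
    cur=""
    for comp in "$@"; do
        [ -n "$comp" ] || continue      # skip the empty field from the leading "/"
        cur="$cur/$comp"
        if [ ! -d "$cur" ]; then
            printf '%s\t%s\n' "$cur" "not a directory"
            return 1
        fi
        st=$(stat -c '%u %A' "$cur")    # e.g. "0 drwxr-xr-x"
        uid=${st%% *}
        mode=${st#* }
        if [ "$uid" != "$want_uid" ]; then
            printf '%s\t%s\n' "$cur" "owned by uid $uid, expected $want_uid"
            rc=1
        fi
        case "$mode" in                 # 6th character is the group write bit
            ?????w*) printf '%s\t%s\n' "$cur" "group-writable ($mode)"; rc=1 ;;
        esac
        case "$mode" in                 # 9th character is the other write bit
            ????????w*) printf '%s\t%s\n' "$cur" "world-writable ($mode)"; rc=1 ;;
        esac
    done
    return $rc
}

# make_user_chroot BASE USER GROUP   (run as root)
# Create BASE/USER as a root-owned 755 directory, which is what
# "ChrootDirectory BASE/%u" requires, plus a USER-owned "upload" subdirectory
# (name assumed here) so the account has somewhere it is allowed to write.
# Then re-check the whole path so a bad parent (e.g. a group-writable BASE)
# is caught before the first login fails.
make_user_chroot() {
    base=$1; user=$2; group=$3
    install -d -m 755 -o root -g root "$base/$user"
    install -d -m 750 -o "$user" -g "$group" "$base/$user/upload"
    check_chroot_path "$base/$user"
}

# Command-line use:  sh check_chroot.sh /var/chroot/sftp/user1
if [ "$#" -gt 0 ]; then
    check_chroot_path "$1" && echo "$1: ok"
fi
```

Run check_chroot_path against each account's chroot after changing anything under /var/chroot; a single group-writable component anywhere up to / is enough for sshd to refuse the session, and the client-side error ("Connection closed") gives no hint, so the reason only shows up in the server's auth log.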