Directory permissions in chroot SFTP

Damien Miller djm at mindrot.org
Thu Nov 13 00:17:33 EST 2008



On Tue, 11 Nov 2008, Carlo Pradissitto wrote:

> Hi,
> I configured openssh 5.1p1 for sftp server.
> 
> Here the specifications in sshd_config file:
> 
> Subsystem     sftp   internal-sftp
> Match Group sftp
>     ForceCommand internal-sftp
>     ChrootDirectory /home/%u
>     AllowTcpForwarding no
> 
> When a user is logged in, he can't upload his document and he receives
> this message:
> 
> carlo@Music:~$ sftp user@213.217.147.123
> Connecting to 213.217.147.123...
> user@213.217.147.123's password:
> sftp> put prova
> Uploading prova to /prova
> Couldn't get handle: Permission denied
> sftp>

From the sshd_config manual page:

> ChrootDirectory
>     Specifies a path to chroot(2) to after authentication. This path,
>     and all its components, must be root-owned directories that are
>     not writable by any other user or group.


> Here the directory permissions:
> 
> [root@sftp-server ~]# ls -la /home/user/
> total 24
> drwxr-xr-x   6 root sftp 4096 Nov 10 18:05 .
> drwxr-xr-x  54 root root 4096 Nov 10 16:48 ..
> 
> OK, my user is a sftp group member, and the sftp group hasn't
> sufficient permissions to write in user's home directory.

Your permissions are correct.

> I add the write permission for the sftp group:
> 
> [root@sftp-server ~]# chmod 770 /home/user/
> [root@sftp-server ~]# ls -la /home/user/
> total 24
> drwxrwx---   6 root sftp 4096 Nov 10 18:05 .
> drwxr-xr-x  54 root root 4096 Nov 10 16:48 ..
> 
> 
> But now the user can't access:
> 
> carlo@Music:~$ sftp user@213.217.145.321
> Connecting to 213.217.147.123...
> user@213.217.145.321's password:
> Read from remote host 213.217.145.321: Connection reset by peer
> Couldn't read packet: Connection reset by peer
> 
> Here the error message in /var/log/messages of sftp-server:
> 
> Nov 11 11:33:02 sftp-server sshd[10254]: Accepted password for user
> from 213.217.145.329 port 38685 ssh2
> Nov 11 11:33:02 sftp-server sshd[10256]: fatal: bad ownership or modes
> for chroot directory "/home/user"

Right, this is on purpose. We ban this because allowing a user write
access to a chroot target is dangerously similar to equivalence with
allowing write access to the root of a filesystem.

If you want the default directory that users start in to be writable
then you must create their home directory under the chroot. After
sshd(8) has chrooted to the ChrootDirectory, it will chdir to the
home directory as normal. So, for a passwd line like:

djm:*:1000:1000:Damien Miller:/home/djm:/bin/ksh

Create a home directory "/chroot/djm/home/djm". Make the terminal "djm"
directory user-owned and writable (everything else must be root-owned).
Set "ChrootDirectory /chroot" in /etc/config.

A variant of this that yields less deep directory trees would be to set
the passwd file up as:

djm:*:1000:1000:Damien Miller:/upload:/bin/ksh

Create "/chroot/djm/upload", with "upload" the only user-owned and writable
component. 

-d
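The layout and the ownership rule described in the reply above, as an added example that is not part of the thread or of OpenSSH itself: a small POSIX shell script that applies the same check sshd makes on every component of the ChrootDirectory path (root-owned, not group- or other-writable), so a change like "chmod 770 /home/user" is caught before users see "bad ownership or modes for chroot directory", plus a helper that builds the suggested /chroot/USER/home/USER tree. The function names are my own, and the script assumes GNU coreutils stat (-c) as found on Linux.

```shell
#!/bin/sh
# Added example, not from the thread or from OpenSSH. Mirrors the rule sshd
# enforces on ChrootDirectory: every path component must be owned by root
# and must not be writable by group or other.
# Assumes GNU coreutils stat (-c), as on Linux.

# Rule for one component, given the owner uid and the octal mode as stat
# prints them (e.g. "0 755"). Returns 0 when sshd would accept it.
component_ok() {
    uid=$1; mode=$2
    [ "$uid" -eq 0 ] || return 1
    # 022 masks the group and other write bits; any of them set is rejected
    [ $(( 0$mode & 022 )) -eq 0 ]
}

# Check one directory on disk against the rule, reporting why it fails.
check_one() {
    dir=$1
    [ -d "$dir" ] || { echo "missing directory: $dir" >&2; return 1; }
    set -- $(stat -c '%u %a' "$dir")
    component_ok "$1" "$2" && return 0
    echo "bad ownership or modes for $dir (uid $1, mode $2)" >&2
    return 1
}

# Walk the chroot target from / downward, as sshd does, stopping at the
# first component that fails. Returns 0 only if every component passes.
check_chroot_path() {
    cur=/
    check_one "$cur" || return 1
    oldifs=$IFS; IFS=/; set -- $1; IFS=$oldifs
    for part in "$@"; do
        [ -n "$part" ] || continue
        cur="${cur%/}/$part"
        check_one "$cur" || return 1
    done
    return 0
}

# Build the suggested layout (needs root): BASE/USER/home/USER, where only
# the final directory is owned and writable by the user; the rest is root's.
make_user_chroot() {
    user=$1; base=${2:-/chroot}
    mkdir -p "$base/$user/home/$user"
    for d in "$base" "$base/$user" "$base/$user/home"; do
        chown root:root "$d" && chmod 755 "$d"
    done
    chown "$user:$user" "$base/$user/home/$user"
    chmod 755 "$base/$user/home/$user"
}
```

With this layout the matching sshd_config line is `ChrootDirectory /chroot`, and `check_chroot_path /chroot/djm` exits 0 only when sshd would accept the path.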

