Directory permissions in chroot SFTP

Carlo Pradissitto carlopradissitto at gmail.com
Thu Nov 13 00:34:00 EST 2008


Hi Damien,
Thanks a lot!

Carlo

2008/11/12 Damien Miller <djm at mindrot.org>

>
>
> On Tue, 11 Nov 2008, Carlo Pradissitto wrote:
>
> > Hi,
> > I configured openssh 5.1p1 for sftp server.
> >
> > Here are the settings in the sshd_config file:
> >
> > Subsystem     sftp   internal-sftp
> > Match Group sftp
> >     ForceCommand internal-sftp
> >     ChrootDirectory /home/%u
> >     AllowTcpForwarding no
> >
> > When a user is logged in, he can't upload his document and he receives
> > this message:
> >
> > carlo at Music:~$ sftp user at 213.217.147.123
> > Connecting to 213.217.147.123...
> > user at 213.217.147.123's password:
> > sftp> put prova
> > Uploading prova to /prova
> > Couldn't get handle: Permission denied
> > sftp>
>
> From the sshd_config manual page:
>
> > ChrootDirectory
> >     Specifies a path to chroot(2) to after authentication. This path,
> >     and all its components, must be root-owned directories that are
> >     not writable by any other user or group.
>
>
> > Here are the directory permissions:
> >
> > [root at sftp-server ~]# ls -la /home/user/
> > total 24
> > drwxr-xr-x   6 root sftp 4096 Nov 10 18:05 .
> > drwxr-xr-x  54 root root 4096 Nov 10 16:48 ..
> >
> > OK, my user is an sftp group member, and the sftp group doesn't have
> > sufficient permissions to write in the user's home directory.
>
> Your permissions are correct.
>
> > I add the write permission for the sftp group:
> >
> > [root at sftp-server ~]# chmod 770 /home/user/
> > [root at sftp-server ~]# ls -la /home/user/
> > total 24
> > drwxrwx---   6 root sftp 4096 Nov 10 18:05 .
> > drwxr-xr-x  54 root root 4096 Nov 10 16:48 ..
> >
> >
> > But now the user can't access:
> >
> > carlo at Music:~$ sftp user at 213.217.145.321
> > Connecting to 213.217.147.123...
> > user at 213.217.145.321's password:
> > Read from remote host 213.217.145.321: Connection reset by peer
> > Couldn't read packet: Connection reset by peer
> >
> > Here is the error message in /var/log/messages on sftp-server:
> >
> > Nov 11 11:33:02 sftp-server sshd[10254]: Accepted password for user
> > from 213.217.145.329 port 38685 ssh2
> > Nov 11 11:33:02 sftp-server sshd[10256]: fatal: bad ownership or modes
> > for chroot directory "/home/user"
>
> Right, this is on purpose. We ban this because allowing a user write
> access to a chroot target is dangerously similar to equivalence with
> allowing write access to the root of a filesystem.
>
> If you want the default directory that users start in to be writable
> then you must create their home directory under the chroot. After
> sshd(8) has chrooted to the ChrootDirectory, it will chdir to the
> home directory as normal. So, for a passwd line like:
>
> djm:*:1000:1000:Damien Miller:/home/djm:/bin/ksh
>
> Create a home directory "/chroot/djm/home/djm". Make the terminal "djm"
> directory user-owned and writable (everything else must be root-owned).
> Set "ChrootDirectory /chroot" in /etc/config.
>
> A variant of this that yields less deep directory trees would be to set
> the passwd file up as:
>
> djm:*:1000:1000:Damien Miller:/upload:/bin/ksh
>
> Create "/chroot/djm/upload", with "upload" the only user-owned and writable
> component.
>
> -d
>



-- 
Carlo Pradissitto

Servizi e Supporto IT

I-WAY S.r.l.
Piazza Caduti di via Fani, 2
03100 Frosinone

Mobile: +393939318571

Tel/Fax: 07751880765

E-mail: c.pradissitto at i-way.it
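The rule Damien quotes, and the two layouts he proposes, as an added worked example. This is not OpenSSH code and not from either poster: it is a simplified Python model of the check sshd applies to every component of the ChrootDirectory path (must be a directory, owned by uid 0, with no group/other write bit), plus the %u expansion and post-chroot chdir to the passwd home. The directory trees, the uid 1000 for "djm", and the helper names are constructed for the demo; sshd's real check also guards against symlinks and races that this model does not cover.

```python
"""Model of sshd's ChrootDirectory ownership/mode check and the
chroot + home-directory layout from the thread.

Added example, not OpenSSH code. Directory trees and uids are constructed.
"""
import os
import stat
from typing import Callable, Dict, List, Tuple

# Bits sshd refuses on any chroot path component: group- or world-write (0o022).
FORBIDDEN_WRITE_BITS = stat.S_IWGRP | stat.S_IWOTH

StatFn = Callable[[str], os.stat_result]


class BadChrootPath(Exception):
    """Where sshd would log: fatal: bad ownership or modes for chroot directory."""


def path_components(path: str) -> List[str]:
    """'/chroot/djm' -> ['/', '/chroot', '/chroot/djm']; every prefix is checked."""
    parts = [p for p in os.path.normpath(path).split("/") if p]
    out = ["/"]
    for p in parts:
        out.append(os.path.join(out[-1], p))
    return out


def check_chroot_path(path: str, stat_fn: StatFn = os.stat) -> List[str]:
    """Apply the sshd_config rule to each component: directory, root-owned,
    not writable by group or others. Returns the components that passed."""
    checked = []
    for comp in path_components(path):
        st = stat_fn(comp)
        if not stat.S_ISDIR(st.st_mode):
            raise BadChrootPath(f"{comp}: not a directory")
        if st.st_uid != 0:
            raise BadChrootPath(f"{comp}: owned by uid {st.st_uid}, not root")
        if st.st_mode & FORBIDDEN_WRITE_BITS:
            raise BadChrootPath(
                f"{comp}: mode {stat.S_IMODE(st.st_mode):04o} is group/world writable")
        checked.append(comp)
    return checked


def resolve_session_dirs(chroot_template: str, user: str, passwd_home: str) -> Tuple[str, str]:
    """Expand %u in ChrootDirectory and return (chroot target, host path of the
    directory the session lands in after chroot(2) + chdir to the passwd home)."""
    chroot_dir = chroot_template.replace("%u", user)
    start_dir = os.path.normpath(chroot_dir + "/" + passwd_home.lstrip("/"))
    return chroot_dir, start_dir


def user_can_write(path: str, uid: int, stat_fn: StatFn = os.stat) -> bool:
    """Owner-write only: group/other write is exactly what the chroot rule forbids."""
    st = stat_fn(path)
    return st.st_uid == uid and bool(st.st_mode & stat.S_IWUSR)


def make_fake_stat(tree: Dict[str, Tuple[int, int]]) -> StatFn:
    """Build a stat() over a constructed {path: (uid, mode)} directory table."""
    def fake_stat(path: str) -> os.stat_result:
        uid, mode = tree[path]  # KeyError stands in for ENOENT
        # (st_mode, st_ino, st_dev, st_nlink, st_uid, st_gid, st_size, atime, mtime, ctime)
        return os.stat_result((stat.S_IFDIR | mode, 0, 0, 2, uid, 0, 4096, 0, 0, 0))
    return fake_stat


def demo() -> Dict[str, object]:
    """Replay the thread: the 755 and 770 attempts on /home/user, then Damien's layout."""
    carlo_755 = {"/": (0, 0o755), "/home": (0, 0o755), "/home/user": (0, 0o755)}
    carlo_770 = {"/": (0, 0o755), "/home": (0, 0o755), "/home/user": (0, 0o770)}
    damien = {"/": (0, 0o755), "/chroot": (0, 0o755), "/chroot/djm": (0, 0o755),
              "/chroot/djm/home": (0, 0o755), "/chroot/djm/home/djm": (1000, 0o755)}
    sftp_uid = 1001  # constructed uid for "user" in Carlo's setup
    r: Dict[str, object] = {}

    # Original setting: chroot accepted, but the user lands in a root-owned "/"
    # and cannot create files there ("Couldn't get handle: Permission denied").
    r["carlo_755_accepted"] = check_chroot_path("/home/user", make_fake_stat(carlo_755))
    r["carlo_755_writable"] = user_can_write("/home/user", sftp_uid, make_fake_stat(carlo_755))

    # chmod 770: group-writable chroot target, so sshd aborts the session.
    try:
        check_chroot_path("/home/user", make_fake_stat(carlo_770))
        r["carlo_770_rejected"] = False
    except BadChrootPath as e:
        r["carlo_770_rejected"] = True
        r["carlo_770_reason"] = str(e)

    # Damien's layout: root-owned chroot, user-owned home underneath it.
    chroot_dir, start = resolve_session_dirs("/chroot/%u", "djm", "/home/djm")
    r["damien_chroot_accepted"] = check_chroot_path(chroot_dir, make_fake_stat(damien))
    r["damien_start_dir"] = start
    r["damien_start_writable"] = user_can_write(start, 1000, make_fake_stat(damien))
    return r


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Against a live system, drop the `stat_fn` argument and `check_chroot_path("/chroot/djm")` reads the real tree; run it before restarting sshd rather than discovering the "bad ownership or modes" fatal in the logs after the first user is disconnected.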

