SFTP chroot: Writable root
David Newall
openssh at davidnewall.com
Fri Jan 5 16:30:53 AEDT 2018
On 05/01/18 02:44, Thomas Güttler wrote:
> I set up a chroot sftp server [...]
> Is there a way to get both?
>
> - chroot
>
> - writable root
The source code (sftpd.c) seems to require that the root directory be
owned by root and not group or world writable, so I think, no, not
unless you make local source changes.
I wonder why you need writable root directory. The normal way of
setting up chroot sftp is to put the user directory under the chroot,
so, for example, /sftp is the chroot, and /sftp/user is the directory
that user uses for sftp. You still need a home directory for that user,
i.e. /home/user, to contain the .ssh directory and authorized_keys file;
however, you set a ForcedCommand in /etc/ssh/sshd_config for that user,
preventing the user from accessing any file outside of the chroot. I've
set this up recently, and the only disappointment I have is that
(without a custom patch) I can't force permissions on uploaded files.
This advice assumes you do not want to allow the user to run any desired
command.